It is well known that large amounts of data are generated on the Internet. This applies in particular to social networks, but also to electronic commerce, be it to complete the ordering process or for further purposes such as marketing. The data protection rules, however, are diverse and extensive, so shop operators should be familiar with the applicable data protection law. For example, the privacy policy must reflect the specific circumstances of the online shop; in particular, information on the use of cookies or web analytics tools must be provided separately. Likewise, the sending of newsletters is subject to strict rules. Nor does outsourcing the data processing to a third party (under a data processing agreement) relieve the shop operator of legal responsibility.
The central legal basis of German data protection law is the Federal Data Protection Act (BDSG). For the Internet, the German Telemedia Act (TMG) contains a number of supplementary provisions. With the 2009 amendment of the BDSG, data protection law was comprehensively reformed and modernized. In addition, from May 25, 2018 the General Data Protection Regulation (GDPR) will apply throughout the EU and requires far-reaching changes from virtually all companies. In particular, the expanded accountability and documentation obligations mean considerable administrative work, which should be tackled in good time. The subject of data protection law is, above all, the handling of personal data. According to § 3 para. 1 BDSG (compare Art. 4 No. 1 GDPR), these are “individual details about the personal or factual circumstances of an identified or identifiable natural person (data subject)”. Whether dynamic IP addresses fall under this definition is disputed.
Online merchants should pay particular attention to the following points:
1. The privacy policy statement
A privacy policy is required whenever personal data is collected or used on a website; no online shop can do without one. Its required content follows from § 13 para. 1 TMG: the nature, scope and purpose of the data processing and, where applicable, any transfer to third countries. If anonymous or pseudonymous use of the service is possible, this must be pointed out as well. Likewise, the policy must explain the rights to withdraw consent and to object, and the rights to information, rectification, blocking and erasure. The privacy policy also includes the notices on cookies and web analytics tools.
2. Data Processing Agreement
Commissioned data processing (Auftragsdatenverarbeitung) refers to the delegation of the processing of personal data by the company to external parties. This arises not only in complex IT outsourcing projects (business process outsourcing) but also in cooperation with debt collection, shipping or logistics service providers. In these cases, legal responsibility remains with the client. In addition to the existing contractual relationship (usually a contract for work or services), the client must conclude a so-called data processing agreement with the external party, which is subject to the extensive requirements of § 11 BDSG.
3. Newsletters and Marketing
Customer data is subject to the principle of purpose limitation. Accordingly, data collected in online trading may in principle only be used for concluding and performing the (purchase) contract. Passing data on to carriers or banks is unproblematic insofar as performance of the contract requires it.
Any use of personal data beyond performance of the contract, however, requires the customer's consent. This applies in particular to newsletter distribution and to data collection for marketing purposes. Such consent can only be given explicitly (“opt-in”). The safest method is to have the customer confirm the consent a second time, for example by clicking a link in a confirmation email (“double opt-in”). Consent obtained through an “opt-out” procedure, for example a pre-ticked checkbox, is insufficient.
Exceptions to these basic rules are conceivable under very narrow conditions within existing customer relationships. In every case, the customer must be informed of the possibility to withdraw consent.
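The double opt-in described above, as an added example that is not part of the original article: the confirmation link carries an HMAC-signed token that binds the email address to the specific purpose consented to, so that the link cannot be forged for someone else's address or reused for a broader purpose, and the shop keeps a record of when consent was requested and confirmed. The function names, the 48-hour link lifetime and the in-memory secret key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed configuration for this example: in production the key comes from a
# secret store, not from the source code, and the TTL is a policy decision.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_confirmation_token(email: str, purpose: str, now: Optional[float] = None) -> str:
    """Build the token embedded in the confirmation link sent to `email`.

    The signed payload names the address, the exact purpose being consented to
    (e.g. "newsletter"), the issue time and a random nonce. Because the HMAC is
    keyed with a server secret, nobody can forge a confirmation for an address
    they do not control, and the record cannot later be widened to a purpose
    the customer never saw.
    """
    issued_at = int(now if now is not None else time.time())
    payload = json.dumps(
        {"email": email, "purpose": purpose, "iat": issued_at, "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode("utf-8")
    signature = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(signature)}"


def verify_confirmation_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Validate a token from a clicked link.

    Returns the consent record to store (who, for what, requested when,
    confirmed when) or None if the token is malformed, tampered with, or
    older than the TTL.
    """
    try:
        payload_b64, signature_b64 = token.split(".", 1)
        payload = _b64decode(payload_b64)
        signature = _b64decode(signature_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(signature, expected):
        return None
    data = json.loads(payload)
    confirmed_at = int(now if now is not None else time.time())
    if confirmed_at - data["iat"] > TOKEN_TTL_SECONDS:
        return None  # stale link: the customer has to request a new one
    return {"email": data["email"], "purpose": data["purpose"],
            "consented_at": data["iat"], "confirmed_at": confirmed_at}


if __name__ == "__main__":
    # Constructed sample: the shop issues a link, the customer clicks it an hour later.
    link_token = issue_confirmation_token("kunde@example.com", "newsletter", now=1_700_000_000)
    print("confirmation link: https://shop.example/confirm?t=" + link_token)
    print(verify_confirmation_token(link_token, now=1_700_000_000 + 3600))
```

The record returned on success is what the shop should persist together with the withdrawal link it later has to honour; a newsletter sent to an address for which no such confirmed record exists is exactly the situation the opt-in rule above forbids.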
4. Cookies
Depending on the nature and use of cookies, they may trigger an information duty or require consent. A distinction must be made: if the cookies contain personal data but are required to perform the contract, the operator only has to point out their use. If the cookies allow no conclusions about the identity of the customer, no notice is necessary. However, as soon as the cookies serve purposes beyond the purchase itself (in particular marketing), the customer's consent is required.
5. Google Analytics & Co.: Use of Web-analytics-Tools
Web analytics tools that record surfing behavior are widely used. From a data protection perspective, however, they are not unproblematic, especially Google Analytics, about which there have been considerable concerns in the past.
The problem is that Google Analytics stores IP addresses without the consent of the data subjects. Creating usage profiles without consent, as web analytics tools do, is only permitted in anonymous or pseudonymous form (§ 15 para. 3 TMG). Whether IP addresses count as such pseudonyms has not been finally settled, but the data protection supervisory authorities now deny it.
Anyone who wants to use web analytics tools should therefore make sure that the tool does not store full IP addresses, or at least truncates them so that they can no longer be attributed to a person. In any case, a notice about the use of the tool is required in the privacy policy.
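The truncation just mentioned, as an added example that is not part of the original article: the same scheme Google Analytics applies when IP anonymization is switched on (last octet of IPv4, last 80 bits of IPv6 zeroed), implemented here for a shop's own web-server access log so that full addresses never reach persistent storage. The log lines are constructed for the example and the function names are assumptions.

```python
import ipaddress
import re
from typing import List

# Constructed sample access-log lines in the common "combined" format
# (documentation addresses only; no real visitors behind them).
SAMPLE_LOG = """\
203.0.113.77 - - [10/Oct/2017:13:55:36 +0200] "GET /shop/cart HTTP/1.1" 200 5123
2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Oct/2017:13:55:40 +0200] "GET /shop/checkout HTTP/1.1" 200 2210
198.51.100.9 - - [10/Oct/2017:13:56:02 +0200] "POST /shop/order HTTP/1.1" 302 0
"""

# The client address is the first whitespace-delimited field of each line.
_LEADING_FIELD = re.compile(r"^(\S+)(?=\s)")


def anonymize_ip(address: str) -> str:
    """Truncate an address so it no longer identifies a single host.

    Same scheme as Google Analytics' IP anonymization: keep the /24 of an
    IPv4 address and the /48 of an IPv6 address, zero the rest.
    """
    ip = ipaddress.ip_address(address)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the leading client address of one log line.

    Lines whose first field is not an IP address (e.g. "-" for a missing
    address) are returned unchanged.
    """
    match = _LEADING_FIELD.match(line)
    if not match:
        return line
    try:
        truncated = anonymize_ip(match.group(1))
    except ValueError:
        return line
    return truncated + line[match.end():]


def anonymize_log(text: str) -> List[str]:
    """Anonymize every line; meant to run in the pipeline before the log is written."""
    return [anonymize_log_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

For Google Analytics itself the equivalent is requested client-side with `ga('set', 'anonymizeIp', true)` in analytics.js or the `anonymize_ip: true` configuration parameter in gtag.js; the code above applies the same idea to data the shop collects itself. Note that a /24 still narrows a visitor down to 256 hosts, so the truncated address should be treated as pseudonymous rather than fully anonymous, which is exactly the distinction the paragraph above turns on.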
6. Data transfer and credit check
In principle, the customer's consent must be obtained before customer data is disclosed to third parties. This does not apply if the disclosure serves performance of the contract, e.g. passing data on to carriers. Likewise, no consent is required if the data is used in anonymized form for market or opinion research. In these cases, however, the customer must be informed of the right to object.
Otherwise, consent is always required unless the disclosure serves performance of the contract or is expressly permitted by law. The consent must state the purpose of the processing and must be retrievable by the customer at any time. The customer must also be able to withdraw it at any time. Consent can be given electronically, but an opt-out solution is not permitted.
If data is passed on for a credit check, consent is not required where the merchant has a legitimate interest; in that case the customer merely has to be informed. A legitimate interest exists, for example, if the merchant performs in advance, such as by delivering on invoice before payment is received.
For further news and information, please visit our blogs Internetrecht München and Datenschutzerklärung.