Data protection How do I use Google Analytics in a legally secure manner

Data protection is a tricky thing in the web business. Several German courts have already ruled in one direction that data protection is part of competition law. That would be a novelty that companies have to adjust to. Above all, Google services are controlled particularly strongly by the state, which is why special data-collecting offers such as Google Analytics should be legally secure.

Tip 1: anonymize data – this is how it works

Google – as the largest provider in this segment – has been offering the option of encrypting user data in Google Analytics for some time. But to do this, the code inserted in the website has to be changed.

For the old layout on Google Analytics

_gaq.push ([‘_ gat._anonymizeIp’]);

For the new layout on Google Analytics

ga (‘set’, ‘anonymizeIp’, true);

Just paste this code in and you’re done. Google itself also offers detailed instructions on how to anonymize IPs in Analytics.

Above all, this serves to protect the visitors to your site. In the end, it is important for you: It is legally binding.

Otherwise, data protection authorities could give you a legally valid warning. It is also advisable to conclude a standard data processing agreement with Google.

Tip 2: conclude a standard data processing contract with Google

The right to informational self-determination – the highest data protection law in Germany – allows the user to decide for himself how his personal data will be used.

In the last few months in particular, more and more websites – including mine – have been seeing cookie declarations. They are necessary because, according to the interpretation of many courts, a user cannot know who is accessing his user data (IP address, etc.), so he must be informed about it.

This is also the case with statistical programs such as Google Analytics. But because a third party (Google) processes the data of the user (first), the page provider (second) has to inform the user about it once.

In addition, according to German data protection law – more precisely § 11 BDSG – a formal contract must be entered into with the third party. This contract formally instructs the third party with the standard processing of the data – hence the name:

Standard data processing contract.

Quite a word monster, admittedly.

Standard data processing contractStandard contracts should always be read carefully before signing!

Fortunately, Google offers a template for the standard data processing contract as a download. But such a contract does not only have to be concluded with Google: Actually, all third-party companies with whom you exchange data (including many plug-in providers) should also sign such contracts with you. But as an industry giant, Google is usually the only one that the data protection authorities follow up on.

Follow these tips and legally secure your online activities. This is not the ultimate protection, but the minimum so that you, your customers and third parties do not have sleepless nights.

Leave a Reply

Your email address will not be published. Required fields are marked *