Tracking Tools – Accountability

Accountability (pursuant to Article 5(2) of the GDPR) when using tracking tools.

In its activity report for 2019, the BayLDA once again discussed the issue of accountability in connection with the use of tracking tools.

According to the BayLDA, the background to this is that many companies are not sufficiently aware of their own processing activities and deal only superficially, or not at all, with the legal requirements imposed by the GDPR. Since website creation and maintenance are often handled by external agencies, there is little or no knowledge on the part of the company about the use of tracking tools. Often, tracking tools are also integrated into the website to finance advertising. In many cases, this also takes place without the knowledge of the management and/or the internal/external data protection officer. At this point, an improved understanding of the tracking tools used is certainly still necessary in many companies.

The issue of accountability represents one of the few major changes in the new data protection law. For this reason, we would like to take a deeper look at this topic once again.

BayLDA already started auditing the accountability compliance of large corporations in October 2018 and points out that in such an audit, it is not enough to print out the website’s privacy policy and additionally declare “advertising is a legitimate interest and therefore you are allowed to do that”. According to BayLDA, many responsible parties of the audited companies were overwhelmed by the issue of accountability.

So what is necessary to fulfill an accountability obligation?

The GDPR already contains a large number of obligations to provide evidence that the controller must fulfill, such as the balancing of interests pursuant to Art. 6 in conjunction with Recital 47, a list of processing activities (Art. 30 GDPR), the data protection impact assessment (Art. 35 GDPR), approved codes of conduct (Art. 40 GDPR), certification (Art. 42 GDPR), data protection breach notifications (Art. 33 GDPR) and contracts for commissioned processing (Art. 28 (3) GDPR), ….. Accountability can further be achieved through other data protection documentation, such as legal opinions, employee training, internal/external audits, concepts to ensure data subject rights, certifications according to DIN and ISO standards, contract management, introduction of data protection guidelines, and data protection organization processes.

The purpose of the documentation is for the controller to check whether data processing has been carried out lawfully and/or whether further measures still need to be initiated to ensure lawful processing. In addition, after reviewing the above-mentioned obligations to provide evidence and the data protection documentation, the controller has comprehensively dealt with the more extensive requirements and is in a position to meet its transparency obligations (Art. 12 et seq. GDPR) to an appropriate extent.

To assist in this regard, the German data protection supervisory authorities have supplemented this document as a follow-up to their position statement on the applicability of the Telemedia Act 2018 and published a guidance document of the supervisory authorities for telemedia providers in 2019. The requirements defined here were confirmed in the context of the ECJ Planet 49 ruling in October 2019.

Hint: This text has been translated by an AI (German > English). Slight errors may occur.