Home

Trackerdetect Legal Guide

This document describes:

  • legal duties (GDPR, ePD etc) site owners have when Trackers are on site owners’ sites, and
  • actions site owners can take to comply with such legal duties.

Duty to discover Trackers

Do site owners have a duty to use a tool to detect and monitor Trackers on their sites?

Yes.

Site owners must technically ensure and be able to demonstrate to process site visitors’ personal data as required by the GDPR.

Site owners can achieve lawful use of Trackers on their sites and demonstrate it only if site owners first

  • detect Trackers on their sites,
  • monitor whether, how and when Trackers process site visitors’ personal data,
  • identify relevant legal requirements,
  • put the legal requirements into practice (e.g. consent), and
  • monitor whether what was put into practise is effective and not violated (e.g. you use Trackerdetect to discover that a Tracker places a cookie on your site visitors’ machines without your permission, so you quickly can act against the Tracker).

Legal reference: GDPR Article 24.1, 1st sentence.

What to do? Use Trackerdetect.

Duty to have a Tracker policy

Do site owners have a duty to have internal policies for using Trackers on their sites?

Site owners may be obliged to adopt internal policies for using Trackers on their sites.

Such policies should tell employees etc the rules for whether, when, where, how to classify, authorise and manage Trackers on their sites.

Legal reference: GDPR Article 24.2 and 24.1.

What to do? Ask us for a policy template !

Duty to classify site owner and Tracker

Do site owners (and Trackers) have a duty to classify themselves and each other as a “controller”, “joint controller” or “processor”?

Yes.

Site owners and Trackers have a duty to classify themselves and each other to count as a “controller”, “joint controller” or “processor”.

The reason is that these notions trigger different legal duties that regulate

  • what each is allowed to do or not allowed to do,
  • their relation, and
  • who is responsible for what.

Who is (not) a (joint) controller with regard to what?

Site owners count as “controllers” in relation to their site visitors.

Trackers may - depending on the circumstances - count as

  • “processors” that process site visitors’ personal data on behalf of site owners, or
  • “controllers” in relation to site owners’ site visitors’ personal data.

Site owners and Trackers may count as a joint controllers.

What to do? Assess in which capacity/role site owners and Trackers process site visitors’ personal data.

Duty when Tracker is “processor”

Do site owners have a duty to use only Trackers that provide sufficient guarantees for GDPR compliant processing of site owners’ website visitors’ personal data?

Yes.

Site owners must assess if Trackers provide sufficient measures for GDPR compliant processing of site owners’ website visitors’ personal data, in particular in terms of:

  • expert knowledge,
  • reliability,
  • resources, and
  • security of processing.

Legal reference: GDPR Article 28.1 and 32.

Do site owners have a duty to enter into a Data Processing Agreement (DPA) with site Trackers?

Yes.

Legal reference: GDPR Article 28.3.

Must the Data Processing Agreement (DPA) have a certain content?

Yes.

What to do? Ask us for a DPA template!

Legal reference: GDPR Article 28.3.

Can site owners use Trackerdetect to indicate whether a Data Processing Agreement (DPAs) is signed with each Tracker?

Yes, in the Tracker Dashboard of Trackerdetect.

Can site owners use Signatu’s Consent technology to enter into a Data Processing Agreement (DPAs) with Trackers electronically?

Yes.

What to do? Contact us!

Do site owners have additional duties if Trackers share site owner’s website visitors’ personal data to 1) a 3rd party controller, 2) Trackers’ own sub-processor, 3) site owner’s other processors, or 4) a 3rd party processor?

Yes.

Such sharing must be based on the instructions of the site owner.

Legal reference: GDPR Article 28.2 and 28.4.

Is the disclosure of site owners’ website visitors’ personal data to Trackers unauthorised and therefore a data breach if no Data Processing Agreement (DPA) is signed between the site owner and the Trackers?

Yes.

Legal reference: GDPR Art 4(12).

Duty when site owner is joint controller with Tracker

Do site owners have a duty to enter into a Joint Controller Agreement (JCA) site Trackers?

Yes.

Legal reference: GDPR Article 26.

Must the Joint Controller Agreement (JCA) have a certain content?

Yes.

Joint controllers must determine their respective responsibilities for compliance with the GDPR, in particular as regards the site visitors’ exercise of rights, and the joint controllers’ respective duties to inform site visitors as required in GDPR Articles 13 and 14, by means of an arrangement between them. The arrangement may designate a contact point for site visitors.

What to do? Ask us for a JCA template!

Legal reference: GDPR Article 26.1.

Must site owners and Trackers inform site visitors about the respective roles and relationships of the joint controllers vis-à-vis the site visitors?

Yes.

What to do? Contact us! We enable you to inform site visitors appropriately.

Legal reference: GDPR Article 26.2.

Can site owners use Trackerdetect to indicate whether a Joint Controller Agreement (JCA) is signed with each Tracker?

Yes, in the Tracker Dashboard of Trackerdetect.

Can site owners use Signatu’s Consent technology to enter into a Joint Controller Agreement (JCA) with Trackers electronically?

Yes.

What to do? Contact us!

Is the disclosure of site owners’ website visitors’ personal data to Trackers unauthorised and therefore a data breach if no Joint Controller Agreement (JCA) is signed between the site owner and the Trackers?

Yes.

Legal reference: GDPR Articles 26.1 and 4(12).

Is the disclosure of site owners’ website visitors’ personal data to Trackers unauthorised and therefore a data breach if legal basis for the processing purpose lacks?

Yes.

Legal reference: GDPR Articles 6 and 4(12).

Can site owners be responsible towards site visitors for Trackers’ breach of site visitors’ rights?

Yes.

Legal reference: GDPR Article 26.3.

For which stage of the processing are the site owner and Tracker jointly responsible?

The EU General Advocate says in his Opinion in the Fashion ID case that:

Site owners and Trackers are jointly responsible for the stage of the processing that concerns the collection and transfer to Trackers (but not further downstream) of site visitors’ personal data (e.g. IP address, browser string etc) caused by the Tracker resources that provide the parameters of the data to be collected and transferred if

  • the site owners voluntarily embed the Tracker resources on their sites (then the site owners are considered to set those parameters with regard to any visitors to their websites), and
  • the site owners and Trackers pursue commercial purposes in a way that appears to be mutually complementary (in this way, although the purposes of the site owners and Trackers may not be identical, there is unity of purposes).

Legal reference: Fashion ID case

Must site owners and Trackers have legal basis for their purpose to collect and transfer site visitors’ personal data to Trackers?

Yes.

Is it the site owners or Trackers who have a duty to request, receive and record site visitors’ consent?

Site owners have the duty to request and receive site visitors’ consent.

Site owners are considered to be in a position to provide information in the consent request about

  • the identity of the joint controller (the Trackers).
  • the purpose of the respective stage of the processing over which the site owners and Trackers have joint control.
  • the fact that the personal data will be collected and transferred.

Site owners are considered to be in a position to receive consent since it is when their sites are visited that the collection and transfer of data is triggered.

Site owners are considered to be in a position to record the consent events (that site visitors consent, refuse to consent or withdraws consent).

Legal reference: Fashion ID case

Can site owners use Signatu’s Consent technology to request and receive site visitors’ consent electronically?

Yes.

What to do? Contact us!

Which information must site owners provide to site visitors when requesting site visitors’ consent?

Please see our Consent documentation.

When must site owners request and receive site visitors’ consent?

Site owners must provide information and request and receive site visitors’ consent BEFORE site visitors’ personal data are collected and transferred to Trackers.

How can site owners request and receive site visitors’ consent BEFORE site visitors’ personal data are collected and transferred to Trackers?

Our Tag Manager conditionally loads Tracker resources (e.g. cookies) based on site visitors’ consent.

What to do? Contact us!

Must site visitors be informed about the Legitimate Interest of the site owners only or Trackers only or both?

Both.

In the balancing against the rights of website visitors, it is the Legitimate Interest of both the site owners and the Trackers that have to be taken into account when they both act as joint controllers for the collection and transfer of the data to the Trackers.

Legal reference: Fashion ID case

Is it the site owners or Trackers who have a duty to inform site visitors about the legitime interest?

The site owners that have a duty to inform about their legitimate interest, and most probably also have a duty to inform about the legitimate interest of the Trackers, as in the case with consent (see above).

Legal reference: Fashion ID case

Must site owners provide site visitors with the possibility to opt out automatically of legitimate interest?

Yes.

See our Consent documentation.

What to do? Contact us!

Legal reference: GDPR Articles 21.1 and 21.5.

Duty when site visitors’ personal data are transferred outside the EU

Must site owners and Trackers have a separate legal basis for transferring site visitors’ personal data outside the EU?

Yes.

Legal reference: GDPR Articles 44-46.

How can site owners know whether site visitors’ personal data are transferred outside the EU?

Trackerdetect detects the location of the server from which the Tracker resources are loaded. Also, Trackerdetect indicate the location of the Tracker address. This can indicate to where site visitors’ personal data are transferred outside.

Duty to have a Processing Record with Tracker details

Must site owners keep a Processing Record with details about Trackers?

Yes, except, says GDPR Article 30.5, if you employ

“fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10”.

Legal reference: GDPR Article 30.1 and 30.5.

What to do? Use Trackerdetect.

Which information must the Processing Record show?

The processing record must show:

  • the name of the Trackers (GDPR Article 30.1(d))
  • the categories of data subjects (site visitors) that are processed when using each Tracker (GDPR Article 30.1(c))
  • the categories of personal data that are disclosed to each Tracker (GDPR Art 30.1(c))
  • the envisaged time limits for storage/erasure of the different categories of data (GDPR Art 30.1(f))
  • the transfers of personal data to a Tracker in a third country, including the identification of that third country, and identify a) the existence/absence of adequacy decision, and b) document suitable safeguards (GDPR Art 30.1(e))
  • the security measures to authorise Trackers on site owner’s site and the collection and transfer of data to the Trackers (GDPR Art 30.1(g))
  • the processing purpose(s) for using each Tracker (GDPR Art 30.1(b))

How often must site owners record that Trackers are on their sites?

Regularly.

If Trackers place cookies on site visitors’ machines, then the Consent Record must show the site visitors’ Consent Events regarding all cookies that require site visitors’ consent. Ideally site owners should use Trackerdetect daily to record that Trackers place cookies on site visitors’ machines and check with the Consent Record whether the cookies are placed on site visitors’ machines without their permission, so site owners quickly can act against the Tracker.

What to do? Use Trackerdetect to scan sites 4 times daily!

Must site owners be able to prove the date of creation of the record and the last update?

Yes.

The Italian Data Protection Authority says that tracking changes to the record is achieved when you can prove the date of creation of the record (sheet) and the last update.

Legal reference: FAQ of the Italian Data Protection Authority regarding GDPR Article 30.

Must site owners show the Processing Record to Data Protection Authorities?

Yes, site owners must make the record available to the Data Protection Authorities on request.

Legal reference: GDPR Article 30.4.

Duty to risk assess Trackers

Do site owners have a duty to carry out a documented preliminary risk assessment to determine whether having Trackers on the site will trigger the need to undertake a full DPIA?

Yes, according to Ireland’s Data Protection Authority who in general says

“the data controller needs to go through a methodological process to identify the threats to data subjects and a calculation of the inherent risks involved. Clearly, if a processing operation is not high risk this can be easily recorded alongside the record keeping required for processing operations under Article 30. On the other hand, if a processing operation is complex, then a full scale screening process may be required and it may in fact form the preliminary steps of a DPIA. Other less complex processing operations may not require such an in depth risk analysis. If this analysis step determines in fact that the risks are low and no further work on a DPIA is required then, this can be recorded with other Article 30 records.”

Site owners may be obliged to carry out a Data Protection Impact Assessment (DPIA) of the impact of the collection and transfer of site visitors’ personal data to Trackers, assess if processing is performed in accordance with the DPIA and consult the Data Protection Authority prior to the collection and transfer.

Legal reference: GDPR Articles 35.1, 35.11 and 36.

What to do? Carry out a risk assessment and DPIA.

Duty to include Tracker details in Privacy Policy

Must site owners include details about Trackers in their Privacy Policies?

Yes.

The Privacy Policy must include:

  • the name of the Trackers (GDPR Article 13.1(e))
  • the envisaged time limits for storage/erasure of the different categories of data (GDPR Art 13.2(a))
  • the transfers of personal data to a Tracker in a third country, including the identification of that third country, and identify a) the existence/absence of adequacy decision, and b) document suitable safeguards (GDPR Art 13.1(f))
  • the processing purpose(s) for using each Tracker (GDPR Art 13.1(c))
  • the legal basis for each processing purpose (GDPR Article 13.1(c))
  • the legitimate interest (if any) for using each Tracker (GDPR Article 13.1(d))

Legal reference: GDPR Article 13.

What to do? Generate a Privacy Policy with Signatu and include the Tracker details from Trackerdetect.

Duty to include Tracker details in Access Right Response

Must site owners include details about Trackers in their Access Right Response?

Yes.

The Access Right Response must include:

  • the name of the Trackers (GDPR Art 15.1(c))
  • the categories of personal data that are disclosed to each Tracker (GDPR Article 15.1(g))
  • the envisaged time limits for storage/erasure of the different categories of data (GDPR Art 15.1(d))
  • the transfers of personal data to a Tracker in a third country, including the identification of that third country, and identify a) the existence/absence of adequacy decision, and b) document suitable safeguards (GDPR Art 15.2)
  • the processing purpose(s) for using each Tracker (GDPR Art 15.1(a))

Legal reference: GDPR Article 15.

What to do? Include the Tracker details from Trackerdetect.

Duty to notify Trackers

Do site owners have a duty to notify Trackers of site visitors’ request to rectify or erase their personal data or restrict processing?

Yes.

Legal reference: GDPR Article 19.

Contact us if you need help.