Data Protection guidelines-Google Analytics

On 12 May 2020,German Data Protection Conference (‘DSK’) issued  guidelines on the use of Google Analytics in the non-public sector (‘the Guidelines’).  The guidelines have been issued in consequence of the DSK’s decision that Google Analytics is not a Data Processor but a Data Controller or Joint Data Controller. Google Analytics contended that the data it collects does not allow identification of persons. However, the German Data Protection Conference concluded that it does and it further confirmed that this category of data falls under personal data of GDPR.

The Guidelines thus provide for changes in Google Analytics’ policies. The changes are suggested through the guidelines keeping in mind its users by providing them a explicit privacy policy and respect the rules of transparency. The guidelines also lays down that the user consent must be flexible, informative and positive and also allow easy withdrawal of the same.

The main items within the guidelines are as follows:

1. Personal data

When using Google Analytics, personal data of the user is always processed.
Google Analytics contend in its help section that the data it collects does not constitute personally identifiable information. However, the Guidelines conclude that the data, namely the usage data and other device-specific data that can be assigned to a specific user, does in fact fall under the definition of personal data as per the GDPR.




  1. Privacy Policy-It is important to maintain an updated privacy policy in consonance with GDPR. The Privacy Policy needs to be self-explanatory answering fundamental questions with respect to data (process, retention and refusal,etc). Personal data as well as specific category of personal data has to be given particular attention in privacy policy with respect to GDPR.
  2. Data Governance-It is important to plan every aspect of data. As it may happen that subsequent to data being collected it may either be processed, retained or deleted. This required meticulous planning as any data leak may attract penalties or loss of reputation.
  3. DPIA-Data Protection Impact Assessment is a clinical method of assessment of journey of data right from the data subject to the controller. It analyses and detects any possible leaks which can be corrected or repaired.

Read here: Taxpayers’ personal data under risk

Leave A Comment