On 12 May 2020,German Data Protection Conference (‘DSK’) issued guidelines on the use of Google Analytics in the non-public sector (‘the Guidelines’). The guidelines have been issued in consequence of the DSK’s decision that Google Analytics is not a Data Processor but a Data Controller or Joint Data Controller. Google Analytics contended that the data it collects does not allow identification of persons. However, the German Data Protection Conference concluded that it does and it further confirmed that this category of data falls under personal data of GDPR.
The main items within the guidelines are as follows:
1. Personal data
- Data Governance-It is important to plan every aspect of data. As it may happen that subsequent to data being collected it may either be processed, retained or deleted. This required meticulous planning as any data leak may attract penalties or loss of reputation.
- DPIA-Data Protection Impact Assessment is a clinical method of assessment of journey of data right from the data subject to the controller. It analyses and detects any possible leaks which can be corrected or repaired.
Read here: Taxpayers’ personal data under risk