
Tracking: Forbidden, allowed or what applies now?



Cash, Das Handelsmagazin 12/2017
2017, December 12

The observation, recording and analysis of customer and user behaviour plays a central role in business practice. Especially for the purposes of advertising, market research and the demand-oriented design of products and services, tracking - both online and offline - has become indispensable.

The General Data Protection Regulation applicable from 25 May 2018 ("GDPR") and the E-Privacy Regulation, which is in the starting blocks, will further tighten the legal limits.

Admissibility of tracking under data protection law

Tracking essentially means the observation and analysis of the behaviour of (potential) customers and interested parties. As a rule, an individual customer profile is created based on the data collected from user behaviour. On this basis, for example, a possible (future) need for certain products or services as well as the personal preferences of those affected can be determined. Online and offline tracking of customer activities using tracking and analysis tools therefore essentially serves to increase sales through more targeted (advertising) measures.

Even if the GDPR does not provide any explicit special provisions for tracking, some general data processing regulations are also applicable to this form of marketing activity: For example, the tracking and monitoring of the activities of customers and interested parties - depending on intensity and scope - is only permitted under data protection law if (i) the person responsible (i.e. the tracking company) has an overriding legitimate interest in data processing, (ii) the data subject gives his consent or (iii) expressly consents.

Minimally invasive tracking: legitimate interests

Up to now, the Austrian data protection authority has been very reluctant to accept an overriding legitimate interest in marketing activities based on the current data protection regime. As a rule, it does not accept purely economic purposes (such as increased sales) to justify data processing activities. However, this will change from May 2018: The GDPR is more liberal in this regard and considers the processing of data for the purpose of direct advertising to be covered by legitimate interests (Recital 47). According to the new regime, a legitimate interest of companies to know their customers' preferences through cautious tracking can therefore be argued. However, this is only for the purpose of better matching their offers to the respective person and finally offering goods and services that better meet the needs and wishes of their customers. However, a legitimate interest presupposes that data processing is limited to the minimum necessary and that only the absolutely necessary information is used (data minimisation principle according to Art 5 GDPR). It may therefore be permissible, for example, for a food delivery service to analyse its customers' orders and send them suitable discount coupons for meals from their favourite supplier or suggestions for new restaurants with similar cuisine through posts based on consumer behaviour to date.

However, pursuant to this legal basis, it is not permitted to collect excessive amounts of data about the online and/or offline activities of customers and to combine them into complex profiles. In addition, the data subjects must be informed about the tracking in an understandable form and have the possibility to object to the data processing at any time.

In practice, however, due to the lack of special provisions in the GDPR and the associated scope for argumentation, the previously strict view of the data protection authority and the still missing case law, recourse to consent will often make sense in order to secure tracking activities. This applies in particular if the minimum approach is exceeded and analyses that are even more extensive are carried out.

More comprehensive tracking: consent

If a company wants to analyse or even predict the personal preferences and behaviour of individual customers or interested parties in more detail, the consent of the data subjects is usually required due to the extent of data processing and the intensity of the intervention.

According to the GDPR, such consent must be given in an intelligible and easily accessible form and in clear and plain language (Art 7 para 2 GDPR). It must also (i) be based on comprehensive information of the data subject, (ii) be given voluntarily by the data subject, and (iii) inform the data subject that it can be withdrawn at any time without giving reasons. According to the case-law, these conditions must be interpreted strictly: The data subject must be informed in detail (i) which of his data (ii) should be used for which purposes (including a detailed description of tracking and analysis methods) and (iii) by which company.

In practice, consent is required in particular for tracking for the purposes of direct advertising by e-mail, for target-group-oriented marketing based on a great amount of data, for location-based advertising or tracking-based market research.

Sensitive areas: explicit consent

The GDPR provides for even stricter requirements for tracking based on special categories of personal data (such as information on ethnicity, political opinion and health data under Article 9 GDPR). Such data may only be processed with the express consent of the data subject. This should be issued in writing and signed separately, in particular for reasons of preservation of evidence. However, it is also sufficient to click on a checkbox that has not already been pre-activated.

Special provisions for online tracking

The collection and analysis of data from website visitors by cookies and plug-ins is only permitted on the basis of the user's consent, including comprehensive information, unless data processing is technically necessary (Sec 96 para 3 of the Telecommunications Act ("TKG") and Art 8 of the ePrivacy Regulation draft). This consent is usually obtained via a button in the cookie banner on the homepage of the website. The user must be informed in detail about the use of his data by means of a data protection declaration. According to the ePrivacy Regulation draft, the strict requirements of the GDPR apply to this consent (see above). At the same time, however, the draft of the regulation makes it easier to set cookies: Accordingly, the browser settings of the visitor are already sufficient - as was the case before the amendment of the TKG in 2011, which tightened cookie regulations. This would make the unattractive and impractical banners, which have only just been introduced, history again. It remains to be seen, however, whether this relief will really be implemented. At present, the ePrivacy Regulation is still being agreed on and further negotiated at EU level following revision by the EU Parliament. It is currently planned for it to be applicable alongside the GDPR on 25.5.2018. Any changes that may be necessary will therefore probably have to be implemented at very short notice.

Consequences of inadmissible tracking measures

Missing or invalid consent leads to inadmissibility of data processing activities. The same applies if the limits of legitimate interest are exceeded. The current administrative penalties of up to EUR 25,000 for data protection violations will be increased to up to EUR 20 million or 4% of the global group turnover from 25 May 2018 with the GDPR and the draft of the ePrivacy Regulation. In addition, there are claims for damages from data subjects and - in addition to loss of customers - there is also the threat of PR damage. In view of the imminent increase in penalties, it is therefore highly recommended to review the existing tracking measures and the associated declarations of consent and adjust them if necessary.

