

Attention, threat of supervision – tracking tools in media companies

On August 19th 2020, the Baden-Württemberg State Commissioner for Data Protection and Freedom of Information announced ongoing data protection audits of media companies across several German states. Initial inquiries from data protection authorities have already been received.

What is the data protection audit of media companies across several states about?

The audit focuses on the integration of tracking technologies on the websites of media companies and the associated use of cookies.

Infringements of the applicable data protection laws may result in fines and a loss of reputation that should not be underestimated. Media companies in particular, with their journalistic offerings, enjoy special trust among the population, which should be preserved.

Which issues need to be considered?

We would therefore like to take this opportunity to again point out the most important issues in connection with the use of tracking technologies and cookies:

  • Media companies are advised to check their websites and, where applicable, their apps to ensure that effective consent management for tracking and analysis technologies and cookies is implemented. Many tracking and analysis technologies may only be used on the basis of explicit and actively obtained consent, which may have to include data transfers to third countries such as the U.S. Upon request, we can provide a best-practice example of a cookie banner.
  • It should be examined which tracking and analysis technologies and cookies are used on the respective website and, where applicable, in apps. Their use should be documented in the media company’s records of processing activities. For the supervisory authorities, transparency and traceability of data transfers are critical factors.
  • In connection with consents, appropriate documentation of the consent and possible withdrawals (consent management) must also be ensured.
  • Companies should ensure that website visitors are adequately informed of the use of tracking technologies in the respective privacy policies/cookie policies.

Special features since the ECJ’s “Schrems II” decision

Since the European Court of Justice’s July 16th 2020 judgement (“Schrems II”), the transfer of personal data to the USA is possible neither on the basis of the EU-US Privacy Shield nor on the basis of EU standard contractual clauses that are not adapted to the ruling. In particular, the use of tracking and analysis technologies by U.S. providers must be viewed very critically for the time being. We therefore advise businesses to check all tracking and analysis technologies used on websites or in apps.

How are inquiries from regulatory authorities answered correctly?

Inquiries from supervisory authorities need to be answered and the necessary information provided in accordance with Section 40(4) sentence 1 Federal Data Protection Act and Article 31 GDPR. Companies failing to comply with this obligation are acting in breach of the provisions under Article 83(4)(a) GDPR for this reason alone. We therefore recommend that the mail room also be made aware of potential letters from the supervisory authorities so that responses may be duly returned within the set period.

Irrespective of this, noyb, the organization of data protection activist Max Schrems, is currently taking action against 101 companies that have integrated Google and Facebook on their websites. The organization has filed a complaint directly with the relevant supervisory authority, demanding the imposition of fines. It cannot be ruled out that the organization will also take action against other companies.

We are here for you!

Our data protection experts from the IT & Digital Business department are always glad to assist you with preparing your reaction to any such inquiries and specific responses to them.

Please do not hesitate to contact us personally for additional questions and concerns.


Nikolaus Bertermann
