etracker Analytics is 100% GDPR-compliant
The data protection statement for our customers, business partners, interested parties and other visitors to our online offer and the associated websites, functions and contents can be found here.
The following sections explain how etracker enables companies to run web analysis and marketing communication in compliance with data protection regulations by aligning the collection and use of tracking data with all legal requirements. This provides sustainable data-driven marketing, legal certainty and customer confidence.
Data Protection is our Highest Priority
The etracker DNA includes very high standards for the correct and confidential handling of visitor and customer data. As the first provider of solutions for the analysis and optimisation of websites and online marketing measures, we were certified as compliant with data protection laws as early as 2006 by the Hamburg Commissioner for Data Protection and Freedom of Information, following an extensive examination procedure.
We are well acquainted with the data protection regulations and have always been in continuous dialogue with the supervisory authorities in order to provide privacy-by-design solutions that comply with data protection law. As a result, we implemented the requirements of the General Data Protection Regulation (GDPR) at an early stage by means of privacy by design.
GDPR Compliance without Consent Requirement and with Maximum Data
On 28 May 2
For us, it is a matter of course to react immediately to the latest case law and to provide our customers, as standard, with a web analysis solution that delivers maximum data while conforming to data protection regulations: etracker Analytics Cookie-less.
Compliance with the General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG-new) was checked and certified in an independent audit, and awarded the ePrivacyseal data protection seal of approval.
The audit result confirms that no consent is required in cookieless mode:
“[…] On the basis of our detailed examination, we consider it acceptable to justify data processing by etracker Analytics and etracker Optimiser, also with regard to the DSK paper from March 2019 and the ECJ ruling of 01.10.2019, by the legal basis of Art. 6 Para.1 lit.f) GDPR (legitimate interest). In cookieless mode (standard mode), the use of etracker Analytics is legal without any obligation to give consent.”
Secure Data Processing and Storage in the EU
With the Schrems II ruling of the ECJ on 16.07.2020, the Privacy Shield Agreement between the EU and the USA was declared invalid with immediate effect. Since then, the use of US martech in the EU has been illegal. This is because even the use of so-called “standard contractual clauses” would only be possible with additional safeguards, such as data encryption by the client. And even explicit consent of users, given after being informed about the risks of the data transfer, is out of the question for permanent transfers.
German supervisory authorities clearly stand behind the new legal situation and call on companies to adapt to it:
“The days when personal data could be transferred to the US for convenience or cost savings are over after this ruling. Now is the time for Europe’s digital independence. We accept the challenge that the ECJ explicitly obliges the supervisory authorities to prohibit unauthorised data transfers”. (Translated by the author)
Press release of the Berlin Commissioner for Data Protection and Freedom of Information of 17.07.2020.
Our data centre as well as our development and system administration are located in Hamburg, Germany. For server housing only, we use the high-quality, highly secure and highly available data centre infrastructure of IPHH Internet Port Hamburg GmbH, which is certified to ISO/IEC 27001:2013. This means that no third party has access to servers, applications or data.
Effective Pseudonymisation and Anonymisation
When storing visitor data, the IP addresses, device data and domain data of visitors in particular are only stored or encoded in a shortened form, so that it is not possible to identify the individual visitor. We undertake never to merge collected data with other databases, for example to establish a link to a person.
The shortening of the IP address is carried out at the earliest possible point in time and is automated by default, without our customers having to make any special adjustments or configurations. In this way we offer the required data protection-friendly default settings (Privacy by Design and Privacy by Default). Identifiers for app tracking, session handling and optional cross-device tracking, as well as behaviour-related data for remarketing, are securely pseudonymised and encrypted.
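The shortening and pseudonymisation described above, as an added illustration that is not etracker's own code: the host part of the IP address is zeroed and identifiers are replaced by a keyed hash before the hit is stored. The prefix lengths (/24 and /48), the use of HMAC-SHA256 and the hit layout are assumptions for this example, not details taken from the page.

```python
import hashlib
import hmac
import ipaddress

# Assumed prefix lengths kept after shortening (not stated on the page).
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def shorten_ip(ip_text: str) -> str:
    """Zero the host part of an IPv4/IPv6 address so it no longer points at one visitor."""
    ip = ipaddress.ip_address(ip_text)
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network((str(ip), keep), strict=False)
    return str(net.network_address)


def pseudonymise(value: str, secret: bytes) -> str:
    """Keyed hash of an identifier: stable for the same secret, unlinkable without it."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()


def process_hit(raw_hit: dict, secret: bytes) -> dict:
    """Apply shortening/pseudonymisation at ingestion, before anything is written.

    Only the transformed fields are returned, so the raw IP and raw session
    identifier never reach storage.
    """
    return {
        "ip": shorten_ip(raw_hit["ip"]),
        "session_id": pseudonymise(raw_hit["session_id"], secret),
        "page": raw_hit["page"],
    }


if __name__ == "__main__":
    # Constructed sample hit and demo secret; a real deployment would keep the
    # secret in a key store and rotate it.
    SECRET = b"constructed-demo-secret"
    hit = {"ip": "203.0.113.77", "session_id": "sess-4711", "page": "/pricing"}
    print(process_hit(hit, SECRET))
```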
Data is Provided Exclusively to the Respective Customer
We process the data exclusively on behalf of the customer, in accordance with the concluded data processing agreement. The data belong to the respective customer and are neither combined with other data nor passed on to third parties. We do not trade in data, nor do we use our customers' data for higher-level analyses or profile building.
GDPR-compliant Data Processing Agreement (DPA)
In order to process data on behalf of a customer in conformity with data protection law, a Data Processing Agreement must be concluded in accordance with Art. 28 GDPR. At etracker, this agreement is concluded as soon as a (test) account is created or a written order is placed, so that both the principal (customer) and the processor (etracker) are bound by it. Our Data Processing Agreement is based on the templates of the German state data protection authorities and has been adapted to the needs of etracker web analysis and conversion optimisation by a law firm specialising in IT law and data protection.
Technical and Organisational Data Protection
The operation of complex technological infrastructures is our core competence and a fundamental component of our service. It is therefore our top priority that our data centre is always operated according to the latest security standards. This includes current firewall and intrusion detection technologies as well as extensive physical controls and access restrictions. At the application level, modern authentication methods for user and administrator authorisations are standard, as are daily backups.
In addition, we subject our entire security infrastructure to regular penetration tests. Secure Sockets Layer (SSL) transmission is always used when recording data and when accessing our application, so all information transmitted in this way is encrypted before it is sent.
For us, binding our employees to the data protection requirements of the GDPR and to confidentiality is just as natural as using the latest security technologies. These obligations continue even after the employment relationship has ended.
“We provide you securely with all data independent of content and cookies in order to better understand your users and create successful marketing.”
Olaf Brandt, Managing Director