In its 2024 activity report, the Berlin Commissioner for Data Protection and Freedom of Information wrote about an on-site inspection of a Berlin-based company operating as a data broker in the field of online advertising.
No or invalid consent
The Berlin DPO found that the documents submitted by the company showed that either no consent had been obtained or that it did not meet the legal requirements. The company does not operate its own apps, but obtains personal data from various data suppliers, who in turn obtain the data via their own apps or via third parties. The responsibility for obtaining consent was outsourced to the original data collectors. Although the company had terminated cooperation in some cases involving particularly serious deficiencies, it continued to cooperate with providers who had demonstrably violated data protection regulations.
Consent texts not sufficiently transparent or comprehensible
The consent texts used were based on IAB Europe's Transparency & Consent Framework (TCF), which serves to standardize consent processes in the field of programmatic advertising. The following points were criticized:
- The incomprehensible and meaningless amount of information presented to the data subjects
- Insufficient description of the purposes and data processing
- In some cases, the actual data processing went beyond the declared content of the consent
- The options for refusing consent were often hidden, difficult to find or linked to essential functions
- Privacy policies and consent texts were only available in foreign languages
- There was no proof that consent had actually been given; the business had only carried out an abstract review of the consent process
- Often, it could not be proven that no data was actually transferred when consent was refused, which leads to unlawful tracking
Questionable data quality
In addition, the Berlin DPO randomly checked the quality of the aggregated tracking data and found that it contained a large number of inconsistencies. For example, individual users were assigned different age or income groups at the same time.
Responsibility despite lack of end customer access
The case exemplifies the challenges in the area of data protection-compliant tracking and profiling. Even businesses that are not in direct contact with the data subjects remain fully responsible for the lawfulness of data processing. This includes, in particular, providing reliable proof of effective consent and transparent information to the data subjects.
Simply referring to consent texts is not sufficient if these are neither comprehensible nor appropriate, especially when hundreds of businesses are involved and the data flows are highly complex and cannot be traced by data subjects.
Recommendation: Review consent processes
All controllers should take the on-site audit by the Berlin DPO as an opportunity to review their own consent processes:
- Are the consent texts clearly understandable?
- Are all purposes and data processing clearly specified?
- Can refusals be made effectively and easily?
- Can the entire process be reliably documented and individual declarations of consent be verified?
As data protection officers, we are happy to advise you if you wish to review your procedures or develop them further in line with data protection requirements.