DSGVO study – no online service examined complies with data protection regulations


A study has examined how well large online portals in Germany comply with the General Data Protection Regulation (GDPR; DSGVO in German). The sobering result: not one of the services examined was compliant with data protection law. The deficiencies vary in extent depending on the service.

Researchers at the University of Göttingen carried out the study on behalf of the Federal Ministry of Justice and Consumer Protection. They put 35 online services under the microscope. These include online stores like Amazon and Zalando, social networks like Facebook, Twitter and YouTube, messengers like WhatsApp and Signal, search engines like Google and DuckDuckGo, review portals, news sites, email providers and the websites of big companies.

The greatest deficits are in the protection of minors, as age limits are simply not checked, and in the handling of sensitive data, according to the study, which has not yet been published but is available online. All services have problems with data processing for personalized advertising purposes. "There is a lack of transparency here and the most frequently used legal basis of Article 6 (1) (f) GDPR is only partially sustainable." The article sets out when data may lawfully be processed, for example on the basis of consent, the performance of legal obligations or the legitimate interests of the controller. Providers seem to treat the article as a kind of free pass. Obtaining consent in a legally compliant form is a "serious problem".

Overall, the deficits are greatest among social networks and messengers. Online shops, media and businesses performed better. And although, according to the authors, it is clear that "the process of implementation is still in full swing," they see "a clear need for action." The DSGVO came into force almost one and a half years ago, a period of both successes and difficulties.

According to the investigation, 33 services had integrated social media plugins into their websites. Some of them did not inform users about this at all, while others did not mention the associated data processing. Only seven sites used the Shariff solution developed by heise online and c't, in which the plugins are not embedded directly and users have to activate them first. The authors describe opt-out default settings as fundamentally "little user-friendly".

The study also cites individual services as best-practice examples. Zalando, eBay Classifieds, Cliqz and Focus Online, for example, are exemplary in their privacy policies. Other services are highlighted for fully meeting other criteria: the cookie banner from Volkswagen is preset to privacy-friendly options, Spiegel Online has a particularly consumer-friendly registration process, and at Express the setting of cookies for advertising purposes is opt-in.

The investigation took place between July and September of this year. The criteria examined included the obligation to inform, the legal bases for data processing, declarations of consent, the handling of sensitive data and privacy-friendly default settings. User-friendliness was considered throughout. For example, the analysis of the formal requirements says that in some services there is a "nesting" of various privacy statements that "make even the most educated person despair".

