The German Data Protection Conference (DSK) issued guidance on the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (‘TTDSG’), which went into effect on December 1, 2021.
Some key takeaways:
If no personal data is processed, only TTDSG is applicable. If both personal and non-personal data is processed, both TTDSG and GDPR apply. However, for the storage and access of information on/from terminal equipment, TTDSG takes precedence. For the subsequent processing, GDPR applies. Storage in or access from terminal equipment requires consent. This is not just telephony or VoIP, but also cable, WLAN, and IoT connections (including appliances and smart TVs).
Storage and Access:
Storage and access includes: access to hardware device identifiers, advertising identification numbers, telephone numbers, SIM card serial numbers (IMSI), contacts, call lists, Bluetooth beacons or SMS communication. For all devices, the reading of the unique identifiers of the network hardware (MAC addresses) and browser fingerprinting. An access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed that is transmitted inevitably or due to (browser) settings of the end device when calling up a telemedia service, this is not to be considered “access to information already stored in the end device.” Examples of this are: (1) the public IP address of the terminal device, (2) the address of the called website (URL), (3) the user agent string with browser and operating system version and (4) the set language. You can get consent to store and access information and consent for further processing under GDPR 6(1)(a) at the same time if: (a) you inform the users of all purposes (including of the subsequent processing), and that it is clear to the user that several consents are given in a single action (e.g. the pressing of a single button). Consent by approval of a banner is not consent for TTDSG and GDPR, it’s just consent under TTDSG.
Consent for Chas the same requirements as consent for GDPR.
From whom: consent is required from