RheinMain University of Applied Sciences – Court Ruling (Germany, 2021)
A German court ruled that RheinMain University improperly used tracking tools on its website without obtaining user consent. The court found that the university's actions violated privacy rules by sending users' IP addresses and device information to Google without permission. This case highlights the need for websites to ensure they have proper consent mechanisms in place.
What happened
RheinMain University tracked users' IP addresses and device information without obtaining consent through its website.
Who was affected
Visitors to RheinMain University's website were affected by the unauthorized tracking of their data.
What the authority found
The court determined that the university violated GDPR by not obtaining valid consent before processing users' personal data.
Why this matters
This ruling stresses the importance of consent for tracking technologies on websites. Companies must review their cookie policies and ensure they have clear consent from users before collecting any personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Controller is the RhineMain University of Applied Sciences. On its website (https://www.hs-rm.de), it used the consent manager “Cookiebot” to obtain users' consent to the use of cookies, and the "Google Tag Manager". Data subject regularly visits the website to look for specialist literature in their online catalogue, and found that their IP address is automatically transmitted to Google’s server each time they visit the website, without having given consent. In addition to their IP address, all kinds of information on the hardware and software of the user’s terminal device is sent, i.e., the accessed’ website, their operating system and its version, the browser and its version, the screen resolution etc. Moreover, Cookiebot is a service offered by the Danish provider Cybot. Although the company is established in Denmark, the target domain “consent.cookiebot.com” refers to a server with an IP address registered with the US-based cloud company Akamai Technologies Inc. (hereafter: Akamai). Although the server might be located in the EU, the cloud company has access to the data on this server. Therefore, the US Cloud Act applies, which means that US governmental agencies can request access to this data, without a court order or mutual legal assistance agreement. After the data subject had written three warning letters to the controller, the latter responded on 7 June 2021 that it no longer used the Google Tag Manager, but refused to submit the obligation to cease and desist regarding Cookiebot. Hence, on 8 June 2021, the data subject applied for interim relief. The Court upheld the appeal and ordered controller to terminate the integration of Cookiebot for the purpose of obtaining consent on its website, since the transmission of personal data is unlawful. First, it noted that the data subject could invoke the right to effective judicial remedy, pursuant to Article 79 GDPR, and that this provision does not have a blocking effect for further judicial remedies. Sec
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Cases (0)
No other cases found for RheinMain University of Applied Sciences in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. RheinMain University of Applied Sciences - Germany (2021). Retrieved from cookiefines.eu
Last updated: