Why is Google Maps necessary

How can Google Maps be integrated in a GDPR-compliant manner?

For years now, a seemingly small feature on company websites has been indispensable: Google Maps. Companies use the digital map to inform customers about the company's location and to inform visitors of the directions and parking options nearby, which make it easier to reach the business premises. Google and data protection - wasn't there something? With this article we would like to show how you can integrate this little helper (almost) in compliance with data protection regulations on websites.

Data transfer to the USA

Only almost? Unfortunately yes! At the latest since the judgment of the European Court of Justice on the Privacy Shield of July 16, 2020, the transfer of personal data is no longer possible 100 percent in compliance with data protection regulations. The Privacy Shield can no longer be considered as a guarantee within the meaning of Art. 46 (2) GDPR. All hopes now basically rest on the standard data protection clauses. These were expressly not overturned by the ECJ in the aforementioned ruling and therefore continue to represent - at least formally - a suitable legal basis for data transfer to the USA.

However, the ECJ gave the European legislator some homework: one must nevertheless ensure that the guarantees, which are so nicely described in the standard data protection clauses, are actually complied with. The ECJ just did not say exactly what these additional measures should look like. And so the data protection world has been trying desperately to find solutions for a good six months now. There have already been many suggestions; most recently, the first guidelines were published by the European Data Protection Board in mid-November 2020. Final results are still a long way off.

Google Maps on commercial websites

One can also point out that Google LLC itself, through its opaque behavior in the past - like other US companies - has contributed its small part to this problem. Nevertheless, many European companies still rely on the numerous services from Google. How do I integrate Google Maps - apart from the Privacy Shield problem - on my website in a data protection-compliant manner?

Privacy policy and integration

In any case, a note must be included in the privacy policy in order to fulfill the information obligations under Art. 13 GDPR. After all, the website operator must inform each user when they access the website about the conditions under which their personal data can be transmitted to a third-party service provider. It is essential to know that when the user clicks on the map, the user's personal data is transferred to Google.

The programming interface “Google Maps API” (application programming interface) is usually required for integration into your own website. The associated API key is a method of uniquely authenticating users, developers or a calling program with an API. The API key is assigned to the respective website after creating a Google account. This enables Google to track map access on the website and assign it to the corresponding Google account. The integration can be done in the following ways:

  • Embed function: This allows you to place an interactive map or a Street View panorama on the website with a simple HTTP request; JavaScript is not required here.
  • JavaScript: With this "classic" method, several functions are offered by Google.

Here you will find a good overview of the different models.

And how do you feel about consent?

Since the ECJ's ruling on the need for consent for cookies, this problem has also become a real perennial issue in data protection law. With the ruling, the ECJ made it clear that there is a general consent requirement for all cookies that are not absolutely necessary for the operation of the website. The setting of these cookies can no longer be based on the legal basis of legitimate interest according to Art. 6 (1) (f) GDPR.

If the use of Google Maps is accompanied by the integration of cookies, these principles must be observed in any case. If cookies are set as part of the integration of Google Maps, they establish - what a surprise - a connection to the Google network. This happens even if the user is not logged into their existing Google account. Although it is undisputed that the use of Google Maps represents a certain added value for the use of a website, it is difficult to justify viewing the setting of a cookie as technically essential. It is therefore important to ensure that the website visitor's consent is obtained beforehand.

Two-click solutions: Shariff Wrapper & Co.

Since personal data may only be transferred to Google after the user has given their consent, so-called two-click solutions are ideal. These technically ensure that the website only transmits the data when the user clicks on the map. This works in such a way that the area on which the map is placed is represented by a graphic that serves as a placeholder. Since this graphic belongs to the actual website, no data is transmitted to third parties when the page is simply called up. There is then the option to include a note for the website users or to link the website's privacy policy.
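The two-click mechanism described above, as an added example (not code from the article or from any of the products it names). The function names, option names, the container id `map`, the image path and the `YOUR_API_KEY` / `PLACE` values are assumptions or placeholders; `externalLoads` is a check that the placeholder state fetches nothing from another origin.

```javascript
// Added example; mountTwoClickMap, externalLoads and the option names are hypothetical.

// Resource URLs under `root` that the browser would fetch from another origin.
function externalLoads(root, pageOrigin) {
  const found = [];
  const walk = (el) => {
    if (el.src && new URL(el.src, pageOrigin).origin !== pageOrigin) found.push(el.src);
    Array.from(el.children || []).forEach(walk);
  };
  walk(root);
  return found;
}

// First state: a local image, a notice and a privacy-policy link.
// The Google iframe is only created inside the click handler.
function mountTwoClickMap(doc, container, opts) {
  const img = doc.createElement("img");
  img.src = opts.placeholderImage;            // served by the website itself
  img.alt = "Map placeholder";
  const note = doc.createElement("p");
  note.textContent = "Clicking 'Load map' transfers personal data to Google.";
  const policy = doc.createElement("a");
  policy.href = opts.privacyUrl;
  policy.textContent = "Privacy policy";
  const button = doc.createElement("button");
  button.textContent = "Load map";
  button.addEventListener("click", () => {
    const frame = doc.createElement("iframe");
    frame.src = opts.embedSrc;                // first request to Google happens here
    frame.title = "Google Maps";
    container.replaceChildren(frame);
  }, { once: true });
  container.replaceChildren(img, note, policy, button);
  return button;
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  const box = document.getElementById("map");  // assumed container id
  if (box) mountTwoClickMap(document, box, {
    placeholderImage: "/img/map-placeholder.png",   // assumed same-origin path
    privacyUrl: "/privacy",                         // assumed path
    embedSrc: "https://www.google.com/maps/embed/v1/place?key=YOUR_API_KEY&q=PLACE",
  });
}
```

Calling `externalLoads(container, location.origin)` in the browser console before the click should return an empty array; any entry means the placeholder itself already contacts a third party.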

In this regard, two-click solutions such as Shariff Wrapper, Embetty and AVADA come into consideration. While Shariff Wrapper and Embetty represent projects from German sources, AVADA belongs to the US provider ThemeFusion. At this point, of course, we must again refer to the problem with the data transfer to the USA ...

Borlabs Cookie: Also for Google Analytics and Matomo

For WordPress websites, there is another option for the largely GDPR-compliant integration of Google Maps. The “Borlabs Cookie” plug-in is a comprehensive solution, as it also provides information on usage, including opt-in. The plugin also recognizes, for example, scripts that run on the website. In addition, the plugin can be used to detect the JavaScript code of other tools (e.g. Google Analytics or Matomo), so that the scripts are only loaded when the user has consented.

On the safe side: without the USA!

So there are many ways to integrate Google Maps in a nearly GDPR-compliant manner. However, if you want to be completely on the safe side, you would still have to do without US service providers completely. Here every company has to decide for itself to what extent it is able to forego the concentrated market power of the big players. There is always a residual risk at the moment. As a European alternative for a map service, OpenStreetMap, for example, is available. The operator's headquarters are in the United Kingdom and therefore no longer in the EU. However, the United Kingdom is not - at least until the end of April - a third country within the meaning of the GDPR.

Overall, time will have to show whether and in what way data transfer to the USA will be possible again in the future - if it ever was - fully compliant with data protection regulations.

About the author

Christopher Schewior, Full lawyer

The digitization of the world is advancing. It is therefore important to protect the privacy of the individual. At the same time, it is my motivation to make companies future-proof when it comes to data protection. Because: data protection concerns us all!

intersoft consulting services AG
