
Google Maps and Data Protection – What Belongs in the Privacy Policy

Concise guide to Google Maps: processed data, purposes, legal bases (GDPR), third-party content, and what website operators must document.

Google Maps and Data Protection – What Website Operators Need to Know

If a website operator embeds Google Maps via iframe or API, they process click paths, web server log data, and coarse location data for the purpose of providing map functionality on the basis of consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). Google Maps is a map service from Google that provides interactive maps, navigation instructions, and location information.

A. Purpose and Function of Google Maps

Google Maps is a cartographic service from Google Ireland Limited that enables website operators to embed interactive maps on their websites – for example to locate and show an office, a shop, a restaurant, or a venue. Users can zoom in on the embedded map, change the view, plan routes, and access location details.

Integration function: Google Maps is typically embedded via an HTML <iframe> element or via the Google Maps API. The iframe loads from a Google server and embeds the map display directly. With the API, JavaScript code is used to load maps dynamically. In both cases, when the page loads, a connection to Google servers is established, cookies are set (in particular Google's NID cookie), and the IP address as well as browser information are transmitted to Google.

B. Mandatory Disclosures in the Privacy Policy on Google Maps

The GDPR requires the following mandatory disclosures in the privacy policy for the use of Google Maps: purposes of data processing (Art. 13(1)(c) GDPR), legal bases (Art. 13(1)(c) GDPR), in the case of legitimate interests additionally the specifically pursued interests (Art. 13(1)(d) GDPR), recipients or categories of recipients (Art. 13(1)(e) GDPR), third-country transfers and their basis (Art. 13(1)(f) GDPR), and the retention period or its criteria (Art. 13(2)(a) GDPR).

It is not necessary to treat Google Maps as its own text template in the privacy policy. The widespread practice of providing a separate section for every tool makes privacy policies long, unwieldy, and difficult to maintain – and runs counter to the transparency requirement of Art. 12(1) GDPR. A topic-oriented approach is more appropriate, explaining external content (maps, videos, social media) in an integrated manner and naming Google Ireland Limited as a recipient in the annex.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Google Maps: Google Ireland Limited

Provider: Google Ireland Limited (controller for EU users)

Full address: Gordon House, Barrow Street, Dublin 4, Ireland

Country of seat: European Economic Area (EEA), Ireland

According to the provider's information, Google Ireland Limited acts as a controller within the meaning of Art. 4(7) GDPR for data processing by Google Maps. The actual data processing is carried out by Google LLC (Mountain View, California, USA) and its sub-processors.

Data Privacy Framework (DPF): According to the provider, Google LLC is certified under the EU-US Data Privacy Framework. Verification at: https://www.dataprivacyframework.gov/participant/5780

Provider's privacy policy: https://policies.google.com/privacy

Data Processing Agreement (DPA): For Google Maps, the operator must verify whether a DPA is required and available.

D. Data Processing by Google Maps – Procedure

Collection

When a page with Google Maps (iframe or API) loads, a connection to Google servers is established. The system records: IP address of the user, browser information (user agent), operating system, device type, timestamp, referrer page, and navigation and interaction data (zooming, panning, search, clicks on POIs). In addition, Google Maps sets cookies, in particular the NID cookie.

Storage

The data collected is transmitted to Google servers (Google LLC in the USA) and stored there. According to the provider's information, Google anonymises certain information in server logs after a few months by truncating IP addresses and cookie information.

Use

The website operator uses Google Maps to provide map functionality and location information. According to the provider's information, Google LLC uses the data collected to improve the Google Maps service, for location data verification, and for traffic analyses. Where users are logged in, the data may be linked with other services via their Google accounts.

Disclosure

Google Maps works with sub-processors (Google Cloud Services, Google partners for map data). Google publishes information on sub-processors on its website.

Deletion

The website operator has no control over the deletion of data that Google collects. Users can delete certain activity data via their Google accounts and adjust tracking settings.

E. Data Collected When Using Google Maps

When the map loads and while it is in use, Google Maps records the IP address of the user, browser and device information, interaction data (zooming, panning, search operations on the map, clicks on points of interest), and cookies for user tracking. Where users are logged in to their Google account, these activities are linked to the account.

This data can be classified into the following standardised data type categories:

  • Web server log data: IP address, date/time/time zone, user agent (browser, operating system), referrer page, status code
  • Click paths: Page on which the map is called, interactions with the map (zooming, search operations, clicks on location markers)
  • Device data: Device type, operating system, screen resolution, orientation
  • Browser information: Browser name, browser version, language
  • Coarse location data: Coarse location determined from the IP address
  • User profiles: Google account data (where logged in), search and navigation history

F. Purposes of Use When Using Google Maps

The website operator uses Google Maps primarily for the provision of map functionality and location information (e.g. to display the office location, a shop, or an event). According to the provider's information, Google LLC uses the data collected to improve the Maps service and to track traffic patterns.

The purposes can be classified as follows:

  • Provision of functionality: Display of interactive maps, navigation instructions, location information, traffic information
  • Security and abuse protection: Detection of bots and unauthorised accesses to the Maps API
  • General product improvement: Non-individual optimisation of map data, improvement of traffic information
  • User profile creation: Creation of interest profiles based on search and navigation history (by Google, where users are logged in)
  • User-individual marketing: Personalised advertising on the basis of location and behavioural data (by Google as an independent controller)

Google Maps is a third-party content service in which external servers (Google) are embedded in the website. The following legal basis typically comes into consideration:

Primary legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG)

Since Google Maps sets cookies and transmits data to Google servers when the page is loaded, the user's consent before loading is regularly the relevant legal basis. Consent is typically obtained via a cookie consent system.

A practical implementation is the two-click system: First, a placeholder/teaser is displayed. The user must actively click in order to load the map. This is regarded as consent to data processing.

The specific legal basis must be examined by the website operator on a case-by-case basis.

H. Special Features and Notes on Google Maps

  • NID cookie: Google sets the NID cookie for usage tracking. This may be regarded as a tracking cookie that may require consent.
  • Data Privacy Framework (DPF): According to the provider, Google LLC is DPF-certified. Verification at: https://www.dataprivacyframework.gov/participant/5780
  • Two-click solution: A privacy-friendly method: First, a teaser/placeholder is displayed. The user must actively click in order to load the map. This makes it possible to obtain consent before data is transferred.
  • Alternatives: OpenStreetMap is an open-source map solution. For mere display of a location, a static map image without third-party requests can also be used.
  • Processing relationship: The operator must verify whether a DPA with Google is to be concluded.
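
The two-click system described in the legal-basis section and in the list above can be implemented as follows. This is an added example, not code from the original page or from Google; the function names, the storage key and the remembered-consent behaviour are assumptions, and `doc` and `storage` are passed in so the logic can be exercised outside a browser.

```javascript
// Added example (not the page's code): two-click loader for a Google Maps iframe.
// No request reaches Google until the visitor activates the placeholder.
const CONSENT_KEY = "consent.googleMaps"; // hypothetical storage key

// Accept only the Google Maps embed endpoint, so a tampered attribute cannot
// turn the placeholder into a loader for arbitrary third-party frames.
function isAllowedEmbedUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && u.hostname === "www.google.com" &&
      (u.pathname === "/maps/embed" || u.pathname.startsWith("/maps/embed/"));
  } catch {
    return false; // not a parseable absolute URL
  }
}

function loadMap(doc, container, embedUrl) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("src", embedUrl);
  frame.setAttribute("title", "Google Maps");
  container.replaceChildren(frame); // inserting the frame triggers the first request to Google
  return frame;
}

// Returns "loaded", "placeholder" or "rejected" so callers can log the state.
function initTwoClickMap(doc, container, embedUrl, storage) {
  if (!isAllowedEmbedUrl(embedUrl)) return "rejected";
  if (storage.getItem(CONSENT_KEY) === "granted") {
    loadMap(doc, container, embedUrl);
    return "loaded";
  }
  const button = doc.createElement("button");
  button.textContent = "Load map (transmits data to Google)";
  button.addEventListener("click", () => {
    storage.setItem(CONSENT_KEY, "granted"); // assumption: choice is remembered
    loadMap(doc, container, embedUrl);
  });
  container.replaceChildren(button);
  return "placeholder";
}

// Withdrawal: the next initTwoClickMap call shows the placeholder again.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}
```

In a browser, call `initTwoClickMap(document, containerElement, embedUrl, window.sessionStorage)`. The placeholder markup itself must not reference Google-hosted images, fonts or scripts, or the connection is established before the click.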

I. FAQ on Google Maps

J. Conclusion and Recommendation on Google Maps

Google Maps is a widely used tool for displaying locations on websites. Since cookies are set and data is transferred to Google servers when the map is loaded, consent is typically the relevant legal basis. According to the provider, the data is transferred to the USA under DPF certification.

It makes little sense to include a separate text template for Google Maps in the privacy policy. This makes the privacy policy long, unwieldy, and difficult to maintain – and runs counter to the transparency requirement of Art. 12(1) GDPR. A topic-oriented approach is more appropriate, describing external content in an integrated manner and naming Google Ireland Limited in the recipient annex. This is precisely the methodology of the matterius generator.

This article serves as general information on Google Maps and does not replace legal advice in individual cases. As of: 2026-04-22. The presentation is based on publicly accessible information from Google, statements by the provider, and current GDPR and TDDDG interpretations. The operator should check that individual facts are still current before relying on them.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
