Usercentrics CMP and Data Protection – What Belongs in the Privacy Policy

Concise guide to Usercentrics CMP: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

Usercentrics CMP and Data Protection – What Website Operators Need to Know

If a website operator uses the Consent Management Platform (CMP) of Usercentrics, they process consent data and technical data of their website users for the purpose of consent management and compliance proof on the basis of legitimate interests under Art. 6(1)(f) GDPR. Usercentrics acts as a processor in this case. This information is based on the provider's statements and publicly available sources.

A. Purpose and Function of Usercentrics CMP

Usercentrics is a Consent Management Platform (CMP) – a software solution for collecting, managing and documenting the consents of website visitors to the processing of their personal data. The CMP is embedded in the website as JavaScript code and thus supplies the consent that serves as the legal basis for the use of further cookies and tracking tools on the website (such as Google Analytics, Facebook Pixel, etc.).

Integration function: The operator integrates the Usercentrics banner (Consent Management Banner) into their website. When visiting the website, users see a consent banner in which they can consent to or object to the processing of their data. Usercentrics stores this decision and provides the operator with a consent proof API, so that other tools on the website are only activated once consent has been obtained.
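To make the integration function concrete, here is an added illustration of consent-gated tag activation. It is not Usercentrics' own code or API: the category names, the tag list, the script URLs and the `createConsentStore`/`activateTags` helpers are constructed for this example. It shows the three points the text relies on: a per-category consent record with a timestamp and revocation status (the material an operator needs as proof of consent), default deny until a decision exists, and third-party scripts being injected only for granted categories.

```javascript
// Added illustration of consent-gated tag activation. This is not Usercentrics'
// own code or API; categories, tags and script URLs are constructed sample data.

const CATEGORIES = ["essential", "statistics", "marketing"]; // constructed categories

// One decision per category, with the time of the decision and, if revoked
// later, the time of revocation. exportLog() yields the kind of record an
// operator keeps as proof of consent.
function createConsentStore(now = () => new Date().toISOString()) {
  const decisions = new Map();
  return {
    record(category, granted) {
      if (!CATEGORIES.includes(category)) {
        throw new Error(`unknown consent category: ${category}`);
      }
      decisions.set(category, { granted: Boolean(granted), decidedAt: now(), revokedAt: null });
    },
    revoke(category) {
      const d = decisions.get(category);
      if (d && d.granted) {
        d.granted = false;
        d.revokedAt = now();
      }
    },
    // Default deny: a category without a recorded decision counts as rejected.
    // Strictly necessary ("essential") tags never require consent.
    isGranted(category) {
      if (category === "essential") return true;
      const d = decisions.get(category);
      return Boolean(d && d.granted);
    },
    exportLog() {
      return [...decisions.entries()].map(([category, d]) => ({ category, ...d }));
    },
  };
}

// Each third-party tag declares the consent category it depends on.
const SAMPLE_TAGS = [
  { id: "analytics", category: "statistics", src: "https://example.invalid/analytics.js" },
  { id: "ad-pixel", category: "marketing", src: "https://example.invalid/pixel.js" },
  { id: "session", category: "essential", src: "https://example.invalid/session.js" },
];

// Injects every not-yet-loaded tag whose category is granted and returns the
// ids activated in this call. `inject` does the actual insertion so the gating
// logic can run without a DOM; `loaded` prevents double injection across calls.
function activateTags(store, tags, inject = injectScript, loaded = new Set()) {
  const activated = [];
  for (const tag of tags) {
    if (loaded.has(tag.id) || !store.isGranted(tag.category)) continue;
    inject(tag);
    loaded.add(tag.id);
    activated.push(tag.id);
  }
  return activated;
}

function injectScript(tag) {
  if (typeof document === "undefined") return; // no DOM available (e.g. Node)
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  s.dataset.consentCategory = tag.category;
  document.head.appendChild(s);
}

// Worked run: before any decision only the essential tag loads; the user then
// accepts statistics and rejects marketing; later statistics is revoked.
// Note that a script already loaded cannot be unloaded by revocation; the gate
// only stops it from loading again (e.g. on the next page view).
function runDemo() {
  let tick = 0;
  const store = createConsentStore(() => `2026-01-01T00:00:0${tick++}Z`);
  const injected = [];
  const collect = (tag) => injected.push(tag.id);
  const loaded = new Set();

  const beforeDecision = activateTags(store, SAMPLE_TAGS, collect, loaded);
  store.record("statistics", true);
  store.record("marketing", false);
  const afterDecision = activateTags(store, SAMPLE_TAGS, collect, loaded);
  store.revoke("statistics");
  const afterRevocation = activateTags(store, SAMPLE_TAGS, collect, loaded);

  return { beforeDecision, afterDecision, afterRevocation, log: store.exportLog() };
}
```

The design point is that the gate is default-deny and category-based: a tag never runs because a banner happened to be shown, only because a recorded decision for its category is currently granted, and the exported log carries the timestamps that a later audit would ask for.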

B. Mandatory Disclosures in the Privacy Policy regarding Usercentrics

Under the GDPR, the operator must disclose the following information about Usercentrics in their privacy policy:

  • Purpose (Art. 13(1)(c)): Consent management, compliance documentation
  • Legal basis (Art. 13(1)(a), Art. 6(1)(f)): Legitimate interests of the operator in legal compliance
  • Recipient (Art. 13(1)(e)): Usercentrics GmbH as processor
  • Third-country transfer (Art. 13(1)(f)): To be verified by the operator; Usercentrics is based in Munich (EEA)
  • Storage duration (Art. 13(2)(a)): Until consent is revoked; technical implementation to be verified by the operator

Note: Tool-specific text templates ("Privacy policy for Usercentrics") are a poor choice – they are based on product features rather than on the operator's data processing objectives. Better: a topic-oriented structure (e.g. a chapter "Consent Management") with a list of data recipients in the appendix.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Usercentrics: Usercentrics GmbH

D. Data Processing by Usercentrics – Workflow

Collection

When the website is visited, the Usercentrics banner is loaded. The JavaScript code initially collects: browser fingerprint, device identifier, usage behavior in the banner (clicks, view, time spent), IP address.

Storage

Usercentrics stores the collected data and the user's consent decision in a central Usercentrics database. According to the provider: storage in EU data centers; exact retention times to be verified by the operator.

Use

Usercentrics uses the data internally for: improving CMP functionality, analyzing user compliance patterns, platform security.

Sharing

Subprocessors: According to the provider, cloud infrastructure providers (AWS, Google Cloud); the exact list is set out in the DPA appendix. Third-country transfer: To be verified by the operator.

Deletion

Consent data is deleted at the end of the storage period or upon user request. Deletion deadlines: To be requested from the provider.

E. Data Collected when Using Usercentrics

Usercentrics collects various types of user data during consent management. These can be classified into the following standardized data type classes:

  • Web server log data: IP address, date/time/time zone, request URL, referrer, device information
  • Browser information: Browser type, browser version, user agent string
  • Device data: Device type (desktop/tablet/mobile), operating system, display resolution, language setting
  • Interaction data: Clicks in the banner (Accept all / Reject button / Preferences), time spent in the banner, scroll movements
  • User account data: If users log in: username, email address (encrypted), login status
  • Consent data: Which categories accepted/rejected (e.g. "Statistical cookies", "Marketing cookies"), timestamp of the decision, revocation status

F. Purposes of Use when Using Usercentrics

The data is processed for the following purposes:

  • Compliance: Proof of consent vis-à-vis supervisory authorities and in the case of a check (Art. 7(1) GDPR)
  • Legal enforcement: Documentation of user decisions for potential legal disputes
  • Provision of functionality: Technical activation/deactivation of cookies and tracking tools on the website according to user decision
  • General product improvement: Analysis of which user segments give which consents in order to optimize the CMP
  • Security and abuse protection: Detection of suspicious activities, botnets, cookie manipulation

Step 1 – Categorization: Usercentrics is a compliance infrastructure – the operator uses it to obtain consents lawfully.

Step 2 – Legal basis:

  • For the operation of the CMP itself (consent management by the operator): Legitimate interests under Art. 6(1)(f) GDPR. The operator has a legitimate interest in lawfully obtaining and documenting consents – this is not optional under GDPR Art. 7.
  • For Usercentrics as processor: Processor relationship under Art. 28 GDPR with a Data Processing Agreement (DPA).

Note: The operation of Usercentrics itself does not require separate consent from users (it is consent-free), since the CMP software is part of the evidence of the legal basis. This should nevertheless be communicated clearly in the privacy policy.

H. Special Features and Notes regarding Usercentrics

  • Processor relationship required: The operator MUST conclude a Data Processing Agreement (DPA) with Usercentrics. Template: https://usercentrics.com/de/wp-content/uploads/sites/2/2024/12/Usercentrics_DPA_August-2024.pdf
  • Subprocessors: Usercentrics uses cloud infrastructure providers. These must be disclosed in the DPA appendix.
  • Third-country transfers: Most subprocessors are US companies (AWS, Google Cloud). Data protection impact assessment required; Standard Contractual Clauses (SCC) or similar safeguards must be in place.
  • Accountability: The operator must document that the DPA has been concluded (Art. 5(2) GDPR).
  • User rights: Users can revoke consent at any time; Usercentrics must implement this immediately.

I. FAQ on Usercentrics

J. Conclusion and Recommendation regarding Usercentrics

Summary: Usercentrics is a necessary infrastructure for GDPR-compliant cookie and tracking management. However, the operator must establish a processor relationship with Usercentrics (DPA) and document subprocessor transfers.

Common error: Operators create separate "Usercentrics data protection clauses" for their privacy policy, but base them on product features instead of data processing objectives. This is not GDPR-compliant under Art. 12(1) GDPR (transparency requirement). Better: Topic-oriented structure (compliance → consent management) with a list of all recipients in the appendix.

This article serves as general information about Usercentrics and does not replace legal advice in individual cases. As of: 2026-04-22. The information is based on the provider's statements and publicly available sources.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com