Web hosts find themselves in a quandary in some situations. They must uphold their contractual obligations to their customers, whose Data and IP addresses to public authorities under certain circumstances. This is particularly the case with law enforcement agencies. We will explain to you when web hosts have to transmit data and what obligations they are subject to when storing personal data!
Do web hosters have to disclose the IP addresses of their customers?
Web hosters are subject to a variety of obligations and must occasionally deal with the question of whether they have to disclose personal data of their customers. In principle, such an obligation only applies if the web hoster's customers have deposited illegal content. A transfer of data only has to take place if a court order is available. The legal basis in many cases is formed by the principle of good faith, § 242 BGB. Whether there is an obligation to provide information must always be checked in each individual case. In a legal dispute in Bamberg, for example, the court decided that anonymisation services are not obliged to provide information about IP addresses and other customer data if only a minor offence has been committed. Web hosters pay close attention to whether or not they have to pass on customer data. On the one hand, the seriousness or popularity of the webhoster is undermined, which leads to fewer customers and stagnating sales. On the other hand, webhosters fear that they will be sued by their customers for breach of contractual obligations. Although webhosters do not participate in the events apart from making resources available, they are between the fronts and run the risk of being sharply attacked by both sides.
Web hosting and personal data
When using webhosters, numerous personal data are stored. The legal basis for the collection, processing and use of the data results from the Teleservices Data Protection Act (TDDSG) and the Media Services State Treaty (MDStV). The provision of access to the Internet and e-mail services is a telecommunications service, which means that the Telecommunications Act (TKG) applies. Various personal data is collected from web hosts. This includes connection, inventory, usage, content and billing data. Personal data must always be transmitted to a state authority if the web hoster has been given the appropriate legal basis. If the latter does not comply with the request, judicial orders are submitted. Once the demand has been submitted, webhosters must comply with it, i.e. allow the monitoring of an e-mail box, for example. Web hosters do not have to check the content requirements of an order. However, they are obliged to convince themselves that the formal requirements are met. If criminal prosecution authorities are involved, webhosters must implement the corresponding orders and support any monitoring. If they are secret services, webhosters are entitled to provide information, but are under no circumstances obliged to do so.
Basic information on data storage, inventory data and usage data
Web hosts have various personal data of their users. Inventory data is data that is used to establish, structure or amend contracts. Web hosts regularly store name, address, E-mailphone number, date of birth, bank details or credit card number, user ID and IP address. Which inventory data is collected, processed and used in individual cases depends on the technical design of the web hoster and on the individual contracts. Inventory data may only be collected if its collection is absolutely necessary for the web hoster. Accordingly, the web host must require the data in order to fulfill its contractual obligations. As a rule, inventory data is only collected for paid web hosting services. In the case of free services, e-mail addresses are occasionally stored. According to § 35 II No. 3 BDSG inventory data must be deleted as soon as the contractual relationship is terminated, there are no post-contractual claims and there is no need to save the data. Data for telecommunication services must be deleted after termination of the contract according to § 5 III S.1 TDSV at the end of the following calendar year. Exceptions result from § 35 III BDSG, according to which personal data may have to be stored permanently if they are subject to the statutory storage regulations. In such a case, the data will be stored separately for the fulfilment of the documentation obligation and separated from the operative data stock. Usage data is data that is required to enable and invoice web hosting services, see § 6 I TDDSG and § 19 II MDStV. Usage data serves to identify users, to record the start and end of services and as information about the services used. The significance of usage data is immensely high. In contrast to connection data, it not only reveals who communicated with whom at what time: Usage data also shows what content has been transmitted.
Deletion periods and other data
According to § 6 IV TDDSG web hosters are allowed to use and process usage data after the end of the web hosting contract, if it is needed for billing purposes. All other data must be deleted as soon as possible, see § 19 V MDStV. Billing data is usage data that is used for billing purposes. These are usually obtained from the inventory data. In general, all data and IP addresses used must be handed over to state authorities. However, this is only necessary if a court order is available.
