In the recently published JENTIS Tracking Report, findings indicate that server-side tracking is moving toward mainstream adoption in key European markets, with DACH and the Nordics leading the trend. Many organisations are shifting from browser-based to server-side tracking to reduce data loss and regain control over their analytics setup, with server-side GTM often considered first due to its promise of better performance, fewer client-side dependencies and a cleaner implementation.
However, from a data protection perspective, this move frequently creates an unexpected problem: server-side GTM does not resolve the core legal risks associated with international data transfers, third-party dependency, and joint controllership.
By contrast, JENTIS was designed as a Privacy Enhancing Technology that embeds GDPR-compliant processing, EU-based hosting, and controllership clarity directly into its architecture.
This article outlines where those risks come from and how an alternative server-side approach like JENTIS resolves them.
The compliance gap in server-side GTM
The perception that server-side GTM ensures compliance stems from the idea that “server-side = safer.” But the technical shift does not change who processes the data, where it is processed, or how it is legally classified.
Risk of joint controllership
The most significant legal concern in server-side GTM setups is the risk of joint controllership under Article 26 GDPR. This arises because Google is not acting as a neutral hosting provider. The processing that takes place via GTM is shaped both by the configuration decisions of the website operator and by Google’s own technical environment and service logic. As a result, both parties take part in determining essential aspects of the processing.
According to the Spirit Legal memorandum, JENTIS processes personal data exclusively on behalf of the website operator, based on that operator’s instructions, and without any independent purpose of its own. This clear allocation of roles is an essential element of GDPR-compliant processing because it allows the operator to document and maintain full responsibility for defining the purpose and scope of data use.
In contrast, GTM introduces a situation in which Google’s role goes beyond simple infrastructure provision. Google determines certain elements of how tags are loaded, how information is transmitted and which technical conditions apply. This creates a shared decision-making structure in which the operator cannot claim exclusive control over the processing. As highlighted in the documentation, such a structure undermines the operator’s ability to fulfil its accountability obligations, because it becomes unclear who is responsible for which part of the processing.
The legal risk is therefore not merely theoretical. When responsibility is shared, demonstrating compliance becomes significantly more complex. The operator cannot unilaterally determine data flows, cannot ensure that processing is limited to the intended purposes and cannot reliably assess or mitigate downstream risks. This is precisely the scenario that the GDPR seeks to avoid through the controller–processor model, where the controller retains full authority and the processor acts only on instruction.
This makes responsibilities less straightforward and can complicate how you demonstrate compliance.
Consent does not automatically fix the problem
Even with consent banners in place, the EDPB’s guidance explains that consent by itself does not resolve the underlying issue when personal data is processed in environments governed by laws that permit broad or disproportionate access by public authorities.
The concern is not the consent mechanism but the legal framework of the country where the data is handled. If the surrounding legal environment allows authorities to request or access data in ways that do not meet European standards, the level of protection required under the GDPR cannot be guaranteed through consent alone. In such cases, organisations must apply additional measures to ensure that the data receives a level of protection that is essentially equivalent to the one provided within the European Union.
The Hanover Administrative Court ruling of March 2025 points in a similar direction on a more practical level by finding that Google Tag Manager already triggers personal data transfers before any user choice and therefore requires explicit consent before activation.
The result is a compliance trap: server-side GTM reduces browser-level complexity, yet the fundamental legal issues remain unchanged. These risks have been highlighted for years, most prominently in the context of the CJEU’s Schrems II ruling, which emphasised the need for strong safeguards when data may be subject to foreign access regimes.
How JENTIS resolves these compliance risks
Legal reviews by Spirit Legal, Fieldfisher, and external technical assessments confirm that JENTIS implements data protection by design and provides a legally robust alternative to server-side GTM.
Clear controller–processor relationship
JENTIS acts exclusively as a data processor within the meaning of Article 28 GDPR. The website operator defines the purposes, categories and scope of the processing, and JENTIS carries out these instructions within a controlled and EU-based technical environment. This structure is confirmed in the legal memoranda and is an essential part of the JENTIS design.
Unlike in server-side GTM setups, there is no situation in which JENTIS determines how the data is used or for what purposes it is processed. The operator decides what is collected, how it is transformed and which third parties may receive it, while JENTIS provides the technical means to execute these decisions. This clarity eliminates the risk of joint controllership because there is no shared decision-making about the essential elements of the processing.
This model also brings practical benefits. Since JENTIS does not introduce its own purposes, operators can document a straightforward controller–processor relationship, rely on a standard Article 28 data processing agreement and avoid the legal uncertainty that arises when third country providers influence the processing flow. The operator retains full governance over data filtering, pseudonymisation and release decisions, and can demonstrate that data handling follows its own policies rather than those of an external platform. This transparency strengthens accountability and makes it easier to meet GDPR requirements for controllership, documentation and security of processing.
EU-based processing and full operator control
With the JENTIS Twin Server architecture, data is handled entirely within the EU and remains under the website operator’s control from the very beginning.
Third-party tools do not access the user’s device directly. Instead, any data sent to them is first passed through the JENTIS environment, where it can be reduced, pseudonymised, or adapted according to the operator’s settings.
This approach supports key GDPR principles such as data minimisation and purpose limitation, while keeping data flows transparent and manageable.
Essential Mode for non-consent situations
When users reject consent, JENTIS enables Essential Mode, a configuration that allows only the technically necessary first-party data processing permitted under:
- Article 5(3) ePrivacy Directive
- §25(2) TDDDG (Germany)
This allows lawful audience measurement without infringing user choice or introducing excessive tracking logic (JENTIS Essential Mode Pack DE).
Privacy-preserving analytics through pseudonymisation
Where consent is lacking, JENTIS provides a GDPR-compliant method to maintain analytical insight.
The Synthetic Users technology creates pseudonymised statistical outputs that reflect real behavioural patterns without allowing attribution to individuals. Fieldfisher (2025) concludes that Synthetic Users qualify as pseudonymised data under Art. 4(5) GDPR, enabling processing based on legitimate interest (Art. 6(1)(f) GDPR) for statistical purposes.

The takeaway
Moving to server-side tracking is a necessary step for modern analytics. But server-side GTM solves technical challenges, not compliance challenges.
The dependency on Google infrastructure, the risk of third-country transfers, and the potential for joint controllership make it a legally fragile solution under EU law.
JENTIS, by contrast, implements EU-based processing, strict controller–processor separation, validated pseudonymisation methods, and legally permissible non-consent modes. This ensures that organisations can operate a high-performance analytics setup without compromising on GDPR obligations.



