VG Wiesbaden - 6 L 738/21.WI: Difference between revisions
(→Facts) |
(2 intermediate revisions by the same user not shown) | |||
Line 49: | Line 49: | ||
|Appeal_To_Body= | |Appeal_To_Body= | ||
|Appeal_To_Case_Number_Name= | |Appeal_To_Case_Number_Name= | ||
|Appeal_To_Status= | |Appeal_To_Status=Pending | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
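Review bot: `Appeal_To_Status` is set to `Pending` while `Appeal_To_Body`, `Appeal_To_Case_Number_Name` and `Appeal_To_Link` are left empty, so the infobox asserts a pending appeal without naming the court or a source. The Comment section in this diff names the Hessian Administrative Court in Kassel as the court that would decide. Either fill in `Appeal_To_Body` to match, or leave the status empty until an appeal can be cited.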
Line 56: | Line 56: | ||
}} | }} | ||
The Administrative Court of Wiesbaden ordered the | The Administrative Court of Wiesbaden ordered the RhineMain University of Applied Sciences to stop using the consent manager “Cookiebot” to obtain user’s consent, because website visitor’s personal data was unlawfully transferred to the United States. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Controller is the | Controller is the RhineMain University of Applied Sciences. On its website (https://www.hs-rm.de), it used the consent manager “Cookiebot” to obtain users' consent to the use of cookies, and the "Google Tag Manager". Data subject regularly visits the website to look for specialist literature in their online catalogue, and found that their IP address is automatically transmitted to Google’s server each time they visit the website, without having given consent. In addition to their IP address, all kinds of information on the hardware and software of the user’s terminal device is sent, i.e., the accessed’ website, their operating system and its version, the browser and its version, the screen resolution etc. | ||
Moreover, Cookiebot is a service offered by the Danish provider Cybot. Although the company is established in Denmark, the target domain “consent.cookiebot.com” refers to a server with an IP address registered with the US-based cloud company Akamai Technologies Inc. (hereafter: Akamai). Although the server might be located in the EU, the cloud company has access to the data on this server. Therefore, the US Cloud Act applies, which means that US governmental agencies can request access to this data, without a court order or mutual legal assistance agreement. | Moreover, Cookiebot is a service offered by the Danish provider Cybot. Although the company is established in Denmark, the target domain “consent.cookiebot.com” refers to a server with an IP address registered with the US-based cloud company Akamai Technologies Inc. (hereafter: Akamai). Although the server might be located in the EU, the cloud company has access to the data on this server. Therefore, the US Cloud Act applies, which means that US governmental agencies can request access to this data, without a court order or mutual legal assistance agreement. | ||
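Review bot: The rewritten lead sentence and Facts paragraph have possessive and apostrophe errors. "user’s consent" and "website visitor’s personal data" should be plural ("users’ consent", "website visitors’ personal data"), matching "users' consent" later in the Facts paragraph, and "the accessed’ website" has a stray apostrophe. "Data subject regularly visits" also needs an article. Separately, the Facts text states as settled that the Cloud Act allows access "without a court order or mutual legal assistance agreement", whereas paragraphs 6 and 7 of the decision report this as the applicant's submission. Attribute it accordingly.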
Line 75: | Line 75: | ||
== Comment == | == Comment == | ||
Although one must consider that this decision is one of the first decisions in this particular field, and there is not a lot of case law to build on, one can also ask questions about the Court's reasoning. First, the Court never evaluated whether a transfer actually occurred, but it ''assumed'' it. Second, although the Court acknowledged the use of standard contractual clauses, the Court did not refer to the SCC's in its decision, and only discussed the lawfulness of the data transfer in relation to [[Article 48 GDPR|Article 48]] and [[Article 49 GDPR]]. Third, the Court never assessed whether the US Cloud Act would undermine the SCC's as safeguards. | |||
However, it seems that the University have lodged an appeal against this decision, since the decision has been made more than two weeks ago, and a party must lodge an appeal within two weeks of the decision pursuant to § 146 (1) VwGO. Hence, it will be the Hessian Administrative Court in Kassel that will decide whether the reasoning of the Administrative Court of Wiesbaden will be upheld. | |||
== Further Resources == | == Further Resources == | ||
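Review bot: The second Comment paragraph infers that an appeal was lodged from the fact that more than two weeks have passed since the decision. Expiry of the two-week period under § 146 (1) VwGO shows only that the deadline has run, not that an appeal was filed. Cite a source for the appeal or phrase the sentence as unknown, and keep it consistent with the `Appeal_To_Status` field. Minor style points: "the University have" should read "the University has", and "SCC's" should read "SCCs" in all three places.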
Line 86: | Line 86: | ||
<pre> | <pre> | ||
Subject | |||
Interim prohibition of the use of the "C[xxx]-Bot" content service | |||
Tenor | |||
The proceedings are discontinued insofar as they have been declared closed by mutual agreement. | |||
The defendant is prohibited by way of interim injunction from integrating the "C[xxx]bot" service for the purpose of obtaining consents in such a way that personal or referable data of the applicant (including his IP address) are transmitted to servers operated by companies of the Akamai Technologies Inc. group, including the server "consent.c[xxx]bot.com". | |||
This order is valid until the final conclusion of the main proceedings, which must be initiated within four weeks after notification of this decision. Otherwise, the order shall lose its effect four weeks after notification. | |||
The costs of the proceedings shall be set off against each other. | |||
The value in dispute is set at 5,000 euros. | |||
Reasons | |||
I. | |||
1 | |||
The applicant still seeks a ban on the integration of the service "C[xxx]bot" on the website of the defendant (www.hs-rm.de) after a concurrent declaration of settlement. | |||
2 | |||
The applicant states that he regularly inquires as a user in the online catalogue of the university library on the website of the defendant about available specialist literature. He had noticed that his personal data were transmitted to third parties in an inadmissible manner. | |||
3 | |||
In a letter dated 26.5.2021, the applicant sent the respondent a warning for various infringements and requested the respondent to issue a cease-and-desist declaration with penalty clause regarding the services "G[xxx] Tag Manager" and "C[xxx]bot". | |||
4 | |||
The "G[xxx] Tag Manager" is a service intended to facilitate the integration of other code fragments and thus other services into a website. "C[xxx]bot", according to the service's website (www.c[xxx]bot.com/en/), makes it possible to obtain the consent of the users of a website to the use of cookies. The service monitors the cookies used and blocks those cookies for which consent has not been given. | |||
5 | |||
With regard to the service "G[xxx] Tag Manager", the applicant states that his IP address is transmitted to G.'s servers every time a page is called up, without consent having been given. In addition, as a result of the contact between the user's computer and the G. server initiated by the defendant, G. read out further information about the hardware and software of the user's terminal device and was able to evaluate it. This concerned the internet page accessed, the operating system and its version, the browser used and its version, the language and number of colours set, the type of screen (e.g. touch screen), the screen resolution, the support of script languages and the fonts of plug-ins installed on the computer. This information combined to create a unique digital fingerprint of the user, because no other person had exactly the same combination of all parameters at the same time. This would enable G. to create surfing profiles. | |||
6 | |||
With regard to the service "C[xxx]bot", a consent manager of the Danish provider Cy. A/S, the applicant states that the same data as for the "G. Tag Manager" are transmitted to C[xxx]bot. This service is offered by a company based in Denmark. However, the target domain consent.c[xxx]bot.com refers to a server with an IP address registered to the US-based cloud hosting company Ak. Technologies Inc., a cloud hosting company based in the USA. Even though the server may be located in the EU, the US company has access to it, so the US Cloud Act applies. | |||
7 | |||
Under the Cloud Act, US government agencies could request personal data from US companies unilaterally, without a court order and without a mutual legal assistance agreement. This contradicts Articles 7, 8, 11 and 52 (1) GrCh and the interpretation of these norms by the ECJ, according to which official access to traffic data is only permitted in cases of suspicion of serious crime and is subject to the reservation of the judge or an independent authority. The US legal situation, on the other hand, allows the initial suspicion of any crime to suffice. Thus, the respondent, as the controller, exposed the applicant's personal data to the risk of unauthorised access, which constituted a breach of confidentiality under Article 32(1)(b) of the GDPR. | |||
8 | |||
Since 3 (letter to the applicant dated 7.6.2021) or 2.6.2021 (letter dated 22.7.2021), the respondent, according to its information, no longer uses the G. Tag Manager. It informed the applicant of this in a letter dated 7.6.2021. | |||
9 | |||
By letter of 7.6.2021, the respondent refused to give the cease-and-desist undertaking. | |||
10 | |||
On 8.6.2021 the applicant applied for interim relief. | |||
11 | |||
He essentially relies on the grounds of his warning to the respondent. Furthermore, he is of the opinion that the respondent, as a public body, cannot rely on Article 6(1)(f) of the GDPR, since, according to the last sentence of Article 6(1) of the GDPR, this does not apply to processing carried out by public authorities in the performance of their tasks. | |||
12 | |||
Finally, he doubts the necessity of the consent manager "C[xxx]bot". This is because the consent for cookies obtained by the service is invalid because the consent checkbox for "Statistics" is set by default and thus no unambiguous consent within the meaning of Article 4(11) of the GDPR is generated. The consent could also not be revoked, as the corresponding banner was hidden after consent had been given. | |||
13 | |||
The respondent had not concluded any standard contractual clauses with Cy. It was also not sufficient for Cy. to have agreed certain standard data protection clauses with its contractor Ak. The submitted standard contractual clause between Cy. and Ak. lacks supplementary safeguards against unauthorised data transfers to the USA. | |||
14 | |||
In this respect, Cy. and the defendant were jointly responsible. This is because the defendant transfers user data to Cy. for the administration of the consents granted and determines the processing purposes. Cy. is responsible for the technical design and helps to determine the means of processing, as Cy. decides on the categories of data collected. However, the respondent could also use services running in the EU which did not use US sub-processors such as Ak. Technologies. | |||
15 | |||
The right to an injunction arises from the fact that the applicant's personal data is transferred to insecure third countries and the subsequent retrieval and deletion of that data is impossible. The respondent could achieve its processing objectives as countervailing interests through alternative products that refrained from transferring data to third countries. After extensive pleadings had already been exchanged in the summary proceedings, the added value of main proceedings was low. | |||
16 | |||
After the applicant declared the proceedings with regard to the "G. Tag Manager" to be settled at the hearing on 1.9.2021, it now still applies for the defendant to be ordered to pay the costs of the proceedings, | |||
to prohibit the respondent by way of an interim injunction pursuant to § 123 VwGO from integrating the service "C[xxx]bot" for the purpose of obtaining consents in such a way that personal data or data that can be related to personal data of the applicant (including his IP address) are transmitted to companies of the Ak. Technologies Inc. group companies, in particular by transmitting it to the server "consent.c[xxx]bot.com". | |||
17 | |||
The defendant joined in the declaration of satisfaction and otherwise requested that the application be rejected, | |||
to dismiss the application. | |||
18 | |||
It submits the entry on C[xxx]bot in its list of processing activities, divided into the sections "Shared responsibility" and "Commissioned processing", whereby in the latter section the deletion period for the data type cookieconsent is noted as 12 months and for the data type IP address "With purpose fulfilment". With Cy. A/S, the provider of C[xxx]bot, no standard contractual clause had been concluded. The standard contractual clause concluded between Cy. A/S and Ak. Technologies, is submitted by the defendant as an unfilled blank contract of the "Standard Contractual Clauses (Processors)" or in the original text Standard Contractual Clauses (Processors) (p. 191 et seq. of the court file). | |||
19 | |||
It is of the opinion that the application is not admissible. Articles 12 to 22 of the GDPR do not give rise to an individual claim for an injunction which the applicant is asserting. In particular, Article 79 of the GDPR precludes recourse to Section 1004 of the German Civil Code. The applicant also sought a prohibited anticipation of the merits of the case. It was not apparent what serious and unreasonable disadvantages the applicant would suffer as a consequence of the use of the services in dispute until a decision in the main action. In any case, the fundamental right to informational self-determination was not violated beyond the margins of the fundamental right, since the dynamic shortened IP address that would be processed via the services at issue did not reveal any relevant information about the applicant. | |||
20 | |||
Furthermore, the service C[xxx]bot had been used lawfully. The operation of the website www.hs-rm.de was necessary for public relations pursuant to § 12 para. 5 sentence 4 and para. 6 sentence 1 of the Hessian Higher Education Act (HHG). In order to operate the website, it was necessary to use cookies that were not only technically necessary, for which the consent of the persons concerned had to be obtained. C[xxx]bot is used for this purpose as a consent management system. | |||
21 | |||
Only the anonymised IP address with the last three digits set to zero, the date and time of the consent, the user agent of the browser of the data subject, the URL from which the consent was sent, an anonymous, random and encrypted key as well as the consent status of the data subject are transmitted to Cy. | |||
22 | |||
Insofar as an unabbreviated IP address is transmitted to the server of Ak.-Technologies Inc. to establish a technically necessary connection to the servers, this is not processed or stored. Effective consent to data processing could be obtained via C[xxx]bot. Even a faulty consent would only lead to a legally unjustified use of cookies or cookie-based services, but would have no effect on the integration of the consent management system. The respondent and Cy. A/S were not jointly responsible persons, but separately responsible persons, because Cy. A/S and the respondent do not jointly decide on the purposes and means of the processing. Cy. A/S is also not a processor, as it does not process any data. Ak. Technologies Inc. is exclusively a processor of Cy. A/S, there is no subcontracting relationship with the respondent. Accordingly, the transmission between Cy. A/S and Ak. Technologies Inc. was the sole responsibility of Cy. A/S. The respondent had no influence on this. | |||
23 | |||
Finally, there is also no reason for an injunction. The requested regulation order was not necessary to avert substantial disadvantages or to prevent imminent violence. The encroachment through the processing of dynamic, shortened IP addresses was in any case extremely small, as it did not involve sensitive data. The applicant also did not suffer a substantial infringement of his fundamental right, as the alleged loss of control over his data did not exist. In contrast, the respondent had a substantial interest in continuing to be able to obtain consent for cookies on its website, for which it could not use any other service due to contractual obligations with the old service. | |||
24 | |||
With regard to the list of processing activities of the respondent, the applicant replicates that no information on deletion periods is included. The fact that the sub-processor of Cy. A/S is A. Technologies GmbH does not change the fact that the infrastructure of the parent company Ak. Technologies Inc. was used and thus the transfer to the US company was made possible. The categories of data indicated were not complete. The applicant disputes the encryption of the transmitted data as alleged in the directory. Since clear data was obviously processed by the Ak. server, it could in any case only be a case of transport encryption, in which the sender and recipient IP address and other usage data were necessarily transmitted in clear text. This therefore does not constitute a sufficient protective measure in the sense of the ECJ's Schrems II ruling. | |||
25 | |||
At the hearing on 1 September 2021, in addition to the parties to the present emergency application, Mr W. was also present as an expert for the Hessian Data Protection Commissioner and was heard. Please refer to the minutes of the hearing for the content of the statements. | |||
26 | |||
For further details of the facts of the case and the dispute, reference is made to the contents of the documents in the court file which were the subject of the decision. | |||
II. | |||
27 | |||
Insofar as the proceedings were declared closed by mutual agreement, they are to be discontinued, § 92.3 sentence 1 VwGO analogously. | |||
28 | |||
In all other respects, the applicant's application is admissible and well-founded. The defendant is obliged to terminate the integration of the service "C[xxx]bot" for the purpose of obtaining consent on its website www.hs-rm.de, as the integration is accompanied by the unlawful transmission of personal data of the website users and thus in particular of the applicant. | |||
29 | |||
Pursuant to § 123 (1) sentence 2 VwGO, which is the only provision that comes into consideration here, the court may, upon application, issue an interim injunction to regulate a provisional state of affairs with regard to a legal relationship at issue, even before an action has been filed, if this regulation appears necessary, especially in the case of permanent legal relationships, in order to avert substantial disadvantages or to prevent imminent violence or for other reasons. The factual prerequisites of the asserted claim and the reason for the necessary provisional settlement must be made credible (section 920 subs. 2 ZPO in conjunction with section 123 subs. 3 VwGO). | |||
30 | |||
The applicant is entitled to injunctive relief under public law pursuant to § 1004 of the German Civil Code (BGB) analogously in conjunction with Article 79(1) and Article 5(1)(a) of the GDPR. | |||
31 | |||
Pursuant to Article 79(1) of the GDPR, every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data which does not comply with this Regulation. The phrase "rights under this Regulation" is not a reference (alone) to Chapter 3 of the GDPR ("data subject's rights"). In addition to rights to which the data subject is entitled "by virtue of" the GDPR, violated rights may also be rights "by virtue of" the Regulation, i.e. also rights granted by other legal acts (cf. recital 146, sentence 5). The prerequisite for the facts is thus an infringement of the data subject by a processing of personal data that does not comply with substantive data protection law (cf. Paal/Pauly/Martini, 3rd ed. 2021, GDPR Art. 79 para. 19; BeckOK DatenschutzR/Mundil, 37th ed. 1.2.2020, GDPR Art. 79 para. 4). | |||
32 | |||
Contrary to the view of the defendant, Article 79 of the GDPR does not have the effect of blocking further judicial remedies. This is because the enumeration of the "administrative or extrajudicial remedy", which is to apply without prejudice to Art. 79 GDPR, is not an exhaustive list of further available remedies. This also does not follow from recitals 9, 11 and 13 of the GDPR, which speak of a "uniform level of protection". For it does not follow from this that stricter regulations in national law should not be valid. It would also contradict the principle of effectiveness of European law as well as the right to an "effective" judicial remedy pursuant to Art. 79 GDPR to deny the applicant legal protection in judicial proceedings and instead refer him to a complaint to the supervisory authority pursuant to Art. 77 GDPR. | |||
33 | |||
The requirements for injunctive relief under public law are fulfilled. The applicant's legally protected interests are impaired by a sovereign measure. | |||
34 | |||
The website is not privately operated by the respondent. Rather, the use of the "C[xxx]bot" service is carried out as part of the public relations work of the higher education institution (section 12(5) sentence 4, (6) sentence 1 of the HHG) and thus as a sovereign measure. | |||
35 | |||
The applicant's right to lawful processing of his personal data, which follows from Art. 6(1) DS-GVO, Art. 7, 8 EU Charter of Fundamental Rights (GrCh), is violated by the respondent's use of "C[xxx]bot". | |||
36 | |||
a) To the conviction of the court, the defendant processes the applicant's unabbreviated IP address on its website www.hs-rm.de, among other things. This is done by using the "C[x]" service offered by the company Cy. A/S, which in turn stores and processes the full IP address of the website user. The fact that, contrary to the view of the defendant, it is the full IP address and not a shortened IP address is clear from the information provided by Cy. itself (Annex AS 33, p. 668 of the court file) as well as from the order processing agreement provided by Ak. for its clients, which in its Annex I, No. 2b contains the provision that Ak. processes personal data contained in log files when providing the services to the client. The data included, inter alia, the IP address of the end users, the URLs of the visited websites with timestamps with associated IP address, the geographical location based on the IP address as well as telemetry data (p. 659 of the court file). In addition, the representative of the Hessian Data Protection Commissioner also comprehensibly stated in his written statement of 20 October 2021 that "the logging of complete IP addresses by providers of internet services regularly takes place within the framework of usual purposes, such as the trouble-free operation of such services". | |||
37 | |||
The respondent has also not substantiatedly countered these statements. It does claim that only an anonymised IP address is transmitted, in which the last three digits are set to zero. However, this is contradicted by Cy.'s own statement to the contrary. Even if the service C[xxx]bot only transmits the unabbreviated IP address when it is loaded for the first time, this is still a processing operation that is significant under data protection law. The collection and transmission of personal data already constitutes processing pursuant to Article 4(2) of the GDPR. | |||
38 | |||
The unabbreviated IP address also constitutes personal data, because the IP address enables the precise identification of users (see ECJ, judgment of 19.10.2016 - C-582/14; BGH, judgment of 16.5.2017 - VI ZR 135/13; ECJ, judgment of 24 November 2011 - C-70/10, para. 51). It is true that Cy. claims in the notification that Ak. does not store or process any personal data of the end users. However, this is contradicted by the fact that, as explained above, the full IP address of the end users is processed. | |||
39 | |||
The provider Cy. A/S uses the services of the company Ak. Technologies Inc. for the service "C[xxx]bot" by using server capacities of Ak. This results not least from the communication of the Cy. company to a Ms. A. B. or, according to the applicant, to the latter (Annex AS 33, p. 671 of the court file). Contrary to the view of the respondent, it is completely irrelevant to whom the information was given. There are no indications that this is not a genuine correspondence. Accordingly, Cy. uses Ak.'s Content Delivery Network to retrieve the C[xxx]bot consent script, which is located on an Ak. server. | |||
40 | |||
As the processed data, i.e. also the personal data of the applicant, are processed on servers of Ak., a data transfer to a third country, namely the USA, takes place pursuant to Art. 44 DS-GVO. It is irrelevant whether the concrete contractual partner of Cy. A/S is the company Ak. Technologies Inc. or the company A. Technologies GmbH. In any case, the company headquarters is located in Cambridge, Massachusetts, USA (https://www.Ak..com/de/company/facts-figures; last accessed on 23.11.2021). This is a non-permissible transfer according to Art. 48, 49 DS-GVO. | |||
41 | |||
This is because Ak. Technologies Inc., as a US company, is subject to the US Cloud Act, a US federal law of 6.2.2018. According to this law, US providers of electronic communication or remote computing services are obliged to disclose all data in their possession, custody or control, regardless of whether the data is stored inside or outside the USA (Title 18 U. S. C. § 2713) (cf. Kühling/Buchner/Schröder, 3rd ed. 2020, GDPR Art. 48 para. 25). | |||
42 | |||
According to Art. 48 GDPR, a transfer of personal data on the basis of a decision of a foreign court or administrative authority may in principle only take place if it can be based on an international agreement in force, such as a mutual legal assistance agreement between the requesting third country and the European Union or a member state. Since such an international agreement between the EU and the US, which could serve as a legal basis for a data transfer, does not exist (cf. Kühling/Buchner/Schröder, 3rd ed. 2020, DS-GVO Art. 48 para. 26), Art. 49 DS-GVO applies, according to which a data transfer to a third country is only permissible under one of the conditions set out in Art. 49(1) p. 1 lit. a) to f) and p. 2 DS-GVO. | |||
43 | |||
None of the conditions set out in Art. 49 (1), sentences 1 and 2 of the GDPR are met in the present case. It is undisputed that a user of the website www.hs-rm.de is not asked for his or her consent for the transfer to the USA and is also not informed about the possible risks involved (Art. 49 para. 1 sentence 1 lit. a) of the GDPR). The transfer is also not necessary for important reasons of public interest (Art. 49 (1) sentence 1 lit. d) DS-GVO). Irrespective of whether the public relations work of the respondent constitutes such a public interest, a data transfer to the USA is not necessary for this purpose in any case. The other possible conditions of Article 49 (1) sentence 1 of the GDPR are obviously not relevant either. Article 49 (1) sentence 2 of the GDPR is already not applicable because the data transfer takes place with regard to countless website users, i.e. it neither "does not occur repeatedly" nor concerns a limited number of data subjects. It is therefore no longer relevant whether the "other provisions" of the GDPR, in particular Art. 5, 6 GDPR, are complied with, the requirements of which must also be met in the case of a data transfer to a third country pursuant to Art. 44 GDPR. | |||
44 | |||
The respondent is also responsible for this data processing within the meaning of Article 24, Article 4(7) of the GDPR. Accordingly, the controller is the body which alone or jointly with others determines the purposes and means of the processing of personal data. This is the case here. By deciding to use the service "C[xxx]bot" on its website, the respondent decides in any case on the means of data processing. For merely by integrating the service on its website, it decides that the collection and transmission of the website users' personal data, which also takes place on Ak.'s servers, will take place. It also decides, at least indirectly, on the purposes of the processing. For in knowledge of the information provided by Cy. and Ak., which it has obtained at the latest in the course of the present proceedings, it can decide in favour of or against the service being used on its website and thus data processing possibly also taking place for the purposes specified by Cy. or Ak. or, conversely, by removing the service it can ensure that data processing for these purposes no longer takes place. It may no longer be jointly responsible for subsequent operations, such as storage and use by Ak., as this is a different phase of data processing (see ECJ, judgment of 29.07.2019 - C-40/17 - Fashion-ID, paras 79, 84). Ak. is responsible for the collection and transmission directly triggered by the integration of the service on the defendant's website. For the responsibility of an actor, in particular in the context of joint responsibility, it is also irrelevant according to the case law of the ECJ that each responsible party has access to the personal data in question (ECJ, judgment of 10.7.2018 - C-25/17 - Jehovah's Witnesses, para. 69). | |||
45 | |||
b) Furthermore, a processing of personal data also takes place by setting a so-called cookie key in connection with the other transmitted data. This results from the illustrative statement of the representative of the Hessian Data Protection Commissioner. The latter visualised the content of a cookie set by C[xxx]bot in text form: | |||
illustration of the decision | |||
46 | |||
He then explained in a comprehensible manner that the value "stamp" (yellow) is presumably an ID that identifies the website visitor. This is supported in particular by the fact that the value is consistent over several website visits, but changes when the existing cookies are deleted. The green, blue, red and pink values then represented the website user's selection of certain categories of cookies (green), the version of the C[xxx]bot consent banner (blue), the time the banner was activated (red) and the geographical region from which the website user comes (pink). | |||
47 | |||
The representative of the Hessian Data Protection Commissioner then explains that the value "stamp" (yellow) does represent an ID or a "key" or "fingerprint". However, this in itself did not actually allow the identification of a specific natural person. However, this is possible in combination with the IP address that is also transmitted. | |||
48 | |||
The court was convinced that this was the case. According to C[xxx]bot's "Privacy Policy" (https://www.C[xxx]bot.com/en/privacy-policy/, last accessed on 26.11.2021), C[xxx]bot also stores an "anonymous, random and encrypted" key in the end user's browser, which allows the website to "automatically read and follow the end user's consent in all subsequent page requests and future end user sessions for up to 12 months". The key can therefore be uniquely associated with the website user and their cookie preferences, otherwise the service would not be able to associate the website user and their previously stated cookie preferences. Together with the likewise transmitted (see above) unabbreviated IP address of the website user, the user is thus clearly identifiable by C[xxx]bot. The key may be "anonymous" in that it cannot be linked to the name of the end user. However, this does not preclude individualisation with the help of the other existing data about the end user, because the user can be identified due to the storage of the key, even if his name is not known. This means that it is a personal data. | |||
49 | |||
It does not matter whether the defendant is the controller alone or jointly with another entity, such as the companies Cy. or Ak. Pursuant to Article 26(3) of the GDPR, the data subject may assert his or her rights under the GDPR in the event of joint responsibility with and against each of the controllers. | |||
50 | |||
3 The impairment is also still ongoing. Since, according to the respondent, the "C[xxx]bot" service is still integrated on its website, there is a renewed risk of the infringement described above every time the website is used. | |||
51 | |||
The infringement of the applicant's rights can only be stopped by removing the service from the website altogether. A partial shutdown of the service vis-à-vis the applicant is naturally not possible. Therefore, the respondent is obliged to remove the service "C[xxx]bot" from its website. | |||
52 | |||
With the present summary proceedings, the applicant can only achieve a provisional settlement of the current situation. A final settlement is reserved for the main proceedings. | |||
53 | |||
For this reason, the order is limited to four weeks from notification in the event that main proceedings are not brought within four weeks of notification of this decision by the applicant. Otherwise, this order shall lose its effect. | |||
54 | |||
The decision on costs shall be made in accordance with § 154 (1) and § 161 (2) VwGO. | |||
55 | |||
Insofar as the proceedings have been declared closed, the applicant must be ordered to pay the costs of the proceedings, since the respondent already informed the applicant by letter of 7 June 2021 that it was no longer using Google Tag Manager, but the applicant did not file the present application until 8 June 2021 and thus after the occurrence of the closing event. The applicant's interest in the two applications originally filed is similar, so that the costs are to be set off against each other. | |||
56 | |||
Insofar as the applicant was successful in the interlocutory proceedings, the costs were to be ordered against the respondent. | |||
57 | |||
The determination of the amount in dispute follows from § 52.2, § 53.2 no. 2 GKG. Since the state of the facts and the dispute do not provide sufficient indications for the determination of the amount in dispute, an amount in dispute of EUR 5,000 each is to be assumed for the claim regarding the service "Google Tag Manager" and regarding the service "C[xxx]bot". This is to be halved in each case in the proceedings for interim relief (cf. no. 1.5 of the catalogue of amounts in dispute for administrative jurisdiction). | |||
</pre> | </pre> |
Latest revision as of 09:07, 22 December 2021
VG Wiesbaden - 6 L 738/21.WI | |
---|---|
Court: | VG Wiesbaden (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 4(7) GDPR, Article 24 GDPR, Article 48 GDPR, Article 49 GDPR, Article 79 GDPR |
Decided: | 01.12.2021 |
Published: | |
Parties: | RheinMain University of Applied Sciences |
National Case Number/Name: | 6 L 738/21.WI |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Pending |
Original Language(s): | German |
Original Source: | rewis.io (in German) |
Initial Contributor: | Giel Ritzen |
The Administrative Court of Wiesbaden ordered the RhineMain University of Applied Sciences to stop using the consent manager “Cookiebot” to obtain users’ consent, because website visitors’ personal data was unlawfully transferred to the United States.
English Summary
Facts
The controller is the RhineMain University of Applied Sciences. On its website (https://www.hs-rm.de), it used the consent manager “Cookiebot” to obtain users' consent to the use of cookies, and the "Google Tag Manager". The data subject regularly visits the website to look for specialist literature in its online catalogue, and found that their IP address is automatically transmitted to Google’s server each time they visit the website, without having given consent. In addition to their IP address, all kinds of information on the hardware and software of the user’s terminal device is sent, i.e., the accessed website, their operating system and its version, the browser and its version, the screen resolution etc.
Moreover, Cookiebot is a service offered by the Danish provider Cybot. Although the company is established in Denmark, the target domain “consent.cookiebot.com” refers to a server with an IP address registered with the US-based cloud company Akamai Technologies Inc. (hereafter: Akamai). Although the server might be located in the EU, the cloud company has access to the data on this server. Therefore, the US Cloud Act applies, which means that US governmental agencies can request access to this data, without a court order or mutual legal assistance agreement.
After the data subject had written three warning letters to the controller, the latter responded on 7 June 2021 that it no longer used the Google Tag Manager, but refused to submit to the obligation to cease and desist regarding Cookiebot. Hence, on 8 June 2021, the data subject applied for interim relief.
Holding
The Court upheld the appeal and ordered the controller to terminate the integration of Cookiebot for the purpose of obtaining consent on its website, since the transmission of personal data is unlawful.
First, it noted that the data subject could invoke the right to an effective judicial remedy, pursuant to Article 79 GDPR, and that this provision does not have a blocking effect for further judicial remedies. Second, the Court confirmed that the conditions of the right to injunctive relief have been fulfilled. It considered that the controller processes the unabridged IP address of the data subject, after which the company behind “Cookiebot”, Cybot, also processes this IP address. Although the controller claimed that this was an anonymised version of the IP address, it follows from the information provided by Cybot that this is not the case. Moreover, the Court noted, referring to Breyer (Case C-582/14), that an IP address is personal data. Because Cybot uses the processing services of Akamai by storing their data on its servers, a data transfer to a third country, namely the USA, takes place. The Court acknowledged that the data might be stored on the servers of the European affiliate of Akamai, namely A Technologies GmbH. However, according to the Court, this was irrelevant since the company's headquarters are located in Cambridge, Massachusetts, USA.
Then, the Court stated that this transfer is inadmissible according to Article 48 and Article 49 GDPR. Because Akamai is an American company, it is subject to the US Cloud Act, and therefore obliged to disclose all data in its possession. There is no international agreement between the EU and USA to serve as a legal basis, so Article 48 GDPR does not apply. Moreover, the Court considered that none of the conditions referred to in Article 49(1) and Article 49(2) GDPR is fulfilled, so this provision does not apply either. Lastly, the Court stipulated that the controller is responsible for the data transfer, pursuant to Article 24, in conjunction with Article 4(7) GDPR, although the controller does not transmit the data itself. The Court concluded that, because the controller embedded Cookiebot on its website, it indirectly decided on the purposes of the processing.
Comment
Although one must consider that this decision is one of the first decisions in this particular field, and there is not a lot of case law to build on, one can also ask questions about the Court's reasoning. First, the Court never evaluated whether a transfer actually occurred, but assumed it. Second, although the Court acknowledged the use of standard contractual clauses, the Court did not refer to the SCCs in its decision, and only discussed the lawfulness of the data transfer in relation to Article 48 and Article 49 GDPR. Third, the Court never assessed whether the US Cloud Act would undermine the SCCs as safeguards.
However, it seems that the University has lodged an appeal against this decision, since the decision was made more than two weeks ago, and a party must lodge an appeal within two weeks of the decision pursuant to § 146 (1) VwGO. Hence, it will be the Hessian Administrative Court in Kassel that will decide whether the reasoning of the Administrative Court of Wiesbaden will be upheld.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Subject
Interim prohibition of the use of the "C[xxx]-Bot" content service
Tenor
The proceedings are discontinued insofar as they have been declared closed by mutual agreement.
The defendant is prohibited by way of interim injunction from integrating the "C[xxx]bot" service for the purpose of obtaining consents in such a way that personal or referable data of the applicant (including his IP address) are transmitted to servers operated by companies of the Akamai Technologies Inc. group, including the server "consent.c[xxx]bot.com".
This order is valid until the final conclusion of the main proceedings, which must be initiated within four weeks after notification of this decision. Otherwise, the order shall lose its effect four weeks after notification.
The costs of the proceedings shall be set off against each other.
The value in dispute is set at 5,000 euros.
Reasons
I.
1 The applicant still seeks a ban on the integration of the service "C[xxx]bot" on the website of the defendant (www.hs-rm.de) after a concurrent declaration of settlement.
2 The applicant states that he regularly inquires as a user in the online catalogue of the university library on the website of the defendant about available specialist literature. He had noticed that his personal data were transmitted to third parties in an inadmissible manner.
3 In a letter dated 26.5.2021, the applicant sent the respondent a warning for various infringements and requested the respondent to issue a cease-and-desist declaration with penalty clause regarding the services "G[xxx] Tag Manager" and "C[xxx]bot".
4 The "G[xxx] Tag Manager" is a service intended to facilitate the integration of other code fragments and thus other services into a website. "C[xxx]bot", according to the service's website (www.c[xxx]bot.com/en/), makes it possible to obtain the consent of the users of a website to the use of cookies. The service monitors the cookies used and blocks those cookies for which consent has not been given.
5 With regard to the service "G[xxx] Tag Manager", the applicant states that his IP address is transmitted to G.'s servers every time a page is called up, without consent having been given. In addition, as a result of the contact between the user's computer and the G. server initiated by the defendant, G. read out further information about the hardware and software of the user's terminal device and was able to evaluate it. This concerned the internet page accessed, the operating system and its version, the browser used and its version, the language and number of colours set, the type of screen (e.g. touch screen), the screen resolution, the support of script languages and the fonts of plug-ins installed on the computer. This information combined to create a unique digital fingerprint of the user, because no other person had exactly the same combination of all parameters at the same time. This would enable G. to create surfing profiles.
6 With regard to the service "C[xxx]bot", a consent manager of the Danish provider Cy. A/S, the applicant states that the same data as for the "G. Tag Manager" are transmitted to C[xxx]bot. This service is offered by a company based in Denmark. However, the target domain consent.c[xxx]bot.com refers to a server with an IP address registered to the US-based cloud hosting company Ak. Technologies Inc., a cloud hosting company based in the USA. Even though the server may be located in the EU, the US company has access to it, so the US Cloud Act applies.
7 Under the Cloud Act, US government agencies could request personal data from US companies unilaterally, without a court order and without a mutual legal assistance agreement. This contradicts Articles 7, 8, 11 and 52 (1) GrCh and the interpretation of these norms by the ECJ, according to which official access to traffic data is only permitted in cases of suspicion of serious crime and is subject to the reservation of the judge or an independent authority. The US legal situation, on the other hand, allows the initial suspicion of any crime to suffice. Thus, the respondent, as the controller, exposed the applicant's personal data to the risk of unauthorised access, which constituted a breach of confidentiality under Article 32(1)(b) of the GDPR.
8 Since 3 (letter to the applicant dated 7.6.2021) or 2.6.2021 (letter dated 22.7.2021), the respondent, according to its information, no longer uses the G. Tag Manager. It informed the applicant of this in a letter dated 7.6.2021.
9 By letter of 7.6.2021, the respondent refused to give the cease-and-desist undertaking.
10 On 8.6.2021 the applicant applied for interim relief.
11 He essentially relies on the grounds of his warning to the respondent. Furthermore, he is of the opinion that the respondent, as a public body, cannot rely on Article 6(1)(f) of the GDPR, since, according to the last sentence of Article 6(1) of the GDPR, this does not apply to processing carried out by public authorities in the performance of their tasks.
12 Finally, he doubts the necessity of the consent manager "C[xxx]bot". This is because the consent for cookies obtained by the service is invalid because the consent checkbox for "Statistics" is set by default and thus no unambiguous consent within the meaning of Article 4(11) of the GDPR is generated. The consent could also not be revoked, as the corresponding banner was hidden after consent had been given.
13 The respondent had not concluded any standard contractual clauses with Cy. It was also not sufficient for Cy. to have agreed certain standard data protection clauses with its contractor Ak. The submitted standard contractual clause between Cy. and Ak. lacks supplementary safeguards against unauthorised data transfers to the USA.
14 In this respect, Cy. and the defendant were jointly responsible. This is because the defendant transfers user data to Cy. for the administration of the consents granted and determines the processing purposes. Cy. is responsible for the technical design and helps to determine the means of processing, as Cy. decides on the categories of data collected. However, the respondent could also use services running in the EU which did not use US sub-processors such as Ak. Technologies.
15 The right to an injunction arises from the fact that the applicant's personal data is transferred to insecure third countries and the subsequent retrieval and deletion of that data is impossible. The respondent could achieve its processing objectives as countervailing interests through alternative products that refrained from transferring data to third countries. After extensive pleadings had already been exchanged in the summary proceedings, the added value of main proceedings was low.
16 After the applicant declared the proceedings with regard to the "G. Tag Manager" to be settled at the hearing on 1.9.2021, it now still applies for the defendant to be ordered to pay the costs of the proceedings, to prohibit the respondent by way of an interim injunction pursuant to § 123 VwGO from integrating the service "C[xxx]bot" for the purpose of obtaining consents in such a way that personal data or data that can be related to personal data of the applicant (including his IP address) are transmitted to companies of the Ak. Technologies Inc. group companies, in particular by transmitting it to the server "consent.c[xxx]bot.com".
17 The defendant joined in the declaration of satisfaction and otherwise requested that the application be rejected, to dismiss the application.
18 It submits the entry on C[xxx]bot in its list of processing activities, divided into the sections "Shared responsibility" and "Commissioned processing", whereby in the latter section the deletion period for the data type cookieconsent is noted as 12 months and for the data type IP address "With purpose fulfilment". With Cy. A/S, the provider of C[xxx]bot, no standard contractual clause had been concluded. The standard contractual clause concluded between Cy. A/S and Ak. Technologies, is submitted by the defendant as an unfilled blank contract of the "Standard Contractual Clauses (Processors)" or in the original text Standard Contractual Clauses (Processors) (p. 191 et seq. of the court file).
19 It is of the opinion that the application is not admissible. Articles 12 to 22 of the GDPR do not give rise to an individual claim for an injunction which the applicant is asserting. In particular, Article 79 of the GDPR precludes recourse to Section 1004 of the German Civil Code. The applicant also sought a prohibited anticipation of the merits of the case. It was not apparent what serious and unreasonable disadvantages the applicant would suffer as a consequence of the use of the services in dispute until a decision in the main action. In any case, the fundamental right to informational self-determination was not violated beyond the margins of the fundamental right, since the dynamic shortened IP address that would be processed via the services at issue did not reveal any relevant information about the applicant.
20 Furthermore, the service C[xxx]bot had been used lawfully. The operation of the website www.hs-rm.de was necessary for public relations pursuant to § 12 para. 5 sentence 4 and para. 6 sentence 1 of the Hessian Higher Education Act (HHG). In order to operate the website, it was necessary to use cookies that were not only technically necessary, for which the consent of the persons concerned had to be obtained. C[xxx]bot is used for this purpose as a consent management system.
21 Only the anonymised IP address with the last three digits set to zero, the date and time of the consent, the user agent of the browser of the data subject, the URL from which the consent was sent, an anonymous, random and encrypted key as well as the consent status of the data subject are transmitted to Cy.
22 Insofar as an unabbreviated IP address is transmitted to the server of Ak.-Technologies Inc. to establish a technically necessary connection to the servers, this is not processed or stored. Effective consent to data processing could be obtained via C[xxx]bot. Even a faulty consent would only lead to a legally unjustified use of cookies or cookie-based services, but would have no effect on the integration of the consent management system. The respondent and Cy. A/S were not jointly responsible persons, but separately responsible persons, because Cy. A/S and the respondent do not jointly decide on the purposes and means of the processing. Cy. A/S is also not a processor, as it does not process any data. Ak. Technologies Inc. is exclusively a processor of Cy. A/S, there is no subcontracting relationship with the respondent. Accordingly, the transmission between Cy. A/S and Ak. Technologies Inc. was the sole responsibility of Cy. A/S. The respondent had no influence on this.
23 Finally, there is also no reason for an injunction. The requested regulation order was not necessary to avert substantial disadvantages or to prevent imminent violence. The encroachment through the processing of dynamic, shortened IP addresses was in any case extremely small, as it did not involve sensitive data. The applicant also did not suffer a substantial infringement of his fundamental right, as the alleged loss of control over his data did not exist. In contrast, the respondent had a substantial interest in continuing to be able to obtain consent for cookies on its website, for which it could not use any other service due to contractual obligations with the old service.
24 With regard to the list of processing activities of the respondent, the applicant replicates that no information on deletion periods is included. The fact that the sub-processor of Cy. A/S is A. Technologies GmbH does not change the fact that the infrastructure of the parent company Ak. Technologies Inc. was used and thus the transfer to the US company was made possible. The categories of data indicated were not complete. The applicant disputes the encryption of the transmitted data as alleged in the directory. Since clear data was obviously processed by the Ak. server, it could in any case only be a case of transport encryption, in which the sender and recipient IP address and other usage data were necessarily transmitted in clear text. This therefore does not constitute a sufficient protective measure in the sense of the ECJ's Schrems II ruling.
25 At the hearing on 1 September 2021, in addition to the parties to the present emergency application, Mr W. was also present as an expert for the Hessian Data Protection Commissioner and was heard. Please refer to the minutes of the hearing for the content of the statements.
26 For further details of the facts of the case and the dispute, reference is made to the contents of the documents in the court file which were the subject of the decision.
II.
27 Insofar as the proceedings were declared closed by mutual agreement, they are to be discontinued, § 92.3 sentence 1 VwGO analogously.
28 In all other respects, the applicant's application is admissible and well-founded. The defendant is obliged to terminate the integration of the service "C[xxx]bot" for the purpose of obtaining consent on its website www.hs-rm.de, as the integration is accompanied by the unlawful transmission of personal data of the website users and thus in particular of the applicant.
29 Pursuant to § 123 (1) sentence 2 VwGO, which is the only provision that comes into consideration here, the court may, upon application, issue an interim injunction to regulate a provisional state of affairs with regard to a legal relationship at issue, even before an action has been filed, if this regulation appears necessary, especially in the case of permanent legal relationships, in order to avert substantial disadvantages or to prevent imminent violence or for other reasons. The factual prerequisites of the asserted claim and the reason for the necessary provisional settlement must be made credible (section 920 subs. 2 ZPO in conjunction with section 123 subs. 3 VwGO).
30 The applicant is entitled to injunctive relief under public law pursuant to § 1004 of the German Civil Code (BGB) analogously in conjunction with Article 79(1) and Article 5(1)(a) of the GDPR.
31 Pursuant to Article 79(1) of the GDPR, every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data which does not comply with this Regulation. The phrase "rights under this Regulation" is not a reference (alone) to Chapter 3 of the GDPR ("data subject's rights"). In addition to rights to which the data subject is entitled "by virtue of" the GDPR, violated rights may also be rights "by virtue of" the Regulation, i.e. also rights granted by other legal acts (cf. recital 146, sentence 5). The prerequisite for the facts is thus an infringement of the data subject by a processing of personal data that does not comply with substantive data protection law (cf. Paal/Pauly/Martini, 3rd ed. 2021, GDPR Art. 79 para. 19; BeckOK DatenschutzR/Mundil, 37th ed. 1.2.2020, GDPR Art. 79 para. 4).
32 Contrary to the view of the defendant, Article 79 of the GDPR does not have the effect of blocking further judicial remedies. This is because the enumeration of the "administrative or extrajudicial remedy", which is to apply without prejudice to Art. 79 GDPR, is not an exhaustive list of further available remedies. This also does not follow from recitals 9, 11 and 13 of the GDPR, which speak of a "uniform level of protection". For it does not follow from this that stricter regulations in national law should not be valid. It would also contradict the principle of effectiveness of European law as well as the right to an "effective" judicial remedy pursuant to Art. 79 GDPR to deny the applicant legal protection in judicial proceedings and instead refer him to a complaint to the supervisory authority pursuant to Art. 77 GDPR.
33 The requirements for injunctive relief under public law are fulfilled. The applicant's legally protected interests are impaired by a sovereign measure.
34 The website is not privately operated by the respondent. Rather, the use of the "C[xxx]bot" service is carried out as part of the public relations work of the higher education institution (section 12(5) sentence 4, (6) sentence 1 of the HHG) and thus as a sovereign measure.
35 The applicant's right to lawful processing of his personal data, which follows from Art. 6(1) DS-GVO, Art. 7, 8 EU Charter of Fundamental Rights (GrCh), is violated by the respondent's use of "C[xxx]bot".
36 a) To the conviction of the court, the defendant processes the applicant's unabbreviated IP address on its website www.hs-rm.de, among other things. This is done by using the "C[x]" service offered by the company Cy. A/S, which in turn stores and processes the full IP address of the website user. The fact that, contrary to the view of the defendant, it is the full IP address and not a shortened IP address is clear from the information provided by Cy. itself (Annex AS 33, p. 668 of the court file) as well as from the order processing agreement provided by Ak. for its clients, which in its Annex I, No. 2b contains the provision that Ak. processes personal data contained in log files when providing the services to the client. The data included, inter alia, the IP address of the end users, the URLs of the visited websites with timestamps with associated IP address, the geographical location based on the IP address as well as telemetry data (p. 659 of the court file). In addition, the representative of the Hessian Data Protection Commissioner also comprehensibly stated in his written statement of 20 October 2021 that "the logging of complete IP addresses by providers of internet services regularly takes place within the framework of usual purposes, such as the trouble-free operation of such services".
37 The respondent has also not substantiatedly countered these statements. It does claim that only an anonymised IP address is transmitted, in which the last three digits are set to zero. However, this is contradicted by Cy.'s own statement to the contrary. Even if the service C[xxx]bot only transmits the unabbreviated IP address when it is loaded for the first time, this is still a processing operation that is significant under data protection law. The collection and transmission of personal data already constitutes processing pursuant to Article 4(2) of the GDPR.
38 The unabbreviated IP address also constitutes personal data, because the IP address enables the precise identification of users (see ECJ, judgment of 19.10.2016 - C-582/14; BGH, judgment of 16.5.2017 - VI ZR 135/13; ECJ, judgment of 24 November 2011 - C-70/10, para. 51). It is true that Cy. claims in the notification that Ak. does not store or process any personal data of the end users. However, this is contradicted by the fact that, as explained above, the full IP address of the end users is processed.
39 The provider Cy. A/S uses the services of the company Ak. Technologies Inc. for the service "C[xxx]bot" by using server capacities of Ak. This results not least from the communication of the Cy. company to a Ms. A. B. or, according to the applicant, to the latter (Annex AS 33, p. 671 of the court file). Contrary to the view of the respondent, it is completely irrelevant to whom the information was given. There are no indications that this is not a genuine correspondence. Accordingly, Cy. uses Ak.'s Content Delivery Network to retrieve the C[xxx]bot consent script, which is located on an Ak. server.
40 As the processed data, i.e. also the personal data of the applicant, are processed on servers of Ak., a data transfer to a third country, namely the USA, takes place pursuant to Art. 44 DS-GVO. It is irrelevant whether the concrete contractual partner of Cy. A/S is the company Ak. Technologies Inc. or the company A. Technologies GmbH. In any case, the company headquarters is located in Cambridge, Massachusetts, USA (https://www.Ak..com/de/company/facts-figures; last accessed on 23.11.2021). This is a non-permissible transfer according to Art. 48, 49 DS-GVO.
41 This is because Ak. Technologies Inc., as a US company, is subject to the US Cloud Act, a US federal law of 6.2.2018. According to this law, US providers of electronic communication or remote computing services are obliged to disclose all data in their possession, custody or control, regardless of whether the data is stored inside or outside the USA (Title 18 U. S. C. § 2713) (cf. Kühling/Buchner/Schröder, 3rd ed. 2020, GDPR Art. 48 para. 25).
42 According to Art. 48 GDPR, a transfer of personal data on the basis of a decision of a foreign court or administrative authority may in principle only take place if it can be based on an international agreement in force, such as a mutual legal assistance agreement between the requesting third country and the European Union or a member state. Since such an international agreement between the EU and the US, which could serve as a legal basis for a data transfer, does not exist (cf. Kühling/Buchner/Schröder, 3rd ed. 2020, DS-GVO Art. 48 para. 26), Art. 49 DS-GVO applies, according to which a data transfer to a third country is only permissible under one of the conditions set out in Art. 49(1) p. 1 lit. a) to f) and p. 2 DS-GVO.
43 None of the conditions set out in Art. 49 (1), sentences 1 and 2 of the GDPR are met in the present case. It is undisputed that a user of the website www.hs-rm.de is not asked for his or her consent for the transfer to the USA and is also not informed about the possible risks involved (Art. 49 para. 1 sentence 1 lit. a) of the GDPR). The transfer is also not necessary for important reasons of public interest (Art. 49 (1) sentence 1 lit. d) DS-GVO). Irrespective of whether the public relations work of the respondent constitutes such a public interest, a data transfer to the USA is not necessary for this purpose in any case. The other possible conditions of Article 49 (1) sentence 1 of the GDPR are obviously not relevant either. Article 49 (1) sentence 2 of the GDPR is already not applicable because the data transfer takes place with regard to countless website users, i.e. it neither "does not occur repeatedly" nor concerns a limited number of data subjects. It is therefore no longer relevant whether the "other provisions" of the GDPR, in particular Art. 5, 6 GDPR, are complied with, the requirements of which must also be met in the case of a data transfer to a third country pursuant to Art. 44 GDPR.
44 The respondent is also responsible for this data processing within the meaning of Article 24, Article 4(7) of the GDPR. Accordingly, the controller is the body which alone or jointly with others determines the purposes and means of the processing of personal data. This is the case here. By deciding to use the service "C[xxx]bot" on its website, the respondent decides in any case on the means of data processing. For merely by integrating the service on its website, it decides that the collection and transmission of the website users' personal data, which also takes place on Ak.'s servers, will take place. It also decides, at least indirectly, on the purposes of the processing. For in knowledge of the information provided by Cy. and Ak., which it has obtained at the latest in the course of the present proceedings, it can decide in favour of or against the service being used on its website and thus data processing possibly also taking place for the purposes specified by Cy. or Ak. or, conversely, by removing the service it can ensure that data processing for these purposes no longer takes place. It may no longer be jointly responsible for subsequent operations, such as storage and use by Ak., as this is a different phase of data processing (see ECJ, judgment of 29.07.2019 - C-40/17 - Fashion-ID, paras 79, 84). Ak. is responsible for the collection and transmission directly triggered by the integration of the service on the defendant's website. For the responsibility of an actor, in particular in the context of joint responsibility, it is also irrelevant according to the case law of the ECJ that each responsible party has access to the personal data in question (ECJ, judgment of 10.7.2018 - C-25/17 - Jehovah's Witnesses, para. 69).
45 b) Furthermore, a processing of personal data also takes place by setting a so-called cookie key in connection with the other transmitted data. This results from the illustrative statement of the representative of the Hessian Data Protection Commissioner. The latter visualised the content of a cookie set by C[xxx]bot in text form: [illustration of the decision]
46 He then explained in a comprehensible manner that the value "stamp" (yellow) is presumably an ID that identifies the website visitor. This is supported in particular by the fact that the value is consistent over several website visits, but changes when the existing cookies are deleted. The green, blue, red and pink values then represented the website user's selection of certain categories of cookies (green), the version of the C[xxx]bot consent banner (blue), the time the banner was activated (red) and the geographical region from which the website user comes (pink).
47 The representative of the Hessian Data Protection Commissioner then explains that the value "stamp" (yellow) does represent an ID or a "key" or "fingerprint". However, this in itself did not actually allow the identification of a specific natural person. However, this is possible in combination with the IP address that is also transmitted.
48 The court was convinced that this was the case. According to C[xxx]bot's "Privacy Policy" (https://www.C[xxx]bot.com/en/privacy-policy/, last accessed on 26.11.2021), C[xxx]bot also stores an "anonymous, random and encrypted" key in the end user's browser, which allows the website to "automatically read and follow the end user's consent in all subsequent page requests and future end user sessions for up to 12 months". The key can therefore be uniquely associated with the website user and their cookie preferences, otherwise the service would not be able to associate the website user and their previously stated cookie preferences. Together with the likewise transmitted (see above) unabbreviated IP address of the website user, the user is thus clearly identifiable by C[xxx]bot. The key may be "anonymous" in that it cannot be linked to the name of the end user. However, this does not preclude individualisation with the help of the other existing data about the end user, because the user can be identified due to the storage of the key, even if his name is not known. This means that it is a personal data.
49 It does not matter whether the defendant is the controller alone or jointly with another entity, such as the companies Cy. or Ak. Pursuant to Article 26(3) of the GDPR, the data subject may assert his or her rights under the GDPR in the event of joint responsibility with and against each of the controllers.
50 3 The impairment is also still ongoing. Since, according to the respondent, the "C[xxx]bot" service is still integrated on its website, there is a renewed risk of the infringement described above every time the website is used.
51 The infringement of the applicant's rights can only be stopped by removing the service from the website altogether. A partial shutdown of the service vis-à-vis the applicant is naturally not possible. Therefore, the respondent is obliged to remove the service "C[xxx]bot" from its website.
52 With the present summary proceedings, the applicant can only achieve a provisional settlement of the current situation. A final settlement is reserved for the main proceedings.
53 For this reason, the order is limited to four weeks from notification in the event that main proceedings are not brought within four weeks of notification of this decision by the applicant. Otherwise, this order shall lose its effect.
54 The decision on costs shall be made in accordance with § 154 (1) and § 161 (2) VwGO.
55 Insofar as the proceedings have been declared closed, the applicant must be ordered to pay the costs of the proceedings, since the respondent already informed the applicant by letter of 7 June 2021 that it was no longer using Google Tag Manager, but the applicant did not file the present application until 8 June 2021 and thus after the occurrence of the closing event. The applicant's interest in the two applications originally filed is similar, so that the costs are to be set off against each other.
56 Insofar as the applicant was successful in the interlocutory proceedings, the costs were to be ordered against the respondent.
57 The determination of the amount in dispute follows from § 52.2, § 53.2 no. 2 GKG.
Since the state of the facts and the dispute do not provide sufficient indications for the determination of the amount in dispute, an amount in dispute of EUR 5,000 each is to be assumed for the claim regarding the service "Google Tag Manager" and regarding the service "C[xxx]bot". This is to be halved in each case in the proceedings for interim relief (cf. no. 1.5 of the catalogue of amounts in dispute for administrative jurisdiction).