DSB (Austria) - 2021-0.586.257

From GDPRhub
== Further Resources ==
''Share blogs or news articles here!''
== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.


<pre>
Barichgasse 40-42
A-1030 Wien
Tel.: +43-1-52152 302565
E-Mail: dsb@dsb.gv.at
Official in charge: [REDACTED]

Case: D155.027
2021-0.586.257

Attn.: NOYB - European Center for Digital Rights
[REDACTED]
Goldschlagstraße 172/4/3/2
1140 Wien

Data protection complaint (Art. 77 (1) GDPR)
[REDACTED]/1. [REDACTED] Verlags GmbH (formerly: [REDACTED]at GmbH), 2. Google LLC

(101 Dalmatians)

by e-delivery/email [REDACTED].

PARTIAL DECISION

ORDER

The data protection authority decides on the data protection complaint of [REDACTED] (complainant) of August 18, 2020, represented by NOYB - European Center for Digital Rights, Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, against 1) [REDACTED] Verlags GmbH (formerly: [REDACTED]at GmbH) (first respondent), represented by [REDACTED], and 2) Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (second respondent), represented by [REDACTED], for a violation of the general principles of data transfer pursuant to Art. 44 GDPR as follows:

1. The decision of the data protection authority of October 2, 2020, no. D155.027, 2020-0.527.385, is set aside.

2. The complaint against the first respondent is upheld and it is found that

a) the first respondent, as controller, by implementing the "Google Analytics" tool on its website at www.[REDACTED]at, transmitted personal data of the complainant (at least unique user identification numbers, IP address and browser parameters) to the second respondent at least on August 14, 2020,

b) the standard data protection clauses concluded by the first respondent with the second respondent do not provide an adequate level of protection pursuant to Art. 44 GDPR, since

i) the second respondent qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and, as such, is subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881a ("FISA 702"), and

ii) the measures taken in addition to the standard data protection clauses referred to in item 2.b) are not effective, because they do not eliminate the possibility of surveillance and access by U.S. intelligence agencies,

c) in the present case no other instrument pursuant to Chapter V of the GDPR can be used for the data transfer referred to in item 2.a), and the first respondent has therefore not ensured an adequate level of protection pursuant to Art. 44 GDPR for the data transfer referred to in item 2.a).

3. The complaint against the second respondent on the grounds of a violation of the general principles of data transfer pursuant to Art. 44 GDPR is dismissed.


Legal basis: Art. 4 (1), (2), (7) and (8), Art. 5, Art. 44, Art. 46 (1) and (2) (c), Art. 51 (1), Art. 57 (1) (d) and (f), Art. 77 (1), Art. 80 (1) and Art. 93 (2) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ No. L 119, 4.5.2016 p. 1; Sections 18(1) and 24(1), (2)(5) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999, as amended; Section 68(2) of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette 51/1991, as amended.

REASONS

A. Submissions of the parties and course of proceedings

A.1 In his submission of August 18, 2020, the complainant submitted the following in summary:

He had visited the website of the first respondent at www.[REDACTED]at/ on August 14, 2020, at 10:45 a.m. During the visit he had been logged into his Google account, which was linked to the complainant's email address, [REDACTED]. The first respondent had embedded HTML code for Google services (including Google Analytics) on its website. In the course of the visit, the first respondent had processed personal data, namely at least the IP address and cookie data of the complainant. In the process, some of these data had been transmitted to the second respondent. Such a data transfer required a legal basis pursuant to Art. 44 et seq. GDPR.

Following the ECJ's judgment of July 16, 2020, Case C-311/18 ("Schrems II"), the respondents could no longer rely on an adequacy decision ("Privacy Shield") under Art. 45 GDPR for a data transfer to the USA. The first respondent was also not permitted to base the data transfer on standard data protection clauses if the third country of destination does not ensure, in accordance with Union law, adequate protection of personal data transferred on the basis of such clauses. The second respondent qualified as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and, as such, was subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881a ("FISA 702"). The second respondent actively made personal data available to the U.S. government pursuant to 50 U.S. Code § 1881a.

As a result, the respondents were unable to ensure adequate protection of the complainant's personal data when his data were transferred to the second respondent. The transfer of the complainant's data to the USA was unlawful. Several enclosures were attached to the complaint.

A.2 In its statement of December 16, 2020, the first respondent submitted the following in summary:

The first respondent was domiciled only in Austria. It was responsible for the decision to embed the tool on the [REDACTED]at website. The tool was used to enable general statistical evaluations of the behavior of website visitors. It did not, however, allow content to be adapted to a specific website user, as the evaluation was carried out anonymously and no reference to a specific user was made possible. User IP addresses were also anonymized before storage or transmission ("IP anonymization"). The so-called user agent string served to inform the server of the system specification with which the user was accessing it. Without any personal reference, only the device, operating system and operating system version, browser and browser version, and device type were displayed. At best, an assignment to a specific device was possible, but never to a specific person using that device. The anonymous statistics were processed predominantly in data centers in Europe, but also by the second respondent on servers outside the EEA.

If the GDPR was applicable, the first respondent was the controller and the second respondent the processor. A processor agreement had been concluded. Since no personal data were transferred, the ECJ's judgment of July 16, 2020 in Case C-311/18 was not applicable. However, as a precaution against a possible transfer of personal data to the second respondent (for example in the event that IP anonymization was deactivated as a result of a data breach), the first respondent had concluded a processor agreement with the second respondent and incorporated standard data protection clauses (SDK). This had been implemented purely as a precautionary measure. The second respondent had implemented further technical and organizational measures to ensure a high level of data protection for the data processed via the tools. Several enclosures were attached to the statement.

A.3 In its statement of January 22, 2021, the complainant submitted the following in summary:

In the case of a processor in a third country, a breach of anonymization was neither enforceable nor ascertainable. In case of doubt, 50 U.S.C. § 1881a applied, not an advertising blurb on Google's website. The personal data processed first would only be anonymized subsequently, in a second step. This anonymization, which may have occurred only after the transfer, did not affect the prior processing. The statement contains a more detailed technical description at this point.

Apart from that, the complainant relied not only on the processing of his IP address but also of other personal data, such as cookie data. At the time of the website visit he had been logged into his private Google account, and "Google" cookies had been set. In order to prevent a violation of Art. 44 et seq. GDPR, complete removal of the tool was necessary, and a switch to another tool without data transfer to the USA was recommended. If the first respondent was convinced that no personal data were processed, the conclusion of processor agreement terms was absurd. Several enclosures were attached to the statement.


A.4 In its statement of April 9, 2021, the second respondent submitted its responses to the questionnaire of the data protection authority.

A.5 In its statement of May 4, 2021, the first respondent submitted the following in summary regarding the second respondent's statement of April 9, 2021:

The first respondent had only used the free version of Google Analytics and, in doing so, had agreed to both the terms of use and the SDK. Neither the Google Analytics 4 version had been implemented nor the data sharing setting activated. The code had been embedded with the anonymization function. The second respondent had been used only as a processor. The first respondent had issued its instructions via the settings of the Google Analytics user interface and via the global site tag. Google Signals had not been used. The first respondent had no authentication system of its own and did not use a user ID function. At present it did not rely on the exception in Art. 49(1) GDPR.


A.6 In its statement of May 5, 2021, the complainant submitted the following in summary regarding the statement of the second respondent of April 9, 2021:

The complaint was directed against the first and second respondents. Google Ireland Limited was not a party to the proceedings. The data protection authority was directly competent for the second respondent, which had violated Art. 44 et seq. GDPR. As a processor, the second respondent was an addressee of Chapter V GDPR. The second respondent disputed that all data collected by Google Analytics was hosted in the USA.

At least some of the cookies set on the occasion of the website visit on August 14, 2020 contained unique user identification numbers. In the transaction between the complainant's browser and https://tracking.[REDACTED]at, started on the specified date, the user identification numbers "_gads", "_ga" and "_gid" were set. These numbers were subsequently transmitted to https://www.google-analytics.com/. The numbers were "online identifiers" which served to identify natural persons and could be specifically assigned to a user. With regard to the IP address, Chapter V GDPR did not provide for any exception for "subsequently anonymized data". It had to be assumed that the complainant's IP address had not even been anonymized in all transactions. The request for the imposition of a fine was withdrawn; it was now to be understood as a suggestion.

A.7 In its statement of June 10, 2021, the second respondent submitted the following in summary:

The complainant's standing had not been established, as it had not been proven that the data transmitted constituted personal data of the complainant. The cookies in question were first-party cookies set under the domain [REDACTED]at. They were therefore cookies of the first and not of the second respondent. Accordingly, they were not unique Google Analytics cookie IDs per user used across several websites that use Google Analytics; a user had different cid numbers for different websites. It had not been established that the numbers at issue made the complainant identifiable. At this point, the submission contains further technical explanations regarding the cookies used. With regard to the IP address, it had to be examined whether the IP address of the device connected to the Internet could actually be attributed to the complainant and whether the controller or "another person" had the legal means to obtain subscriber information from the provider in question.

As a processor, the second respondent provided the website operator with numerous configuration options for Google Analytics. Based on the information received, the first respondent had configured Google Analytics as indicated. Due to a possible configuration error, the first respondent had not activated the IP anonymization function in all cases. Under normal operating conditions, and as far as users based in the EU are concerned, the request is received by a web server located in the EEA, which is why IP anonymization is generally performed within the EEA. In the present case, normal operating conditions had existed.

On August 14, 2020, the Web & App Activity setting had been enabled for the [REDACTED] account. However, the account had not opted to include activity from websites that use Google services. Since, according to the first respondent, Google Signals had also not been enabled, the second respondent would not have been able to determine that the user of the [REDACTED] account had visited that website.

With regard to international data transfers, even assuming that the data were personal data of the complainant, they were limited in terms of quantity and quality. To the extent that the data transferred qualified as personal data at all, they were pseudonymous data. Standard contractual clauses had been concluded with the first respondent, and additional measures had been implemented. The second respondent did not disclose user data pursuant to EO 12333. FISA § 702 was irrelevant in the present case in view of the encryption and the anonymization of IP addresses. Art. 44 et seq. GDPR could not be the subject of a complaint procedure pursuant to Art. 77(1) GDPR, and the complaint should therefore be rejected in this respect. Art. 44 et seq. GDPR were also not applicable to the second respondent as data importer.


A.8 In its statements of June 18 and 24, 2021, the first respondent submitted the following in summary:

As part of an asset deal, the website www.[REDACTED]at had been transferred to [REDACTED] GmbH in Munich with effect from February 1, 2021. Subsequently, the first respondent had been renamed from [REDACTED]at GmbH to [REDACTED] Verlags GmbH. In addition, the first respondent had instructed the second respondent to immediately delete all data collected via the Google Analytics properties. The configuration error in connection with the IP anonymization function had been corrected. In the meantime, the second respondent had confirmed the final deletion of all data, and an enclosure was submitted as proof. It was suggested that the proceedings be discontinued pursuant to Section 24 (6) DSG.

A.9 In its statement of July 9, 2021, the second respondent submitted the following in summary:

According to the European Data Protection Board (EDPB), an adequacy assessment is not limited to an examination of the legal provisions of the third country but must also take into account all specific circumstances of the transfer at issue. This was relevant to the case at hand. Pseudonymization was an effective supplementary measure here, in accordance with the EDPB recommendations. It was not to be expected that U.S. authorities would have additional information enabling them to identify the data subjects behind the first-party cookie values "gid" and "cid" or behind an IP address. The complainant had also not requested a finding that his rights had been violated in the past.


A.10 In its statement of July 9, 2021, the complainant submitted the following in summary:

There had been processing of personal data; this had been proven, inter alia, by the enclosures submitted. If the identification of a website visitor ultimately depended only on whether he or she had made certain declarations of intent in his or her account (such as activating "ad personalization"), then the second respondent had every possibility of identification at its disposal. Otherwise, the second respondent would not be able to comply with a user's wishes, expressed in the account settings, regarding "personalization" of the advertising received.

The UUID (Universally Unique Identifier) in the _gid cookie with the UNIX timestamp 1597223478 had been set on Wednesday, August 12, 2020 at 11:11 and 18 seconds CET, and the one in the cid cookie with the UNIX timestamp 1597394734 on Friday, August 14, 2020 at 10:45 and 34 seconds CET. It followed that these cookies had already been in use prior to the visit that was the subject of the complaint and that longer-term tracking had also taken place. To his knowledge, the complainant had not immediately deleted these cookies and had repeatedly visited the website [REDACTED]at.

The second respondent failed to take into account the broad understanding of the GDPR when assessing whether personal data existed. The actual IP address used was no longer ascertainable for the complainant either. This was, however, irrelevant, as the cookies carried a clear personal reference via the UUID anyway. In particular, the combination of cookie data and IP address allowed tracking and the evaluation of the geographical location, Internet connection and context of the visitor, which could be linked to the cookie data already described. This also extended to data such as the browser used, the screen resolution or the operating system ("device fingerprinting").

More relevant in the context of the complaint was that U.S. authorities used data that is easy for intelligence agencies to determine, such as the IP address, as a starting point for monitoring individuals. It was standard intelligence procedure to move from one data point to the next. If, for example, the complainant's computer repeatedly appeared on the Internet via the IP address of [REDACTED], this could be used to spy on the work of [REDACTED] and to target the complainant. In a further step, other identifiers would then be searched for in the data, such as the aforementioned UUIDs, which in turn would allow the individual to be identified for surveillance elsewhere. In this context, U.S. intelligence services were therefore "other persons" within the meaning of recital 26 GDPR. The complainant works [REDACTED] but also has a relevant role in these efforts as a model complainant. Thus, under U.S. law, surveillance of the complainant under 50 USC § 1881a (as well as of all other persons entrusted with this complaint) was legally possible at any time. Even applying the supposed "risk-based approach", the case at issue was a prime example of high risk.

The e-mail address [REDACTED] was to be attributed to the complainant, who had used the surname [REDACTED] until his marriage. However, the old Google account was still being used. It had not been explained to what extent the undisputedly available data were linked or evaluated, or whether the result of an evaluation was merely not displayed to the user.

Furthermore, Chapter V GDPR did not know a "risk-based approach". Such an approach could only be found in certain articles of the GDPR, such as Art. 32. The new standard contractual clauses in Implementing Decision (EU) 2021/914 were not relevant to the facts of the case because they were not yet in force at the relevant time. A "transfer" was not a unilateral act of a data exporter; every "transfer" also required receipt of the data. Accordingly, Chapter V GDPR was also applicable to the second respondent, since a transfer was a joint action of data exporter and importer.

Even if the second respondent had not violated Art. 44 et seq. GDPR, the provisions of Art. 28(3)(a) and Art. 29 GDPR had to be taken into account as a "catch-all provision". If the second respondent complied with a corresponding instruction from a U.S. intelligence agency, it thereby took the decision to process personal data beyond the first respondent's specific instructions pursuant to Art. 28 and Art. 29 GDPR and the corresponding contractual documents. This would make the second respondent itself the controller pursuant to Art. 28(10) GDPR. As a result, the second respondent would also have to comply with Art. 5 et seq. GDPR. A secret transfer of data to U.S. intelligence services in accordance with U.S. law would undoubtedly not be compatible with Art. 5(1)(f), Art. 5(1)(a) and Art. 6 GDPR.
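The timestamp argument in the complainant's submission above (a _gid cookie set on August 12 and a cid cookie set on August 14, 2020) rests on decoding the epoch seconds carried inside the cookie values, and that check can be done mechanically. The following is an added example, not part of the decision or of either party's submissions: it parses a constructed Cookie header in the layout assumed here for Google Analytics first-party cookies ("GA1.<domain depth>.<random id>.<unix timestamp>"; the client ids are made up, only the two timestamps are the ones cited), converts the embedded epoch seconds to Vienna local time and measures how far each cookie predates the visit of August 14, 2020, 10:45. One caveat on the quoted wall-clock values: they correspond to UTC+2, i.e. Central European Summer Time, which is what Vienna observes in August, even though the submission labels them CET.

```python
"""Decode the set times embedded in Google Analytics first-party cookies.

Added example (not part of the decision). Assumption: _ga and _gid values use the
layout "GA1.<domain depth>.<random id>.<unix timestamp>", the last field being the
seconds since the UNIX epoch at which the cookie was set. Only the two timestamps
below come from the decision text; every other cookie field is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Vienna observes CEST (UTC+2) in August; the submission reports the same
# wall-clock values but labels them "CET". Fixed offset, so no tzdata is needed.
CEST = timezone(timedelta(hours=2), "CEST")

# Constructed Cookie header. The 10-digit client ids are made up; the timestamps
# 1597223478 (_gid) and 1597394734 (_ga, the "cid" cookie) are the cited ones.
COOKIE_HEADER = (
    "_ga=GA1.2.1234567890.1597394734; "
    "_gid=GA1.2.1987654321.1597223478; "
    "_gads=ID=abcdef0123456789:T=1597394734:S=constructed"
)

# Visit that is the subject of the complaint: August 14, 2020, 10:45 local time.
VISIT_TIME = datetime(2020, 8, 14, 10, 45, tzinfo=CEST)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name -> value; values may themselves contain '='."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def ga_cookie_set_time(value: str) -> Optional[datetime]:
    """Return the set time embedded in a GA1-style value, or None if the layout differs."""
    fields = value.split(".")
    if len(fields) != 4 or fields[0] != "GA1":
        return None
    if not all(f.isdigit() for f in fields[1:]):
        return None
    return datetime.fromtimestamp(int(fields[3]), tz=CEST)


def cookies_relative_to_visit(header: str, visit: datetime) -> Dict[str, Tuple[datetime, int]]:
    """Map each GA1 cookie to (set time, seconds before the visit); negative = set during/after it."""
    result: Dict[str, Tuple[datetime, int]] = {}
    for name, value in parse_cookie_header(header).items():
        set_time = ga_cookie_set_time(value)
        if set_time is None:
            continue  # _gads (and anything else not in GA1 layout) carries no decodable timestamp here
        result[name] = (set_time, int((visit - set_time).total_seconds()))
    return result


if __name__ == "__main__":
    for name, (set_time, lead) in cookies_relative_to_visit(COOKIE_HEADER, VISIT_TIME).items():
        verdict = "predates the visit" if lead > 0 else "set during or after the visit"
        print(f"{name}: set {set_time.isoformat()} ({lead} s, {verdict})")
```

Run stand-alone, the script reports _gid as set on 2020-08-12 11:11:18 (+02:00), roughly two days before the visit, and _ga as set 34 seconds into the visit itself, which is exactly the distinction the submission draws between a cookie created during the complained-of visit and one that was already tracking the browser beforehand. Only the third field of the cookie is inspected; the random client id is never interpreted, since its meaning is not established on this page.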


A.11 In its final submission of August 12, 2021, the second respondent submitted the following in summary:

The complainant had not established his standing to lodge a complaint. He had not answered any of the questions raised by the second respondent regarding the identifiability of his person on the basis of the IP address. With regard to the _gid number and the cid number, no directory existed that would make the complainant identifiable. The fact that recital 26 GDPR mentions "singling out" as a possible means of identification did not change the understanding of the words "identify", "identification" or "identifiability".

The identifiability of the complainant presupposed at least that his identification was possible on the basis of the data in question and by means reasonably likely to be used. This had not been established, could not be assumed and was, on the contrary, even unlikely, if not impossible. Nor did the fact that the second respondent had entered into processor agreements mean that the data that were the subject of these proceedings were personal data, let alone that they were the complainant's data.

The complainant's view that the transfer of data was not to be assessed according to a risk-based approach ("all-or-nothing") could not be accepted. This was not in line with the GDPR and had to be seen against recital 20 of the European Commission's Implementing Decision (EU) 2021/914. The same followed from the different versions of EDPB Recommendations 01/2020. Even if access to the above-mentioned numbers by U.S. authorities was "legally possible at any time", it had to be examined how likely this was. The complainant had not presented any convincing argument as to why or how the "cookie data" relating to his visit to a publicly accessible and widely used Austrian website such as the one at issue constituted "foreign intelligence information" and could thus become a target of the purpose-restricted data collection under Section 702.


B. Subject Matter of the Complaint


Based on the complainant's submissions, the subject matter of the complaint is in any event the question

- whether the first respondent, by implementing the Google Analytics tool on its website www.[REDACTED]at, transmitted personal data of the complainant to the second respondent and,

- whether an adequate level of protection pursuant to Art. 44 GDPR was ensured for this data transfer.

In this context, it must also be clarified whether, in addition to the first respondent (as data exporter), the second respondent (as data importer) was also obliged to comply with Art. 44 GDPR.

It is not necessary to rule on the request to impose an immediate ban on data transfers to the second respondent against the first respondent (as controller), since, as will be explained below, responsibility for operating the website www.[REDACTED]at was transferred to [REDACTED] GmbH, headquartered in Munich, in the course of the complaint proceedings (although only after the data transfer relevant to the complaint). With regard to the imposition of such a ban, the data protection authority would have to refer the matter to the competent German supervisory authority.

Likewise, there is no need to rule on the application for the imposition of a fine, as this was withdrawn by the complainant in his statement of May 5, 2021, and is now to be understood as a suggestion.

Finally, it should be noted that the present partial decision does not address the alleged violations by the second respondent of Art. 5 et seq. in conjunction with Art. 28(3)(a) and Art. 29 GDPR. In this regard, further investigative steps are necessary, which will be dealt with in a further decision.


A.4. The second respondent submitted his answers in a statement dated April 9, 2021
C. Findings of Fact
to the questionnaire of the data protection authority.


C.1 The first respondent was in any case the website operator of www.[REDACTED]at on August 14, 2020. The Austrian version of [REDACTED] is an information portal on the subject of health. The website www.[REDACTED]at is only offered in German. The first respondent did not operate any other versions of the website www.[REDACTED]at in the EU. Furthermore, the first respondent is only based in Austria and has no other branches in other EU countries. For Germany, there is a German version of [REDACTED] at www.[REDACTED]de, which, however, was not operated by the first respondent.


A.5. With a statement of May 4, 2021, the Respondent brought the
Evaluation of evidence regarding C.1: The findings made are based on the statement of the first respondent dated December 16, 2020 (questions 1 to 3) and were not disputed by the complainant in this respect.


Second respondent of April 9, 2021 summarized the following:
C.2. As of February 1, 2021, the website www.[REDACTED]at was transferred to [REDACTED] GmbH, based in Munich, as part of an asset deal. Subsequently, the first respondent was renamed from [REDACTED]at [REDACTED] GmbH to [REDACTED] Verlags GmbH. The first respondent managed the website www.[REDACTED]at for [REDACTED] GmbH until August 2021. Since August 2021, the first respondent has no longer been the operator of www.[REDACTED]at and also no longer makes the decision as to whether the Google Analytics tool is used.


Evaluation of evidence regarding C.2: The findings made are based on the statement of the first respondent dated June 18, 2021 and were not disputed by the complainant. In addition, the findings are based on an official search by the data protection authority in the company register for Zl. FN [REDACTED].


The First Respondent only uses the free version of Google Analytics. Included
C.3 The second respondent developed the Google Analytics tool. Google Analytics is a measurement service that enables customers of the Second Respondent to measure traffic characteristics. This includes measuring the traffic of visitors who visit a specific website. This allows tracking the behavior of website visitors and measuring how they interact with a specific website. Specifically, a website owner can create a Google Analytics account to view reports about the website using a dashboard. Similarly, Google Analytics can be used to measure and optimize the effectiveness of advertising campaigns that website owners run on Google ad services.
both the terms of use and the SDK have been approved. Neither is that


Google Analytics 4 version implemented, the data sharing setting has been activated. the
There are two versions of Google Analytics: a free version and a paid version called Google Analytics 360. In any case, the free version was made available by the second respondent until the end of April 2021. Since the end of April 2021, both Google Analytics versions have been provided by Google Ireland Limited.  


Code was embedded with the anonymization function. The second respondent will only
Evaluation of evidence regarding C.3: The findings made are based on the second respondent's statement of April 9, 2021 (p. 3 as well as questions 1 and 2) and were not disputed by the complainant in this respect.  
used as a processor. The Respondent gave the instructions via the


Settings in the Google Analytics user interface and via the global website tag. Google
C.4 The first respondent - as the website operator - in any case made the decision on the cut-off date of August 14, 2020 to use the free version of the Google Analytics tool for the website www.[REDACTED]at. For this purpose, it has incorporated a JavaScript code ("tag") provided by the second respondent into the source code of its website. The first respondent used the tool to enable general statistical analyses of the behavior of website visitors. The additional tool Google Signals was not activated.


Signals are not used. The first respondent did not have her own
In any case, these evaluations are used by the first respondent to present the content of the website www.[REDACTED]at according to the general interest in the topic in such a way that the channels that are most in demand are given priority and the presentation can be adjusted according to the topicality of a specific topic. The first respondent created a Google Analytics account for this purpose. The Google Analytics account ID with the account name [REDACTED] is [REDACTED]. The first respondent can perform the above analyses by logging into the [REDACTED] Google Analytics account and viewing reports on traffic from www.[REDACTED]at in the dashboard. The reports are divided into the categories real-time, target group, acquisition, behavior and conversions. The first respondent can select user-defined defaults for the report generation; the second respondent has no influence on this. The Second Respondent also has no influence on the extent to which the First Respondent subsequently uses the reports created.


Authentication system and don't use any user ID function either. Currently one does not support oneself
The dashboard is excerpted as follows (formatting not reproduced 1:1):
to the exception of Art. 49 Para. 1 GDPR.


[REDACTED]


A.6. With an opinion of 5 May 2021, the complainant brought the
Evaluation of evidence regarding C.4: The findings made are based on the submission of the first respondent dated December 16, 2020 and were not disputed by the complainant. The screenshots cited were taken from Exhibits ./1 and ./10; the presentation of the reporting version is set out in detail in Exhibit ./1.


Second respondent of April 9, 2021 summarized the following:
C.5 The Google Analytics tool works as follows: When visitors view the website www.[REDACTED]at, JavaScript code inserted in the source code of the website refers to a JavaScript file previously downloaded to the user's device, which then performs the tracking operation for Google Analytics. The tracking operation retrieves data about the page request by various means and sends this information to the Analytics server via a list of parameters attached to a single pixel GIF image request.


The data collected using Google Analytics on behalf of the website operator comes from the following sources:


The complaint is directed against the first and second respondents. Google Ireland Limited is
- The user's HTTP request;
not party to the proceedings. The data protection authority is direct for the second respondent
- Browser/system information;
- (first-party) cookies.


responsible for violating Art. 44 ff GDPR. The Second Respondent was said to be
An HTTP request for any website contains details about the browser and computer making the request, such as host name, browser type, referrer, and language. In addition, the browser DOM interface (the interface between HTML and dynamic JavaScript) provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. Google Analytics uses this information. Google Analytics also sets and reads first-party cookies on a user's browsers that allow it to measure user session and other information from the page request.


Processor standard addressee of Chapter V GDPR. The second Respondent also asserts
When all of this information is collected, it is sent to the Analytics servers in the form of a long list of parameters sent to a single GIF image request (the meaning of the GIF request parameters is described here) to the google-analytics.com domain. The data contained in the GIF request is that which is sent to the Analytics servers and then further processed, ending up in the website operator's reports.


Dispute that all data collected by Google Analytics would be hosted in the United States.
On the secondary respondent's information page on the Google Analytics tool, the following information can be found in excerpts (formatting not reproduced 1:1, retrieved on December 22, 2021):


At least some of the cookies set when you visited the website on August 14, 2020 would be
[begin screenshot]


contain unique user identification numbers. In the transaction between the browser of the
gtag.js and analytics.js (Universal Analytics) - cookie usage


Complainant and https://tracking.XXX.at, which was started on the stated date,
The analytics.js JavaScript library or the gtag.js JavaScript library can be used for Universal Analytics. In both cases, the libraries use first-party cookies to:
the user identification numbers "_gads", _ "ga" and "_gid" were set. These numbers


were subsequently transmitted to https://www.google-analytics.com/. It is with the
- Distinguish unique users
- Throttle the request rate


Numbers around "online identifiers" that were used to identify natural persons and a
When using the recommended JavaScript snippet cookies are set at the highest possible domain level. For example, if your website address is blog.example.co.uk , analytics.js and gtag.js will set the cookie domain to .example.co.uk. Setting cookies on the highest level domain possible allows measurement to occur across subdomains without any extra configuration.


Users would be specifically assigned. With regard to the IP address, it should be noted that
* Note: gtag.js and analytics.js do not require setting cookies to transmit data to Google Analytics.
Chapter V GDPR does not provide for any exceptions for "subsequently anonymized data". Let it be


assume that the complainant's IP address is not even used in all transactions
gtag.js and analytics.js set the following cookies:


had been anonymized. The application for the imposition of a fine is withdrawn, this is
Cookie Name        | Default expiration time | Description
now a suggestion.
-------------------|-------------------------|--------------------------------------
_ga                | 2 years                | Used to distinguish users.


_gid              | 24 hours                | Used to distinguish users.


A.7. In a statement dated June 10, 2021, the second respondent summarized
_gat              | 1 minute                | Used to throttle request rate. If Google
                                              Analytics is deployed via Google Tag
                                              Manager, this cookie will be named
                                              _dc_gtm_<property-id>.
   


The following before: - 6 -
AMP_TOKEN          | 30 seconds to 1 year    | Contains a token that can be used to
                                              retrieve a Client ID from AMP Client ID
                                              service. Other possible values indicate
                                              opt-out, inflight request or an error
                                              retrieving a Client ID from AMP Client
                                              ID service.


_gac_<property-id> | 90 days                | Contains campaign related information
                                              for the user. If you have linked your
                                              Google Analytics and Google Ads accounts,
                                              Google Ads website conversion tags will
                                              read this cookie unless you opt-out.
                                              Learn more.


The complainant's legitimacy to act was not established because it had not been proven
[end screenshot]
that the data transmitted are personal data of the complainant.


The cookies in question are first-party cookies that are stored under the domain XXX.at
Evaluation of evidence regarding C.5: The findings made are based on the second respondent's statement of April 9, 2021 (question 2) and an official search by the data protection authority at https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage and https://developers.google.com/analytics/devguides/collection/gtagjs/cookies-user-id (both retrieved on December 22, 2021).


had been set. They are therefore cookies of the first and not of the
C.6 The First and Second Respondents entered into a contract entitled "Order Processing Terms and Conditions for Google Advertising Products". This contract was valid in the version of August 12, 2020 at least on August 14, 2020. The contract governs order processing conditions for "Google advertising products". It applies to the provision of order processing services and related technical support services for customers of the second respondent. The aforementioned contract in the version dated August 12, 2020 (Exhibit ./7) shall form the basis for the findings of fact.
Second respondent. Accordingly, these are not unique Google Analytics cookie IDs


per user that would be used on multiple websites using Google Analytics. One user
In addition, on August 12, 2020, the First and Second Respondents entered into a second contract entitled "Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors." These are standard contractual clauses for international data traffic. The above-mentioned second contract in the version dated August 12, 2020 (Exhibit ./11) also forms the basis for the findings of fact.


have different cid numbers for different websites. It is not stated that the
With regard to the data categories listed in Annex 1 of the second contract, reference is made to the link https://privacy.google.com/businesses/adsservices/. Under the aforementioned link, the following is displayed in excerpts (red emphasis on the part of the data protection authority, formatting not reproduced 1:1, retrieved on December 22, 2021)


numbers would make the complainant identifiable. The submission
[begin screenshot]
contains further technical information on the cookies used at this point. With regard


the IP address is to be checked whether the IP address of the device connected to the Internet is actually
Order data processing terms and conditions:


to be assigned to the complainant and whether the responsible person or "another person" the
Order processing services
have legal means to receive subscriber information from the provider in question.


The following Google services fall within the scope of the Google Advertising Products Order Data Processing Terms:


As a processor, the second respondent provided the website operator with numerous
- Ads Data Hub
- Audience Partner API (formerly known as DoubleClick Data Platform)
- Campaign Manager 360 (former name: Campaign Manager)
- Display & Video 360 (former name: DoubleClick Bid Manager)
- Advanced Conversions
- Google Ads Manager order processing capabilities
- Googel Ads Manager 360 order processor features
- Google Ads customer matching
- Google Ads store sales (direct upload)
- Google Analytics
- Google Analytics 360
- Google Analytics for Firebase
- Google Data Studio
- Google Optimize
- Google Optimize 360
- Google Tag Manager
- Google Tag Manager 360
- Google Search Ads 360 (former name: DoubleClick Search)
Google may update this list in accordance with the terms of the Google Advertising Products Order Processing Terms.


Configuration options from Google Analytics are available. Based on the received
Types of personal data


Information should be noted that the First Respondent configured Google Analytics in this way
With respect to the Google Advertising Products Order Data Processing Terms (and depending on which processor services are used under each agreement), the following types of Personal Data may constitute Customer Personal Data.
got as stated. The First Respondent had a possible configuration error


the IP anonymization function is not activated in all cases. Under normal operating conditions and
Processor Services | Types of Personal Data |
-----------------------------------------------------------------------|-------------------------------------|
Ads Data Hub                                              | Online identifiers (including cookie identifiers),
                                                            Internet Protocol addresses and device identifiers,
                                                            customer-assigned identifiers


as far as users based in the EU are concerned, a web server is located in the EEA, which is why the IP
Audience Partner API (formerly DoubleClick Data Platform) | Online identifiers (including cookie identifiers)
                                                            and device identifiers


Anonymization is generally carried out within the EEA. In the present case they are normal
Campaign Manager 360 (formerly Campaign Manager)          | Online identifiers (including cookie identifiers),
Operating conditions exist.
                                                            Internet Protocol addresses and device identifiers,
                                                            precise location data, client-assigned identifiers


Display & Video 360                                      | Online identifiers (including cookie identifiers),
                                                            Internet Protocol addresses and device identifiers,
                                                            precise location data, customer-assigned identifiers


On August 14, 2020 the account XXX.XXX@gmail.com has the web & app activities
Advanced Conversions                                      | Names, email addresses, phone numbers, addresses,
                                                            customer-provided identifiers, online identifiers
                                                            (including internet protocol addresses)


Setting activated. However, the account did not choose website activity
Google Ad Manager Order Processor Features                | Encrypted Signals
include those who used Google services. As the first respondent stated that it was


also did not activate Google signals, the second respondent was therefore not in a position to
Google Ad Manager 360 Order Processor Features            | Encrypted Signals


determine that the user of the account XXX.XXX@gmail.com has visited this website.
Google Ads Customer Matching                              | Names, Email Addresses, Addresses and
                                                            Partner-Provided Identifiers


Google Ads store sales (direct upload)                    | names, email addresses, phone numbers and addresses


With regard to international data traffic, it should be noted that - even assuming
Google Analytics                                          | Online identifiers (including cookie identifiers),
that it concerns personal data of the complainant - these by their nature im
                                                            Internet Protocol addresses and device identifiers,
                                                            customer-provided identifiers


Are limited in terms of quantity and quality. As far as the transmitted data is at all as
Google Analytics 360                                      | Online identifiers (including cookie identifiers),
                                                            Internet Protocol addresses and device identifiers,
                                                            customer-assigned identifiers


personal data are to be qualified, it would also be pseudonymous data.
[end screenshot]


Standard contractual clauses were also concluded with the respondent
In addition to concluding standard contractual clauses, the second respondent has implemented further contractual, organizational and technical measures. These measures supplement the obligations contained in the standard contractual clauses. The measures are described in the Second Respondent's comments of April 9, 2021, Question 28. This description is used as the basis for the findings of fact.
supplementary measures have been implemented. The second respondent did not submit any
 
User data according to EO 12333 open. FISA § 702 is in the present case in view of the
 
Encryption and anonymization of IP addresses are irrelevant. Art. 44 ff GDPR could
not be the subject of a complaint procedure according to Art. 77 Para. 1 GDPR, which is why the
 
The complaint is to be rejected in this regard. The Art. 44 ff GDPR are with regard to the
 
Second respondent as data importer also not applicable. - 7 -
 
 
A.8. In statements of June 18 and 24, 2021, the first respondent submitted the following, in summary:

As part of an asset deal, the website www.XXX.at was transferred to XXX GmbH in Munich on February 1, 2021. Subsequently, the first respondent was renamed from XXX.at GmbH to XXX GmbH. In addition, the first respondent instructed the second respondent to delete the data collected in the Google Analytics properties immediately. The configuration error related to the IP anonymization function has been fixed. In the meantime, the second respondent has confirmed the final deletion of all data, which was presented as evidence in an enclosure. It is suggested to discontinue the procedure in accordance with Section 24 (6) DSG.


A.9. In statements of July 9, 2021, the second respondent submitted the following, in summary:

In the opinion of the European Data Protection Board (EDSA), an adequacy assessment is not limited to examining the legal provisions of the third country, but must also take into account all specific circumstances of the transfer in question. This is relevant for the present case. The pseudonymization is here - in line with the EDSA guidelines - an effective supplementary measure. It is not expected that US authorities have additional information enabling them to identify the data subjects behind the first-party cookie values "gid" and "cid" or behind an IP address. The complainant also did not request a declaration that his rights had been violated in the past.


A.10. In statements of July 9, 2021, the complainant submitted the following, in summary:

There is a processing of personal data, which is proven, among other things, by the submitted enclosures. If in the end the only prerequisite for the identification of a website visitor is whether he makes certain declarations of intent in his account (such as the activation of "Ad personalization"), all possibilities of identifiability would be present for the second respondent. Otherwise, the second respondent could not match the wishes for "personalization" of the advertising information received that a user expresses via the account settings.

The UUID (Universally Unique Identifier) in the _gid cookie with the UNIX timestamp 1597223478 corresponds to Wednesday, August 12, 2020 at 11:11 and 18 seconds CET, the one in the cid cookie with the UNIX timestamp 1597394734 to Friday, August 14, 2020 at 10:45 and 34 seconds CET. It follows that these cookies were in use before the visit to which the complaint relates and that longer-term tracking has taken place. To the best of his knowledge, the complainant had neither deleted these cookies immediately nor visited the XXX.at website repeatedly.

The second respondent misjudges the broad understanding of the GDPR when assessing the presence of personal data. The specific IP address used can also no longer be identified by the complainant. However, this is irrelevant because the UUID in the cookies in any case has a clear personal reference. In particular, the combination of cookie data and IP address allows tracking and the evaluation of the geographic location, internet connection and context of the visitor, which can be linked to the cookie data already described. In addition, data such as the browser used, the screen resolution or the operating system ("device fingerprinting") would also be included.
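As an added illustration (not part of the decision and not Google's code) of what the cookie identifiers quoted under C.5 and the timestamps discussed in the complainant's statement reveal, the following Python script parses the _ga and _gid values of a constructed Cookie header, recovers the creation time of each identifier and checks whether it predates the visit in question. The value layout GA1.<depth>.<random>.<unix-timestamp> and the fixed UTC+2 summer-time offset for Vienna are assumptions.

```python
"""Audit helper: what Google Analytics first-party cookies reveal.

Constructed example for the cookie table quoted under C.5 (_ga, _gid, _gat)
and for the complainant's timestamp argument. Assumptions, not taken from the
decision: the value layout "GA1.<depth>.<random>.<unix-timestamp>" documented
for analytics.js/gtag.js, and Vienna summer time as a fixed UTC+2 offset so
the script needs no system time-zone database.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Optional

# Assumption: Vienna is on summer time (CEST, UTC+2) in August.
VIENNA_SUMMER = timezone(timedelta(hours=2), "CEST")

# Cut-off date of the visit examined in the decision (August 14, 2020).
VISIT_DAY = date(2020, 8, 14)


@dataclass(frozen=True)
class GaIdentifier:
    cookie: str          # cookie name, "_ga" or "_gid"
    client_id: str       # "<random>.<timestamp>", the "cid" the parties argue about
    created_utc: datetime

    def created_local(self) -> datetime:
        return self.created_utc.astimezone(VIENNA_SUMMER)


def parse_ga_cookie(name: str, value: str) -> Optional[GaIdentifier]:
    """Parse one _ga/_gid value; return None if it does not match the assumed layout."""
    parts = value.split(".")
    if len(parts) != 4 or parts[0] != "GA1":
        return None
    depth, rand, ts = parts[1], parts[2], parts[3]
    if not (depth.isdigit() and rand.isdigit() and ts.isdigit()):
        return None
    # The last field is the Unix time at which the identifier was minted.
    created = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return GaIdentifier(name, f"{rand}.{ts}", created)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw Cookie request header into name -> value."""
    cookies: Dict[str, str] = {}
    for item in header.split(";"):
        if "=" in item:
            key, val = item.strip().split("=", 1)
            cookies[key] = val
    return cookies


def analytics_identifiers(header: str) -> Dict[str, GaIdentifier]:
    """Return the identifier-bearing Analytics cookies found in a Cookie header.
    _gat only throttles the request rate and carries no identifier, so it is skipped."""
    cookies = parse_cookie_header(header)
    found: Dict[str, GaIdentifier] = {}
    for name in ("_ga", "_gid"):
        if name in cookies:
            ident = parse_ga_cookie(name, cookies[name])
            if ident is not None:
                found[name] = ident
    return found


def report(header: str, visit_day: date) -> Dict[str, dict]:
    """For each identifier: its value, local creation time, and whether it was
    minted on an earlier day than the visit (i.e. carried over from a prior session)."""
    out: Dict[str, dict] = {}
    for name, ident in analytics_identifiers(header).items():
        local = ident.created_local()
        out[name] = {
            "client_id": ident.client_id,
            "created_local": local.strftime("%Y-%m-%d %H:%M:%S %Z"),
            "predates_visit": local.date() < visit_day,
        }
    return out


# Constructed Cookie header as a browser would send it to the site; the two
# timestamps are the ones quoted in the complainant's statement, the random
# parts are made up.
SAMPLE_COOKIE_HEADER = (
    "_ga=GA1.2.1234567890.1597394734; "
    "_gid=GA1.2.987654321.1597223478; "
    "_gat=1"
)

if __name__ == "__main__":
    for name, info in report(SAMPLE_COOKIE_HEADER, VISIT_DAY).items():
        print(name, info)
```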
 
 
In the context of the complaint, it is more relevant that US authorities are easy for secret services in particular
discoverable data, such as the IP address, as a starting point for monitoring
 
Individuals would use. It is the standard practice of secret services to get away from you
 
Date to “go on” to others. When the complainant's computer keeps coming back
If the IP address of NOYB appears on the Internet, this can be used to facilitate the work of the
 
To spy out the NOYB association and to target the complainant. In another
 
Step would then look for other identifiers in the data, such as the UUIDs mentioned, what
 
in turn, an identification of the individual person for monitoring in other places
enable. In this context, US intelligence services are “different
 
Person "within the meaning of recital 26 GDPR. The complainant does not only work for
 
NOYB, but also had a relevant role as a model complainant in these efforts.
According to US law, this would mean that the complainant would be monitored in accordance with 50 USC § 1881a (also
 
as of all other persons entrusted with this complaint) legally possible at any time. Even at
 
the application of the supposed “risk-based approach” is the case at hand
 
Prime example of high risk.
 
The email address XXX.XXX@gmail.com should be assigned to the complainant, who was up to
 
had the surname "XXX" during a marriage. The old Google account will, however
 
still used. It is not explained to what extent the undisputed data are linked,
 
evaluated or the result of an evaluation is just not displayed to the user.
 
In addition, Chapter V GDPR does not know a "risk-based approach". This can only be found in
 
certain articles of the GDPR, such as in Art. 32 leg.cit. The new standard contractual clauses in
 
Implementing decision (EU) 2021/914 are not applicable to the matter due to lack of temporal validity
 
relevant. A "transfer" is not a unilateral act by a data exporter, every "transfer"
also request receipt of the data. Accordingly, Chapter V of the GDPR is also applicable to the - 9 -
 
 
Second Respondent applicable, it was a matter of joint action by
Data exporter and importer.
 
 
Even if the second respondent did not violate Art. 44 ff GDPR, they are
 
Provisions according to Art. 28 Para. 3 lit. a and Art. 29 GDPR as "standard rules"
 
consider. If the Second Respondent provides a corresponding instruction from a US
Secret service consequence, he makes the decision to transfer personal data about the
 
specific order of the first respondent in accordance with Art. 28 and Art. 29 GDPR and the
 
to process the corresponding contractual documents. This becomes the
Second respondent according to Art. 28 Para. 10 GDPR himself as the person responsible. Consequently
 
In particular, the second respondent was also entitled to the provisions of Art. 5 ff GDPR
 
follow. A secret data transfer to US secret services according to US law is without
 
Doubt not compatible with Art. 5 Para. 1 lit. f GDPR, Art. 5 Para. 1 lit. a GDPR and Art. 6 GDPR.
 
A.9. With the last statement dated August 12, 2021, the second respondent brought
 
summarized the following:
 
 
The complainant had not shown his active legitimation to lodge a complaint. He
 
did not have any questions raised by the second respondent about the identifiability of his
Person answered based on the IP address. Regarding the _gid number and cid number, let
 
to record that there was no directory in order to identify the complainant
 
close. The fact that in Recital 26 GDPR the "segregation" as a possible means of
Identification should be mentioned, but does not change the understanding of the words "identify" or
 
"Identification" or "Identifiability".
 
 
The identifiability of the complainant presupposes at least that his identification on
 
Basis of the present data and with means is possible at the general discretion
would likely be used. This has not been established and cannot and is not assumed
 
on the contrary, even improbable, if not impossible. Also the fact that the
 
Second Respondent has concluded processor agreements does not mean
that the data that are the subject of this procedure are personal data
 
act, nor that it concerns the complainant's data.
 
 
The complainant's view that the data transfer was not according to a risk-based
 
Approach to be assessed (“all-or-nothing”) is not to be followed. This is not in line with the
GDPR and be in recital 20 of the implementation decision (EU) 2021/914 of the European
 
To see commission. This is also due to the different versions of the
 
EDSA recommendation 01/2020 recognizable. Even if you have access to the above numbers
 
is possible “legally at any time” by US authorities, it should be checked how likely this is. the
The complainants had not put forward any convincing arguments as to why or how the - 10 -
 
 
"Cookie data" in connection with his visit to a publicly available, and by many
used Austrian website such as the "Foreign Intelligence Information" in question
 
and thus could become the goal of the purpose-restricted data collection according to § 702.
 
 
B. Subject matter of the complaint

Based on the complainant's submission, it can be seen that the subject of the complaint is at least the question

    - whether the first respondent, by implementing the Google Analytics tool on its website www.XXX.at, forwarded the complainant's personal data to the second respondent and,
    - whether an appropriate level of protection was guaranteed for this data transfer in accordance with Art. 44 GDPR.

In this context, it must also be clarified whether, in addition to the first respondent (as data exporter), the second respondent (as data importer) was also obliged to comply with Art. 44 GDPR.

The application that an immediate ban on the transmission of data to the second respondent now be imposed on the first respondent (as controller) is not to be discussed because, as will be explained below, the responsibility for the operation of the website www.XXX.at passed to XXX GmbH based in Munich in the course of the complaint procedure (but only after the transmission of the data relevant to the complaint). Regarding the imposition of such a ban, the data protection authority would have to refer the case to the competent German supervisory authority.

Likewise, the application for the imposition of a fine is not to be discussed, as it was withdrawn in the statement of May 5, 2021 and is now to be understood as a suggestion.

Finally, it should be noted that the present partial decision does not deal with the alleged violations by the second respondent under Art. 5 ff in conjunction with Art. 28 Para. 3 lit. a and Art. 29 GDPR. In this regard, further procedural steps are necessary, and this will be decided in a further decision.
 
C. Factual Findings

C.1. In any case, on August 14, 2020 the first respondent was the operator of the website www.XXX.at. The Austrian version of "XXX" is an information portal on the subject of health. The website www.XXX.at is offered in German only. The first respondent did not operate any other versions of the website www.XXX.at in the EU. The first respondent is also based only in Austria and has no further branches in other EU countries. For Germany there is a German version of "XXX" at www.XXX.de, which, however, was not operated by the first respondent.

Assessment of evidence re C.1.: The findings made are based on the first respondent's statement of December 16, 2020 (questions 1 to 3) and were not disputed by the complainant.

C.2. On February 1, 2021, the website www.XXX.at was transferred to XXX GmbH based in Munich. Subsequently, the first respondent was renamed from XXX.at GmbH to XXX GmbH. The first respondent supervised the website www.XXX.at for XXX GmbH until August 2021. Since August 2021 the first respondent has no longer been the operator of www.XXX.at and no longer decides whether the Google Analytics tool is used.

Assessment of evidence re C.2.: The findings are based on the first respondent's statement of June 18, 2021 and were not disputed by the complainant. In addition, the findings are based on official research by the data protection authority in the commercial register for Zl. FN 186415 s.

C.3. The second respondent developed the Google Analytics tool. Google Analytics is a measurement service that enables customers of the second respondent to measure traffic characteristics. This includes measuring the traffic of visitors who visit a specific website. This allows the behavior of website visitors to be traced and the way they interact with a specific website to be measured. Specifically, a website operator creates a Google Analytics account and uses a dashboard to view reports on the website. Likewise, the effectiveness of advertising campaigns that website owners run on Google Ad Services can be measured and optimized.

There are two versions of Google Analytics: a free version and a paid version called Google Analytics 360. The free version was made available by the second respondent at least until the end of April 2021. Since the end of April 2021, both Google Analytics versions have been provided by Google Ireland Limited.

Assessment of evidence re C.3.: The findings made are based on the second respondent's statement of April 9, 2021 (p. 3 and questions 1 and 2) and were not disputed by the complainant.

C.4. As website operator, the first respondent decided, at least as of August 14, 2020, to use the free version of the Google Analytics tool for the website www.XXX.at. For this purpose, it built a JavaScript code ("tag") provided by the second respondent into the source code of its website. The first respondent used the tool to enable general statistical evaluations of website visitor behavior. The additional tool Google Signals was not activated.

In any case, the first respondent uses these evaluations to present the content of the website www.XXX.at in accordance with the general interest in the topic, so that the channels in highest demand are placed in the foreground and the presentation can be adapted depending on the topicality of a specific topic.

For this purpose the first respondent set up a Google Analytics account. The Google Analytics account ID with the account name "XXX" is 259349. The first respondent can view the above evaluations by logging into the "XXX" Google Analytics account and viewing reports on the traffic from www.XXX.at in the dashboard. Reports are divided into the categories real-time, audience, acquisition, behavior and conversions. The first respondent can select custom reporting settings over which the second respondent has no influence. The second respondent also has no influence on the extent to which the first respondent subsequently uses the reports prepared.

The dashboard is designed as follows (formatting not reproduced 1:1):

[Screenshots of the Google Analytics dashboard not reproduced in this translation]
Assessment of evidence re C.4.: The findings made are based on the first respondent's submission of December 16, 2020 and were not disputed by the complainant. The above screenshots were taken from enclosures ./1 and ./10; a detailed description of the reporting process is given in enclosure ./1.

C.5. The Google Analytics tool works as follows: When visitors visit the website www.XXX.at, the JavaScript code inserted in the source code of the website refers to a JavaScript file that is downloaded to the user's device, which then carries out the tracking operation for Google Analytics. The tracking operation retrieves data about the page request by various means and sends this information to the Analytics server as a list of parameters attached to a single-pixel GIF image request.

The data that are collected using Google Analytics on behalf of the website operator come from the following sources:

    - the user's HTTP request;
    - browser / system information;
    - (first-party) cookies.

The HTTP request for each website contains details about the browser and computer making the request, such as host name, browser type, referrer and language. In addition, the browser's DOM interface (the interface between HTML and dynamic JavaScript) provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. Google Analytics uses this information. Google Analytics also sets and reads first-party cookies in the user's browser, which enable the user's session and other information from the page request to be measured.

When all this information has been collected, it is sent to the Analytics server in the form of a long list of parameters attached to a single GIF image request (the meaning of the GIF request parameters is described here) to the domain google-analytics.com. The data contained in the GIF request are those that are sent to the Analytics server, then further processed and end up in the reports of the website operator.

The following information can be found on the second respondent's information page on the Google Analytics tool (formatting not reproduced 1:1, retrieved on December 22, 2021):

[Excerpt from the Google Analytics information page not reproduced in this translation]
Assessment of evidence re C.5.: The findings are based on the second respondent's statement of April 9, 2021 (question 2) as well as official research by the data protection authority at https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage and https://developers.google.com/analytics/devguides/collection/gtagjs/cookies-user-id (both retrieved on December 22, 2021).

C.6. The first and second respondents have concluded a contract entitled "Processor conditions for Google advertising products". This contract, in the version of August 12, 2020, was valid at least on August 14, 2020. The contract regulates processor conditions for "Google advertising products". It applies to the provision of processing services and related technical support services for customers of the second respondent. The aforementioned contract in the version of August 12, 2020 (enclosure ./7) is used as the basis for the factual findings.

In addition, the first and second respondents concluded a second contract on August 12, 2020 entitled "Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors". These are standard contractual clauses for international data transfers. The aforementioned second contract in the version of August 12, 2020 (enclosure ./11) is also used as the basis for the factual findings.

With regard to the data categories listed in Annex 1 of the second contract, the link https://privacy.google.com/businesses/adsservices/ is referenced. Under the link mentioned, the following is displayed in extracts (highlighted in red by the data protection authority, formatting not reproduced 1:1, retrieved on December 22, 2021):

[Excerpt from https://privacy.google.com/businesses/adsservices/ not reproduced in this translation]
In addition to concluding the standard contractual clauses, the second respondent has implemented additional contractual, organizational and technical measures. These measures supplement the obligations contained in the standard contractual clauses. The measures are described in the second respondent's statement of April 9, 2021, question 28. This description is used as the basis for the factual findings.

The second respondent regularly publishes so-called transparency reports ("Transparency Reports") on data requests from US authorities. These are available at:

https://transparencyreport.google.com/user-data/us-national-security?hl=en

Assessment of evidence re C.6.: The findings made are based on the first respondent's statement of December 16, 2020, question 15. The cited enclosures ./7 and ./11 are included in the file and are known to all parties. Furthermore, the findings are based on official research by the data protection authority at https://privacy.google.com/businesses/adsservices/ (retrieved on December 22, 2021). The findings with regard to the "additionally implemented measures" result from the second respondent's statement of April 9, 2021 (question 28). The second respondent's statement of April 9, 2021 is included in the file and is known to all parties. The finding with regard to the transparency reports results from official research by the data protection authority at https://transparencyreport.google.com/user-data/us-national-security?hl=en (retrieved on December 22, 2021).

C.7. In the course of using the Google Analytics tool, the option to use an "IP anonymization function" is offered. In any case, this function was not implemented correctly on www.XXX.at on August 14, 2020.

Assessment of evidence re C.7.: The findings made are based on the first respondent's statement of June 18, 2021, in which it admits that the aforementioned "IP anonymization function" was not implemented properly due to a code error.

C.8. The complainant visited the website www.XXX.at at least on August 14, 2020, at 10:45 a.m. During the visit, he was logged into his Google account, which is linked to the email address XXX.XXX@gmail.com. The email address belongs to the complainant. The complainant had the last name "XXX" in the past.

A Google account is a user account that is used for authentication with the second respondent's various Google online services. For example, a Google account is a prerequisite for using services such as "Gmail" or "Google Drive" (a file hosting service).

Assessment of evidence re C.8.: The findings are based on the complainant's submission of August 18, 2020 (p. 3) and were not disputed by the respondents. The findings made with regard to the basic functions of a Google account are based on official research by the data protection authority at https://support.google.com/accounts/answer/27441?hl=de and https://policies.google.com/privacy (both retrieved on December 22, 2021).
C.9. In the transaction between the complainant's browser and https://tracking.XXX.at/, unique user identification numbers were set at least in the cookies "_ga" and "_gid" on August 14, 2020, at 12:46:19.344 CET. Subsequently, on August 14, 2020, at 12:46:19.948 CET, these identification numbers were transmitted to https://www.google-analytics.com/ and thus to the second respondent.

Specifically, the following user identification numbers located in the complainant's browser were transmitted to the second respondent (identical values that occurred in different transactions are color-coded orange and green):

[begin screenshot]
Domain                             Name    Value                                                                 Purpose
https://tracking.XXX.at/           _ga     GA1.2.1284433117.1597223478                                           Google Analytics
https://tracking.XXX.at/           _gid    GA1.2.929316258.1597394734                                            Google Analytics
https://tracking.XXX.at/           _gads   ID=D7767ed5b074d05:T=1597223569:S=ALNI_MZcJ9EjC13lsaY1Sn8Qu5ovyKMhPw  Google Advertising
https://www.google-analytics.com/  _gid    929316258.1597394734                                                  Google Analytics
https://www.google-analytics.com/  cid     1284433117.1597223478                                                 Google Analytics
[end screenshot]

These identification numbers each contain a UNIX timestamp at the end, which indicates when the respective cookie was set. The _gid cookie with the UNIX timestamp "1597394734" was set on Wednesday, August 14, 2020, at 11:11 and 18 seconds CET, and the cid cookie with the UNIX timestamp "1597223478" on Friday, August 12, 2020, at 10:45 and 34 seconds CET.

With the help of these identification numbers, it is possible for the respondents to distinguish website visitors and also to obtain the information whether it is a new or a returning visitor to www.XXX.at.

In addition, the following information (parameters) was in any case also transmitted to the second respondent via the complainant's browser in the course of requests to https://www.google-analytics.com/collect (excerpt from the HAR file, request URL https://www.google-analytics.com/collect, excerpt of the request with timestamp 2020-08-14T10:46:19.924+02:00):

General
    - Request URL: https://www.google-analytics.com/collect
    - Request Method: GET
    - HTTP Version: HTTP/2
    - Remote Address: 172.217.23.14

Headers
    - Accept: image/webp,*/*
    - Accept-Encoding: gzip, deflate, br
    - Accept-Language: en-US,de;q=0.7,en;q=0.3
    - Connection: keep-alive
    - Host: www.google-analytics.com
    - Referer: https://www.XXX.at/
    - TE: Trailers
    - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0

Query Arguments
    - _gid: 929316258.1597394734
    - _s: 1
    - _u: QACAAEAB~
    - _v: j83
    - a: 443943525
    - cid: 1284433117.1597223478
    - de: UTF-8
    - dl: https://www.XXX.at/
    - dt: XXX.at homepage - your independent health portal
    - ea: /
    - ec: scroll depth
    - el: 25
    - gjid:
    - gtm: 2wg871PHBM94Q
    - je: 0
    - jid:
    - ni: 0
    - sd: 24-bit
    - sr: 1280x1024
    - t: event
    - tid: UA-259349-1
    - ul: en-us
    - v: 1
    - vp: 1263x882
    - z: 1764878454

Size
    - Headers: 677 bytes
    - Body: 0 bytes
    - Total: 677 bytes

From these parameters, conclusions can be drawn about the browser used, the browser settings, language selection, the website visited, the color depth, the screen resolution and the AdSense linking number.

The remote address 172.217.23.14 is that of the second respondent.

The IP address of the complainant's device is transmitted to the second respondent as part of these requests to https://www.google-analytics.com/collect.

The content of the HAR file (enclosure ./4), which the complainant submitted with the submission of August 18, 2020, is used as the basis for the factual findings.

Assessment of evidence re C.9.: The findings are based on the complainant's submission of August 18, 2020 and the HAR file submitted therein, enclosure ./4. A HAR file is an archive format for HTTP transactions. The HAR file was reviewed by the data protection authority. The complainant's submission is consistent with the archived data contained therein. The HAR file submitted (or its content) is known to the parties. In addition, the findings are based on the complainant's statement of May 5, 2021 (p. 8 ff) and the screenshots contained therein. As already stated above, according to the second respondent, the purpose of the identification numbers is to distinguish users. The times determined for when the cookies were set are calculated from the respective UNIX timestamps. Unix time is a time definition developed for the Unix operating system and established as a POSIX standard. Unix time counts the seconds elapsed since Thursday, January 1, 1970, 00:00 UTC. The finding with regard to the remote address results from an official Who-Is query by the data protection authority at https://who.is/whois-ip/ip-address/172.217.23.14 (retrieved on December 22, 2021).
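To make the identifier chain described in C.9 checkable, the following added example (not part of the decision, nor Google's code) parses the two first-party cookie values and the /collect query string shown above, converts the trailing UNIX timestamps to Austrian summer time (UTC+2), and reports which cookie values reappear as the cid and _gid parameters sent to google-analytics.com. The cookie values and query parameters are constructed to mirror the ones quoted in the decision, the site hostname stays redacted as www.XXX.at, and the function names are the example's own.

```python
# Added example: re-derives the C.9 findings from constructed sample data that
# mirrors the cookie values and /collect parameters quoted in the decision.
# Function names (parse_ga_cookie, forwarded_identifiers, device_profile) are
# this example's own, not an API of Google Analytics.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: first-party cookies set by tracking.XXX.at (C.9 table).
SAMPLE_COOKIES = {
    "_ga": "GA1.2.1284433117.1597223478",
    "_gid": "GA1.2.929316258.1597394734",
}

# Constructed sample: the /collect request rebuilt from the query arguments
# listed in the HAR excerpt (hostname kept redacted as www.XXX.at).
SAMPLE_COLLECT_URL = (
    "https://www.google-analytics.com/collect"
    "?v=1&_v=j83&a=443943525&t=event&_s=1"
    "&dl=https%3A%2F%2Fwww.XXX.at%2F&ul=en-us&de=UTF-8"
    "&dt=XXX.at+homepage&sd=24-bit&sr=1280x1024&vp=1263x882"
    "&je=0&ec=scroll+depth&ea=%2F&el=25&_u=QACAAEAB~&jid=&gjid="
    "&cid=1284433117.1597223478&tid=UA-259349-1"
    "&_gid=929316258.1597394734&z=1764878454"
)

# Austrian summer time (UTC+2); the decision quotes local times for August.
CEST = timezone(timedelta(hours=2), "CEST")


def _query_params(url: str) -> dict:
    """Return the query string as {name: first value}, keeping empty values
    such as jid= and gjid= that appear in the HAR excerpt."""
    parts = urlsplit(url)
    if parts.hostname != "www.google-analytics.com" or parts.path != "/collect":
        raise ValueError("not a Google Analytics /collect request")
    return {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def parse_ga_cookie(value: str) -> dict:
    """Split a cookie value of the form GA1.<domain depth>.<random>.<unix ts>.

    The last two fields together form the identifier that later travels to
    google-analytics.com as the cid / _gid parameter; the final field is the
    UNIX timestamp of when the cookie was set.
    """
    fields = value.split(".")
    if len(fields) != 4 or fields[0] != "GA1" or not fields[3].isdigit():
        raise ValueError(f"not a GA1 cookie value: {value!r}")
    return {
        "domain_depth": int(fields[1]),
        "identifier": f"{fields[2]}.{fields[3]}",
        "set_at": datetime.fromtimestamp(int(fields[3]), tz=CEST),
    }


def forwarded_identifiers(cookies: dict, collect_url: str) -> dict:
    """Map each first-party cookie to the /collect parameter carrying its value.

    Returns {cookie name: parameter name} for every cookie whose identifier
    is found among the query arguments of the request to the Analytics server.
    """
    params = _query_params(collect_url)
    matches = {}
    for name, value in cookies.items():
        ident = parse_ga_cookie(value)["identifier"]
        for param, param_value in params.items():
            if param_value == ident:
                matches[name] = param
    return matches


def device_profile(collect_url: str) -> dict:
    """Pick out the parameters the decision says reveal browser and device
    characteristics, plus the property id, which embeds the GA account number."""
    params = _query_params(collect_url)
    labels = {"ul": "language", "de": "encoding", "sd": "color_depth",
              "sr": "screen", "vp": "viewport", "je": "java_enabled",
              "dl": "page", "tid": "property_id"}
    profile = {label: params[k] for k, label in labels.items() if k in params}
    # tid has the form UA-<account>-<property>; C.4 gives the account as 259349
    profile["account_id"] = params["tid"].split("-")[1]
    return profile


if __name__ == "__main__":
    for name, raw in SAMPLE_COOKIES.items():
        info = parse_ga_cookie(raw)
        print(f"{name}: id={info['identifier']} set {info['set_at']:%A %Y-%m-%d %H:%M:%S %Z}")
    print("forwarded:", forwarded_identifiers(SAMPLE_COOKIES, SAMPLE_COLLECT_URL))
    print("profile:", device_profile(SAMPLE_COLLECT_URL))
```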
 
 
C.10. To the extent that the Google Analytics tool is implemented on a website, the second respondent has the technical possibility to obtain the information that a certain Google account user has visited this website (on which Google Analytics is implemented), provided that this Google account user is logged into the Google account during the visit.

Assessment of evidence re C.10.: In its statement of April 9, 2021, the second respondent argued in question 9 that it only receives such information if certain requirements are met, such as the activation of specific settings in the Google account. In the opinion of the data protection authority, this argument is not convincing. If the request of a Google account user for "personalization" of the advertising information received can be complied with on the basis of a declaration of intent in the account, then from a purely technical point of view it is possible to receive the information about the website visited by the Google account user. In this context, explicit reference must be made to accountability under data protection law, which will be discussed in more detail in the legal assessment. For the determination of the facts, this accountability means that the respondents (or in any case the first respondent as controller) - and not the complainant or the data protection authority - must provide sufficient evidence. Such sufficient evidence - i.e. that from a technical point of view there is no possibility for the second respondent to receive the data - was not provided in this context, especially since it is precisely an essential part of the Google Analytics concept to be implemented on as many websites as possible in order to be able to collect data.

C.11. In the course of the proceedings, the first respondent instructed the second respondent to delete all data collected via the Google Analytics properties for the website www.XXX.at. The second respondent confirmed the deletion.

Assessment of evidence re C.11.: The findings are based on the first respondent's statements of June 18 and June 24, 2021 as well as the submitted copy of the correspondence between the first and second respondents.
 
D. From a legal point of view, it follows:
 
 
D.1. General
 
a) To the competence of the data protection authority
 
 
The European Data Protection Board (hereinafter: EDPB) has already dealt with the relationship between
 
GDPR and Directive 2002/58 / EC ("e-Data Protection Directive") dealt with (cf.
 
Opinion 5/2019 on the interaction between the e-Data Protection Directive and the GDPR from
March 12, 2019).
 
 
With a decision of November 30, 2018, the data protection authority
 
Zl. DSB-D122.931 / 0003-DSB / 2018, with the relationship between GDPR and the national
 
Implementation provision (in Austria now: TKG 2021, Federal Law Gazette I No. 190/2021 as amended)
dealt with.
 
 
It was basically stated that the e-Data Protection Directive (or the respective national
 
Implementation provision) of the GDPR acts as a lex specialis. Art. 95 GDPR stipulates that the
 
Regulation natural or legal persons in relation to processing in connection with
the provision of publicly available electronic communication services in public
 
Communication networks in the Union do not impose any additional obligations insofar as they are specific in
 
of the e-Data Protection Directive are subject to obligations that pursue the same goal. - 23 -
 


In the e-Data Protection Directive, however, there are no obligations within the meaning of Chapter V of the GDPR for the
The IP address of the complainant's device is transmitted to the second respondent as part of these requests to https://www.google-analytics.com/collect.
Case of the transfer of personal data to third countries or to international ones


Organizations.
The content of the HAR file (Exhibit ./4), which was submitted by the complainant in its submission of August 18, 2020, will form the basis for the findings of fact.  


Evaluation of evidence regarding C.9: The findings made are based on the complainant's submission of August 18, 2020 and the HAR file, Annex ./4, submitted therein. A HAR file is an archive format for HTTP transactions. The HAR file was reviewed by the data protection authority. The complainant's submission is consistent with the archive data contained therein. The HAR file submitted (or its contents) is known to the parties involved. Furthermore, the findings made are based on the complainant's statement of May 5, 2021 (p. 8 ff) and the screenshots contained therein. As already stated above, according to the second respondent, the purpose of the identification numbers is to distinguish users. The established times of cookie setting are calculated from the respective UNIX time stamps. Unix time is a time definition developed for the Unix operating system and established as a POSIX standard. Unix time counts the elapsed seconds since 00:00 UTC on Thursday, January 1, 1970. The determination with regard to the RemoteAddress results from an official Who-Is query of the data protection authority at https://who.is/whois-ip/ip-address/172.217.23.14 (queried on December 22, 2021).


It should be noted at this point again that the responsibility for the operation of the website
C.10. To the extent that the Google Analytics tool is implemented on a website, the Second Respondent has the technical possibility to obtain the information that a certain Google Account user has visited this website (on which Google Analytics is implemented), provided that this Google Account user is logged into the Google Account during the visit.


www.XXX.at only after the complaint-relevant data has been transmitted on August 14, 2020 to a
Evaluation of evidence regarding C.10.: In his statement of April 9, 2021, the second respondent argued in question 9 that he only receives such information if certain requirements are met, such as the activation of specific settings in the Google account. In the opinion of the data protection authority, this argument is not convincing. Indeed, if the request of a Google account user for "personalization" of the advertising information received can be complied with on the basis of a declaration of intent in the account, then from a purely technical point of view it is possible to receive the information about the website visited by the Google account user. In this context, explicit reference must be made to the accountability under data protection law, which will be discussed in more detail in the context of the legal assessment. For the determination of the facts, this accountability under data protection law means that the respondent (or, in any case, the first respondent as the responsible party) - and not the complainant or the data protection authority - must provide sufficient proof. Such sufficient proof - i.e., that from a technical point of view there is no possibility for the second respondent to obtain data - was not provided in this context, especially since it is precisely an essential part of the concept of Google Analytics to be implemented on as many websites as possible in order to be able to collect data.
German society has passed over.


C.11. In the course of the proceedings, the first respondent instructed the second respondent to delete all data collected via Google Analytics Properties for the website www.[REDACTED]at. The respondent to the second complaint confirmed the deletion.


Against this background, the GDPR is applicable and still exists for such data transmission
Evaluation of evidence regarding C.11.: The findings made are based on the statement of the first respondent dated June 18 and June 24, 2021, as well as the submitted copy of the correspondence between the first and second respondents.


thus a competence of the data protection authority to handle the complaint in question
D. In legal terms, it follows that:
according to Art. 77 Para. 1 GDPR.


D.1 General


b) On Art. 44 GDPR as a subjective right
a) On the competence of the data protection authority


The European Data Protection Board (hereinafter: EDPB) has already addressed the relationship between the GDPR and Directive 2002/58/EC ("ePrivacy Directive") (see Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR of March 12, 2019).


The data protection authority, in its decision of November 30, 2018, GZ DSB-D122.931/0003-DSB/2018, also dealt with the relationship between the GDPR and the national implementing provision (in Austria now: TKG 2021, BGBl. I No. 190/2021 as amended).


It was basically stated that the ePrivacy Directive (or the respective national implementation provision) takes precedence over the GDPR as lex specialis. Thus, Art. 95 GDPR states that the Regulation does not impose any additional obligations on natural or legal persons with regard to processing in connection with the provision of publicly available electronic communications services in public communications networks in the Union, insofar as they are subject to specific obligations set forth in the ePrivacy Directive which pursue the same objective.  


However, the ePrivacy Directive does not contain any obligations within the meaning of Chapter V of the GDPR in case of transfer of personal data to third countries or to international organizations.


It should be noted again at this point that the responsibility for operating the website www.[REDACTED]at was only transferred to a German company after the data transfer relevant to the complaint took place on August 14, 2020.


Against this background, the GDPR applies to such a data transfer and the data protection authority is therefore competent to deal with the complaint in question pursuant to Art. 77 (1) GDPR.


b) Regarding Art. 44 GDPR as a subjective right


Based on the previous practice of the data protection authority and the courts, it should be noted that both the lawfulness of data processing pursuant to Art. 5(1)(a) in conjunction with Art. 6 et seq. of the GDPR and the data subject rights postulated in Chapter III of the Regulation can be asserted as a subjective right in the context of a complaint pursuant to Art. 77(1) of the GDPR.


The transfer of personal data to a third country that does not (allegedly) ensure an adequate level of protection within the meaning of Art. 44 GDPR has not yet been the subject of a complaint in the context of a complaint procedure before the data protection authority.


In this context, it should be noted that Art. 77(1) GDPR (and, incidentally, also the national provision of Section 24(1) DSG) only requires, for the right to lodge a complaint to be exercised, that "[...] the processing of personal data relating to them infringes this Regulation".


In its judgment of July 16, 2020, the ECJ also assumed that the finding that "[...] the law and practice of a country do not ensure an adequate level of protection [...]" as well as "[...] the compatibility of this (adequacy) decision with the protection of privacy and the freedoms and fundamental rights of individuals [...]" can be asserted as a subjective right in the context of a complaint under Art. 77(1) GDPR (see the judgment of the ECJ of July 16, 2020, C-311/18, para. 158).
While it should be noted that the question referred in the aforementioned proceedings did not concern the "scope of the right to lodge a complaint under Art. 77(1) GDPR", the ECJ obviously considered it a necessary prerequisite that a breach of the provisions of Chapter V GDPR can also be invoked in the context of a complaint under Art. 77(1) GDPR. Had it taken a different view, the ECJ would probably have stated that the question of the validity of an adequacy decision cannot be clarified at all in the context of complaint proceedings.


As far as the second respondent furthermore denies the assertion of Art. 44 GDPR as a subjective right - with reference to the wording of recital 141 leg.cit. - it must be countered that the aforementioned recital is linked to the fact that the "rights under this Regulation" are accessible to a complaint under Article 77(1) of the GDPR (and not, for example, "the rights under Chapter III of this Regulation").


Although the term "rights of a data subject" is used in certain places in the GDPR, this does not mean by implication that other norms in which this wording is not chosen cannot also be invoked as a subjective right. Most of the provisions of the GDPR are, on the one hand, an obligation of the controller (and partly of the processor), but on the other hand, they can also be asserted as a subjective right of a data subject. For example, it is undisputed that Art. 13 and Art. 14 GDPR establish a subjective right to information, although the right to information is not defined in Art. 12 para. 2 leg. cit. as "their rights" (i.e., "rights of the data subject") and Art. 13 and Art. 14 GDPR are designed according to the wording as an information obligation of the controller.


The decisive factor is whether a data subject's individual legal position is affected by an alleged infringement. The alleged infringement must therefore have a negative impact on the data subject and affect him or her.
Apart from that, while the recitals are an important tool for interpreting the GDPR, they cannot be used to reach a result that is inconsistent with the text of the regulation (here, as stated above, the fact that the administrative remedy is generally linked to "the processing") (cf. the judgment of the ECJ of 12 May 2005, C-444/03 para. 25 and the further case law cited there).


Finally, also according to the national case law of the Administrative Court, it is to be assumed in case of doubt that norms which prescribe an official procedure also and especially in the interest of the person concerned grant him a subjective right, i.e. a right which can be enforced by way of appeal (cf. e.g. VwSlg. 9151 A/1976, 10.129 A/1980, 13.411 A/1991, 13.985 A/1994).


Against the background of the wording of Art. 77 (1) GDPR and the cited case law of the ECJ and the Administrative Court, it must be noted as an interim result that the obligation for controllers and processors to ensure the level of protection for natural persons guaranteed by the Regulation, which is standardized in Chapter V and in particular in Art. 44 GDPR, can conversely also be asserted as a subjective right before the competent supervisory authority pursuant to Art. 77 (1) GDPR.


c) The declaratory competence of the data protection authority


According to the case law of the VwGH and the BVwG, the data protection authority has a declaratory competence with regard to violations of the right to secrecy in appeal proceedings (thus explicitly the ruling of the BVwG of May 20, 2021, Zl. W214 222 6349-1/12E; implicitly the finding of the Administrative Court of February 23, 2021, Ra 2019/04/0054, in which the Administrative Court dealt with the determination of a past violation of the obligation to maintain secrecy without addressing the lack of competence of the authority against which the complaint was filed).


There are no factual reasons not to use the declaratory competence pursuant to Art. 58(6) GDPR in conjunction with Section 24(2)(5) and (5) DSG also for the determination of a violation of Art. 44 GDPR, since in the case at hand, among other things, a violation of the law in the past - namely a data transfer to the USA - is complained of, and the right to lodge a complaint pursuant to Section 24(1) DSG - as well as Art. 77(1) GDPR - is generally linked to a violation of the GDPR. Indeed, if the operative part of a decision in complaint proceedings could exclusively contain orders pursuant to Art. 58(2) GDPR, there would be no room for Section 24(2)(5) and Section 24(5) DSG as a result.
Contrary to the view of the respondents, Section 24(6) DSG is not applicable to the subject matter of the complaint relevant here, since the complaint concerns a data transfer in the past. In other words, the alleged unlawfulness (here: incompatibility with Art. 44 GDPR) of a data transfer that has already been completed is not amenable to a conclusion of the proceedings pursuant to Section 24(6) DSG.


Against the background of the above, it can be stated as a further interim result that the data protection authority has the competence to make a determination in the present appeal proceedings.


D.2. ruling point 1


As stated, the data protection authority suspended the proceedings in question by decision of October 2, 2020, Zl. D155.027, 2020-0.527.385, until it is determined which authority is responsible for the substantive conduct of the proceedings (lead supervisory authority) or until a decision is made by a lead supervisory authority or the EDPB.


Based on the current investigation results, it must be noted that there is no cross-border data processing within the meaning of Article 4(23) in conjunction with Article 56(1) of the GDPR with regard to the subject matter of the complaint - a data transfer to the USA in August 2020 - and the "one-stop shop" mechanism pursuant to Article 60 of the GDPR therefore does not apply to it:


Thus, according to the first respondent's own statements (cf. statement of December 16, 2020, question 2), the first respondent is neither established in more than one Member State (data processing within the meaning of Art. 4(23)(a) GDPR in the context of the activities of establishments in more than one Member State can therefore not exist), nor does the data transfer and thus the processing of personal data of the first respondent have a significant impact on data subjects in more than one Member State (Art. 4(23)(b) leg. cit.).


With regard to the effects of the data processing in question, it is clear from the findings of fact that the target audience of the www.[REDACTED]at website relevant here is (primarily) persons resident in Austria, also because there is a separate version for the German audience in the form of the www.[REDACTED]de website. According to the information provided by the first respondent (cf. the statement of December 16, 2020, question 2), the latter was (at least in August 2020) only responsible for the Austrian version of www.[REDACTED]at.
The theoretical possibility that German-speaking persons from a Member State other than Austria can access www.[REDACTED]at does not establish an "impact on data subjects in more than one Member State" under Article 4(23)(b) of the GDPR. If it did, any complaint against the operator of a website - regardless of the intended target audience of the website - would have to be dealt with in accordance with the rules under Art. 60 et seq. of the GDPR. This would lead to an overly broad interpretation of Article 4(23)(b) of the GDPR (and consequently to an overly broad scope of application of the "one-stop shop"), which - in the opinion of the data protection authority - cannot be intended by the legislator.


Consequently, with regard to the subject matter of the complaint relevant here, the complaint was to be dealt with exclusively by the Austrian data protection authority pursuant to Art. 55(1) GDPR.


Since ex officio decisions from which no right has accrued to anyone can be revoked or amended both by the authority that issued the decision and by the relevant higher authority in the exercise of its supervisory right, and since no right to a non-decision accrues to a party to the proceedings as a result of a stay of proceedings, the above-mentioned decision of October 2, 2020 was amenable to a remedy pursuant to Section 68 (2) AVG.
D.2. ruling point 2. a)


a) General information on the term "personal data"


The material scope of application of Art. 2 (1) GDPR - and thus the success of this complaint - fundamentally presupposes that "personal data" are processed.  


According to the legal definition of Article 4(1) of the GDPR, "personal data means any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".


As can be seen from the findings of fact (see point C.9.), the first respondent - as operator of the website - implemented the Google Analytics tool on its website. As a result of this implementation - i.e. triggered by the JavaScript code executed when visiting the website - at least the following information was transmitted from the browser of the complainant who visited the website www.[REDACTED]at to the servers of the second respondent:


- unique online identifiers ("unique identifiers") that identify both the complainant's browser or device and the first respondent (through the Google Analytics account ID of the first respondent as website operator);


- The address and HTML title of the website and the subpages visited by the complainant;


- Information about the browser, operating system, screen resolution, language selection and the date and time of the website visit;


- the IP address of the device used by the complainant.


It must be examined whether this information falls under the definition of Art. 4(1) GDPR, i.e. whether it is personal data of the complainant.


b) Identification numbers as "personal data".
With regard to the online identifiers, it should be recalled once again that the cookies at issue, "_ga" or "cid" (Client ID) and "_gid" (User ID), contain unique Google Analytics identifiers and were stored on the end device or in the browser of the complainant. As stated, it is possible for certain bodies - in this case, for example, the respondents - to distinguish website visitors with the aid of these identification numbers and also to obtain information as to whether they are new or returning website visitors to www.[REDACTED]at. In other words, only the use of such identification numbers makes it possible to distinguish between website visitors, which was not possible prior to this assignment.


In the opinion of the data protection authority, an interference with the fundamental right to data protection pursuant to Art. 8 of the Charter of Fundamental Rights of the EU and Section 1 DSG already exists if certain bodies take measures - in this case the assignment of such identification numbers - to individualize website visitors in this way.


A standard of "identifiability" to the effect that it must also be immediately possible to associate such identification numbers with a specific "face" of a natural person - i.e., in particular with the name of the complainant - is not required (cf. in this regard already Opinion 4/2007, WP 136, 01248/07/DE of the former Art. 29 Data Protection Working Party on the term "personal data" p. 16 f; cf. the March 2019 guidance of the supervisory authorities for telemedia providers, p. 15).


Such an interpretation is supported by Recital 26 of the GDPR, according to which, in determining whether a natural person is identifiable, account should be taken of "[...] all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly" (German language version of the Regulation: "Aussondern"; English language version: "singling out"). The term "Aussondern" is to be understood as "picking out from a crowd" (cf. https://www.duden.de/rechtschreibung/aussondern, retrieved on December 22, 2021), which corresponds to the considerations on the individualization of website visitors set out above.


In the literature, it is also explicitly argued that a "digital footprint" which allows devices - and subsequently the specific user - to be clearly individualized already constitutes personal data (cf. Karg in Simitis/Hornung/Spiecker, DSGVO Kommentar, Art. 4 Z 1 para. 52 with further references). This consideration can be applied to the case at hand due to the uniqueness of the identification numbers, especially since - as will be discussed in more detail below - these identification numbers can also be combined with other elements.


To the extent that the respondents argue that no "means" are used to link the identification numbers at issue here with the person of the complainant, it must again be countered that the implementation of Google Analytics on www.[REDACTED]at results in singling out within the meaning of Recital 26 of the GDPR. In other words: anyone who uses a tool that makes such singling out possible in the first place cannot take the position that no means "reasonably likely to be used" are employed to make natural persons identifiable.
 
 


As an interim result, it must therefore be noted that the Google Analytics identification numbers at issue here may constitute personal data (in the form of an online identifier) pursuant to Article 4(1) of the GDPR.


c) Combination with other elements


The fulfillment of Article 4(1) of the GDPR becomes even more apparent if one considers that the identification numbers can be combined with other elements:
By combining all of these elements - i.e., unique identification numbers and the other information listed above, such as browser data or IP address - it is all the more likely that the complainant can be identified (see again Recital 30 of the GDPR). The complainant's "digital footprint" is made even more unique by such a combination.


In this regard, the respondents' arguments around the "anonymization function of the IP address" can be left aside, as the respondents have admitted that this function was not implemented correctly (at the time subject to the complaint) (see, for example, the first respondent's statement of 18 June 2021).


Likewise, the question of whether an IP address in isolation is personal data can be left open, since - as mentioned - it can be combined with other elements (in particular the Google Analytics identification number). In this context, it should be noted that according to the case law of the ECJ, the IP address can constitute personal data (cf. the judgments of the ECJ of June 17, 2021, C-597/19, para. 102, as well as of October 19, 2016, C-582/14, para. 49) and does not lose its characteristic as personal data merely because the means of identifiability lie with a third party.
 
 


Finally, the data protection authority points out that it is precisely an essential part of the concept of Google Analytics (at least in the free version) to be implemented on as many websites as possible in order to collect information about website visitors. Accordingly, it would be incompatible with the fundamental right to data protection under Article 8 EU-GRC or Section 1 DSG to exclude the applicability of the GDPR to the data processing operations related to the Google Analytics tool - where individual website visitors are individualized on the basis of the Google Analytics identification number.


d) Traceability to the complainant


Irrespective of the above considerations, however, traceability to the "face" of the complainant - such as his or her name - must be assumed in any case:


It is not necessary that the respondents can establish a personal reference on their own, i.e. that all information required for identification is with them (cf. the ECJ judgments of December 20, 2017, C-434/16, para. 31, as well as of October 19, 2016, C-582/14, para. 43). Rather, it is sufficient that anyone - with legally permissible means and reasonable effort - can establish this personal reference (see Bergauer in Jahnel, DSGVO Kommentar Art. 4 Z 1 Rz 20 mVa Albrecht/Jotzo, Das neue Datenschutzrecht der EU 58).


Such an interpretation of the scope of application of Art. 4(1) GDPR can be derived - in addition to the cited sources of law and literature - from Recital 26 GDPR, according to which not only the means of the controller (here: the first respondent) are to be taken into account in the question of identifiability, but also those of "another person" (English language version of the Regulation: "by another person"). This also follows from the idea of offering data subjects the greatest possible protection of their data.


Thus, the ECJ has repeatedly stated that the scope of application of the GDPR is to be understood "very broadly" (see, for example, the judgments of the ECJ of June 22, 2021, C-439/19, para 61; for the legal situation comparable in this respect, the judgments of December 20, 2017, C-434/16, para 33, as well as of May 7, 2009, C-553/07, para 59).


It is not overlooked that according to Recital 26 of the GDPR, the "likelihood" of anyone using means to directly or indirectly identify natural persons must also be taken into account. In fact, in the opinion of the data protection authority, the term "anyone" - and thus the scope of application of Art. 4 No. 1 GDPR - should not be interpreted so broadly that any unknown actor could theoretically have special knowledge in order to establish a reference to a person; this would lead to almost any information falling within the scope of application of the GDPR and a demarcation from non-personal data would become difficult or even impossible.
Rather, the decisive factor is whether an identifiability can be established with a justifiable and reasonable effort (cf. in this regard the decision of December 5, 2018, GZ DSB-D123.270/0009-DSB/2018, according to which personal data are not - anymore - present if the controller or a third party can only establish a personal reference with a disproportionate effort).


there are (from a technical point of view) all possibilities for identifiability. With others
In the case at hand, however, there are now certain actors who possess special knowledge that makes it possible to establish a reference to the complainant in the sense of the above statements and therefore to identify him.
Consideration could be the secondary respondent as expressed in the account settings


No wish of a user to “personalize” the advertising information received
First of all, this is the second respondent:


correspond.
As can be seen from the findings of fact, the complainant was logged in with his Google account [REDACTED] at the time he visited the website www.[REDACTED]at. The second respondent has stated that due to the fact that the Google Analytics tool is implemented on a website, the latter receives information. This includes the information that a certain Google Account user has visited a certain website (see the opinion of April 9, 2021, question 9).  


This means that the second respondent has at least received the information that the Google account user [REDACTED] has visited the website www.[REDACTED]at.


Thus, even if one takes the view that the online identifiers listed above must be assignable to a certain "face", such an assignment can in any case be made via the complainant's Google Account.
Not to be overlooked are the further statements of the second respondent that for such an allocation certain requirements have to be fulfilled, such as the activation of specific settings in the Google account (cf. again its statement of April 9, 2021, question 9).


However, if - and this has been convincingly explained by the complainant - the identifiability of a website visitor depends only on whether certain declarations of intent are made in the account, all possibilities for identifiability are present (from a technical point of view). Viewed otherwise, the second respondent could not comply with a user's wishes expressed in the account settings for "personalization" of the advertising information received.


In this context, it is necessary to explicitly refer to the unambiguous wording of Article 4(1) of the GDPR, which is linked to a capability ("can be identified") and not to whether an identification is ultimately also made.


Likewise, it must be expressly pointed out that the first respondent - as the responsible party, see below - has an accountability obligation under the GDPR to implement appropriate technical and organizational measures in accordance with Article 5 (2) in conjunction with Article 24 (1) in conjunction with Article 28 (1) of the GDPR in order to ensure and provide evidence that the processing (with the help of a processor) is carried out in accordance with the Regulation. This is therefore an obligation to provide evidence.


This also includes proof that a processing operation is not subject to the Regulation. Such proof was not provided - despite several opportunities to do so.


Irrespective of the second respondent, however, the U.S. authorities must be taken into account - and this is of greater relevance to the case:


As the complainant has just as correctly pointed out, intelligence services in the U.S. take certain online identifiers (such as the IP address or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.


The fact that this is not merely a "theoretical danger" is demonstrated by the judgment of the ECJ of July 16, 2020, C-311/18, which ultimately also declared the EU-US adequacy decision ("Privacy Shield") invalid due to the incompatibility of such methods and access possibilities of the US authorities with the fundamental right to data protection pursuant to Article 8 EU-GRC.
In particular, this is shown by the transparency report of the second respondent - cited in the findings of fact - which proves that there are data requests from U.S. authorities to the second respondent. In the process, metadata and content data may be requested by the Second Respondent.


It is not overlooked that it is admittedly not possible for the first respondent to check whether such accesses by US authorities occur in individual cases - i.e., per website visitor - and what information US authorities already possess; conversely, however, this circumstance cannot be held against data subjects such as the complainant. Thus, it was ultimately the first respondent as (then) website operator who - despite publication of the aforementioned ECJ ruling of July 16, 2020 - continued to use the Google Analytics tool.


As a further interim result, it must therefore be noted that the information cited in the findings of fact under C.9. (at least in combination) constitutes personal data pursuant to Art. 4 Z 1 DSGVO.


e) Allocation of roles


As already explained, the first respondent, as the website operator, made the decision to implement the "Google Analytics" tool on the website www.[REDACTED]at at the time relevant to the complaint. Specifically, it inserted a JavaScript code ("tag") provided on the part of the second respondent into the source code of its website, whereby this JavaScript code was executed in the complainant's browser when the website was visited. The first respondent has stated in this regard that the said tool is used for the purpose of statistical evaluations of the behavior of website visitors (see statement of December 16, 2020, question 2).
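The following JavaScript is an added example, not code from the decision, from the parties or from Google: it audits a website's Google Analytics snippet for the IP anonymization setting the decision refers to (the "anonymization function of the IP address") and extracts the persistent client identifier from the _ga cookie, which remains in place regardless of that setting. The tracking IDs, HTML snippets, cookie value and the simplified regex matching are assumptions constructed for this example.

```javascript
// Added example (not code from the decision, from the parties or from Google): a
// reviewer's audit of a site's Universal Analytics (UA-) snippet, as used in 2020.
// Regexes, tracking IDs, HTML and cookie values below are constructed for the example.

// --- Constructed sample 1: both trackers send the full IP address ---------------
const SAMPLE_HTML_MISCONFIGURED = `
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'UA-12345678-1');          // no anonymize_ip option at all
</script>
<script>
  ga('create', 'UA-12345678-2', 'auto');
  ga('set', 'anonymizeIp', false);          // option present but switched off
  ga('send', 'pageview');
</script>`;

// --- Constructed sample 2: the same snippet with IP anonymization requested -----
const SAMPLE_HTML_FIXED = `
<script>
  gtag('config', 'UA-12345678-1', { 'anonymize_ip': true });
</script>
<script>
  ga('create', 'UA-12345678-2', 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
</script>`;

const TRACKING_ID = /UA-\d+-\d+/g;
// gtag.js: gtag('config', '<id>', { ...options })
const GTAG_CONFIG = /gtag\(\s*['"]config['"]\s*,\s*['"](UA-\d+-\d+)['"]\s*(?:,\s*(\{[^}]*\}))?\s*\)/g;
// analytics.js: ga('create', '<id>', ...) and ga('set', 'anonymizeIp', true|false)
const GA_CREATE = /ga\(\s*['"]create['"]\s*,\s*['"](UA-\d+-\d+)['"]/g;
const GA_SET_ANON = /ga\(\s*['"]set['"]\s*,\s*['"]anonymizeIp['"]\s*,\s*(true|false)\s*\)/g;

// Returns { '<tracking id>': { library, anonymizeIp } } for every tracking ID found.
// A tracking ID without a recognised, affirmative setting is reported as NOT
// anonymized: that is the safe reading for a reviewer, and it matches the
// decision's point that the function must actually be implemented correctly.
function auditIpAnonymization(html) {
  const report = {};
  for (const m of html.matchAll(GTAG_CONFIG)) {
    const [, id, options = ''] = m;
    report[id] = {
      library: 'gtag.js',
      anonymizeIp: /['"]?anonymize_ip['"]?\s*:\s*true/.test(options),
    };
  }
  // Simplification: ga('set', ...) is taken to apply to every tracker created
  // with ga('create', ...); the last call wins. Named trackers are not modelled.
  let gaFlag = false;
  for (const m of html.matchAll(GA_SET_ANON)) gaFlag = m[1] === 'true';
  for (const m of html.matchAll(GA_CREATE)) {
    report[m[1]] = { library: 'analytics.js', anonymizeIp: gaFlag };
  }
  for (const id of new Set(html.match(TRACKING_ID) || [])) {
    if (!(id in report)) report[id] = { library: 'unknown', anonymizeIp: false };
  }
  return report;
}

// The _ga cookie written by analytics.js has the form GA1.<depth>.<random>.<first
// visit timestamp>; "<random>.<timestamp>" is the persistent client ID, i.e. the
// kind of unique identification number the decision discusses. IP anonymization
// does not touch it, and it can be combined with IP address and browser data.
function parseGaClientId(cookieHeader) {
  const m = /(?:^|;\s*)_ga=GA1\.(\d+)\.(\d+)\.(\d+)/.exec(cookieHeader);
  if (!m) return null;
  return {
    domainDepth: Number(m[1]),
    clientId: `${m[2]}.${m[3]}`,
    firstVisit: new Date(Number(m[3]) * 1000).toISOString(),
  };
}

// Constructed Cookie header as a browser would send it to the website.
const SAMPLE_COOKIE =
  'PHPSESSID=constructed; _ga=GA1.2.1234567890.1597746000; _gid=GA1.2.9876543210.1597746000';

// Human-readable summary, one line per tracking ID.
function summarize(report) {
  return Object.entries(report).map(
    ([id, r]) => `${id} (${r.library}): IP anonymization ${r.anonymizeIp ? 'requested' : 'NOT requested'}`
  );
}

console.log(summarize(auditIpAnonymization(SAMPLE_HTML_MISCONFIGURED)).join('\n'));
console.log(summarize(auditIpAnonymization(SAMPLE_HTML_FIXED)).join('\n'));
console.log(parseGaClientId(SAMPLE_COOKIE));
```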


In this way, the first respondent has decided on the "purposes and means" of the data processing in connection with the tool, which is why it is (in any case) to be regarded as a controller within the meaning of Article 4(7) of the GDPR.


As far as the second respondent is concerned, it should be noted that the subject matter of the complaint relevant here relates (only) to the transfer of data to the second respondent in the USA. A possible further data processing of the information cited in the findings of fact under C.9. (by Google Ireland Limited or the second respondent) is not the subject of the complaint and was therefore not addressed.


As far as the data processing in connection with the Google Analytics tool is concerned, it should be noted that the second respondent merely makes this tool available and also has no influence on whether and to what extent the first respondent makes use of the tool functions and which specific settings it selects.


Insofar as the second respondent therefore only provides Google Analytics (as a service), it has no influence on the "purposes and means" of the data processing and is therefore to be qualified as a processor in accordance with Article 4(8) of the GDPR.


These considerations are made without prejudice to a further official review procedure pursuant to Art. 58 (1) b of the GDPR and without prejudice to the data protection role of the second respondent with regard to possible further data processing.
D.3. Ruling point 2. b)


a) Scope of application of Chapter V of the GDPR


First, it must be verified whether the first respondent is subject to the obligations standardized in Chapter V of the Regulation.


According to Article 44 of the GDPR, any "[...] transfer of personal data already processed or to be processed after their transfer to a third country or an international organization [...] shall only be allowed if the controller and processor comply with the conditions laid down in this chapter and also with the other provisions of this Regulation, including any onward transfer of personal data from the third country or international organization concerned to another third country or international organization. All the provisions of this chapter shall be applied to ensure that the level of protection afforded to natural persons by this Regulation is not undermined."
In "Guidelines 5/2021 on the relationship between the scope of Art. 3 and the requirements for international data flows under Chapter V of the GDPR" (currently still in public consultation), the EDPB has identified three cumulative conditions for when a "transfer to a third country or an international organization" as defined in Art. 44 of the GDPR exists (ibid. para. 7):


- the controller or a processor is subject to the GDPR for the processing in question;


- that controller or processor ("data exporter") discloses, by transmission or otherwise, personal data which are the subject of that processing to another controller, joint controller or processor ("data importer");


- the Data Importer is located in a third country or is an international organization, whether or not such Data Importer is subject to the GDPR with respect to the Processing in question pursuant to Article 3.
The first respondent is based in Austria and was the data controller for the operation of the website www.[REDACTED]at at the time subject to the complaint. In addition, the first respondent (as data exporter) disclosed personal data of the complainant by proactively implementing the Google Analytics tool on its website www.[REDACTED]at and as a direct result of this implementation, among other things, a data transfer to the second respondent (to the USA) took place. Finally, the Second Respondent, in its capacity as a processor (and data importer), is located in the United States.


Since all the conditions set forth in the EDPB Guidelines are met, the first respondent is subject to the provisions of Chapter V of the Regulation as a data exporter.
b) Regulatory framework of Chapter V of the GDPR


Subsequently, it is necessary to verify whether the data transfer to the USA took place in accordance with the provisions of Chapter V of the GDPR.


Chapter V of the Regulation provides three instruments to ensure the adequate level of protection required by Art. 44 GDPR for data transfers to a third country or an international organization:


- Adequacy Decision (Art. 45 GDPR);
- Appropriate safeguards (Art. 46 GDPR);
- Exemptions for specific cases (Art. 49 GDPR).  


c) Adequacy Decision


The ECJ has pronounced that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid (see the judgment of 16 July 2020, C-311/18 para 201 f).


The data transfer at issue therefore does not find coverage in Article 45 GDPR.


d) Appropriate safeguards


As can be seen from the findings of fact, on August 12, 2020, the respondents entered into standard data protection clauses (hereinafter: SDK) pursuant to Art. 46(2)(c) of the GDPR for the transfer of personal data to the United States ("Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors"). Specifically, at the time under appeal, the clauses in question were those in the version of the Implementing Decision of the European Commission 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries pursuant to Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5.
In the aforementioned judgment of July 16, 2020, the ECJ stated that SDKs as an instrument for international data flows are not objectionable on the merits, but the ECJ also pointed out that SDKs are by their nature a contract and, accordingly, cannot bind authorities from a third country:


"Accordingly, while there are situations in which the recipient of such a transfer can, in the light of the legal situation and practice in the third country concerned, guarantee the necessary data protection on the basis of the standard data protection clauses alone, there are also situations in which the rules contained in those clauses may not constitute a sufficient means of ensuring, in practice, the effective protection of the personal data transferred to the third country concerned. This is the case, for example, when the law of that third country allows its authorities to interfere with the rights of data subjects with respect to those data" (ibid. para. 126).
However, a more detailed analysis of the legal situation of the USA (as a third country) can be omitted here, as the ECJ has already dealt with this in the cited judgment of July 16, 2020. It came to the conclusion that the EU-US adequacy decision does not ensure an adequate level of protection for natural persons due to the relevant US law and the implementation of official surveillance programs - based, inter alia, on Section 702 of FISA and E.O. 12333 in conjunction with PPD-28 (ibid., para. 180 et seq.).


These considerations can be applied to the case at hand. Thus, it is evident that the Second Respondent qualifies as a provider of electronic communications services within the meaning of 50 U.S.Code § 1881(b)(4) and is thus subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S.Code § 1881a ("FISA 702"). Accordingly, Second Respondent has an obligation to provide personally identifiable information to U.S. authorities pursuant to 50 U.S.Code § 1881a.


As can be seen from the Second Respondent's Transparency Report, such requests are also regularly made to it by U.S. authorities (see https://transparencyreport.google.com/user-data/us-national-security?hl=en, accessed December 22, 2021).


However, if the EU-US adequacy decision has already been declared invalid due to the legal situation in the USA, it cannot be assumed that the (mere) conclusion of SDKs ensures an adequate level of protection pursuant to Art. 44 GDPR for the data transfer in question.
Against this background, the ECJ also stated in the cited judgment of July 16, 2020 that "[...] standard data protection clauses cannot, by their very nature, provide guarantees that go beyond the contractual obligation to ensure compliance with the level of protection required by Union law [...]" and that it "[...] may be necessary, depending on the situation prevailing in a particular third country, for the controller to take additional measures to ensure compliance with that level of protection" (ibid. para. 133).
 
 
As far as the second respondent is concerned, it should be noted that the relevant here
 
The subject of the complaint (only) relates to the data transfer to the second respondent in the USA
relates. A possible further data processing of the factual determinations under C.9.
 
cited information (by Google Ireland Limited or the second respondent) is not
 
Subject of the complaint and was therefore not determined in more detail in this direction. - 33 -
 
 
As for the data processing in connection with the Google Analytics tool, is
to state that the Second Respondent only makes this available and also does not
 
Has an influence on whether and to what extent the first respondent benefits from the tool functions
 
Makes use and what specific settings she chooses.
 
 
Insofar as the second respondent therefore only provides Google Analytics (as a service), takes
this has no influence on the "purposes and means" of data processing and is therefore within the meaning of Art. 4 no. 8
 
GDPR qualify as a processor on a case-by-case basis.
 
 
These considerations are without prejudice to a further official review procedure in accordance with Art. 58
Para. 1 lit.b GDPR and without prejudice to the data protection role of the second respondent
 
with a view to possible further data processing.
 
 
D.3. Ruling point 2. b)
 
 
a) Scope of Chapter V GDPR
 
 
First of all, it must be checked whether the Respondent complies with Chapter V of the Ordinance
is subject to standardized obligations.
 
 
According to Art. 44 GDPR, any "[...] transmission of personal data that is already
 
processed or after their transmission to a third country or an international organization
 
are to be processed, [...] only permitted if the controller and the processor have the
comply with the conditions laid down in this chapter and the other provisions of these
 
Regulation are complied with; this also applies to any further transmission of personal data
 
Data from the relevant third country or the relevant international organization
another third country or another international organization. All provisions of this chapter
 
are to be applied to ensure that the level of protection guaranteed by this Ordinance
 
is not undermined for natural persons. "
 
 
In its "Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR" (currently still in public consultation), the EDPB has identified three cumulative conditions for when a "transfer to a third country or an international organisation" within the meaning of Art. 44 GDPR exists (ibid. para. 7):

    - the controller or a processor is subject to the GDPR for the processing in question;

    - the controller or processor ("data exporter") discloses, by transfer or otherwise makes available, personal data that are the subject of this processing to another controller, joint controller or processor ("data importer");

    - the data importer is located in a third country or is an international organisation, irrespective of whether this data importer is subject to the GDPR pursuant to Art. 3 for the processing in question or not.
 
 
The first respondent is based in Austria and, at the time relevant to the complaint, was the controller for the operation of the website www.XXX.at. In addition, the first respondent (as data exporter) disclosed personal data of the complainant by proactively implementing the Google Analytics tool on its website www.XXX.at, and as a direct consequence of this implementation data was transferred to the second respondent (to the USA). Finally, the second respondent, in its capacity as processor (and data importer), is based in the USA.

Since all the requirements set out in the EDPB guidelines are met, the first respondent, as data exporter, must comply with the provisions of Chapter V of the Regulation.
 
 
b) Regulations of Chapter V GDPR
 
 
It must then be examined whether the data transfer to the USA took place in accordance with the requirements of Chapter V GDPR.

Chapter V of the Regulation provides three instruments to ensure the adequate level of protection required by Art. 44 GDPR for data transfers to a third country or an international organisation:

    - Adequacy decision (Art. 45 GDPR);
    - Appropriate guarantees (Art. 46 GDPR);
    - Exceptions for specific cases (Art. 49 GDPR).
 
 
c) Adequacy decision
 
 
The ECJ has ruled that the EU-US adequacy decision ("Privacy Shield") is invalid, without maintaining its effects (see the judgment of July 16, 2020, C-311/18, para. 201 f.).
 
 
The present data transfer is therefore not covered by Art. 45 GDPR.
 
 
d) Appropriate guarantees
 
 
As can be seen from the findings of fact, on August 12, 2020 the respondents concluded standard data protection clauses (hereinafter: SDK) pursuant to Art. 46(2)(c) GDPR for the transfer of personal data to the USA ("Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors"). Specifically, at the time relevant to the complaint, these were the clauses in the version of Implementing Decision 2010/87/EU of the European Commission of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5.
 
 
In the aforementioned judgment of July 16, 2020, the ECJ stated that SDK are, as an instrument for international data transfers, in principle not objectionable; however, the ECJ also noted that SDK are by their nature a contract and therefore cannot bind the authorities of a third country:

"Accordingly, there are situations in which the recipient of such a transfer, in view of the legal situation and practice in the third country concerned, can guarantee the necessary data protection solely on the basis of the standard data protection clauses, but also situations in which the provisions contained in these clauses may not be a sufficient means of ensuring, in practice, the effective protection of the personal data transferred to the third country concerned. This is the case, for example, if the law of this third country permits its authorities to interfere with the rights of the data subjects with regard to this data" (ibid. para. 126).
 
A more detailed analysis of the legal situation in the USA (as a third country) can be dispensed with at this point, as the ECJ has already dealt with it in the cited judgment of July 16, 2020. It came to the conclusion that the EU-US adequacy decision did not guarantee an adequate level of protection for natural persons, owing to the relevant US law and the implementation of governmental surveillance programmes based on Section 702 FISA and E.O. 12333 in conjunction with PPD-28 (ibid. para. 180 ff.).

These considerations can be transferred to the present case. It is thus evident that the second respondent qualifies as a provider of electronic communication services within the meaning of 50 U.S. Code § 1881(b)(4) and is therefore subject to surveillance by US intelligence services pursuant to 50 U.S. Code § 1881a ("FISA 702"). Accordingly, the second respondent is under an obligation to make personal data available to US authorities under 50 U.S. Code § 1881a.
 
 
As emerges from the second respondent's "Transparency Report", such requests are also regularly made to it by US authorities (cf. https://transparencyreport.google.com/user-data/us-national-security?hl=en, accessed on December 22, 2021).
 
 
If, however, the EU-US adequacy decision has already been declared invalid because of the legal situation in the USA, it cannot be assumed in the present case that the (mere) conclusion of SDK guarantees an adequate level of protection pursuant to Art. 44 GDPR for the data transfer at issue.
 
 
Against this background, the ECJ also stated in the cited judgment of July 16, 2020 that "[...] standard data protection clauses, by their nature, cannot offer guarantees that go beyond the contractual obligation to ensure compliance with the level of protection required by Union law [...]" and that it "[...] may be necessary, depending on the situation in a particular third country, for the controller to take additional measures to ensure compliance with this level of protection" (ibid. para. 133).
 
 
Therefore, the data transfer at issue cannot be based solely on the standard data protection clauses concluded between the respondents pursuant to Art. 46(2)(c) GDPR.


e) General information on "additional measures"


In its "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data", the EDPB has stated that, where the law of the third country impinges on the effectiveness of appropriate safeguards (such as SDK), the data exporter must either suspend the data transfer or implement additional measures ("supplementary measures") (ibid. para. 28 ff. as well as para. 52).

According to the EDPB recommendations, such "supplementary measures" within the meaning of the ECJ judgment of July 16, 2020 can be of a contractual, technical or organisational nature (ibid. para. 47):
 
 
With regard to contractual measures, it is stated that they "[...] complement and reinforce the safeguards offered by the transfer instrument and the relevant legislation in the third country to the extent that the safeguards, taking into account all the circumstances of the transfer, do not fulfil all the conditions necessary to ensure a level of protection substantially equivalent to that existing in the EU. Since contractual measures, by their nature, generally cannot bind the authorities of the third country if they are not themselves party to the contract, they must be combined with other technical and organisational measures to ensure the required level of data protection. Just because one or more of these measures has been selected and applied does not necessarily mean that it is systematically ensured that the envisaged transfer meets the requirements of Union law (ensuring a substantially equivalent level of protection)" (ibid. para. 93).


Regarding organisational measures, it is stated that they "[...] may be internal policies, organisational methods and standards that controllers and processors might apply to themselves and impose on data importers in third countries. [...] Depending on the specific circumstances of the transfer and the assessment carried out of the legal situation in the third country, organisational measures are necessary to complement the contractual and/or technical measures in order to ensure that the protection of personal data is substantially equivalent to the level of protection ensured in the EU" (ibid. para. 122).
Regarding technical measures, it is stated that these are intended to ensure that "[...] access to the transferred data by authorities in third countries does not undermine the effectiveness of the appropriate safeguards listed in Article 46 of the GDPR. Even if the access by authorities is in compliance with the law in the country of the data importer, these measures should be considered if the access by authorities goes beyond what is a necessary and proportionate measure in a democratic society. These measures aim to eliminate potentially infringing access by preventing authorities from identifying data subjects, inferring information about them, identifying them in other contexts, or linking the transferred data to other data sets held by authorities, including data on online identifiers of devices, applications, tools, and protocols used by data subjects in other contexts (ibid. para. 74).


Finally, the EDSA has stated that such "additional measures" are to be considered effective within the meaning of the judgment of 16 July 2020 only "[...] if and to the extent that the measure precisely closes the legal protection gaps identified by the data exporter in its examination of the legal situation in the third country. If it is ultimately not possible for the data exporter to achieve a substantially equivalent level of protection, it may not transfer the personal data" (ibid. para. 70).


With regard to technical measures, it is stated that these are intended to ensure that "[...]
Applied to the case at hand, this means that it must be examined whether the "additional measures taken" by the second respondent close the legal protection gaps identified in the context of the ECJ ruling of June 20, 2020 - i.e., the access and surveillance possibilities of U.S. intelligence services.  


the access of the authorities in third countries to the transmitted data the effectiveness of the data set out in Article 46
f) "Additional Measures" of the Second Respondent.
GDPR does not undermine the appropriate guarantees listed. Even if the government has access to


is in accordance with the law of the country of the data importer, these measures are to be considered
The second respondent has now implemented various measures in addition to the conclusion of the SDK (see its statement of April 9, 2021, question 28).


pull when the authority's access goes beyond what is in a democratic society
With regard to the contractual and organizational measures outlined, it is not apparent to what extent notifying the data subject of data requests (should this be permissible at all in individual cases), publishing a transparency report or a "guideline for handling government requests" are effective in the sense of the above considerations. Similarly, it is unclear to what extent "careful consideration of any data access request" is an effective measure, given that the ECJ pronounced in the aforementioned judgment of June 20, 2020 that permissible (i.e., legal under U.S. law) requests from U.S. intelligence agencies are not compatible with the fundamental right to data protection under Article 8 of the EU CFR.
is a necessary and proportionate measure. These measures aim to


Eliminate potentially infringing access by preventing the authorities from
Insofar as the technical measures are concerned, it is likewise not discernible - and was also not comprehensibly explained on the part of the respondents - to what extent the protection of communications between Google services, the protection of data in transit between data centers, the protection of communications between users and websites or an "on-site security" actually prevent or restrict the access possibilities of US intelligence services on the basis of US law.


to identify data subjects, to develop information about them, to use them in other contexts
Insofar as the second respondent subsequently refers to encryption technologies - for example, to the encryption of "data at rest" in the data centers - the EDSA's Recommendations 01/2020 must once again be countered. Indeed, it is stated there that, with respect to imported data in its possession or custody or under its control, a data importer (such as the Second Respondent) subject to 50 U.S. Code § 1881a ("FISA 702") has a direct obligation to provide access to or surrender such data. This obligation may expressly extend to the cryptographic keys without which the data cannot be read (ibid. para. 76).


to determine or to link the transmitted data with other data records held by the authorities,
As long as the second respondent has the possibility to access data in plain text, the technical measures cited cannot be considered effective in the sense of the above considerations.
including data on online IDs of the devices, applications, tools and protocols


that the data subjects have used in other contexts (ibid. margin no.74).
As a further technical measure, the second respondent argues that insofar as "[...] Google Analytics data for measurement by website owners is personal data, [...] it must be considered pseudonymous" (see its opinion of April 9, 2021, p. 26). However, this must be countered by the convincing view of the German Data Protection Conference, according to which "[...] the fact that users are made identifiable, for example via IDs or identifiers, does not constitute a pseudonymization measure within the meaning of the GDPR. Moreover, the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers to (re)identify users does not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects. This is because, unlike in cases where data is pseudonymized in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used to make the individuals distinguishable and addressable. Consequently, there is no protective effect. They are therefore not pseudonymizations within the meaning of Recital 28, which reduce the risks for the data subjects and assist data controllers and processors in complying with their data protection obligations" (cf. the March 2019 guidance of the supervisory authorities for telemedia providers, p. 15).


Furthermore, the second respondent's argument is also not to be followed because the Google Analytics identifier - as explained above - can be combined with further elements anyway and can even be associated with a Google account indisputably attributable to the complainant.


Finally, the EDPS has stated that such “additional measures” can only be considered effective
The "anonymization function of the IP address" mentioned is not relevant in relation to the case, as this was not implemented correctly - as also explained above. Apart from that, the IP address is in any case only one of many "puzzle pieces" of the complainant's digital footprint.
in the sense of the judgment of July 16, 2020 are to be considered, "[...] if and to the extent that the measure is precise


the legal protection loopholes that the data exporter closes when examining the legal situation in the third country
As a further interim result, it must therefore be noted that the "additional measures" at issue are not effective, as they do not close the legal protection gaps identified in the context of the ECJ's ruling of June 20, 2020 - i.e., the access and monitoring possibilities of U.S. intelligence services.
 
Has been established. Should the data exporter ultimately not be able to do an essentially
 
to achieve an equivalent level of protection, he may not transmit the personal data "(ibid.
70).
 
 
Applied to the present case, this means that it must be investigated whether the “additionally
 
Measures taken "by the second respondent in the context of the ECJ ruling of
 
Legal protection gaps identified on June 20, 2020 - i.e. the access and monitoring options
from US intelligence services - close.
 
 
f) "Additional Measures" by the Second Respondent
 
 
The second respondent now has various measures in addition to completing the SDK
 
implemented (see his statement of April 9, 2021, question 28).
 
With regard to the contractual and organizational measures outlined, it is not apparent
 
to what extent a notification of the data subject about data requests (this should be done on a case-by-case basis
 
be allowed at all), the publication of a transparency report or a “guideline for the
 
Dealing with Government Inquiries ”are effective for the purposes of the above considerations. It is also unclear
to what extent the "careful examination of every data access request" is an effective measure,
 
since the European Court of Justice stated in the aforementioned judgment of June 20, 2020 that permissible (i.e. according to - 38 -
 
 
US law legal) requests from US intelligence services do not interfere with the fundamental right
Data protection according to Art. 8 EU-GRC are compatible.
 
 
If the technical measures are affected, it is also not recognizable - and was on the part of the
 
Respondent also not comprehensibly explained - to what extent the protection of communication
 
between Google services, the protection of data in transit between data centers, the protection of the
Communication between users and websites or an "on-site security" the access options
 
actually prevent or prevent from US intelligence services based on US law
 
restrict.
 
Insofar as the second respondent subsequently relies on encryption technologies - such as the
 
Encryption of "data at rest" in the data centers - refers to him again
 
To oppose recommendations 01/2020 of the EDPS. There it is stated that a
 
Data importer (such as the second respondent), the 50 U.S. Code § 1881a ("FISA 702") is subject to,
with regard to the imported data in his possession or custody or under his
 
Is in control, has a direct obligation to grant access to, or has a direct obligation to provide access to it
 
to surrender. This obligation can expressly also apply to the cryptographic key
without which the data cannot be read (ibid. margin no. 76).
 
 
As long as the second respondent has the option of accessing data in plain text
 
to access, the technical measures taken cannot be considered effective within the meaning of the
 
considerations above.
 
As a further technical measure, the second respondent adds that to the extent that "[...]
 
Google Analytics data is used to measure personal data by website owners, […] them
 
should be regarded as a pseudonym ”(cf. his statement of April 9, 2021, p. 26).
 
 
However, this is countered by the convincing view of the German Data Protection Conference,
according to which "[...] the fact that the user can be identified using IDs or identifiers
 
no pseudonymization measure i. S. d. GDPR represents. Besides, it is not
 
suitable guarantees for compliance with data protection principles or for safeguarding rights
 
data subjects, if for (re) recognition of the user IP addresses, cookie IDs, advertising IDs,
Unique user IDs or other identifiers are used. Because, unlike in cases in
 
which data is pseudonymized in order to disguise or delete the identifying data,
 
IDs or identifiers are used so that the persons concerned can no longer be addressed
used to make the individual individuals distinguishable and addressable. One
 
As a result, there is no protective effect. It is therefore not a matter of pseudonymizations i. S. d.
 
Recital 28, which lower the risks for the data subjects and those responsible and the
 
Support processors in compliance with their data protection obligations "(cf. the
Guideline from the supervisory authorities for providers of telemedia from March 2019, p. 15). - 39 -
 
 
In addition, the submission of the second respondent cannot be accepted because
the Google Analytics identifier - as stated above - combined with other elements anyway
 
and even in connection with a Google account which is undisputedly attributable to the complainant
 
can be brought.
 
 
The mentioned "anonymization function of the IP address" is not relevant on a case-by-case basis, because
this - as also stated above - was not implemented correctly. Apart from that, the
 
In any case, the IP address is just one of the many “pieces of the puzzle” in the digital footprint of the
 
Complainant.
 
As a further interim result, it should be noted that the “additional
 
Measures "are not effective, since they are the ones in the framework of the judgment of the European Court of Justice of June 20, 2020
 
identified legal protection gaps - i.e. the access and monitoring options of US
 
Intelligence services - do not close.


The data transfer in question is therefore not covered by Art. 46 GDPR.
The data transfer in question is therefore not covered by Art. 46 GDPR.


D.4. bullet point 2. c)


D.4. Ruling point 2. c)
a) Regarding Art. 49 GDPR
 
 
a) On Art. 49 GDPR
 
 
According to the Respondent's own statements, the exemption under Art. 49


GDPR is not relevant for the present data transfer (see the opinion of
According to the first respondent's own statements, the exemption pursuant to Art. 49 GDPR was not relevant for the data transfer at issue (cf. the Opinion of December 16, 2020).
December 16, 2020).


Consent pursuant to Art. 49(1)(a) of the GDPR was not obtained. The data protection authority also fails to see how any other element of Art. 49 GDPR is fulfilled.


Consent in accordance with Article 49 (1) (a) GDPR was not obtained. For the
Therefore, the data transfer in question cannot be based on Art. 49 GDPR.
 
The data protection authority is also not discernible to what extent another offense under Art. 49 GDPR
should be fulfilled.
 
 
The present data transfer can therefore not be based on Art. 49 GDPR.
 


b) Result
b) Result


Since no adequate level of protection was ensured by an instrument of Chapter V of the Regulation for the data transfer at issue by the first respondent to the second respondent (in the USA), there is a violation of Art. 44 GDPR.


As for the relevant data transmission from the Respondent to the
The first respondent was (at any rate) responsible for the operation of the website www.[REDACTED]at at the time relevant to the complaint - i.e. August 14, 2020. The relevant data protection violation against Art. 44 of the GDPR is therefore attributable to the first respondent.
 
is attributable to the first respondent.
Second Respondent (in the USA) does not have an adequate level of protection through an instrument of
Chapter V of the regulation was guaranteed, there is a violation of Art. 44 GDPR.
 
 
The first respondent was (at least) at the time relevant to the complaint - i.e. on the 14th
 
August 2020 - responsible for the operation of the website www.XXX.at. The one relevant here
 
The first respondent is therefore the breach of data protection law against Art. 44 GDPR
attributable.
 
 
It was therefore to be decided according to the ruling. - 40 -
 
 
D.5. To the remedial powers
 
In the opinion of the data protection authority, the tool Google Analytics (at least in version
 
dated August 14, 2020) can therefore not be used in accordance with the requirements of Chapter V GDPR.
 
 
Since the responsibility for the operation of the website www.XXX.at during the
 
Complaint procedure (but only after August 14, 2020) to XXX GmbH based in
Munich passed and Google Analytics was still implemented at the time of the decision,
 
becomes the data protection authority with regard to the (possible) use of the remedial powers
 
refer the case to the competent German supervisory authority in accordance with Art. 58 (2) GDPR.
 
 
D.6. Ruling point 3
 
It must be checked whether the second respondent (as data importer) also complies with the requirements set out in Chapter V of the
 
Regulation is subject to standardized obligations.
 
 
Based on the above-mentioned guidelines 5/2021 of the EDPB, it should again be stated that
 
a transfer to a third country or an international organization "within the meaning of Art. 44 GDPR only then
exists if, among other things, the person responsible for the processing or the processor (data exporter)
 
by submitting or otherwise personal data that is the subject of this
 
Processing are, one other person responsible for the processing, one joint
Data controller or a processor (data importer).
 
 
In the present case, this requirement does not apply to the second respondent, as this (as
 
Data importer) does not disclose the complainant's personal data, but them
 
(only) receives. In other words: The requirements of Chapter V GDPR are from the data exporter, not
however, to be observed by the data importer.
 
 
The complainant's argument that a data transfer
 
necessarily requires a recipient and that the second respondent (at least from
 
technical view) is part of the data transmission. However, it can be countered that the
data protection responsibility for a processing operation (from a legal point of view) anyway
 
"Share", so depending on the phase of the processing process, a different degree of
 
Can give responsibility (see EDPB guidelines 7/2020 on the concept of responsible persons
and contract processors, margin no. 63 ff with further references).
 
 
A violation of Art. 44 GDPR by the second respondent is in the opinion of
 
Data protection authority therefore not before.
 
 
Overall, therefore, a decision had to be made in accordance with the ruling. - 41 -
 
 
Finally, it should be pointed out that the question of the (possible) violation of Art. 5 ff in conjunction with
Art. 28 Para. 3 lit. a and Art. 29 GDPR by the second respondent with another
 
Notification is discussed.
 
 
 
 
 
                    R E C H T S M I T T E L B E L E H R U N G
 
You can lodge a written complaint against this notification within four weeks of delivery
 
to the Federal Administrative Court. The complaint is with the data protection authority
 
bring in and must
 
- the name of the contested decision (GZ, subject)
 
- the name of the authority concerned,
 
- the reasons on which the allegation of illegality is based,
- the desire as well
 
- the information required to assess whether the complaint has been submitted in good time,
 
contain.
 
 
The data protection authority has the option to either through within two months
 
The preliminary decision on the complaint to change your decision or the complaint with the files of the
Procedure to be submitted to the Federal Administrative Court.
 
 
The complaint against this decision is subject to a fee. The fixed fee for a


the corresponding entry including attachments is 30 euros. The fee is stating the
Therefore, the decision had to be made in accordance with the ruling.  


To be paid for the purpose of use to the account of the Austrian tax office.
D.5 Remedial powers


The fee is generally to be transferred electronically using the “tax office payment” function. When
In the opinion of the data protection authority, the Google Analytics tool (at least in the version of August 14, 2020) can thus not be used in accordance with the provisions of Chapter V of the GDPR.


The recipient is to indicate the Austrian Tax Office - Special Responsibilities Office or
Since the responsibility for operating the website www. at was transferred to the GmbH with its registered office in Munich in the course of the complaint procedure (but only after August 14, 2020) and Google Analytics continued to be implemented at the time of the decision, the data protection authority will refer the case to the competent German supervisory authority with regard to the (possible) use of the remedial powers pursuant to Article 58 (2) of the GDPR.


(IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore they are
D.6 Point 3


Tax number / tax account number 10 999/9102, the tax type "EEE complaint fee", the
It is necessary to verify whether the second respondent (as data importer) is also subject to the obligations set forth in Chapter V of the Regulation.
State the date of the decision as the period and the amount.


Based on the EDSA Guidelines 5/2021 already cited above, it should be noted once again that a "transfer to a third country or an international organization" within the meaning of Article 44 GDPR only exists if, among other things, the controller or processor (data exporter) discloses personal data that are the subject of such processing to another controller, joint controller or processor (data importer) by means of transfer or otherwise.


If the e-banking system of your bank does not have the "tax office payment" function,
This requirement does not apply to the second respondent in the present case, as the second respondent (as data importer) does not disclose the personal data of the complainant, but (only) receives them. In other words, the requirements of Chapter V of the GDPR must be complied with by the data exporter, but not by the data importer.


The complainant's argument that a data transfer necessarily presupposes a recipient and that the second respondent is part of the data transfer (at least from a technical point of view) is not overlooked. However, it should be countered that data protection responsibility in a processing operation can nevertheless be "shared" (from a legal point of view), i.e., there can be a different degree of responsibility depending on the phase of the processing operation (cf. EDSA Guidelines 7/2020 on the concept of controllers and processors, para. 63 ff. mwN).


In the opinion of the data protection authority, there was therefore no violation of Article 44 of the GDPR by the second respondent.


Overall, the decision was therefore in accordance with the ruling.


Finally, it should be noted that the issue of a (possible) violation of Art. 5 ff in conjunction with Art. 28 Par. 3 lit. a and Art. 29 of the GDPR by the second respondent will be addressed in a further decision.  


LEGAL REMEDY


An appeal against this decision may be filed in writing with the Federal Administrative Court within four weeks of service. The appeal must be filed with the data protection authority and must include:

- the designation of the contested decision (GZ, subject),
- the name of the authority against which the appeal is lodged,
- the grounds on which the allegation of illegality is based,
- the request and
- the information necessary to assess whether the appeal was filed in time.


The data protection authority has the option of either amending its decision within two months by means of a preliminary decision on the complaint or submitting the complaint together with the files of the proceedings to the Federal Administrative Court.


The appeal against this decision is subject to a fee. The fixed fee for a corresponding submission including enclosures is 30 euros. The fee is to be paid to the account of the Tax Office Austria, stating the purpose of use.


The fee must always be transferred electronically using the "Tax Office Payment" function. The Tax Office Austria - Special Responsibilities Department is to be indicated or selected as the recipient (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore, the tax number/levy account number 10 999/9102, the type of levy "EEE -Appeal Fee", the date of the notice as the period and the amount are to be indicated.


If your bank's e-banking system does not have the "Finanzamt payment" function, the eps procedure in FinanzOnline can be used. An electronic transfer can only be dispensed with if no e-banking system has been used so far (even if the taxpayer has an Internet connection). In this case, the payment must be made by means of a payment order, and care must be taken to ensure that it is correctly allocated. For more information, contact the tax office and refer to the manual "Electronic Payment and Notification for Payment of Self-Assessment Taxes".


Proof of payment of the fee must be provided when filing the complaint with the DPA by means of a payment voucher to be attached to the submission or a printout showing that a payment order has been issued. If the fee is not paid or not paid in full, a notification will be sent to the competent tax office.


A timely and admissible appeal to the Federal Administrative Court has a suspensive effect. The suspensive effect may have been excluded in the ruling of the decision or may be excluded by a separate decision.


December 22, 2021
For the head of the data protection authority:
[REDACTED]
</pre>
</pre>

Revision as of 15:16, 14 January 2022

DSB (Austria) - 2021-0.586.257 (D155.027)
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(7) GDPR
Article 4(8) GDPR
Article 5 GDPR
Article 44 GDPR
Article 46(1) GDPR
Article 46(2)(c) GDPR
Article 51(1) GDPR
Article 57(1)(d) GDPR
Article 57(1)(f) GDPR
Article 77(1) GDPR
Article 80(1) GDPR
Article 93(2) GDPR
§ 18 Abs 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 24 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 22.12.2021
Published:
Fine: None
Parties: website visitor and Google user (data subject and complainant)
Austrian website provider (data exporter and respondent #1)
Google LLC (data importer and respondent #2)
National Case Number/Name: 2021-0.586.257 (D155.027)
European Case Law Identifier: unknown
Appeal: Unknown
Original Language(s): German
Original Source: noyb.eu (in DE)
Initial Contributor: n/a

The Austrian DPA held that the use of Google Analytics by an Austrian website provider led to transfers of personal data to Google LLC in the U.S. in violation of Chapter V. of the GDPR.

English Summary

Facts

Background

About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II) the NGO noyb filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S (see here and here). In order to coordinate the work of all involved DPAs, the EDPB created a special task force. The Austrian DPA (Datenschutzbehörde - DSB) now issued the first decision on one of these 101 complaints.

Website visit and data transfer to Google LLC

On 14.08.2020, the data subject visited a website on health topics hosted by an Austrian company while logged into his personal Google account. The website used Google Analytics, a tool provided by Google LLC to measure and track website use. According to the website provider and Google LLC, the website provider qualifies as controller (Article 4(7) GDPR) and Google LLC as processor (Article 4(8) GDPR) for the data processing in connection with Google Analytics. Furthermore, according to the privacy documents provided on the website or included via hyperlink, the website provider and Google LLC entered into standard contractual clauses under Article 46(2)(c) GDPR (Commission Decision 2010/87 of 05.02.2010; SCCs) as the mechanism for transfers of personal data with regard to Google Analytics.

On 18.08.2020, the data subject (represented by noyb) filed a complaint with the DSB against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents violated Articles 44 et seqq. GDPR in light of the "Schrems II" ruling by transferring his personal data to Google LLC. As Google LLC qualifies as an "electronic communication service provider" under 50 U.S. Code § 1881(b)(4), it is subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens - such as the data subject - to them.

In the course of the procedure, which took almost one and a half years and included the exchange of multiple submissions between the parties, the respondents essentially argued that even if there had been a data transfer to Google LLC in the U.S., the transferred data did not qualify as personal data under Article 4(1) GDPR as they could not be assigned to the data subject. Furthermore, the respondents argued that they had put sufficient additional measures in place in case of an actual transfer of personal data. Lastly, they brought forward the argument that Chapter V GDPR and the concluded SCCs follow a "risk based approach" and that there was a very low risk of the data subject actually having been subject to U.S. surveillance. Google LLC in particular also argued that Chapter V. GDPR only applied to the data exporter (i.e. the entity actually transferring the data to a third country) but not to Google LLC in its role as mere data importer.

Holding

On Google LLC

In its decision, the DSB mostly followed the data subject's arguments and rejected most of the objections raised by the respondents. However, with regard to Google LLC, the DSB held that Chapter V. of the GDPR only imposes legal duties on the data exporter but not on the data recipient. Consequently, the DSB dismissed the complaint against Google LLC, but declared that it will conduct an ex officio investigation and issue a separate decision on the question whether Google LLC violated Articles 5 et seqq. GDPR in connection with Article 28(3)(a) and Article 29 GDPR.

On the website provider

The DSB fully upheld the complaint with regard to the website provider. It held that:

  • the website provider had transferred the data subject's personal data to Google LLC on 14.08.2020, including user identifiers, IP address and browser parameters;
  • the SCCs concluded between the respondents do not offer an adequate level of protection, because
    • Google LLC qualifies as an "electronic communication service provider" under 50 U.S. Code § 1881(b)(4) and is subject to surveillance by US intelligence services, and
    • any additional safeguards put in place on top of the SCCs were insufficient, as they could not prevent US intelligence services from accessing the data subject's personal data;
  • the website provider could not rely on other transfer mechanisms under Chapter V. of the GDPR. Consequently, the website provider failed to provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR.

In its legal reasoning, the DSB pointed out the following aspects in particular:

  • The DSB considered itself competent under Article 55(1) GDPR. The fact that Google LLC argued that Google Analytics was allegedly provided by Google Ireland Ltd since April 2021 was not considered relevant, as the violation occurred in August 2020.
  • IP addresses and online identifiers qualify as personal data under Article 4(1) GDPR, in particular because they allow a data subject to be singled out within the meaning of recital 26 of the GDPR. It is sufficient that the data subject can be identified; an actual identification is not necessary.
  • It is irrelevant that the website provider might require additional information from Google LLC in order to identify the data subject. According to CJEU 20.12.2017, C-434/16 and 19.10.2016, C-582/14, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person.
  • The fact that Google allows users to opt in and out of personalized ads shows that Google LLC possesses all means to identify the data subject.

On the supplementary measures

Google relies on the SCCs and so-called "supplementary measures" or "technical and organizational measures", but neither respondent showed the existence of additional measures that would provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR together with the concluded SCCs. Google LLC in particular had tried to frame basic technical and organisational measures under Article 32 GDPR as "additional measures" (see submission of Google here, at page 23), which were rejected by the DSB as irrelevant in relation to US surveillance laws (see decision, page 37 and 38).

Comment

This decision is the first DPA decision following noyb's 101 complaints regarding EEA-US data transfers. The EDPB formed a "task force" on these cases to come to similar decisions in the EEA. Further decisions are expected soon. For details see here and here.

Further Resources

Share blogs or news articles here!

Barichgasse 40-42
A-1030 Wien
Tel.: +43-1-52152 302565
E-Mail: official in charge

official in charge: [REDACTED]

Case: D155.027 
2021-0.586.257

Attn.: NOYB - European Center for Digital Rights
[REDACTED]
Goldschlagstraße 172/4/3/2
1140 Wien

Data protection complaint (Art. 77 (1) GDPR)
[REDACTED]/1. [REDACTED] Verlags GmbH (formerly: [REDACTED]at GmbH), 2. Google LLC

(101 Dalmatians)

by e-delivery/email [REDACTED].

PARTIAL DECISION

ORDER

The data protection authority decides on the data protection complaint of [REDACTED] (complainant) of 18 August 2020, represented by NOYB - European Center for Digital Rights, Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, against 1) Verlags GmbH (formerly: [REDACTED]at GmbH) (first respondent), represented by [REDACTED], and 2) Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (second respondent), represented by [REDACTED], for a violation of the general principles of data transfer pursuant to Article 44 GDPR as follows:

1. the decision of the data protection authority of 2 October 2020, no. D155.027, 2020-0.527.385, is repealed.

2. the complaint against the first respondent is upheld and it is found that

a) the first respondent, as the controller, by implementing the "Google Analytics" tool on its website at www.[REDACTED]at, transmitted personal data of the complainant (these are at least unique user identification numbers, IP address and browser parameters) to the second respondent at least on August 14, 2020,

(b) the standard data protection clauses concluded by the first respondent with the second respondent do not provide an adequate level of protection pursuant to Article 44 GDPR, since

(i) the Second Respondent qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and, as such, is subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881a ("FISA 702"); and

(ii) the measures taken in addition to the standard data protection clauses set forth in item 2.(b) are not effective because they do not eliminate the possibility of surveillance and access by U.S. intelligence agencies,

c) in the present case, no other instrument pursuant to Chapter V of the GDPR can be used for the data transfer referred to in item 2.a) and the first respondent has therefore not ensured an adequate level of protection pursuant to Art. 44 GDPR for the data transfer referred to in item 2.a).

3) The complaint against the second respondent on the grounds of a violation of the general principles of data transfer pursuant to Art. 44 GDPR is dismissed.

Legal basis: Art. 4 (1), (2), (7) and (8), Art. 5, Art. 44, Art. 46 (1) and (2) (c), Art. 51 (1), Art. 57 (1) (d) and (f), Art. 77 (1), Art. 80 (1) and Art. 93 (2) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ. No. L 119, 4.5.2016 p. 1; Sections 18(1) and 24(1), (2)(5) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999, as amended; Section 68(2) of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette 51/1991, as amended. 

REASONS

A. Submission of the parties and course of proceedings

A.1 In his submission of August 18, 2020, the complainant submitted the following in summary:

He had visited the website of the first respondent at www.[REDACTED]at/ on August 14, 2020, at 10:45 a.m. During the visit, he had been logged into his Google account, which was linked to the complainant's email address, [REDACTED]. The first respondent had embedded HTML code for Google services (including Google Analytics) on its website. In the course of the visit, the first respondent had processed personal data, namely at least the IP address and cookie data of the complainant. In the process, some of these data had been transmitted to the second respondent. Such a data transfer required a legal basis pursuant to Art. 44 et seq. of the GDPR.

Following the ECJ's judgment of July 16, 2020, Case C-311/18 ("Schrems II"), the respondents could no longer rely on an adequacy decision ("Privacy Shield") under Article 45 GDPR for a data transfer to the US. The first respondent would also not be allowed to base the data transfer on standard data protection clauses if the third country of destination does not ensure adequate protection of personal data transferred on the basis of standard data protection clauses in accordance with Union law. The second respondent qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and, as such, is subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881a ("FISA 702"). The second respondent actively provides personal information to the U.S. Government pursuant to 50 U.S. Code § 1881a.

As a result, the Respondents are unable to provide adequate protection of the Complainant's personal information when the Complainant's information is transferred to the Second Respondent. The transfer of the complainant's data to the USA was unlawful. Several enclosures were attached to the complaint.

A.2 In its statement of December 16, 2020, the first respondent submitted the following in summary:

The first respondent was only domiciled in Austria. It was responsible for the decision to embed the tool on the [REDACTED]at website. The tool is used to enable general statistical evaluations of the behavior of website visitors. However, the tool does not allow the content to be adapted to a specific website user, as the evaluation is carried out anonymously and no reference to a specific user is made possible. User IP addresses are also anonymized before storage or transmission ("IP anonymization"). The so-called user agent string is used to inform the server of the system specification with which the user is accessing the server. Only the device, operating system and operating system version, browser and browser version, and the device type would be displayed without any personal reference. In the best case, an assignment to a specific device would be possible, but never to a specific person using the device. The anonymous statistics are processed predominantly in data centers in Europe, but also by the second respondent on servers outside the EEA.

If the GDPR is applicable, the first respondent is the controller and the second respondent is the processor. A processor agreement had been concluded. Since no personal data would be transferred, the judgment of the ECJ of July 16, 2020 in Case C-311/18 was not applicable. However, in order to take precautions for a possible transfer of personal data to the second respondent - e.g., in the event that IP anonymization is deactivated due to a data breach - the first respondent had concluded a processor agreement with the second respondent, as well as included standard data protection clauses (SDK). This had been implemented purely as a precautionary measure. The second respondent had implemented further technical and organizational measures to provide a high level of data protection for the data processed via the tools. Several enclosures were attached to the statement.

A.3 In its Opinion of January 22, 2021, the complainant submitted the following in summary:

In the case of a processor in a third country, a breach of anonymization is not enforceable or ascertainable. When in doubt, 50 U.S.C § 1881a applies, not an advertising blurb on Google's website. The personal data processed first would only be anonymized subsequently in a second step. This anonymization, which may have occurred after the transfer, would not affect the prior processing. The opinion contains a more detailed technical description at this point.

Apart from that, the complainant did not only rely on the processing of his IP address, but also of other personal data, such as cookie data. At the time of the website visit, he was logged into his private Google account. "Google" cookies had been set. In order to prevent a violation of Art. 44 et seq. of the GDPR, a complete removal of the tool was necessary and a change to another tool without data transfer to the USA was recommended. If the first respondent is convinced that no personal data is processed, the conclusion of a processor agreement is absurd. Several enclosures were attached to the statement.

A.4 In its statement of April 9, 2021, the second respondent submitted its responses to the questionnaire of the data protection authority.

A.5 In its statement of May 4, 2021, the first respondent submitted the following in summary regarding the second respondent's statement of April 9, 2021:

The first respondent was only using the free version of Google Analytics. In doing so, it had agreed to both the terms of use and the SDK. In doing so, neither the Google Analytics 4 version had been implemented nor the data release setting had been activated. The code had been embedded with the anonymization function. The second respondent was only used as a processor. The first respondent issued the instructions via the settings of the Google Analytics user interface and via the global website tag. Google Signals is not used. The first respondent does not have its own authentication system and does not use a user ID function. Currently, it does not rely on the exception of Article 49 (1) of the GDPR. 

A.6 In its statement of May 5, 2021, the complainant submitted the following in summary regarding the statement of the second respondent of April 9, 2021:

The complaint was directed against the first and second respondents. Google Ireland Limited was not a party to the proceedings. The data protection authority is directly responsible for the second respondent, which violated Art. 44 et seq. of the GDPR. As a processor, the second respondent is the norm addressee of Chapter V of the GDPR. The second respondent disputes that all data collected by Google Analytics is hosted in the USA.

At least some of the cookies set on the occasion of the website visit on August 14, 2020 would contain unique user identification numbers. In the transaction between the complainant's browser and https://tracking.[REDACTED]at, which was started on the specified date, the user identification numbers "_gads", "_ga" and "_gid" were set. These numbers were subsequently transmitted to https://www.google-analytics.com/. The numbers are "online identifiers" which serve to identify natural persons and can be specifically assigned to a user. With regard to the IP address, it should be noted that Chapter V of the GDPR does not provide for any exceptions for "subsequently anonymized data". It had to be assumed that the complainant's IP address had not even been anonymized in all transactions. The request for the imposition of a fine was withdrawn; this was now a suggestion.

A.7 In its statement of June 10, 2021, the second respondent submitted the following in summary: 

The complainant's right to bring an action had not been established, as it had not been proven that the data transmitted constituted personal data of the complainant. The cookies in question were first party cookies that had been set under the domain [REDACTED]at. They were therefore cookies of the first and not of the second respondent. Accordingly, they were not unique Google Analytics cookie IDs per user, which were used on several websites that used Google Analytics. A user had different cid numbers for different websites. It was not established that the numbers at issue would make the complainant identifiable. At this point, the submission contains further technical explanations regarding the cookies used. With regard to the IP address, it had to be examined whether the IP address of the device connected to the Internet could actually be attributed to the complainant and whether the controller or "another person" had the legal means to obtain connection owner information from the provider in question.

As a processor, the second respondent provided the website operator with numerous configuration options of Google Analytics. Based on the information received, it should be noted that the first respondent had configured Google Analytics as indicated. Due to a possible configuration error, the first respondent had not activated the IP anonymization function in all cases. Under normal operating conditions and as far as users based in the EU are concerned, a web server is located in the EEA, which is why the IP anonymization is generally performed within the EEA. In the present case, normal operating conditions existed.

On August 14, 2020, the [REDACTED] account enabled the Web & App Activities setting. However, the account had not opted to include activities from websites that used Google services. According to the First Respondent, since the First Respondent had also not enabled Google Signals, the Second Respondent would not be able to determine that the user of the [REDACTED] account had visited that website.

With regard to international data traffic, it should be noted that - even assuming that the data were personal data of the complainant - they were limited in terms of quantity and quality. To the extent that the data transferred qualified as personal data at all, it would also be pseudonymous data. Standard contractual clauses had been concluded with the first respondent, and additional measures had been implemented. The second respondent does not disclose user data pursuant to EO 12333. FISA § 702 was irrelevant in the present case in view of the encryption and anonymization of IP addresses. Art. 44 et seq. of the GDPR could not be the subject of a complaint procedure pursuant to Art. 77(1) of the GDPR, and the complaint should therefore be rejected in this respect. Articles 44 et seq. of the GDPR are also not applicable with regard to the second respondent as data importer.

A.8 In its comments of June 18 and 24, 2021, the first respondent submitted the following in summary:

As part of an asset deal, the website www.[REDACTED]at was transferred to [REDACTED] GmbH in Munich with effect from February 1, 2021. Subsequently, the first respondent was renamed from [REDACTED]at GmbH to [REDACTED] Verlags GmbH. In addition, the first respondent had instructed the second respondent to immediately delete all data collected via the Google Analytics properties. The configuration error in connection with the IP anonymization function had been corrected. In the meantime, the second respondent had confirmed the final deletion of all data, and an enclosure was submitted as proof. It is suggested that the proceedings be discontinued pursuant to Section 24 (6) of the Austrian Data Protection Act.

A.9 In its comments of July 9, 2021, the second respondent submitted the following in summary:

According to the European Data Protection Board (EDSA), an adequacy assessment is not limited to an examination of the legal provisions of the third country, but must also take into account all specific circumstances of the transfer at issue. This was relevant for the case at hand. Pseudonymization is an effective supplementary measure here - in accordance with the EDSA guidelines. It was not to be expected that US authorities would have additional information that would enable them to identify the data subjects behind the first party cookie values "gid" and "cid" or behind an IP address. The complainant had also not requested a finding that his rights had been violated in the past. 

A.10. In comments dated July 9, 2021, the complainant submitted, in summary, the following:

There had been a processing of personal data, this had been proven, inter alia, by the enclosures submitted. If it was ultimately only a prerequisite for the identification of a website visitor whether he or she made certain declarations of intent in his or her account (such as the activation of "ad personalization"), all possibilities of identifiability would be available for the second respondent. Otherwise, the second respondent would not be able to comply with a user's wishes expressed in the account settings for "personalization" of the advertising information received.

The UUID (Universally Unique Identifier) in the _gid cookie with the UNIX timestamp 1597223478 had been set on Wednesday, August 12, 2020 at 11:11 and 18 seconds CET, those in the cid cookie with the UNIX timestamp 1597394734 on Friday, August 14, 2020 at 10:45 and 34 seconds CET. It followed from this that these cookies had already been used prior to the visit that was the subject of the complaint and that longer-term tracking had also taken place. To his knowledge, the complainant had not immediately deleted these cookies and had also repeatedly visited the website [REDACTED]at.

The second respondent fails to take into account the broad understanding of the GDPR when assessing the existence of personal data. The actual IP address used was also no longer ascertainable for the complainant. However, this is irrelevant, as there is a clear personal reference in the cookies via the UUID anyway. In particular, the combination of cookie data and IP address allows tracking and the evaluation of geographical localization, Internet connection and context of the visitor, which can be linked to the cookie data already described. However, this would also include data such as the browser used, the screen resolution or the operating system ("device fingerprinting").

What is more relevant in the context of the complaint is that U.S. authorities use data that is easy for intelligence agencies to determine, such as the IP address, as a starting point for monitoring individuals. It was the standard procedure of intelligence agencies to move from one data point to the next. If, for example, the complainant's computer repeatedly appeared on the Internet via the IP address of [REDACTED], this could be used to spy on the work of [REDACTED] and to target the complainant. In a further step, other identifiers would then be searched for in the data, such as the aforementioned UUIDs, which in turn would allow the individual to be identified for surveillance elsewhere. In this context, U.S. intelligence services are therefore "other persons" within the meaning of recital 26 of the GDPR. The complainant works [REDACTED] but also has a relevant role in these efforts as a model complainant. Thus, under U.S. law, surveillance of the complainant under 50 USC § 1881a (as well as of all other persons entrusted with this complaint) is legally possible at any time. Even applying the supposed "risk-based approach," the case at issue was a prime example of high risk.

The e-mail address [REDACTED] had to be assigned to the complainant, who had used the last name [REDACTED] until a marriage. However, the old Google account was still being used. It was not explained to what extent the indisputably available data was linked, evaluated or the result of an evaluation was only not displayed to the user.

Furthermore, Chapter V of the GDPR does not know a "risk-based approach". This can only be found in certain articles of the GDPR, such as Art. 32 leg.cit. The new standard contractual clauses in the Implementing Decision (EU) 2021/914 are not relevant to the facts of the case due to their lack of temporal validity. A "transfer" is not a unilateral act of a data exporter, every "transfer" also requires a receipt of the data. Accordingly, Chapter V of the GDPR is also applicable to the second respondent, it is a joint action of data exporter and importer.

Even if the respondent had not violated Art. 44 et seq. of the GDPR, the provisions pursuant to Art. 28(3)(a) and Art. 29 of the GDPR had to be taken into account as a "catch-all provision". If the second respondent complies with a corresponding instruction from a U.S. intelligence agency, it thereby makes the decision to process personal data beyond the first respondent's specific order pursuant to Art. 28 and Art. 29 GDPR and the corresponding contractual documents. This would make the second respondent itself the controller pursuant to Art. 28(10) GDPR. As a result, the second respondent must also comply with the provisions of Art. 5 et seq. of the GDPR. A secret transfer of data to U.S. intelligence services in accordance with U.S. law would undoubtedly not be compatible with Art. 5(1)(f) GDPR, Art. 5(1)(a) GDPR and Art. 6 GDPR.
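As an added worked example (not part of the decision and not Google's own code), the following script parses Google Analytics `_ga`/`_gid` cookie values of the `GA1.<depth>.<client id>.<unix timestamp>` form the complainant describes in A.6 and A.10, converts the two timestamps quoted in A.10 to CEST, and applies the last-octet / last-80-bit truncation that Google documents for "IP anonymization" (A.2, A.7). The client ids and IP addresses are constructed sample values, and the UTC+2 offset is an assumption.

```python
"""Added example: what a Google Analytics hit still identifies after IP truncation."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the times in the decision are Central European Summer Time (UTC+2).
CEST = timezone(timedelta(hours=2))

# Constructed sample values. Only the two Unix timestamps come from the decision
# (section A.10); the client ids are made up.
SAMPLE_COOKIES = {
    "_gid": "GA1.2.987654321.1597223478",
    "_ga": "GA1.2.123456789.1597394734",
}
# Section A.1: the visit under complaint started on August 14, 2020 at 10:45.
VISIT_TIME = datetime(2020, 8, 14, 10, 45, tzinfo=CEST)


@dataclass(frozen=True)
class GaCookie:
    name: str
    domain_depth: int   # number of domain components the cookie is scoped to
    client_id: str      # random part: a persistent pseudonymous identifier
    first_set: datetime  # when the browser first received this id (UTC)


def parse_ga_cookie(name: str, value: str) -> GaCookie:
    """Parse a Google Analytics cookie value 'GA1.<depth>.<id>.<unix ts>'."""
    parts = value.split(".")
    if len(parts) != 4 or parts[0] != "GA1":
        raise ValueError(f"unexpected {name} value: {value!r}")
    return GaCookie(
        name=name,
        domain_depth=int(parts[1]),
        client_id=parts[2],
        first_set=datetime.fromtimestamp(int(parts[3]), tz=timezone.utc),
    )


def local_time(cookie: GaCookie) -> str:
    """Render the cookie's creation time in CEST, as quoted in the decision."""
    return cookie.first_set.astimezone(CEST).strftime("%Y-%m-%d %H:%M:%S")


def hours_before_visit(cookie: GaCookie, visit: datetime = VISIT_TIME) -> float:
    """Age of the identifier when the visit began (negative: set during the visit)."""
    return (visit - cookie.first_set).total_seconds() / 3600


def anonymize_ip(ip: str) -> str:
    """Google's documented 'anonymizeIp' truncation: zero the last IPv4 octet or
    the last 80 bits of an IPv6 address. The DSB's objection is that this leaves
    the cookie identifiers untouched and only happens after the hit was received."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))
    return str(ipaddress.IPv6Address(int(addr) & ~((1 << 80) - 1)))


def same_visitor(hit_a: dict, hit_b: dict) -> bool:
    """Two hits can be linked to one browser when the _ga client id matches,
    whether or not the IP address was truncated in between (recital 26 'singling out')."""
    id_a = parse_ga_cookie("_ga", hit_a["_ga"]).client_id
    id_b = parse_ga_cookie("_ga", hit_b["_ga"]).client_id
    return id_a == id_b


if __name__ == "__main__":
    for name, value in SAMPLE_COOKIES.items():
        c = parse_ga_cookie(name, value)
        print(f"{name}: id={c.client_id}, set {local_time(c)} CEST, "
              f"{hours_before_visit(c):.1f} h before the visit")
    print(anonymize_ip("203.0.113.77"))
    print(anonymize_ip("2001:db8:abcd:1234:5678:9abc:def0:1234"))
```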

A.9 In its final submission of August 12, 2021, the Second Respondent submitted in summary the following: 

The complainant had not established its legitimacy to lodge a complaint. He had not answered any questions raised by the second respondent regarding the identifiability of his person on the basis of the IP address. With regard to the _gid number and cid number, it should be noted that no directory existed that would make the complainant identifiable. Moreover, the fact that recital 26 of the GDPR mentions "singling out" as a possible means of identification does not change the understanding of the words "identify", "identification" or "identifiability".

The identifiability of the complainant presupposed at least that his identification was possible on the basis of the data in question and by means reasonably likely to be used. This had not been established and could not be assumed; on the contrary, it was even unlikely, if not impossible. Also, the fact that the second respondent had entered into processor agreements did not mean that the data that were the subject of these proceedings were personal data, nor did it mean that they were the complainant's data.

The complainant's view that the transfer of data was not to be assessed according to a risk-based approach ("all-or-nothing") could not be accepted. This was not in line with the GDPR and had to be seen against Recital 20 of the European Commission's Implementing Decision (EU) 2021/914. Likewise, this is evident from the different versions of EDSA Recommendation 01/2020. Even if access to the above-mentioned numbers by U.S. authorities was "legally possible at any time", it had to be examined how likely this was. The Complainant has not presented any convincing arguments as to why or how the "cookie data" related to his visit to a publicly accessible, and widely used, Austrian website such as the one at issue is "foreign intelligence information" and thus could become a target of the purpose-restricted data collection under Section 702. 

B. Subject Matter of the Complaint

Based on the complainant's submissions, it can be seen that the subject matter of the complaint is, in any event, the question

- whether the first respondent, by implementing the Google Analytics tool on its website www.[REDACTED]at, transmitted personal data of the complainant to the second respondent and,

- whether an adequate level of protection pursuant to Art. 44 GDPR was ensured for this data transfer.

In this context, it must also be clarified whether, in addition to the first respondent (as data exporter), the second respondent (as data importer) was also obliged to comply with Art. 44 GDPR.

It is not necessary to rule on the request to impose an immediate ban on data transfers to the second respondent against the first respondent (as the responsible party), since - as will be explained below - the responsibility for operating the website www.[REDACTED]at was transferred to [REDACTED] GmbH, headquartered in Munich, in the course of the complaint proceedings (although only after the data transfer relevant to the complaint). With regard to the imposition of such a ban, the data protection authority would have to take the case to the competent German supervisory authority.

Likewise, there is no need to rule on the application for the imposition of a fine, as this was withdrawn by the complainant in its statement of May 5, 2021, and this is now to be understood as a suggestion.

Finally, it should be noted that the partial decision at issue does not address the alleged violations of the second respondent pursuant to Art. 5 et seq. in connection with Art. 28 Par. 3 lit. a and Art. 29 GDPR. In this regard, further investigative steps are necessary and will be discussed in a further decision. 

C. Findings of Fact

C.1 The first respondent was in any case the website operator of www.[REDACTED]at on August 14, 2020. The Austrian version of [REDACTED] is an information portal on the subject of health. The website www.[REDACTED]at is only offered in German. The first respondent did not operate any other versions of the website www.[REDACTED]at in the EU. Furthermore, the first respondent is only based in Austria and has no other branches in other EU countries. For Germany, there is a German version of [REDACTED] at www.[REDACTED]de, which, however, was not operated by the first respondent.

Evaluation of evidence regarding C.1: The findings made are based on the statement of the first respondent dated December 16, 2020 (questions 1 to 3) and were not disputed by the complainant in this respect.

C.2. As of February 1, 2021, the website www.[REDACTED]at was transferred to [REDACTED] GmbH, based in Munich, as part of an asset deal. Subsequently, the first respondent was renamed from [REDACTED]at [REDACTED] GmbH to [REDACTED] Verlags GmbH. The first respondent managed the website www.[REDACTED]at for [REDACTED] GmbH until August 2021. Since August 2021, the first respondent has no longer been the operator of www.[REDACTED]at and also no longer makes the decision as to whether the Google Analytics tool is used. 

Evaluation of evidence regarding C.2: The findings made are based on the statement of the first respondent dated June 18, 2021 and were not disputed by the complainant. In addition, the findings are based on an official search by the data protection authority in the company register for Zl. FN [REDACTED].

C.3 The second respondent developed the Google Analytics tool. Google Analytics is a measurement service that enables customers of the Second Respondent to measure traffic characteristics. This includes measuring the traffic of visitors who visit a specific website. This allows tracking the behavior of website visitors and measuring how they interact with a specific website. Specifically, a website owner can create a Google Analytics account to view reports about the website using a dashboard. Similarly, Google Analytics can be used to measure and optimize the effectiveness of advertising campaigns that website owners run on Google ad services.

There are two versions of Google Analytics: a free version and a paid version called Google Analytics 360. In any case, the free version was made available by the second respondent until the end of April 2021. Since the end of April 2021, both Google Analytics versions have been provided by Google Ireland Limited. 

Evaluation of evidence regarding C.3: The findings made are based on the second respondent's statement of April 9, 2021 (p. 3 as well as questions 1 and 2) and were not disputed by the complainant in this respect. 

C.4 The first respondent - as the website operator - in any case made the decision on the cut-off date of August 14, 2020 to use the free version of the Google Analytics tool for the website www.[REDACTED]at. For this purpose, it has incorporated a JavaScript code ("tag") provided by the second respondent into the source code of its website. The first respondent used the tool to enable general statistical analyses of the behavior of website visitors. The additional tool Google Signals was not activated. 

In any case, these evaluations are used by the first respondent to present the content of the website www.[REDACTED]at according to the general interest in the topic, in such a way that the channels that are most in demand are given priority and the presentation can be adjusted according to the topicality of a specific topic. The first respondent created a Google Analytics account for this purpose. The Google Analytics account ID with the account name [REDACTED] is [REDACTED]. The first respondent can perform the above analyses by logging into the [REDACTED] Google Analytics account and viewing reports on traffic from www.[REDACTED]at in the dashboard. The reports are divided into the categories real-time, audience, acquisition, behavior and conversions. The first respondent can select user-defined settings for the report generation; the second respondent has no influence on this. The Second Respondent also has no influence on the extent to which the First Respondent subsequently uses the reports created.

The dashboard is excerpted as follows (formatting not reproduced 1:1): 

[REDACTED]

Evaluation of evidence regarding C.4: The findings made are based on the submission of the first respondent dated December 16, 2020 and were not disputed by the complainant. The screenshots cited were taken from Exhibits ./1 and ./10; the presentation of the reporting version is set out in detail in Exhibit ./1.

C.5 The Google Analytics tool works as follows: When visitors view the website www.[REDACTED]at, JavaScript code inserted in the source code of the website refers to a JavaScript file previously downloaded to the user's device, which then performs the tracking operation for Google Analytics. The tracking operation retrieves data about the page request by various means and sends this information to the Analytics server via a list of parameters attached to a single pixel GIF image request.

The data collected using Google Analytics on behalf of the website operator comes from the following sources:

- The user's HTTP request;
- Browser/system information;
- (first-party) cookies.

An HTTP request for any website contains details about the browser and computer making the request, such as host name, browser type, referrer, and language. In addition, the browser DOM interface (the interface between HTML and dynamic JavaScript) provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. Google Analytics uses this information. Google Analytics also sets and reads first-party cookies on a user's browser that allow it to measure the user session and other information from the page request.

When all of this information is collected, it is sent to the Analytics servers in the form of a long list of parameters sent to a single GIF image request (the meaning of the GIF request parameters is described here) to the google-analytics.com domain. The data contained in the GIF request is that which is sent to the Analytics servers and then further processed, ending up in the website operator's reports.

On the second respondent's information page on the Google Analytics tool, the following information can be found in excerpts (formatting not reproduced 1:1, retrieved on December 22, 2021):

[begin screenshot]

gtag.js and analytics.js (Universal Analytics) - cookie usage

The analytics.js JavaScript library or the gtag.js JavaScript library can be used for Universal Analytics. In both cases, the libraries use first-party cookies to:

- Distinguish unique users
- Throttle the request rate

When using the recommended JavaScript snippet cookies are set at the highest possible domain level. For example, if your website address is blog.example.co.uk , analytics.js and gtag.js will set the cookie domain to .example.co.uk. Setting cookies on the highest level domain possible allows measurement to occur across subdomains without any extra configuration.

* Note: gtag.js and analytics.js do not require setting cookies to transmit data to Google Analytics.

gtag.js and analytics.js set the following cookies:

Cookie Name        | Default expiration time | Description
-------------------|-------------------------|--------------------------------------
_ga                | 2 years                 | Used to distinguish users.
_gid               | 24 hours                | Used to distinguish users.
_gat               | 1 minute                | Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.
AMP_TOKEN          | 30 seconds to 1 year    | Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service.
_gac_<property-id> | 90 days                 | Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.

[end screenshot]

Evaluation of evidence regarding C.5: The findings made are based on the second respondent's statement of April 9, 2021 (question 2) and an official search by the data protection authority at https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage and https://developers.google.com/analytics/devguides/collection/gtagjs/cookies-user-id (both retrieved on December 22, 2021).

C.6 The First and Second Respondents entered into a contract entitled "Order Processing Terms and Conditions for Google Advertising Products". This contract was valid in the version of August 12, 2020 at least on August 14, 2020. The contract governs order processing conditions for "Google advertising products". It applies to the provision of order processing services and related technical support services for customers of the second respondent. The aforementioned contract in the version dated August 12, 2020 (Exhibit ./7) shall form the basis for the findings of fact.

In addition, on August 12, 2020, the First and Second Respondents entered into a second contract entitled "Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors." These are standard contractual clauses for international data traffic. The above-mentioned second contract in the version dated August 12, 2020 (Exhibit ./11) also forms the basis for the findings of fact.

With regard to the data categories listed in Annex 1 of the second contract, reference is made to the link https://privacy.google.com/businesses/adsservices/. Under the aforementioned link, the following is displayed in excerpts (red emphasis on the part of the data protection authority, formatting not reproduced 1:1, retrieved on December 22, 2021)

[begin screenshot]

Order data processing terms and conditions:

Order processing services

The following Google services fall within the scope of the Google Advertising Products Order Data Processing Terms:

- Ads Data Hub
- Audience Partner API (formerly known as DoubleClick Data Platform)
- Campaign Manager 360 (former name: Campaign Manager)
- Display & Video 360 (former name: DoubleClick Bid Manager)
- Advanced Conversions
- Google Ad Manager order processor features
- Google Ad Manager 360 order processor features
- Google Ads customer matching
- Google Ads store sales (direct upload)
- Google Analytics
- Google Analytics 360
- Google Analytics for Firebase
- Google Data Studio
- Google Optimize
- Google Optimize 360
- Google Tag Manager
- Google Tag Manager 360
- Google Search Ads 360 (former name: DoubleClick Search)
Google may update this list in accordance with the terms of the Google Advertising Products Order Processing Terms.

Types of personal data

With respect to the Google Advertising Products Order Data Processing Terms (and depending on which processor services are used under each agreement), the following types of Personal Data may constitute Customer Personal Data.

Processor Services                                        | Types of Personal Data
----------------------------------------------------------|---------------------------------------
Ads Data Hub                                              | Online identifiers (including cookie identifiers), Internet Protocol addresses and device identifiers, customer-assigned identifiers
Audience Partner API (formerly DoubleClick Data Platform) | Online identifiers (including cookie identifiers) and device identifiers
Campaign Manager 360 (formerly Campaign Manager)          | Online identifiers (including cookie identifiers), Internet Protocol addresses and device identifiers, precise location data, client-assigned identifiers
Display & Video 360                                       | Online identifiers (including cookie identifiers), Internet Protocol addresses and device identifiers, precise location data, customer-assigned identifiers
Advanced Conversions                                      | Names, email addresses, phone numbers, addresses, customer-provided identifiers, online identifiers (including internet protocol addresses)
Google Ad Manager Order Processor Features                | Encrypted Signals
Google Ad Manager 360 Order Processor Features            | Encrypted Signals
Google Ads Customer Matching                              | Names, Email Addresses, Addresses and Partner-Provided Identifiers
Google Ads store sales (direct upload)                    | names, email addresses, phone numbers and addresses
Google Analytics                                          | Online identifiers (including cookie identifiers), Internet Protocol addresses and device identifiers, customer-provided identifiers
Google Analytics 360                                      | Online identifiers (including cookie identifiers), Internet Protocol addresses and device identifiers, customer-assigned identifiers

[end screenshot]

In addition to concluding standard contractual clauses, the second respondent has implemented further contractual, organizational and technical measures. These measures supplement the obligations contained in the standard contractual clauses. The measures are described in the Second Respondent's comments of April 9, 2021, Question 28. This description is used as the basis for the findings of fact.

The Second Respondent regularly publishes so-called transparency reports ("Transparency Reports") on data requests from US authorities. These are available at:

https://transparencyreport.google.com/user-data/us-national-security?hl=en

Evaluation of evidence regarding C.6: The findings made are based on the first respondent's statement of December 16, 2020, question 15. The cited enclosures ./7 and ./11 are included in the file and are known to all parties. Furthermore, the findings are based on an official search by the data protection authority at https://privacy.google.com/businesses/adsservices/ (queried on December 22, 2021). The findings made with regard to the "additional measures implemented" result from the second respondent's statement of April 9, 2021 (question 28). The second respondent's statement of April 9, 2021 is included in the file and is known to all parties. The finding with regard to the transparency reports results from an official search by the data protection authority at https://transparencyreport.google.com/user-data/us-nationalsecurity?hl=en (queried on December 22, 2021).

C.7 In the course of using the Google Analytics tool, the option to use an "IP anonymization function" is offered. In any case, this function was not implemented correctly on www.[REDACTED]at on August 14, 2020.

Evaluation of evidence regarding C.7: The findings made are based on the statement of the first respondent dated June 18, 2021, in which it admits that the "IP anonymization function" mentioned was not implemented properly due to a code error.

C.8. The complainant visited the website www.[REDACTED]at at least on August 14, 2020, at 10:45 am. During the visit, he was logged into his Google account, which is linked to the email address [REDACTED]. The e-mail address belongs to the complainant. The complainant had the last name [REDACTED] in the past.

A Google account is a user account that is used for authentication with various Google online services of the second respondent. For example, a Google account is a prerequisite for using services such as "Gmail" or "Google Drive" (a file hosting service). 

Evaluation of evidence regarding C.8: The findings made are based on the submission of the complainant dated August 18, 2020 (p. 3) and were not disputed by the respondents. The findings made with regard to the basic functions of a Google account are based on an official search by the data protection authority at https://support.google.com/accounts/answer/27441?hl=de and https://policies.google.com/privacy (both retrieved on December 22, 2021). 

C.9. In the transaction between the complainant's browser and https://tracking.[REDACTED]at/, unique user identification numbers were set at least in the cookies "_ga" and "_gid" on August 14, 2020, at 12:46:19.344 CET. Subsequently, on August 14, 2020, at 12:46:19.948 CET, these identification numbers were transmitted to https://www.google-analytics.com/ and thus to the Second Respondent.

Specifically, the following user identification numbers located in the Complainant's browser were transmitted to the Second Respondent (identical values that occurred in different transactions were color-coded orange and green, respectively):

[begin screenshot]
Domain                            | Name  | Value                                                                 | Purpose
----------------------------------|-------|-----------------------------------------------------------------------|-------------------
https://tracking.[REDACTED]at/    | _ga   | GA1.2.1284433117.1597223478                                           | Google Analytics
https://tracking.[REDACTED]at/    | _gid  | GA1.2.929316258.1597394734                                            | Google Analytics
https://tracking.[REDACTED]at/    | _gads | ID=D7767ed5b074d05:T=1597223569:S=ALNI_MZcJ9EjC13lsaY1Sn8Qu5ovyKMhPw | Google Advertising
https://www.google-analytics.com/ | _gid  | 929316258.1597394734                                                  | Google Analytics
https://www.google-analytics.com/ | cid   | 1284433117.1597223478                                                 | Google Analytics
[end screenshot]

These identification numbers each contain a UNIX timestamp at the end, which indicates when the respective cookie was set. The _gid cookie with the UNIX timestamp "1597394734" was set on Wednesday, August 14, 2020, at 11:11 and 18 seconds CET, and the cid cookie with the UNIX timestamp "1597223478" was set on Friday, August 12, 2020, at 10:45 and 34 seconds CET.

With the help of these identification numbers, it is possible for the respondents to distinguish website visitors and also to obtain the information whether it is a new or a returning website visitor to www.[REDACTED]at.

In addition, the following information (parameters) was in any case also transmitted to the second respondent via the complainant's browser in the course of requests to https://www.google-analytics.com/collect (excerpt from HAR file, request URL https://www.google-analytics.com/collect, excerpt of request with time stamp 2020-08-14T10:46:19.924+02:00):

General
- Request URL https://www.google-analytics.com/collect
- Request Method GET
- HTTP Version HTTP/2
- Remote Address 172.217.23.14

Headers
- Accept: image/webp,*/*
- Accept-Encoding: gzip, deflate, br
- Accept-Language: en-US,en;q=0.7,en;q=0.3
- Connection: keep-alive
- Host: www.google-analytics.com 
- Referer: https://www.[REDACTED]at/
- TE: Trailers
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0

Query Arguments
- _gid: 929316258.1597394734
- _s: 1
- _u: QACAAEAB~
- _v: j83
- a: 443943525
- cid: 1284433117.1597223478
- en: UTF-8
- dl: https://www.[REDACTED]at/
- dt: [REDACTED]at home page - [REDACTED]
- ea: /
- ec: scroll depth
- el: 25
- gjid:
- gtm: 2wg871PHBM94Q
- ea: 0
- jid:
- ni: 0
- sd: 24-bit
- sr: 1280x1024
- t: event
- tid: UA-259349-1
- ul: en-us
- v: 1
- vp: 1263x882
- z: 1764878454

Size
- Headers 677 bytes
- Body 0 bytes
- Total 677 bytes

From these parameters, it is thus possible to draw conclusions about the browser used, the browser settings, language selection, the website visited, color depth, screen resolution and AdSense link number.

The remote address 172.217.23.14 is that of the second respondent.

The IP address of the complainant's device is transmitted to the second respondent as part of these requests to https://www.google-analytics.com/collect. 

The content of the HAR file (Exhibit ./4), which was submitted by the complainant in its submission of August 18, 2020, will form the basis for the findings of fact. 

Evaluation of evidence regarding C.9: The findings made are based on the complainant's submission of August 18, 2020 and the HAR file, Annex ./4, submitted therein. A HAR file is an archive format for HTTP transactions. The HAR file was reviewed by the data protection authority. The complainant's submission is consistent with the archive data contained therein. The HAR file submitted (or its contents) is known to the parties involved. Furthermore, the findings made are based on the complainant's statement of May 5, 2021 (p. 8 ff) and the screenshots contained therein. As already stated above, according to the second respondent, the purpose of the identification numbers is to distinguish users. The established times of cookie setting are calculated from the respective UNIX time stamps. Unix time is a time definition developed for the Unix operating system and established as a POSIX standard. Unix time counts the elapsed seconds since 00:00 UTC on Thursday, January 1, 1970. The determination with regard to the remote address results from an official WHOIS query of the data protection authority at https://who.is/whois-ip/ip-address/172.217.23.14 (queried on December 22, 2021).
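To make the mechanics described in C.5 and C.9 concrete, here is an added Python example (it is not part of the decision and not Google's code) that reads a HAR archive, picks out the Universal Analytics collect requests, and reports the identifiers, the UNIX timestamp embedded at the end of cid and _gid, and whether the hit asked for IP anonymization (the Measurement Protocol parameter aip=1). The HAR fragment inside is constructed from the parameters quoted in C.9; the redacted website is replaced by the placeholder host www.example-redacted.at.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Constructed HAR fragment (hypothetical; not the complainant's Exhibit ./4).
# The single entry mirrors the Measurement Protocol hit quoted in C.9; the
# redacted website is replaced by the placeholder host "www.example-redacted.at".
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [
            {
                "startedDateTime": "2020-08-14T10:46:19.924+02:00",
                "request": {
                    "method": "GET",
                    "url": (
                        "https://www.google-analytics.com/collect?v=1&t=event"
                        "&tid=UA-259349-1&cid=1284433117.1597223478"
                        "&_gid=929316258.1597394734&_v=j83&_s=1&a=443943525"
                        "&dl=https%3A%2F%2Fwww.example-redacted.at%2F"
                        "&dt=home%20page&ul=en-us&sd=24-bit&sr=1280x1024"
                        "&vp=1263x882&ec=scroll%20depth&ea=%2F&el=25"
                        "&jid=&gjid=&gtm=2wg871PHBM94Q&z=1764878454"
                    ),
                },
            }
        ]
    }
})

COLLECT_HOST = "www.google-analytics.com"
COLLECT_PATH = "/collect"


def ga_hits(har_text):
    """Return (startedDateTime, query-parameter dict) for every Universal
    Analytics collect request found in a HAR archive."""
    har = json.loads(har_text)
    hits = []
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if url.hostname == COLLECT_HOST and url.path == COLLECT_PATH:
            # keep_blank_values so empty parameters such as "jid=" survive
            params = dict(parse_qsl(url.query, keep_blank_values=True))
            hits.append((entry["startedDateTime"], params))
    return hits


def ga_timestamp(identifier):
    """Decode the UNIX-timestamp suffix of a GA client identifier, e.g.
    "1284433117.1597223478" or the _ga cookie "GA1.2.1284433117.1597223478".
    The result is an aware UTC datetime."""
    seconds = int(identifier.rsplit(".", 1)[1])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def audit_hit(params):
    """Summarise what one hit reveals: identifiers, when they were minted,
    the visited page, browser/screen details, and whether IP anonymization
    (aip=1) was requested for this hit."""
    return {
        "tracking_id": params.get("tid"),
        "client_id": params.get("cid"),
        "client_id_set_utc": ga_timestamp(params["cid"]) if "cid" in params else None,
        "gid": params.get("_gid"),
        "gid_set_utc": ga_timestamp(params["_gid"]) if "_gid" in params else None,
        "page": params.get("dl"),
        "event": (params.get("ec"), params.get("ea"), params.get("el")),
        "screen": (params.get("sr"), params.get("sd"), params.get("vp")),
        # Without aip=1 the client's full IP address reaches the collect
        # endpoint (compare finding C.7 on the missing IP anonymization).
        "anonymize_ip": params.get("aip") == "1",
    }


def audit_har(har_text):
    """Audit every collect hit in the archive."""
    return [(started, audit_hit(p)) for started, p in ga_hits(har_text)]


if __name__ == "__main__":
    for started, report in audit_har(SAMPLE_HAR):
        print(started)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

The decoded timestamps are returned in UTC; Austria was on CEST (UTC+2) on the dates in question, so add two hours to compare with local times.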

C.10. To the extent that the Google Analytics tool is implemented on a website, the Second Respondent has the technical possibility to obtain the information that a certain Google Account user has visited this website (on which Google Analytics is implemented), provided that this Google Account user is logged into the Google Account during the visit. 

Evaluation of evidence regarding C.10.: In his statement of April 9, 2021, the second respondent argued in question 9 that he only receives such information if certain requirements are met, such as the activation of specific settings in the Google account. In the opinion of the data protection authority, this argument is not convincing. Indeed, if the request of a Google account user for "personalization" of the advertising information received can be complied with on the basis of a declaration of intent in the account, then from a purely technical point of view it is possible to receive the information about the website visited by the Google account user. In this context, explicit reference must be made to the accountability under data protection law, which will be discussed in more detail in the context of the legal assessment. For the determination of the facts, this accountability under data protection law means that the respondent (or, in any case, the first respondent as the responsible party) - and not the complainant or the data protection authority - must provide sufficient proof. Such sufficient proof - i.e., that from a technical point of view there is no possibility for the second respondent to obtain data - was not provided in this context, especially since it is precisely an essential part of the concept of Google Analytics to be implemented on as many websites as possible in order to be able to collect data.

C.11. In the course of the proceedings, the first respondent instructed the second respondent to delete all data collected via Google Analytics Properties for the website www.[REDACTED]at. The second respondent confirmed the deletion.

Evaluation of evidence regarding C.11.: The findings made are based on the statement of the first respondent dated June 18 and June 24, 2021, as well as the submitted copy of the correspondence between the first and second respondents. 

D. In legal terms, it follows that:

D.1 General

a) On the competence of the data protection authority

The European Data Protection Board (hereinafter: EDSA) has already addressed the relationship between the GDPR and Directive 2002/58/EC ("ePrivacy Directive") (see Opinion 5/2019 on the interaction between the ePrivacy Directive and the GDPR of March 12, 2019).

The data protection authority, in its decision of November 30, 2018, no. DSB-D122.931/0003-DSB/2018, also dealt with the relationship between the GDPR and the national implementation provision (in Austria now: TKG 2021, BGBl. I No. 190/2021 as amended).

It was basically stated that the ePrivacy Directive (or the respective national implementation provision) takes precedence over the GDPR as lex specialis. Thus, Art. 95 GDPR states that the Regulation does not impose any additional obligations on natural or legal persons with regard to processing in connection with the provision of publicly available electronic communications services in public communications networks in the Union, insofar as they are subject to specific obligations set forth in the ePrivacy Directive which pursue the same objective. 

However, the ePrivacy Directive does not contain any obligations within the meaning of Chapter V of the GDPR in case of transfer of personal data to third countries or to international organizations.

It should be noted again at this point that the responsibility for operating the website www.[REDACTED]at was only transferred to a German company after the data transfer relevant to the complaint took place on August 14, 2020.

Against this background, the GDPR applies to such a data transfer and the data protection authority is therefore competent to deal with the complaint in question pursuant to Art. 77 (1) GDPR. 

b) Regarding Art. 44 GDPR as a subjective right

Based on the previous practice of the data protection authority and the courts, it should be noted that both the lawfulness of data processing pursuant to Art. 5(1)(a) in conjunction with Art. 6 et seq. of the GDPR and the data subject rights postulated in Chapter III of the Regulation can be asserted as a subjective right in the context of a complaint pursuant to Art. 77(1) of the GDPR.

The transfer of personal data to a third country that does not (allegedly) ensure an adequate level of protection within the meaning of Art. 44 GDPR has not yet been the subject of a complaint in the context of a complaint procedure before the data protection authority.

In this context, it should be noted that Art. 77(1) GDPR (and, incidentally, the national provision of Section 24(1) DPA) only requires that "[...] the processing of personal data relating to them infringes this Regulation" in order to invoke the right of appeal.

The ECJ also assumed in its judgment of July 16, 2020 that the finding that "[...] the law and practice of a country do not ensure an adequate level of protection [...]" as well as "[...] the compatibility of this (adequacy) decision with the protection of privacy and the freedoms and fundamental rights of individuals [...]" can be raised in the context of a complaint under Art. 77(1) GDPR as a subjective right (see the ECJ judgment of 16 July 2020, C-311/18 para 158).

While it should be noted that the question referred in the aforementioned proceedings did not concern the "scope of the right of appeal under Article 77(1) GDPR", the ECJ obviously considered the fact that a breach of provisions of Chapter V GDPR can also be invoked in the context of a complaint under Article 77(1) GDPR as a necessary condition. If it had been considered otherwise, the ECJ would probably have stated that the question of the validity of an adequacy decision cannot be clarified at all in the context of an appeal procedure.

As far as the second respondent furthermore denies the assertion of Art. 44 GDPR as a subjective right - with reference to the wording of recital 141 leg.cit. - it must be countered that the aforementioned recital is linked to the fact that the "rights under this Regulation" are accessible to a complaint under Article 77(1) of the GDPR (and not, for example, "the rights under Chapter III of this Regulation"). 

Although the term "rights of a data subject" is used in certain places in the GDPR, this does not mean by implication that other norms in which this wording is not chosen cannot also be invoked as a subjective right. Most of the provisions of the GDPR are, on the one hand, an obligation of the controller (and partly of the processor), but on the other hand, they can also be asserted as a subjective right of a data subject. For example, it is undisputed that Art. 13 and Art. 14 GDPR establish a subjective right to information, although the right to information is not defined in Art. 12 para. 2 leg. cit. as "their rights" (i.e., "rights of the data subject") and Art. 13 and Art. 14 GDPR are designed according to the wording as an information obligation of the controller.

The decisive factor is whether a data subject's individual legal position is affected by an alleged infringement. The alleged infringement must therefore have a negative impact on the data subject and affect him or her.

Apart from that, while the recitals are an important tool for interpreting the GDPR, they cannot be used to reach a result that is inconsistent with the text of the regulation (here, as stated above, the fact that the administrative remedy is generally linked to "the processing") (cf. the judgment of the ECJ of 12 May 2005, C-444/03 para. 25 and the further case law cited there).

Finally, also according to the national case law of the Administrative Court, it is to be assumed in case of doubt that norms which prescribe an official procedure also and especially in the interest of the person concerned grant him a subjective right, i.e. a right which can be enforced by way of appeal (cf. e.g. VwSlg. 9151 A/1976, 10.129 A/1980, 13.411 A/1991, 13.985 A/1994).

Against the background of the wording of Art. 77 (1) GDPR and the cited case law of the ECJ and the Administrative Court, it must be noted as an interim result that the obligation for controllers and processors to ensure the level of protection for natural persons guaranteed by the Regulation, which is standardized in Chapter V and in particular in Art. 44 GDPR, can conversely also be asserted as a subjective right before the competent supervisory authority pursuant to Art. 77 (1) GDPR. 

c) The declaratory competence of the data protection authority

According to the case law of the VwGH and the BVwG, the data protection authority has a declaratory competence with regard to violations of the right to secrecy in appeal proceedings (thus explicitly the ruling of the BVwG of May 20, 2021, Zl. W214 222 6349-1/12E; implicitly the finding of the Administrative Court of February 23, 2021, Ra 2019/04/0054, in which the Administrative Court dealt with the determination of a past violation of the obligation to maintain secrecy without addressing the lack of competence of the authority against which the complaint was filed).

There are no factual reasons not to use the declaratory competence pursuant to Art. 58(6) GDPR in conjunction with Sections 24(2)(5) and 24(5) DPA also for the determination of a violation of Art. 44 GDPR, since in the case at hand, too, a violation of the law in the past - namely a data transfer to the USA - is complained about, among other things, and the right to complain pursuant to Section 24(1) DSG - as well as Article 77(1) GDPR - is generally linked to a violation of the GDPR. Indeed, if the operative part of a decision in a complaint procedure could exclusively contain instructions pursuant to Art. 58(2) GDPR, there would be no room for Sections 24(2)(5) and 24(5) DPA as a result.

Contrary to the view of the respondents, Section 24(6) DSG is not applicable to the subject matter of the complaint relevant here, since the complaint concerns a data transfer in the past. In other words, the alleged unlawfulness (here: incompatibility with Art. 44 GDPR) of a data transfer that has already been completed is not amenable to a conclusion of proceedings pursuant to Section 24(6) DPA.

Against the background of the above, it can be stated as a further interim result that the data protection authority has the competence to make a determination in the present appeal proceedings. 

D.2. ruling point 1

As stated, the data protection authority suspended the proceedings in question by decision of October 2, 2020, Zl. D155.027, 2020-0.527.385, until it is determined which authority is responsible for the substantive conduct of the proceedings (lead supervisory authority) or until a decision is made by a lead supervisory authority or the EDSA.

Based on the current investigation results, it must be noted that there is no cross-border data processing within the meaning of Article 4(23) in conjunction with Article 56(1) of the GDPR with regard to the subject matter of the complaint - a data transfer to the USA in August 2020 - and the "one-stop shop" mechanism pursuant to Article 60 of the GDPR therefore does not apply to this: 

Thus, according to the first respondent's own statements (cf. statement of December 16, 2020, question 2), the first respondent is neither established in more than one Member State (data processing within the meaning of Art. 4(23)(a) GDPR in the context of the activities of establishments in more than one Member State can therefore not exist), nor does the data transfer and thus the processing of personal data of the first respondent have a significant impact on data subjects in more than one Member State (Art. 4(23)(b) leg. cit.).

With regard to the effects of the data processing in question, it is clear from the findings of fact that the target audience of the www.[REDACTED]at website relevant here is (primarily) persons resident in Austria, also because there is a separate version for the German audience in the form of the www.[REDACTED]de website. According to the information provided by the first respondent (cf. the statement of December 16, 2020, question 2), the latter was (at least in August 2020) only responsible for the Austrian version of www.[REDACTED]at.

The theoretical possibility that German-speaking persons from a Member State other than Austria can access www.[REDACTED]at does not constitute grounds for an "impact on data subjects in more than one Member State" under Article 4(23)(b) of the GDPR. If this were not the case, any complaint against the operator of a website - regardless of the intended target audience of the website - would have to be dealt with in accordance with the rules under Art. 60 et seq. of the GDPR. This would lead to an overly broad interpretation of Article 4(23)(b) of the GDPR (and consequently to an overly broad scope of application of the "one-stop shop"), which - in the opinion of the data protection authority - cannot be intended by the legislator.

Consequently, with regard to the subject matter of the complaint relevant here, the complaint was to be dealt with exclusively by the Austrian data protection authority pursuant to Art. 55(1) GDPR.

Since ex officio decisions from which no right has accrued to anyone can be revoked or amended both by the authority that issued the decision and by the relevant higher authority in the exercise of its supervisory right, and since no right to a non-decision accrues to a party to the proceedings as a result of a stay of proceedings, the above-mentioned decision of October 2, 2020 was amenable to a remedy pursuant to Section 68 (2) AVG. 

D.2. ruling point 2. a)

a) General information on the term "personal data"

The material scope of application of Art. 2 (1) GDPR - and thus the success of this complaint - fundamentally presupposes that "personal data" are processed. 

According to the legal definition of Article 4(1) of the GDPR, "personal data means any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

As can be seen from the findings of fact (see point C.9.), the first respondent - as operator of the website - implemented the Google Analytics tool on its website. As a result of this implementation - i.e. triggered by the JavaScript code executed when visiting the website - at least the following information was transmitted from the browser of the complainant who visited the website www.[REDACTED]at to the servers of the second respondent:

- unique online identifiers ("unique identifiers") that identify both the complainant's browser or device and the first respondent (through the Google Analytics account ID of the first respondent as website operator);

- The address and HTML title of the website and the subpages visited by the complainant;

- Information about the browser, operating system, screen resolution, language selection and the date and time of the website visit;

- the IP address of the device used by the complainant.

It must be verified whether this information falls under the definition of Art. 4(1) GDPR, i.e. whether it is personal data of the complainant. 

b) Identification numbers as "personal data"

With regard to the online identifiers, it should be recalled once again that the cookies at issue, "_ga" or "cid" (Client ID) and "_gid" (User ID), contain unique Google Analytics identifiers and were stored on the end device or in the browser of the complainant. As stated, it is possible for certain bodies - in this case, for example, the respondents - to distinguish website visitors with the aid of these identification numbers and also to obtain information as to whether they are new or returning website visitors to www.[REDACTED]at. In other words, only the use of such identification numbers makes it possible to distinguish between website visitors, which was not possible prior to this assignment. 

In the opinion of the data protection authority, an infringement of the fundamental right to data protection pursuant to Art. 8 EU-GRC and Art. 1 DSG already exists if certain bodies take measures - in this case the assignment of such identification numbers - to individualize website visitors in this way.

A standard of "identifiability" to the effect that it must also be immediately possible to associate such identification numbers with a specific "face" of a natural person - i.e., in particular with the name of the complainant - is not required (cf. in this regard already Opinion 4/2007, WP 136, 01248/07/DE of the former Art. 29 Data Protection Working Party on the term "personal data" p. 16 f; cf. the March 2019 guidance of the supervisory authorities for telemedia providers, p. 15).

Such an interpretation is supported by Recital 26 of the GDPR, according to which the question of whether a natural person is identifiable takes into account "[...] any means reasonably likely to be used by the controller or by any other person to identify the natural person, directly or indirectly, such as 'Aussondern'" (English language version of the Regulation: "singling out"). The term "Aussondern" is to be understood as "picking out from a crowd" (cf. https://www.duden.de/rechtschreibung/aussondern, retrieved on December 22, 2021), which corresponds to the considerations on the individualization of website visitors cited above.

In the literature, it is also explicitly argued that a "digital footprint", which allows devices - and subsequently the specific user - to be clearly individualized, already constitutes personal data (cf. Karg in Simitis/Hornung/Spiecker, DSGVO Kommentar Art. 4 Z 1 Rz 52 mwN). This consideration can be applied to the case at hand due to the uniqueness of the identification numbers, especially since - which will be discussed in more detail below - these identification numbers can also be combined with other elements. 

To the extent that the respondents argue that no "means" are used to link the identification numbers at issue here with the person of the complainant, it must again be countered that the implementation of Google Analytics at www.[REDACTED]at results in a singling out within the meaning of Recital 26 of the GDPR. In other words: Anyone who uses a tool that makes such singling out possible in the first place cannot take the position that, according to "general discretion", no means are used to make natural persons identifiable.

As an interim result, it must therefore be noted that the Google Analytics identification numbers at issue here may constitute personal data (in the form of an online identifier) pursuant to Article 4(1) of the GDPR. 

c) Combination with other elements

The fulfillment of Article 4(1) of the GDPR becomes even more apparent if one considers that the identification numbers can be combined with other elements:

By combining all of these elements - i.e., unique identification numbers and the other information listed above, such as browser data or IP address - it is all the more likely that the complainant can be identified (see again Recital 30 of the GDPR). The complainant's "digital footprint" is made even more unique by such a combination.

In this regard, the respondents' arguments around the "anonymization function of the IP address" can be left aside, as the respondents have admitted that this function was not implemented correctly (at the time subject to the complaint) (see, for example, the first respondent's statement of 18 June 2021).

Likewise, the question of whether an IP address in isolation constitutes personal data can be left open, since - as mentioned - it can be combined with other elements (in particular the Google Analytics identification number). In this context, it should be noted that according to the case law of the ECJ, the IP address can constitute personal data (cf. the judgments of the ECJ of June 17, 2021, C-597/19, para. 102, as well as of October 19, 2016, C-582/14, para. 49) and it does not lose its character as personal data merely because the means of identification lie with a third party.

Finally, the data protection authority points out that it is precisely an essential part of the concept of Google Analytics (at least in the free version) to be implemented on as many websites as possible in order to collect information about website visitors. Accordingly, it would be incompatible with the fundamental right to data protection under Article 8 EU-GRC or Section 1 DSG to exclude the applicability of the GDPR to the data processing operations related to the Google Analytics tool - where individual website visitors are individualized on the basis of the Google Analytics identification number. 
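As an added illustration of points b) and c) above (not part of the decision), the following Python script models the data elements listed under C.9 and shows that the `_ga` client ID singles out visitors even when the IP address is masked. The `_ga` cookie format and the masking rule are assumptions taken from Google's public Universal Analytics documentation, and the visits are constructed sample data.

```python
"""Added example, not part of the DSB decision: why the Google Analytics
client ID singles out visitors even when the IP address is masked.

Assumptions (taken from Google's public Universal Analytics documentation,
not from the decision): the `_ga` cookie has the form
"GA1.<depth>.<random>.<first_visit_unix_ts>", and IP masking zeroes the last
IPv4 octet or the last 80 bits of an IPv6 address. All visits below are
constructed sample data using documentation IP ranges.
"""
from dataclasses import dataclass
import ipaddress


def anonymize_ip(ip: str) -> str:
    """Apply the assumed GA-style IP masking and return the masked address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.IPv4Address(int(addr) & ~0xFF))
    return str(ipaddress.IPv6Address(int(addr) & ~((1 << 80) - 1)))


def parse_ga_client_id(cookie_value: str) -> str:
    """Return the client ID ("<random>.<first_visit_ts>") from a `_ga` cookie.

    The client ID is the unique identifier the decision refers to; it stays
    constant across visits from different networks and is unaffected by
    IP masking.
    """
    parts = cookie_value.split(".")
    if len(parts) != 4 or parts[0] != "GA1" or not parts[1].isdigit():
        raise ValueError(f"unexpected _ga cookie format: {cookie_value!r}")
    return f"{parts[2]}.{parts[3]}"


@dataclass(frozen=True)
class Hit:
    """One page view with the elements the decision lists under C.9."""
    ga_cookie: str    # unique identifier stored in the visitor's browser
    page: str         # address of the page visited
    user_agent: str   # browser and operating system
    screen: str       # screen resolution
    language: str     # language selection
    ip: str           # IP address of the visitor's device


def group_by_network_attributes(hits, anonymize=True):
    """Group hits as an observer could without the client ID: by (masked) IP
    and browser attributes. Visitors behind one NAT gateway with the same
    browser collapse into one group; one visitor on two networks splits."""
    groups = {}
    for h in hits:
        ip = anonymize_ip(h.ip) if anonymize else h.ip
        groups.setdefault((ip, h.user_agent, h.screen, h.language), []).append(h.page)
    return groups


def group_by_client_id(hits):
    """Group hits by the `_ga` client ID: each browser becomes one visitor,
    and a second entry under the same ID is a returning visitor."""
    groups = {}
    for h in hits:
        groups.setdefault(parse_ga_client_id(h.ga_cookie), []).append(h.page)
    return groups


# Constructed sample: two colleagues (A and B) share an office NAT address
# and an identical browser build; A later returns from a home connection.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/79.0"
SAMPLE_HITS = [
    Hit("GA1.2.1111111111.1597400000", "/", BROWSER, "1920x1080", "de-AT", "203.0.113.77"),
    Hit("GA1.2.2222222222.1597401000", "/sport", BROWSER, "1920x1080", "de-AT", "203.0.113.77"),
    Hit("GA1.2.1111111111.1597400000", "/article/42", BROWSER, "1920x1080", "de-AT", "198.51.100.9"),
]


if __name__ == "__main__":
    # Without the client ID, A and B are indistinguishable and A's two visits
    # look like two people; with it, A is singled out and seen as returning.
    print("by masked IP + browser:", group_by_network_attributes(SAMPLE_HITS))
    print("by _ga client ID:      ", group_by_client_id(SAMPLE_HITS))
```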

d) Traceability to the complainant

Irrespective of the above considerations, however, traceability to the "face" of the complainant - such as his or her name - must be assumed in any case:

It is not necessary that the respondents can establish a personal reference on their own, i.e. that all information required for identification is with them (cf. the ECJ judgments of December 20, 2017, C-434/16, para. 31, as well as of October 19, 2016, C-582/14, para. 43). Rather, it is sufficient that anyone - with legally permissible means and reasonable effort - can establish this personal reference (see Bergauer in Jahnel, DSGVO Kommentar Art. 4 Z 1 Rz 20 mVa Albrecht/Jotzo, Das neue Datenschutzrecht der EU 58).

Such an interpretation of the scope of application of Art. 4(1) GDPR can be derived - in addition to the cited sources of law and literature - from Recital 26 GDPR, according to which not only the means of the controller (here: the first respondent) are to be taken into account in the question of identifiability, but also those of "another person" (English language version of the Regulation: "by another person"). This also follows from the idea of offering data subjects the greatest possible protection of their data.

Thus, the ECJ has repeatedly stated that the scope of application of the GDPR is to be understood "very broadly" (see, for example, the judgments of the ECJ of June 22, 2021, C-439/19, para 61; for the legal situation comparable in this respect, the judgments of December 20, 2017, C-434/16, para 33, as well as of May 7, 2009, C-553/07, para 59).

It is not overlooked that according to Recital 26 of the GDPR, the "likelihood" of anyone using means to directly or indirectly identify natural persons must also be taken into account. In fact, in the opinion of the data protection authority, the term "anyone" - and thus the scope of application of Art. 4 No. 1 GDPR - should not be interpreted so broadly that any unknown actor could theoretically have special knowledge in order to establish a reference to a person; this would lead to almost any information falling within the scope of application of the GDPR and a demarcation from non-personal data would become difficult or even impossible. 

Rather, the decisive factor is whether an identifiability can be established with a justifiable and reasonable effort (cf. in this regard the decision of December 5, 2018, GZ DSB-D123.270/0009-DSB/2018, according to which personal data are not - anymore - present if the controller or a third party can only establish a personal reference with a disproportionate effort).

In the case at hand, however, there are now certain actors who possess special knowledge that makes it possible to establish a reference to the complainant in the sense of the above statements and therefore to identify him.

First of all, this is the second respondent: 

As can be seen from the findings of fact, the complainant was logged in with his Google account [REDACTED] at the time he visited the website www.[REDACTED]at. The second respondent has stated that due to the fact that the Google Analytics tool is implemented on a website, the latter receives information. This includes the information that a certain Google Account user has visited a certain website (see the opinion of April 9, 2021, question 9). 

This means that the second respondent has at least received the information that the Google account user [REDACTED] has visited the website www.[REDACTED]at. 

Thus, even if one takes the view that the online identifiers listed above must be assignable to a certain "face", such an assignment can in any case be made via the complainant's Google account.

Not to be overlooked are the further statements of the second respondent that for such an allocation certain requirements have to be fulfilled, such as the activation of specific settings in the Google account (cf. again its statement of April 9, 2021, question 9).

However, if - and this has been convincingly explained by the complainant - the identifiability of a website visitor depends only on whether certain declarations of intent are made in the account, all possibilities for identifiability are present (from a technical point of view). Otherwise, the second respondent could not comply with a user's wishes expressed in the account settings for "personalization" of the advertising information received.

In this context, it is necessary to explicitly refer to the unambiguous wording of Article 4(1) of the GDPR, which is linked to a capability ("can be identified") and not to whether an identification is ultimately also made.

Likewise, it must be expressly pointed out that the first respondent - as the responsible party, see below - has an accountability obligation under the GDPR to implement appropriate technical and organizational measures in accordance with Article 5 (2) in conjunction with Article 24 (1) in conjunction with Article 28 (1) of the GDPR in order to ensure and provide evidence that the processing (with the help of a processor) is carried out in accordance with the Regulation. This is therefore an obligation to provide evidence.

This also includes proof that a processing operation is not subject to the Regulation. Such proof was not provided - despite several opportunities to do so.

Irrespective of the second respondent, however, the U.S. authorities must be taken into account - and this is of greater relevance to the case:

As the complainant has also correctly pointed out, intelligence services in the U.S. take certain online identifiers (such as the IP address or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant. 

The fact that this is not merely a "theoretical danger" is demonstrated by the judgment of the ECJ of July 16, 2020, C-311/18, which ultimately also declared the EU-US adequacy decision ("Privacy Shield") invalid due to the incompatibility of such methods and access possibilities of the US authorities with the fundamental right to data protection pursuant to Article 8 EU-GRC.

In particular, this is shown by the transparency report of the second respondent - cited in the findings of fact - which proves that there are data requests from U.S. authorities to the second respondent. In the process, both metadata and content data may be requested from the second respondent.

It is not overlooked that the first respondent admittedly cannot check whether such accesses by US authorities occur in individual cases - i.e. per website visitor - and what information US authorities already possess; conversely, however, this circumstance cannot be held against affected persons, such as the complainant. Ultimately, it was the first respondent as (then) website operator who - despite publication of the aforementioned ECJ ruling of July 16, 2020 - continued to use the Google Analytics tool.

As a further interim result, it must therefore be noted that the information cited in the findings of fact under C.9. (at least in combination) constitutes personal data pursuant to Art. 4(1) GDPR. 

e) Allocation of roles

As already explained, the first respondent, as the website operator, made the decision to implement the "Google Analytics" tool on the website www.[REDACTED]at at the time relevant to the complaint. Specifically, it inserted a JavaScript code ("tag") provided on the part of the second respondent into the source code of its website, whereby this JavaScript code was executed in the complainant's browser when the website was visited. The first respondent has stated in this regard that the said tool is used for the purpose of statistical evaluations of the behavior of website visitors (see statement of December 16, 2020, question 2).

In this way, the first respondent has decided on the "purposes and means" of the data processing in connection with the tool, which is why it is (in any case) to be regarded as a controller within the meaning of Article 4(7) of the GDPR.

As far as the second respondent is concerned, it should be noted that the subject matter of the complaint relevant here relates (only) to the transfer of data to the second respondent in the USA. A possible further data processing of the information cited in the findings of fact under C.9. (by Google Ireland Limited or the second respondent) is not the subject of the complaint and was therefore not investigated in more detail in this direction.

As far as the data processing in connection with the Google Analytics tool is concerned, it should be noted that the second respondent merely makes this tool available and also has no influence on whether and to what extent the first respondent makes use of the tool functions and which specific settings it selects.

Insofar as the second respondent therefore only provides Google Analytics (as a service), it has no influence on the "purposes and means" of the data processing and is therefore to be qualified as a processor in accordance with Article 4(8) of the GDPR.

These considerations are made without prejudice to a further official review procedure pursuant to Art. 58 (1) b of the GDPR and without prejudice to the data protection role of the second respondent with regard to possible further data processing. 

D.3 ruling point 2. b)

a) Scope of application of Chapter V of the GDPR

First, it must be verified whether the first respondent is subject to the obligations standardized in Chapter V of the Regulation.

According to Article 44 of the GDPR, any "[...] transfer of personal data already processed or to be processed after their transfer to a third country or an international organization [...] shall only be allowed if the controller and processor comply with the conditions laid down in this chapter and also with the other provisions of this Regulation, including any onward transfer of personal data from the third country or international organization concerned to another third country or international organization. All the provisions of this chapter shall be applied to ensure that the level of protection afforded to natural persons by this Regulation is not undermined."

In "Guidelines 5/2021 on the relationship between the scope of Art. 3 and the requirements for international data flows under Chapter V of the GDPR" (currently still in public consultation), the EDSA has identified three cumulative conditions for when a "transfer to a third country or an international organization" as defined in Art. 44 of the GDPR exists (ibid. para. 7):

- the controller or a processor is subject to the GDPR for the processing in question;

- that controller or processor ("data exporter") discloses, by transmission or otherwise, personal data which are the subject of that processing to another controller, joint controller or processor ("data importer"); 

- the data importer is located in a third country or is an international organization, whether or not that data importer is subject to the GDPR with respect to the processing in question pursuant to Article 3.

The first respondent is based in Austria and was the data controller for the operation of the website www.[REDACTED]at at the time subject to the complaint. In addition, the first respondent (as data exporter) disclosed personal data of the complainant by proactively implementing the Google Analytics tool on its website www.[REDACTED]at, and as a direct result of this implementation, among other things, a data transfer to the second respondent (to the USA) took place. Finally, the second respondent, in its capacity as a processor (and data importer), is located in the United States.

Since all the conditions set forth in the EDSA Guidelines are met, the first respondent is subject to the provisions of Chapter V of the Regulation as a data exporter.

b) Regulatory framework of Chapter V of the GDPR

Subsequently, it is necessary to verify whether the data transfer to the USA took place in accordance with the provisions of Chapter V of the GDPR.

Chapter V of the Regulation provides three instruments to ensure the adequate level of protection required by Art. 44 GDPR for data transfers to a third country or an international organization:

- Adequacy Decision (Art. 45 GDPR);
- Appropriate safeguards (Art. 46 GDPR);
- Exemptions for specific cases (Art. 49 GDPR). 

c) Adequacy Decision

The ECJ has pronounced that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid (see the judgment of 16 July 2020, C-311/18 para 201 f).

The data transfer at issue therefore does not find coverage in Article 45 GDPR.

d) Appropriate safeguards

As can be seen from the findings of fact, on August 12, 2020, the respondents entered into standard data protection clauses (hereinafter: SDK) pursuant to Art. 46(2)(c) of the GDPR for the transfer of personal data to the United States ("Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors"). Specifically, at the time relevant to the complaint, the clauses in question were those in the version of the Implementing Decision of the European Commission 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries pursuant to Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5.

In the aforementioned judgment of July 16, 2020, the ECJ stated that SDKs as an instrument for international data flows are not objectionable on the merits, but the ECJ also pointed out that SDKs are by their nature a contract and, accordingly, cannot bind authorities from a third country:

"Accordingly, while there are situations in which the recipient of such a transfer can, in the light of the legal situation and practice in the third country concerned, guarantee the necessary data protection on the basis of the standard data protection clauses alone, there are also situations in which the rules contained in those clauses may not constitute a sufficient means of ensuring, in practice, the effective protection of the personal data transferred to the third country concerned. This is the case, for example, when the law of that third country allows its authorities to interfere with the rights of data subjects with respect to those data" (ibid. para. 126).

However, a more detailed analysis of the legal situation of the USA (as a third country) can be omitted here, as the ECJ has already dealt with this in the cited judgment of July 16, 2020. It came to the conclusion that the EU-US adequacy decision does not ensure an adequate level of protection for natural persons due to the relevant US law and the implementation of official surveillance programs - based, inter alia, on Section 702 of FISA and E.O. 12333 in conjunction with PPD-28 (ibid., para. 180 et seq.).

These considerations can be applied to the case at hand. Thus, it is evident that the second respondent qualifies as a provider of electronic communications services within the meaning of 50 U.S.Code § 1881(b)(4) and is thus subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S.Code § 1881a ("FISA 702"). Accordingly, the second respondent has an obligation to provide personally identifiable information to U.S. authorities pursuant to 50 U.S.Code § 1881a.

As can be seen from the second respondent's transparency report, such requests are also regularly made to it by U.S. authorities (see https://transparencyreport.google.com/user-data/us-national-security?hl=en, accessed December 22, 2021).

However, if the EU-US adequacy decision has already been declared invalid due to the legal situation in the USA, it cannot be assumed that the (mere) conclusion of SDKs ensures an adequate level of protection pursuant to Art. 44 GDPR for the data transfer in question. 

Against this background, the ECJ also stated in the cited judgment of July 16, 2020 that "[...] standard data protection clauses cannot, by their very nature, provide guarantees that go beyond the contractual obligation to ensure compliance with the level of protection required by Union law [...]" and that it "[...] may be necessary, depending on the situation prevailing in a particular third country, for the controller to take additional measures to ensure compliance with that level of protection" (ibid. para. 133).

Therefore, the data transfer at issue cannot be based solely on the standard data protection clauses concluded between the respondents pursuant to Article 46(2)(c) GDPR. 

e) General information on "additional measures"

In its "Recommendations 01/2020 on measures to supplement transfer tools to ensure the level of protection of personal data under Union law", the EDSA (European Data Protection Board) has stated that, where the law of the third country impairs the effectiveness of appropriate safeguards (such as the SDKs), the data exporter must either suspend the data transfer or implement additional measures ("supplementary measures") (ibid. para. 28 et seq. and para. 52).

According to the recommendations of the EDSA, such "supplementary measures" within the meaning of the ECJ ruling of July 16, 2020 can be of a contractual, technical or organizational nature (ibid., para. 47):

With regard to contractual measures, it is stated that they "[...] complement and reinforce the safeguards offered by the transfer instrument and the relevant legislation in the third country to the extent that the safeguards, taking into account all the circumstances of the transfer, do not fulfil all the conditions necessary to ensure a level of protection substantially equivalent to that existing in the EU. Since contractual measures, by their nature, generally cannot bind the authorities of the third country if they are not themselves party to the contract, they must be combined with other technical and organizational measures to ensure the required level of data protection. Just because one or more of these measures has been selected and applied does not necessarily mean that it is systematically ensured that the envisaged transfer meets the requirements of Union law (ensuring a substantially equivalent level of protection)" (ibid. para. 93).

Regarding organizational measures, it is stated that they "[...] may be internal policies, organizational methods and standards that controllers and processors might apply to themselves and impose on data importers in third countries. [...] Depending on the specific circumstances of the transfer and the assessment carried out of the legal situation in the third country, organizational measures are necessary to complement the contractual and/or technical measures in order to ensure that the protection of personal data is substantially equivalent to the level of protection ensured in the EU" (ibid. para. 122).

Regarding technical measures, it is stated that these are intended to ensure that "[...] access to the transferred data by authorities in third countries does not undermine the effectiveness of the appropriate safeguards listed in Article 46 of the GDPR. Even if the access by authorities is in compliance with the law in the country of the data importer, these measures should be considered if the access by authorities goes beyond what is a necessary and proportionate measure in a democratic society. These measures aim to eliminate potentially infringing access by preventing authorities from identifying data subjects, inferring information about them, identifying them in other contexts, or linking the transferred data to other data sets held by authorities, including data on online identifiers of devices, applications, tools, and protocols used by data subjects in other contexts" (ibid. para. 74).

Finally, the EDSA has stated that such "additional measures" are to be considered effective within the meaning of the judgment of 16 July 2020 only "[...] if and to the extent that the measure precisely closes the legal protection gaps identified by the data exporter in its examination of the legal situation in the third country. If it is ultimately not possible for the data exporter to achieve a substantially equivalent level of protection, it may not transfer the personal data" (ibid. para. 70).

Applied to the case at hand, this means that it must be examined whether the "additional measures" taken by the second respondent close the legal protection gaps identified in the context of the ECJ ruling of June 20, 2020 - i.e., the access and surveillance possibilities of U.S. intelligence services.

f) "Additional Measures" of the Second Respondent

The second respondent has now implemented various measures in addition to the conclusion of the standard data protection clauses (SDKs) (see its statement of April 9, 2021, question 28).

With regard to the contractual and organizational measures outlined, it is not apparent to what extent notifying the data subject of data requests (should this be permissible at all in individual cases), publishing a transparency report or a "guideline for handling government requests" are effective in the sense of the above considerations. Similarly, it is unclear to what extent "careful consideration of any data access request" is an effective measure, given that the ECJ pronounced in the aforementioned judgment of June 20, 2020 that permissible (i.e., legal under U.S. law) requests from U.S. intelligence agencies are not compatible with the fundamental right to data protection under Article 8 of the EU CFR.

Insofar as the technical measures are concerned, it is likewise not discernible - and was also not comprehensibly explained on the part of the respondents - to what extent the protection of communications between Google services, the protection of data in transit between data centers, the protection of communications between users and websites or an "on-site security" actually prevent or restrict the access possibilities of US intelligence services on the basis of US law.

Insofar as the second respondent subsequently refers to encryption technologies - for example, to the encryption of "data at rest" in the data centers - this must once again be countered with the EDSA's Recommendations 01/2020. Indeed, it is stated there that, with respect to imported data in its possession or custody or under its control, a data importer (such as the Second Respondent) subject to 50 U.S. Code § 1881a ("FISA 702") has a direct obligation to provide access to or surrender such data. This obligation may expressly extend to the cryptographic keys without which the data cannot be read (ibid. para. 76).

As long as the second respondent has the possibility to access data in plain text, the technical measures cited cannot be considered effective in the sense of the above considerations.

As a further technical measure, the second respondent argues that insofar as "[...] Google Analytics data for measurement by website owners is personal data, [...] it must be considered pseudonymous" (see its opinion of April 9, 2021, p. 26). However, this must be countered by the convincing view of the German Data Protection Conference, according to which "[...] the fact that users are made identifiable, for example via IDs or identifiers, does not constitute a pseudonymization measure within the meaning of the GDPR. Moreover, the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers to (re)identify users does not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects. This is because, unlike in cases where data is pseudonymized in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used to make the individuals distinguishable and addressable. Consequently, there is no protective effect. They are therefore not pseudonymizations within the meaning of Recital 28, which reduce the risks for the data subjects and assist data controllers and processors in complying with their data protection obligations" (cf. the March 2019 guidance of the supervisory authorities for telemedia providers, p. 15).

Furthermore, the second respondent's argument is also not to be followed because the Google Analytics identifier - as explained above - can be combined with further elements anyway and can even be associated with a Google account indisputably attributable to the complainant.

The "anonymization function of the IP address" mentioned is not relevant in relation to the case, as this was not implemented correctly - as also explained above. Apart from that, the IP address is in any case only one of many "puzzle pieces" of the complainant's digital footprint.

As a further interim result, it must therefore be noted that the "additional measures" at issue are not effective, as they do not close the legal protection gaps identified in the context of the ECJ's ruling of June 20, 2020 - i.e., the access and monitoring possibilities of U.S. intelligence services.

The data transfer in question is therefore not covered by Art. 46 GDPR.

D.4 Point 2 c)

a) Regarding Art. 49 GDPR

According to the first respondent's own statements, the exemption pursuant to Art. 49 GDPR was not relevant for the data transfer at issue (cf. the Opinion of December 16, 2020).

Consent pursuant to Art. 49(1)(a) of the GDPR was not obtained. The data protection authority also fails to see how any other element of Art. 49 GDPR is fulfilled.

Therefore, the data transfer in question cannot be based on Art. 49 GDPR.

b) Result

Since no adequate level of protection was ensured by an instrument of Chapter V of the Regulation for the data transfer at issue by the first respondent to the second respondent (in the USA), there is a violation of Art. 44 GDPR.

The first respondent was (at any rate) responsible for the operation of the website www.[REDACTED]at at the time relevant to the complaint - i.e. August 14, 2020. The relevant data protection violation against Art. 44 of the GDPR is therefore attributable to the first respondent.

Therefore, the decision had to be made in accordance with the ruling. 

D.5 Remedial powers

In the opinion of the data protection authority, the Google Analytics tool (at least in the version of August 14, 2020) therefore cannot be used in accordance with the provisions of Chapter V of the GDPR.

Since the responsibility for operating the website www.[REDACTED]at was transferred to the GmbH with its registered office in Munich in the course of the complaint procedure (but only after August 14, 2020) and Google Analytics continued to be implemented at the time of the decision, the data protection authority will refer the case to the competent German supervisory authority with regard to the (possible) use of the remedial powers pursuant to Article 58 (2) of the GDPR.

D.6 Point 3

It is necessary to verify whether the second respondent (as data importer) is also subject to the obligations set forth in Chapter V of the Regulation.

Based on the EDSA Guidelines 5/2021 already cited above, it should be noted once again that a "transfer to a third country or an international organization" within the meaning of Article 44 GDPR only exists if, among other things, the controller or processor (data exporter) discloses personal data that are the subject of such processing to another controller, joint controller or processor (data importer) by means of transfer or otherwise.

This requirement does not apply to the second respondent in the present case, as the second respondent (as data importer) does not disclose the personal data of the complainant, but (only) receives them. In other words, the requirements of Chapter V of the GDPR must be complied with by the data exporter, but not by the data importer.

The complainant's argument that a data transfer necessarily presupposes a recipient and that the second respondent is part of the data transfer (at least from a technical point of view) is not overlooked. However, it should be countered that data protection responsibility in a processing operation can nevertheless be "shared" (from a legal point of view), i.e., there can be a different degree of responsibility depending on the phase of the processing operation (cf. EDSA Guidelines 7/2020 on the concept of controllers and processors, para. 63 et seq. with further references).

In the opinion of the data protection authority, there was therefore no violation of Article 44 of the GDPR by the second respondent.

Overall, the decision was therefore in accordance with the ruling.

Finally, it should be noted that the issue of a (possible) violation of Art. 5 et seq. in conjunction with Art. 28 Par. 3 lit. a and Art. 29 of the GDPR by the second respondent will be addressed in a further decision.

LEGAL REMEDY

An appeal against this decision may be filed in writing with the Federal Administrative Court within four weeks of service. The appeal must be filed with the data protection authority and must contain:

- the designation of the contested decision (GZ, subject),
- the name of the authority against which the appeal has been lodged,
- the grounds on which the allegation of illegality is based,
- the request, and
- the information necessary to assess whether the appeal was filed in time.

The data protection authority has the option of either amending its decision within two months by means of a preliminary decision on the complaint or submitting the complaint together with the files of the proceedings to the Federal Administrative Court.

The appeal against this decision is subject to a fee. The fixed fee for a corresponding submission including enclosures is 30 euros. The fee is to be paid to the account of the Tax Office Austria, stating the purpose of use.

The fee must always be transferred electronically using the "Tax Office Payment" function. The Tax Office Austria - Special Responsibilities Department is to be indicated or selected as the recipient (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore, the tax number/levy account number 10 999/9102, the type of levy "EEE - Appeal Fee", the date of the notice as the period and the amount are to be indicated.

If your bank's e-banking system does not have the "Tax Office Payment" function, the eps procedure in FinanzOnline can be used. An electronic transfer can only be dispensed with if no e-banking system has been used so far (even if the taxpayer has an Internet connection). In this case, the payment must be made by means of a payment order, and care must be taken to ensure that it is correctly allocated. For more information, contact the tax office and refer to the manual "Electronic Payment and Notification for Payment of Self-Assessment Taxes".

Proof of payment of the fee must be provided when filing the complaint with the DPA by means of a payment voucher to be attached to the submission or a printout showing that a payment order has been issued. If the fee is not paid or not paid in full, a notification will be sent to the competent tax office.

A timely and admissible appeal to the Federal Administrative Court has a suspensive effect. The suspensive effect may have been excluded in the ruling of the decision or may be excluded by a separate decision.

December 22, 2021
For the head of the data protection authority: 
[REDACTED]