Datainspektionen - DI-2018-9274: Difference between revisions
(Keep DPA’s old logo on old decisions) |
|||
(2 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
|Jurisdiction=Sweden | |Jurisdiction=Sweden | ||
|DPA-BG-Color= | |DPA-BG-Color= | ||
|DPAlogo= | |DPAlogo=LogoSE-Datainspektionen.png | ||
|DPA_Abbrevation=Datainspektionen | |DPA_Abbrevation=Datainspektionen | ||
|DPA_With_Country=Datainspektionen (Sweden) | |DPA_With_Country=Datainspektionen (Sweden) | ||
Line 58: | Line 58: | ||
}} | }} | ||
The Swedish DPA imposed a fine of 75 million Swedish kronor (approximately € 7 million) on Google for failing to fulfill its obligation in respect of the right to be forgotten (Article 17 GDPR). | The Swedish DPA (Datainspektionen) imposed a fine of 75 million Swedish kronor (approximately € 7 million) on Google for failing to fulfill its obligation in respect of the right to be forgotten (Article 17 GDPR). | ||
==English Summary== | ==English Summary== |
Latest revision as of 11:43, 7 April 2022
Datainspektionen - DI-2018-9274 | |
---|---|
Authority: | Datainspektionen (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 9 GDPR Article 10 GDPR Article 17 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 10.03.2020 |
Published: | 10.03.2020 |
Fine: | 75000000 SEK |
Parties: | n/a |
National Case Number/Name: | DI-2018-9274 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Swedish |
Original Source: | Datainspektionen (in SV) |
Initial Contributor: | Charlotte Godhe |
The Swedish DPA (Datainspektionen) imposed a fine of 75 million Swedish kronor (approximately € 7 million) on Google for failing to fulfill its obligation in respect of the right to be forgotten (Article 17 GDPR).
English Summary
Facts
The Swedish DPA finalised an audit of Google’s handling of individuals’ right to have search result listings for searches that includes their name in 2017. In its decision, the DPA concluded that a number of search result listings should be removed and subsequently ordered Google to do so.
During the DPA’s follow-up audit in 2018, it was critical to the fact that Google did not properly remove two of the search result listings that the DPA had ordered them to remove back in 2017. In one of the cases, Google has done a too narrow interpretation of what web addresses need to be removed from the search result listing. In the second case, Google has failed to remove the search result listing without undue delay. Google claimed it had followed the order and that the handling of the delisting requests had been lawful.
Further, when Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site-owner knowledge of which webpage link was removed and who was behind the delisting request. This allows the site-owner to re-publish the webpage in question on another web address that will then be displayed in a Google search. The DPA criticised this practice, alleging it puts the right to delisting out of effect. However, Goggle claimed this practice has been in accordance with Article 6.1(f) GDPR.
Dispute
The dispute concerned whether Google had followed the DPA’s order and sufficiently removed search links on request of data subjects or not.
It was also in dispute if Google’s practice to inform site-owners of the removal of search results had a legal basis.
Holding
The DPA held that Google had not complied with the previous order by the DPA by failing to remove search links sufficiently and within a reasonable time. Google had, therefore, processed personal data in violation of the GDPR.
The DPA also held that Google had processed personal data in violation of Articles 5(1)(b) and 6 GDPR by sending notifications to webmasters that search results had been deleted. Furthermore, the notice given to data subjects concerning these notifications was found misleading in a manner contrary to Article 5 (1)(a) GDPR.
Comment
For a deeper understanding of the right to request delisting under Article 17 GDPR, the following case and EDPB guidelines can be helpful:
Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, judgment of 13 May 2014.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Decision Diary No. 1 (31) 2020-03-10 DI-2018-9274 Google LLC Amphitheater Parkway, Mountain View, CA 94043 United States Supervision according to the EU Data Protection Regulation 2016/679 - Google's handling of requests on removal from its search services Table of Contents The Data Inspectorate's decision ....................................... 2 1 Report on the supervisory matter ............................. 4 1.1 General ................................................ .................................................. ........ 4 1.2 The content of previous decisions as far as is now relevant .......................................... ..6 1.2.1 Order concerning complaints 2 and 8 ......................................... ... 6 1.2.2 Obligation to investigate the circumstances of a request ....................... 7 1.2.3 Communication to webmasters that removal has taken place .......... 8 2 Grounds for the decision ........................................... 8 2.1 Starting points for the assessment of follow-up complaints ....................... 8 2.2 Follow-up of complaint 2 ............................................. ........................... 9 2.2.1 What has emerged during the proceedings ............................ 9 2.2.2 The Data Inspectorate's assessment ............................................. .............. 11 2.3 Follow-up of complaint 8 ............................................. ............................ 12 2.3.1 What has emerged during the proceedings ........................... 12 2.3.2 The Data Inspectorate's assessment ............................................. .............. 13 2.4 Communication to webmasters that search results have been deleted and information about this to individuals ............................................ ............... 14 2.4.1 What has emerged during the proceedings ........................... 14 Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se Website: www.datainspektionen.se Phone: 08-657 61 00Datainspektionen DI-2018-9274 2 (31) 2.4.2 The Data Inspectorate's assessment ............................................. ............. 15 3 Choice of intervention ........................................... 23 3.1 Possible intervention measures ............................................... ........................ 23 3.2 Injunction ................................................ .............................................. 24 3.3 Circumstances of significance for whether a penalty fee should be imposed ......... 25 3.3.1 What Google has stated ........................................... ........................... 25 3.3.2 Assessment of the infringement concerning complaint 2 .......................... 25 3.3.3 Assessment of the infringement concerning complaint 8 .......................... 26 Assessment of the infringement relating to notification to webmasters and information to individuals ............................................ 27 3.3.5 Penalty fees shall be imposed ............................................ ................. 28 3.4 Determining the size of the penalty fee ............................................ 28 3.4.1 General provisions ............................................. ......................... 28 3.4.2 The amount for which penalty fees can be set .................... 29 3.4.3 Determining the size of the penalty fee .................................... 30 3.5 Appendices ................................................ .................................................. ....... 30 4 How to appeal .......................................... 31 The Data Inspectorate's decision 1. The Data Inspectorate finds that Google LLC (Google) has not taken measures so that a certain search result in complaint 2 in the Data Inspectorate's earlier supervisory decision with registration number 1013-2015 is not displayed for searches on the complainant's name using Google's search services that can be made from Sweden during the period May 25, 2018 to October 12, 2018. Google has through this processed personal data in violation of Article 9 of the Data Protection Regulation by dealing with sensitive personal data consisting of data on ethnicity, religious REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the Data Inspectorate DI-2018-9274 3 (31) conviction, mental health and sexual life, without having for treatment a valid exemption from the ban on treating sensitive personal data. Article 10 of the Data Protection Regulation by considering personal data relating to offenses consisting of data on prosecution and preliminary investigation without the treatment being allowed. Article 17 of the Data Protection Regulation by not unnecessarily have delayed the complainant's request for removal. 2. The Data Inspectorate finds that Google has not taken any action so that a certain search result in complaint 8 in the Data Inspectorate's previous supervisory decision with registration number 1013-2015 is not displayed for searches on the complainant's name with using Google's search services that can be made from Sweden during the period May 25, 2018 to June 11, 2018. Google has dealt with this personal data in violation of Article 10 of the Data Protection Regulation by considering personal data relating to offenses consisting of data on allegations of crime and preliminary investigation without processing been allowed. Article 17 of the Data Protection Regulation by not unnecessarily have delayed the complainant's request for removal. 3. The Data Inspectorate finds that Google since May 25, 2018 regularly informs webmasters of websites when the company has taken deleted a URL as a result of a removal request. Google thereby processes personal data in violation of Article 5 (1) (b) of the Data Protection Regulation in that the procedure constitutes a personal data processing that is incompatible with the original purpose for which the data were collected. Article 6 of the Data Protection Regulation by not having a legal basis for the treatment. 4. The Data Inspectorate states that Google since 25 May 2018 in its Web forms for removal requests inform individuals about and requires them to agree that Google may inform them free flow of such data and repealing Directive 95/46 / EC (General Data Protection Ordinance) .Data Inspectorate DI-2018-9274 4 (31) webmasters for such URLs that are removed from the search results to as a result of individual requests. Google deals with this personal data in violation of Article 5 (1) (a) in that the procedure is intended to persuade individuals to refrain from exercising its right to request removal. 5. The Data Inspectorate decides on the basis of ch. Section 3 of the Data Protection Act and 2 Articles 58 (2) and 83 of the Data Protection Regulation require Google to pay a administrative penalty fee of SEK 75,000,000 (seventy-five million). 6. The Data Inspectorate submits pursuant to Article 58 (2) (d) i Google's Data Protection Regulation that, as far as removal requests are concerned of displaying search results when searching for individuals' names using Google search services that can be done from Sweden, stop informing webmasters of URLs when Google has granted a request except in cases where the individual has requested the. cease to display the text “If URLs are removed from ours search results as a result of your request, we can provide information to them webmasters for the deleted URLs ”in their web form for request for removal or provide similar information to individuals if it is not clear that webmasters are only informed about that a request has been granted if the individual has requested it. 1 Report on the supervisory matter 1.1 General In May 2015, the Swedish Data Inspectorate started with the support of the Personal Data Act (1998: 204) and the Data Protection Directive a supervisory case with a record number 1013-2015 (the former case) against Google Inc. whose legal successor is Google LLC (Google or Company). The review was about how Google handles it requests from natural persons that certain search results should not be displayed at 2 The Act (2018: 218) with supplementary provisions to the EU Data Protection Regulation. 3 Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free flow of such information.Datainspektionen DI-2018-9274 5 (31) searches on their name on the company's search services (removal request). The review took place in the light of the ruling that stated that individuals are right to be granted in certain cases a request for removal and 4 data protection authorities' guidelines for interpreting the judgment (WP225- 5 guidelines) and this right (right of removal). In addition to Google's handling of removal requests in general included in The review also includes 13 complaints received by the Data Inspectorate from individuals who believed that the company had incorrectly rejected their respective request on removal. The review was terminated by decision of 2 May 2017 (the previous decision). In the decision, the Data Inspectorate presented Google with the latest take action on 2 August 2017 regarding five of the complaints (Nos. 2, 4, 5, 8) and 9) in such a way that the specified search results are not displayed during searches on the names of the complainants. The Data Inspectorate also made recommendations on how such requests should be handled. Google appealed the injunction regarding complaint no. 8. The appeal was rejected on 2 May 2018 in this part and entered into force on 24 May 2018. 7 On 25 May 2018, the Data Protection Ordinance began to be applied. Based on tips from the public that Google had not followed the decision and the judgment, the Data Inspectorate stated during an inspection on 8 June 2018 that search results from complaints 2 and 8 were still displayed. Against this background this supervisory matter was initiated. 4 Judgment of the European Court of Justice of 13 May 2014, Google Spain and Google, C-131/12. 5 Article 29 Working Party on Data Protection, “Guidelines on the Enforcement of Judgments [Google Spain and Google] ”of 26 November 2014 (WP 225). The working group has in and with the entry into force of the Data Protection Regulation replaced by the European Data Protection Board (EDPB) (see Articles 68 and 94 (2) of the Data Protection Regulation). 6 The decision in its wording following the decision on reconsideration of 14 July 2017. References to the decision in the following refers to the decision in this wording. 7 The Administrative Court in Stockholm's judgment of 2 May 2018 in case no. 16590-17. The Data Inspectorate appealed the Administrative Court's judgment in the part in which it went The Data Inspectorate received, ie. repeal of the injunction 'in the part intended to remove search results that can be displayed when searching on the registrant's name using Google LLC's search services that can be done from countries other than Sweden ”. The Court of Appeal decided on 3 December 2018 in case no. 4635-18 not to grant leave to appeal, which was established by the decision of the Supreme Administrative Court on 11 September 2019 in case no. 6887-18.Data Inspectorate DI-2018-9274 6 (31) The supervision has taken place through correspondence. The review is about how Google is doing handled the complainants' requests and the Data Inspectorate's injunctions concerning complaints 2 and 8 in the previous decision. Against the background of what has emerged, the Data Inspectorate has also followed up on certain issues as well highlighted in the recommendations of the decision. This refers to how Google investigates removal requests as well as Google's routine to provide regular information webmasters for relevant URLs once a request has been granted and Google's information to individuals about this in Google's web form for request for removal. 1.2 The content of previous decisions as far as is now relevant 1.2.1 Order concerning complaints 2 and 8 In the previous decision, the Data Inspectorate stated that Google "processes personal data in violation of section 5 a, second paragraph of the Personal Data Act on display of search results after searching for the complainant's name in Google's search services regarding the search results referred to in Complaint 2 (Google No. 0-5877000003906) […] [och] complaint 8 (Google no. 1-8544000003955), the search hit that links to one article on the website www.sydsvenskan.se. ” The Data Inspectorate instructed Google to “take action to address the above the search results are not displayed when searching on the complainant's name using Google search services that can be done from Sweden "and stated that" [the] measures must be completed by 2 August 2017. " The Data Inspectorate stated in the reasons for the previous decision regarding complaints 2 that the public interest in having access to the information on the appellant in the current discussion thread via search in Google search services does not justifies the breaches of privacy that the treatment entails. This against given that the current discussion thread is extensive survey of the complainant and reports fairly extensively and at most private information about the complainant's ethnicity, religious beliefs, mental health, sexual preferences, offenses (information on prosecution and preliminary investigation), family and address. Google was thus ordered to cease with the treatment. The company did not appeal the decision. Data Inspectorate DI-2018-9274 7 (31) The Data Inspectorate stated in the reasons for the previous decision regarding complaints 8 that the Data Inspectorate limited its review to the search result that leads to an article published on Sydsvenskan's website with information about crime which the complainant is alleged to have committed (information on allegations of crime and ongoing preliminary investigation). The Data Inspectorate judged that such information may be considered particularly sensitive to privacy and instructed Google to cease the treatment. The company appealed the decision to the administrative court as in the judgment of 2 May 2018 agreed with the Data Inspectorate's assessment and confirmed 8 the decision. 1.2.2 Obligation to investigate the circumstances of a request In the previous decision, the Data Inspectorate mainly stated the following (see pp. 11–14). There are no formal requirements for a request for rectification under the Data Protection Directive or the Personal Data Act. When it comes to handling a request may, even if the provision in section 28 of the Personal Data Act is not directly applicable in this case, the preparatory work for that provision serve as guidance. According to these, it is sufficient that it appears from a request that the data subject is dissatisfied with the processing in any particular respect and wants correction to be taken. If such a request is made, it should personal data controllers urgently investigate the allegations the remarks are justified and, if so, make corrections as soon as possible. The scope of the investigation may depend on the remarks made by it registered have produced. It should in the first instance be the responsibility of the individual to state sufficient information to enable Google to process his request. Information on which search hit is meant by a request should preferably be made is identified by entering the URL of the web page being searched links to. In cases where the individual refers to the name of a website, a blog or similar and it is possible to identify the website and it information on the website in question, it should be the responsibility of Google to take action to identify the search result to which the request relates. The same goes for it individual has mistaken the top level domain in the web address for example .se i instead of .com and it appears from, among other things, the search result which search result to which the individual refers. About Google, despite investigative measures taken, considers that it is not possible to identify the search hit as the individual has requested that Google remove or if Google does not accept the individual 8 The Administrative Court in Stockholm's judgment of 2 May 2018 in case no. 16590-17, p. 12 para. 2.Datainspektionen DI-2018-9274 8 (31) facts of the case, the individual should be informed of this and given opportunity to complete their tasks. Against this background, the Data Inspectorate recommended that Google take action necessary measures to investigate a vague and incomplete request to: search results should be deleted. 1.2.3 Communication to webmasters that removal has taken place In the previous decision, the Swedish Data Inspectorate mainly stated the following (p. 19-20). When Google deletes a search result, the company sends another message the webmaster whose web page is affected if he or she has signed up Google's Webmaster Tools service. In the complaints examined occur usually only one or a few names of the web pages that the search hits links to. It should therefore be relatively easy for the webmaster to determine who has requested removal. Google must therefore assume that information about which web pages are affected by a deletion indirectly involves a personal data processing. Against this background, the Data Inspectorate recommended that Google only send information to webmasters when it is clear that such information does not infringe on the privacy of data subjects. 2 Grounds for the decision 2.1 Starting points for the assessment of follow-up complaints A search engine provider must, within the framework of its responsibilities, its qualifications and ensure that the processing of personal data in the business meets the requirements of the data protection rules, since the business can significantly affect fundamental rights regarding 9 privacy and the protection of personal data of the persons concerned. The characteristics of a search engine's business do not mean that it is excluded the prohibitions and restrictions on the processing of sensitive data and Judgment of the European Court of Justice of 13 May 2014, Google Spain and Google, C-131/12, paragraph 38 and 83. Judgment of the European Court of Justice of 13 May 2014, Google Spain and Google, C-131/12, paragraph 41.Data Inspectorate DI-2018-9274 9 (31) criminal information, but these apply when the search engine has received a request on removal. 11 The Data Inspectorate states that if a personal data controller has taken receive a request for removal from a registrant, but does not remove the information without undue delay or rejects the request on incorrect grounds; the further processing takes place in violation of the Data Protection Regulation. When it is the question of search engine services does this require prompt handling particularly relevant as the dissemination of personal data risks becoming very extensive and an alternative attitude would erode the individual opportunities to exercise their rights and the protection of the personal integrity. The Data Inspectorate has already in the previous decision assessed the outcome of the balance in complaints 2 and 8 and then found that the treatment took place in violation with the Personal Data Act and the Data Protection Directive. Current legislation (Data Protection Regulation) and the practices that have been added do not there is reason to make a new assessment in this regard. During previous inspections, the Data Inspectorate has found deficiencies in the handling of complaints 2 and 8. Deficiencies have existed since the Data Inspectorate's decision won legal force in each part, or when measures were to be implemented at the latest, which was before the Data Protection Ordinance came into force on 25 May 2018. The regulation entails enhanced rights for individuals and provides The Data Inspectorate significantly more powerful powers. Starting point for the Data Inspectorate's assessment regarding continued violations is taken therefore on the date of implementation of the Regulation, ie 25 May 2018. 2.2 Follow-up of complaints 2 2.2.1 What has emerged during the proceedings During a control search on 8 June 2018 of complaint 2, the Data Inspectorate found that the search result specified in the decision ”is displayed as the first search result in the search result in a search performed on October 10, 2016 ”(search result 2) was still displayed at search on the complainant's name and therefore requested that Google comment. Judgment of the European Court of Justice of 24 September 2019, G.C. and others, C-136/17, points 43-47.Data Inspectorate DI-2018-9274 1 0 (31) Google stated in a response on June 15, 2018 that the company regarding complaint 2 per on 18 May 2017 had fixed a specific web address (search result 1). The Data Inspectorate stated in a letter dated 9 July 2018 to Google in essentially the following. The documents in the previous case show that it search result described in the reasons for the previous decision was search result 2. The URLs in search results 1 and 2 are identical except that the latter has two extra character at the end ("p2") which is an abbreviation for "page two" in one discussion thread on a forum. The URL in search result 1 identifies both the whole discussion thread and its first page. The Data Inspectorate pointed out that there may be reason to consider a request identifying one URL, which thus both identifies the entire discussion thread and constitutes its first page, not only includes search results leading to the first page but also to subsequent pages, such as search hit 2. This is especially true if individuals provide information that points in this direction, such as the complainant can be considered to have done by in addition to what is stated in the form clarifies that "the whole thread specified" violates the complainant's privacy (the original request). If Google nevertheless did not consider itself obliged to remedy search result 2, the Data Inspectorate reminded of the company duty of investigation and information in the event of an unclear or incomplete request. Google stated the following in its response on 30 August 2018 to the Swedish Data Inspectorate request to state whether action would be taken in relation to search results 2 and how similar situations are handled. Google took action regarding two other pages in the current thread in 2014 and another page in August 2018 in connection with the Data Inspectorate's request. Google will not take action concerning search hit 2, as the appellant did not specifically request it. One such request "is a personal right" which "can only be exercised by it registered "and Google" therefore respects the extent to which it registrants have given their request '. According to Google, this has support in WP225- the guidelines stating that data subjects must “identify the specifics the URLs ”. The obligation to investigate or inform has not arisen. 12The previous case, file appendix 1 appendix 2 p. 2. 13WP225 guidelines, p. 14 (Data Inspectorate's translation). Data Inspectorate DI-2018-9274 1 1 (31) The complainant contacted the Data Inspectorate on 9 October 2018 regarding search hit 2 and then received information about the company's attitude and opportunity to make a new request in addition to the current examination of it original request, which the complainant made on 12 October 2018 (the new one) request). Google stated the following in its response on October 25, 2018 to the Swedish Data Inspectorate request to state its assessment of the new request. Google remedied application meeting 2 on 12 October 2018 due to the appellant made the new request. Google deleted the search result because the content on the web page is basically the same as on the web pages that have been taken before away and especially when the website does not contain information about the complainant has been released. 2.2.2 The Data Inspectorate's assessment The Data Inspectorate notes that the original request in complaint 2 included search hit 2. This is because the appellant in a sufficient manner identified it by entering the URL that both identifies the entire discussion thread and its first page (search result 1) in the web form, partly refer to the whole thread in its supplement. In addition, a discussion thread must be judged as a whole and can not as Google has done is solely assessed on the basis of the information provided appears on the page that a search result links to. As the Svea Court of Appeal established, this follows from the fact that for an Internet user linked to one page in a discussion thread it is obvious that it does not only include posts on that page and that it is not possible based on the posts on just one page overview the content of the discussion. 14 Because Google has not processed the request, but the search hit continued has been shown until 12 October 2018, when the complainant made a new request on removal, Google has not addressed the request without undue delay in the meaning of Article 17 (1) of the Data Protection Regulation. Google has processed personal data in breach of Article 17 of the the Data Protection Regulation. 14Svea Court of Appeal judgment of 6 October 2017 in case no. FT 494-17, p. 4 with agreement in the assessment of the lower instance (p. 16 f.). Datainspektionen DI-2018-9274 1 2 (31) As stated in the previous decision is processed at the web address provided the search results lead to sensitive personal data and criminal data about the appellant within the meaning of Articles 9 and 10 of the Data Protection Regulation. During the current period, ie the 25th May to October 12, 2018, Google is responsible for the referral to the URL and in particular because the link appears in the search results as 15 presented to Internet users searching for the complainant's name. Something support for processing such data under the Data Protection Regulation not existed. Google has thus processed personal data in violation of Articles 9 and 10 of the Data Protection Regulation. Furthermore, the Data Inspectorate states that the injunction in the previous decision regarding complaint 2 included search result 2. What Google has stated about that the injunction shall be interpreted in the light of the reasons for the decision does not change it assessment. It is not clear from the wording of the decision that the injunction was limited to certain search results in complaint 2, which it did, however for example, complaints 8 and 9 (see section 1.2.1 above). It further appears from the reasons for the decision that search result 2 was the search result that was displayed when the search result was checked during the processing and thus what The Data Inspectorate assessed in the decision. Google could easily have detected this by checking the scope of the request and the search results provided was shown when the company took measures to comply with the injunction in May 2017. Because Google took action on search hit 2 only on October 12th 2018, ie after the date specified in the injunction in the previous decision, Google has failed to comply with an injunction that The Data Inspectorate announced on the basis of section 45 of the Personal Data Act and the Data Protection Directive. 2.3 Follow-up of complaints 8 2.3.1 What has emerged during the proceedings During a control search on 8 June 2018, the Data Inspectorate found that the search match from complaint no. 8 (search result 1) was still shown. The Data Inspectorate pointed this out in a letter to Google and referred to the Administrative Court Judgment of the European Court of Justice of 24 September 2019, G.C. and others, C-136/17, paragraph 46. 16See previous decision, p. 23.Data Inspectorate DI-2018-9274 1 3 (31) judgment of 2 May 2018 which upheld the injunction. It was further pointed out that According to the court, the verdict had been served on Google on the same day as it was announced and thus gained legal force on 24 May 2018. Google contacted the Data Inspectorate on 11 June 2018. Google then stated that the company was not notified of the judgment until 23 may 2018 and that it would therefore win entered into force on 14 June 2018 and that Google was still considering the ruling would be appealed. The Data Inspectorate then clarified that the Data Inspectorate had checked specifically with the administrative court that the task of the court provided on the day of service was not a misunderstanding, but reminded Google 17 on the possibility of obtaining judicial review of whether the judgment has become final. Google stated in a letter dated June 15, 2018 that the company on June 11, 2018 decided not to appeal the judgment and therefore that day had remedied application date 1. In support of the fact that service must have taken place on 23 May 2018 Google submits a service receipt signed and dated by the company agent. In addition, correspondence has taken place regarding a search match with identical content and leading to the same article as search hit 1 on the same site but with a different URL (search result 2). According to Google, there was that search hit not when the request to delete search hit 1 was made. Google has, however granted a request for deletion of search hit 2 on February 13, 2019 after a new request was received from the complainant on February 11, 2019. Google considered that that request could be granted without the need for a new balancing of interests done because the content of the web page was identical to the web page for search result 1. 2.3.2 The Data Inspectorate's assessment The Data Inspectorate finds that Google has not processed the request in complaint 8 in the previous decision so that search result 1 is not displayed during the period from 25 May 2018 to 11 June 2018. With regard to the Swedish Data Inspectorate had previously clarified in its decision that the request would be granted, which also had been confirmed by the administrative court in a judgment that Google according to its own information had in any case been served on May 23, 2018, Google can not be considered to have processed the request without undue delay within the meaning of Article 17 (1) (i) 17Acts Appendix 7 and 10–12.Data Inspectorate DI-2018-9274 1 4 (31) the Data Protection Regulation. Google has thus processed personal data in in breach of Article 17 of the Data Protection Regulation. As stated in the previous decision is processed at the web address provided the search leads to criminal information about the appellant within the meaning of Article 10 of the Data Protection Regulation. During the current period, it wants say May 25 to June 11, 2018, Google is responsible for the referral to the web page and in particular because the link appears in the search results as 18 presented to Internet users searching for the complainant's name. Something support for processing such data under the Data Protection Regulation not existed. Google has thus processed personal data in violation of Article 10 of the Data Protection Regulation. Furthermore, the Data Inspectorate finds that Google has not shown that the company has followed the injunction in the previous decision concerning complaint 8 within that time limit which was stated in the decision, which through the company's appeal may be considered to have been when the injunction became final. The Data Inspectorate states that this was on May 24, 2018, which is not changed by the circumstances and the evidence as invoked by Google. Google has thereby failed to comply an injunction issued by the Swedish Data Inspectorate on the basis of section 45 the Personal Data Act and the Data Protection Directive. Regarding search result 2, the Data Inspectorate finds that it was not covered by the original request or the Data Inspectorate's injunction because it according to Google, did not exist when the request was made. 2.4 Communication to webmasters that search results have been deleted and information about this to individuals 2.4.1 What has emerged during the proceedings If Google grants a removal request, Google has a routine to notify webmasters (that is, anyone who subscribes to Google) service "Search Console" formerly "Webmaster Tools") about which URL which has been removed and that this was done as a result of a request for removing. Judgment of the European Court of Justice of 24 September 2019, G.C. and others, C-136/17, point 46. Data Inspectorate DI-2018-9274 1 5 (31) Google's removal request webpage contains the text '[o] m URLs are removed from our search results as a result of your request we may provide information to the webmasters of the deleted URLs ”. IN connection to the text, the individual is encouraged to read the information and check a box that they approve such treatment. 19 Google has reported that 5,690 URLs have been removed upon request from Sweden during the period May 25, 2018 to February 11, 2019. The Data Inspectorate can thereby establish that information has been provided webmasters in a large number of cases. Google has further stated in essence the following. First is The Data Inspectorate is not the competent supervisory authority regarding Google's routine to send such messages. Secondly, such messages are not Processing of personal data. Third, such treatment is not included in violation of the Data Protection Regulation. This is because the messages are in compliance with the purpose limitation principle set out in Article 5.1.b, as the purpose is to facilitate the right to be forgotten. Furthermore, processing a legal basis, as Google has a legitimate interest to process the data in order to increase the impact of the right to be forgotten as well as to inform the webmaster in its capacity as concerned interested. Fourth, Google complies with the principle of proportionality obliged to balance the right to be forgotten against opinion and freedom of information. Fifth, the routine is an appropriate and proportionate action and industry practice. 2.4.2 The Data Inspectorate's assessment 2.4.2.1 The Data Inspectorate is authorized to exercise supervision in the matter The Data Inspectorate's competence follows from the main rule that each supervisory authority is competent in the territory of its own Member State (Article 55 (1) of the Data Protection Regulation). The current treatment is a step 20 in Google's search engine business and is affiliated with it obligation arising from such activities to ensure that the activities 19 Appendix 27.2, pp. 2-3. 20 See the judgment of the European Court of Justice of 13 May 2014, Google Spain and Google, C-131/12, paragraph 41 and the judgment of 24 September 2019, G.C. and others, C-136/17 point 35.Datainspektionen DI-2018-9274 1 6 (31) 21 meets the requirements of the Data Protection Regulation. Google has in letter of the 12th December 2018 to the data protection authorities stated that it is Google (it that is, Google LLC based in the United States) which determines the purposes and the means of that treatment and that this is not affected by them organizational changes that the company made on January 22, 2019. The 22 organizational changes referred to is that Google from this date has a principal place of business in Ireland regarding parts of their business. A principal place of business shall have the authority to: make decisions regarding the purposes and means of the treatment in question (Article 4.16 and recital 36). Google has not shown that Google Ireland has such powers in the field of search engine business. The Data Inspectorate considers because the single point of contact mechanism (Articles 56 and 60) does not is applicable and that the Data Inspectorate is thus the competent supervisory authority in the case. 2.4.2.2 The messages constitute personal data processing The Data Inspectorate finds that the messages in question are personal data and that the fact that Google sends the messages means that Google processes personal data for the following reasons. As can be seen from the expression “each information "in the definition of the concept of personal data (Article 4 (1)) shall: the term is given a broad meaning. It includes both objective and subjective information if they "refer" to a specific person, which is the case they, because of their content, purpose or effect, are attached to a person. 23 The information that Google has granted a search hit to a particular URL to be deleted refers to a person, especially since the use of the data affects the person's rights and interests, for example by being able to 24 be used to counter the purpose of the request. For that to be the case a personal data is not required that the information itself makes it possible to identify the person or that all information necessary for identification is held by a person. The question of whether someone is identifiable should assessed on the basis of the aids that can reasonably be used by someone to identify the person. A person is not considered identifiable if the risk of it in practice is negligible. In the present case, the risk is not 21EU Court Judgment of 24 September 2019, G.C. and others, C-136/17 paragraph 43. 22 Appendix 50 50 appendices 1 and 2. Judgment of the European Court of Justice of the European Communities of 20 December 2017, Nowak, C-434/16, paragraphs 34-35. 24See by analogy the judgment of the European Court of Justice of 20 December 2017, Nowak, C-434/16, paragraph 39. 25 Judgment of the European Court of Justice of 19 October 2016, Breyer, C-582/14, paragraphs 41, 43 and 46. Data Inspectorate DI-2018-9274 1 7 (31) negligible, since a granted request for removal is by definition linked to a person's name. Identification can thus be done directly about it there is only one name on the web page that the search results lead to. If it exists several names on the website, you can instead take one name at a time and search the name of the search engine. In one of these searches, the search result does not appear appear and thereby indirectly reveal that it is the person who requested and granted removal. 2.4.2.3 There is no legal support for sending the messages The Data Inspectorate finds that Google has no legal basis for the treatment and that it is also not permitted on the basis that it would be consistent with the original purposes for which the data were collected in. Google thus processes personal data without having a valid legal basis grounds for processing in breach of Articles 5 and 6 of the Data Protection Regulation. The reasons for the assessment are set out below. The notices are not supported by a legal obligation Google claims that the processing is based on a legal obligation (Article 6.1 (c) in accordance with Article 17 (2) of the Data Protection Regulation or, as may be understood, in accordance with Article 5 (4) of the EU Platforms Regulation, and that it is also to be considered as industry practice according to proposals and recommendations from the Commission. The Data Inspectorate finds that the processing is not supported by Article 17 (2) the Data Protection Regulation for the following reasons. The wording states that the provision imposes personal data controllers who have published personal data an obligation to take reasonable steps to inform personal data controllers who then reuse this personal data via links, copies or reproductions. Such an obligation to provide information does not apply search engine providers when engaging in the activity that the right to removal applies in relation to, namely to locate information such as contains personal data that has been published or posted on the internet by third men, index it automatically, store it temporarily and finally make it available to internet users according to a certain priority scheme. In addition, search engine providers, who has received a request to delete a search hit, informs it 26 Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019. 27 Judgment of the European Court of Justice of 13 May 2014, Google Spain and Google, C-131/12, paragraph 41 and the judgment of September 24, 2019, G.C. et al., C-136/17 point 33 and 35.Datainspektionen DI-2018-9274 1 8 (31) third party who published the information on the internet as the search hit refers to. The purpose of the obligation under Article 17 (2) is to add greater responsibility for the personal data controller for the original publication which the search hit refers to and that individuals should not be forced to produce several requests for deletion. The requirements are higher for the one who originally has published the data shall grant a request for deletion than to a a search engine provider shall grant a request for deletion of a search result which refers to the original publication of the data. It can notes that the opinion of the Article 29 Working Party in the WP225 Guidelines, that messages such as those in the case current from search engine providers to webmasters do not have a legal basis under the data protection rules, 28 is still valid. The Data Inspectorate finds that the processing is not supported by Article 5 (4) i the Platform Regulation for the following reasons. First, note The Data Inspectorate that the regulation was adopted on 20 June 2019 and will be applied only from 12 July 2020 (Article 19) and thus not yet valid. For it others, it is clear from the purpose and scope of that regulation that it shall be without prejudice to Union law applicable to, inter alia in the field of data protection (Article 1.5). It is further stated that the requirements in the Platforms Regulation should not be seen as an obligation for a search engine provider to disseminate personal information to its business users and that any processing of personal data should take place in accordance with the legal framework of the Union for the protection of individuals with regard to processing of personal data and respect for privacy and protection of personal data, in particular the Data Protection Regulation (recital 35). As noted in the previous paragraph and developed in the following two sections (on legitimate interest and purpose limitation) speaks the circumstances of it the present case against the treatment being allowed or justified because the display of a search hit may be illegal without the original the publication is. A webmaster's interest in knowing that a search hit does not appear when searching on a person's name is weak compared to those interests that apply in the cases covered by the Platforms Regulation protect (recitals 1-5). Against the same background, the treatment can not, such as 28Se EDPB, Guidelines 5/2019 “on the Criteria of the Right to be Forgotten in the search engine cases under the GDPR ”(part 1), adopted on 2 December 2019 for the public consultation, pp. 4-5, with reference to the WP225 guidelines, item 23.Data Inspectorate DI-2018-9274 1 9 (31) Google alleged, is considered compatible with established and prevalent industry practice. The messages are not supported by a legitimate interest Google claims that the treatment is based on Google's legitimate interest (Article 6 (1) (f)) of 'informing the webmaster, as a key stakeholder, that a URL that links to the webmaster's webpage has been removed having regard to the [Data Protection Regulation] '. Google states that consideration should ensure that the individual is informed of and can expect treatment, which can have a positive effect on him by removing the data from the original web page. Furthermore, Google believes that the information does not constitute specific categories of personal data, minimized as far as possible and only shared with a recipient who already has access to them. The Data Inspectorate finds that Google's processing is not permitted reference to any of the interests expressed by Google. None of the conditions of Article 6 (1) (f) are met, namely the existence of a legitimate interest of the controller or third party, that the treatment is necessary for the legitimate interest sought and that the interests of the individual or fundamental freedoms and rights do not weigh heavier and requires protection of personal data. 30 Google has first stated that the treatment may lead to it webmaster deletes the original data, i.e. what gets perceived as the webmaster's interest in trying their own possible obligation to delete the information from the website. The Data Inspectorate notes, however, that the interest relied on by Google is hypothetical the time of processing, because Google does not know about it webmasters have an interest in making any such assessment. It is thus not a legitimate interest within the meaning of the Data Protection Regulation. 31 The treatment can then also not be considered necessary. The webmaster interests can, in a balance of interests, also not be considered to outweigh those registered fundamental rights and freedoms. 29Act Annex 45, p. 14. 30 See the judgment of the European Court of Justice of 4 May 2017, Rīgas satiksme, C ‑ 13/16, paragraph 28. Judgment of the European Court of Justice of the European Communities of 11 December 2019, TK, C ‑ 708/18, paragraph 44.Datainspektionen DI-2018-9274 2 0 (31) In addition, Google has invoked the public's legitimate interest in Google does not make erroneous removal decisions. The Data Inspectorate finds that Google only sends the messages after Google has already deleted one search hit, ie after Google has already made the required balance in order not to make wrong decisions. It is thus not an actual interest in the time of treatment. It is thus not a legitimate interest in 32 meaning of the Data Protection Regulation. If what Google has stated regarding incorrect decisions should instead be perceived as that the legitimate interest is the public interest in making wrong decisions whether deleting search results afterwards can be corrected to is The Data Inspectorate's assessment is that the processing is not necessary. The information that Google has removed a URL is not sufficient to the webmaster should be able to assess whether the decision is incorrect, then it webmasters lack knowledge of what the individual has stated in their request. The Data Inspectorate also assesses that the individual's interests weigh heavier based on the following circumstances. The fact that the data protection authorities in the WP225 guidelines (paragraph 23) explicitly advised against search engine providers from submitting such messages argue that it would be permissible in a balance of interests. Only Google and the individual know that Google has granted one request for removal. By Google disclosing the information to third parties this is a more serious violation than if the data had been publicly available.33 The disclosure of the information to the webmaster also takes place without adequate safeguards, as Google has not shown that the company can guarantee or have any opportunity to influence that the webmaster does not use the information in an improper manner or that the information is not disclosed to third-party webmasters who are not subject to adequate safeguards. As for the legitimate expectations of the individual, Google certainly has informed in its web form that the treatment may take place, but Judgment of the Court of Justice of the European Communities of 11 December 2019, TK, C ‑ 708/18, paragraph 44. 33 Judgment of the European Court of Justice of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C ‑ 468/10 and C ‑ 469/10, paragraph 45. Data Inspectorate DI-2018-9274 2 1 (31) has done this in a misleading way that gives the impression that the treatment must be approved by the individual for the removal request to is handled, or that the processing follows from Google's legal obligation to handle request. It must be borne in mind that Google has not informed them registered that the legal basis for the processing is justified interest pursuant to Article 6 (1) (f) (Article 13 (1) (c)), the company or third parties legitimate interests which make the treatment necessary (Article 13 (1) (d)) or the company's intention to transfer the data to third countries (Article 13 (1) (f)). It has nor has it emerged that Google has expressly notified the individual on the right of the individual under Article 21 (1) to object at any time treatment based on a legitimate interest and clearly stated, clear and distinct from other information (Article 21 (4)). Against this background, the treatment is not allowed on the basis of a justified interest. The messages are not compatible with the original purpose Finally, Google claims that the sending of the message is compatible with the original purpose for which the data was collected, ie Google obligation to remove search results in certain cases on request (Article 17 (1) and (3)). According to Google, the purpose of the treatment is to “give the webmaster one possibility to delete the actual content of the web page, as this increases impact on the right to be forgotten ”. Google thus claims that the company sends these messages in accordance with Article 6 (4) of the Data Protection Regulation. The Data Protection Regulation contains criteria for determining whether a processing for other purposes is consistent with the purposes for which the data originally collected or if the treatment violates the principle of purpose limitation in Article 5 (1) (b) of the Data Protection Regulation (points (a) to (e) (i) Article 6 (4) and recital 50). Several of the circumstances that are relevant according to these criteria have already been described in the previous section and will therefore only summarized here. The Data Inspectorate states that the current processing is unfounded with the consent of the data subject or Union law or that of the Member States national law. Furthermore, the Data Inspectorate states in accordance with the criteria in Article 6 (4) that the link between the objectives (point (a)) is weak; as stated in the previous section, the possibilities of the data subjects and rights regarding requests to search engine suppliers and the Swedish Data Inspectorate DI-2018-9274 2 2 (31) website owners are not equivalent. The context is not like that either that the latter treatment is what the individual can typically expect (point (b)), which is not altered by the information provided by Google the treatment in its web form as that information is misleading. To a request for removal made and granted may in itself be considered as personal data of a privacy-sensitive nature (point c). In addition, it speaks for itself that a request for removal has been granted to the underlying the information on the website is often such particularly sensitive information or criminal offenses referred to in Articles 9 and 10 of the Data Protection Regulation. The consequences of the subsequent treatment (point d) can generally be considered negative for the individual and can even be used to counteract the purpose of request. The individual is also not obliged to turn first or at the same time to the webmaster where the data was published and request that it be deleted and can also be assumed to have a worse chance of success with one request due to the fact that the original publication may have a stronger freedom of expression protection. In addition, knowledge of the search engine granted a request is assumed to entail the risk that some webmasters will try circumvent the deletion decision by republishing the information on a other address or otherwise disseminate them. As stated above, Google has has not shown that the company has set up any guarantees or protective measures to counteract this (point e). Google does not test the suitability of sending the messages in the individual case and also does not offer the individual any opportunity to object. Google's routine in general to deal with deletion, namely only based on specific URLs, with requirements for new requests even when the same content is republished, entails a risk that individuals are exposed to unnecessary suffering as a result of the treatment. An example of this is search result 2 i complaint 8, where the company had blocked the search hit as the Data Inspectorate resubmitted, but where the same content reappeared in the search results then the webmaster republished the content on the same site, but on a new URL. The individuals themselves must monitor and react to any republishing in the company's search services. This erodes the effectiveness of their rights and is therefore not in their interest. Judgment of the European Court of Justice of 13 May 2014, Google Spain and Google, C-131/12, paragraph 83 and 85 and the judgment of September 24, 2019, G.C. and others, C-136/17, paragraph 52 and Opinion of the Advocate General at the sitting, Item 81.Data Inspectorate DI-2018-9274 2 3 (31) The Data Inspectorate finds that Google does not support Article 6 (4) and that the procedure infringes the principle of purpose limitation in Article 5 (1) (b) of the Data Protection Regulation. 2.4.2.4 The information to individuals violates the principle of transparency Google has stated that the purpose of the information to the individuals in the web form that messages are sent to webmasters is that meet the requirements of the right to information and the principle of legality, accuracy and transparency and that this follows from practice. 35 The Data Inspectorate does not question that Google is obliged to inform them registered which recipients will have access to their information pursuant to Article 13 (1) (e), but notes that the obligation to provide information is intended to: protect the data subjects. As stated in the previous section, it is current transfer is illegal and to the detriment of the individual. Like there too Google has provided misleading information to individuals about it legal basis on which the treatment is based. In addition, the data protection authorities jointly, and the Data Inspectorate in particular, previously alerted Google to the shortcomings of the routine of submitting such messages without Google fixing it. In addition, Google requires that they individuals approve the procedure for submitting a request for removing. Against this background, the information provided by Google appears leaves to individuals about the treatment as misleading in a way that may considered to be conducive to persuading individuals to refrain from exercising their right to request removing. By doing so, Google is processing personal data in violation of the principle of transparency in Article 5 (1) (a) of the Data Protection Regulation. 3 Choice of intervention 3.1 Possible intervention measures The Data Inspectorate has a number of corrective powers available according to Article 58 (2) (a) to (j) of the Data Protection Regulation, inter alia to impose it Judgment of the European Court of Justice of 16 January 2019, Deutche Post AG, C-496/17, paragraph 59 and Judgment of 1 October 2015, Bara and Others, C-201/14, paragraph 34. Judgment of the European Court of Justice of 7 May 2009, Rijkeboer, C-553/07, paragraphs 34-35. Data Inspectorate DI-2018-9274 2 4 (31) personal data controller to ensure that the processing takes place in accordance with Regulation and, if necessary, in a specific way and within a specific period. Of point (i) of Article 58 (2) and Article 83 (2) of the Data Protection Regulation it appears that the Data Inspectorate has the authority to impose administrative penalty fees in accordance with Article 83. Depending on the circumstances of in the individual case, administrative penalty fees shall be imposed in addition to or in instead of the other measures referred to in Article 58 (2). Furthermore, it appears from the article 83.2 which factors are to be taken into account when deciding on administrative penalty fees shall be imposed and in determining the size of the fee. If it is a question of a minor violation, the Data Inspectorate receives according to what set out in recital 148 of the Data Protection Regulation instead of imposing a issue a reprimand in accordance with Article 58 (2) (c) aggravating and mitigating circumstances in the case, such as the infringement nature, severity and duration as well as previous violations of relevance. 3.2 Order The Data Inspectorate has found that Google by regularly submitting notification to webmasters that search results have been removed processing personal data in breach of Articles 5 (1) (b) and 6 of the Data Protection Regulation. Furthermore, it has been found that Google provides misleading information about the transmission of such messages in a manner contrary to Article 5 (1) (a) (i) the Data Protection Regulation. Google should therefore be instructed to ensure that the processing of these parts takes place in in accordance with the Data Protection Regulation as follows. The Data Inspectorate submits pursuant to Article 58 (2) (d) i Google's Data Protection Regulation that, as far as removal requests are concerned of displaying search results when searching for individuals' names using Google search services that can be done from Sweden, stop informing webmasters of URLs when Google has granted a request except in cases where the individual has requested det.Datainspektionen DI-2018-9274 2 5 (31) cease to display the text “If URLs are removed from ours search results as a result of your request, we can provide information to them webmasters for the deleted URLs ”in their web form for request for removal or provide similar information to individuals if it is not clear that webmasters are only informed about that a request has been granted if the individual has requested it. 3.3 Circumstances of significance for whether a penalty fee is to be imposed 3.3.1 What Google has stated Google has stated that in the case of complaints 2 and 8, these are isolated cases events concerning two individual data subjects and are consequences of acceptable and well-founded interpretations of applicable law. It can not be consistent with the intent or overall purpose of the Data Protection Regulation to impose excessive penalties for infringements relating to individual material interpretations of existing right with little or no impact on data subjects. In the present case has no damage was shown at all with respect to the alleged the infringements. If high levels of sanctions were to be applied for relatively small infringements and isolated events and with little or no impact on registered, they would risk as a tool to ensure compliance lose its effect because data controllers would have nothing incentives to strive for compliance at a systematic level. In summary, Google claims that the following circumstances should considered mitigating. It is a matter of isolated events, which have been going on for a limited time and concerns a limited number of registered who have not suffered any damage as a result of the alleged infringements. Google has notified the data subjects that they can complain to the Data Inspectorate. Google has has not been intentional or has been negligent and cannot be considered as principal or solely responsible. Google complies with the Data Protection Regulation on a systematic level and act in accordance with a code of conduct by following WP225 guidelines. Google has cooperated with the Data Inspectorate. Google have not gained any financial benefits or avoided losses. 3.3.2 Assessment of the infringement concerning complaints 2 In the mitigating direction, the circumstance speaks that the infringement only concerns one person.Datainspektionen DI-2018-9274 2 6 (31) The following circumstances point in an aggravating direction. The violation is a step in a systematic procedure because it follows the procedures of Google. Further are the current categories of data, such as sensitive data and criminal offenses, particularly worthy of protection. If a search result leads to a web page with such personal information about a person, it can have a significant impact on his fundamental rights with respect to privacy and the protection of personal data and constitute an exceptional 37 serious intervention. It should typically result in damaged reputation, unauthorized disclosure and significant financial disadvantage for individuals, whereby it should be mentioned that the appellant in the present case has likened the effect of the violation that a professional ban would have been issued against him. 38 Google has not taken sufficient measures to alleviate the damage, but let the search meeting remains despite the Data Inspectorate's previous decision. The infringement has lasted for about 4.5 months during the time that the Data Protection Ordinance has been applicable. Because the procedure followed Google's procedures, this is not the case an individual mistake without the action has been done intentionally. It can too finds that Google has failed to comply with the order The Data Inspectorate announced in the previous decision on the basis of section 45 the Personal Data Act and the Data Protection Directive to cease the treatment. Because Google requires individuals to enter an exact URL in Google's web form and does not investigate requests covers more than that, the company at least indirectly avoids costs. 3.3.3 Assessment of the infringement concerning complaints 8 In the mitigating direction, the circumstances indicate that the infringement only concerns one person and that the time the infringement has been going on while data protection ordinance has been applicable, about two weeks, is a relative short time. The following circumstances speak in an aggravating direction. The Data Inspectorate has found that Google had failed to comply with the order the supervisory authority announced in the previous decision on the basis of § 45 the Personal Data Act and the Data Protection Directive to cease processing and which became final on May 24, 2018. Google has done regarding that the company intended to comply with a legally binding agreement 37 European Court of Justice judgment of 24 September 2019, G.C. and others, C-136/17, paragraphs 44 and 46. 38 See file appendix 31, p. 2.Data Inspectorate DI-2018-9274 2 7 (31) injunction, but on the other hand has not shown due diligence by correcting itself at the discretion of the regulatory authority by temporarily restricting the display of the search results pending court review or even when Google according to own information on 23 May 2018 was served the judgment that upheld Data Inspectorate assessment. Regarding the current categories of information has been about criminal information, which is particularly sensitive to privacy. If a search result leads to a web page with such personal information about one person, it can have a significant impact on their fundamentals rights regarding respect for privacy and the protection of personal data and constitute a particularly serious interference. It dared typically result in damaged reputation, unauthorized disclosure and significant financial disadvantage for individuals, whereby it should be mentioned that the appellant in it The present case has been likened to the effect of the infringement by a professional ban should have been communicated to him. Google has not taken enough measures to alleviate the damage, but left the search hit in spite The Data Inspectorate's decision and the court's judgment. Because the procedure followed Google's routines have been intentional. Assessment of the infringement regarding notification to webmasters and information to individuals The following circumstances are aggravating. The infringement intended to send message is such that it erodes the effectiveness of the right to removal and affects anyone who has been granted a removal request. For the current period, potentially 5,690 people can be covered by procedure. The infringement regarding misleading information affects anyone who may have an interest in making such a request. The current category of information, ie that someone has requested and been granted removal, may typically considered to be a task for which the individual does not want to be disclosed the webmaster or someone else, as the task can be used for to counteract the purpose of the request. The infringements thus cause damage in form of lost opportunity for the individual to exercise their rights, lack of control over their personal data and unauthorized disclosure. The infringements has been going on since May 25, 2018 and is still going on. It appears from the investigation into the case that Google has been aware of the treatment and so that it was done intentionally. Since the procedure can be assumed to entail that Judgment of the European Court of Justice of 24 September 2019, G.C. and others, C-136/17, paragraphs 44 and 46. 40The previous decision, p. 31.Data Inspectorate DI-2018-9274 2 8 (31) Individuals refrain from requesting removal Google avoids in any case indirect costs. 3.3.5 Penalty fees shall be imposed The proceedings covered by this supervision concerning complaints 2 and 8 thereof previous decision has meant that Google processes data such as The Data Inspectorate in previous decisions found that Google treated in violation of the Personal Data Act and the Data Protection Directive and instructed Google to cease. It can thus not be considered an excuse, material misinterpretations. It also shows a lack of respect for the rights of individuals and are thus not minor infringements within the meaning of recital 148 in the preamble the Data Protection Regulation. There is thus no reason to replace one penalty fee with a reprimand. There is no other corrective action current. Google will therefore be subject to administrative penalty fees for the infringements. The procedure to send message to webmasters and the information provided to the individual in the web form is done systematically and at risk to put the right to removal out of play. It's not about less infringements. There is no reason to replace a penalty fee with one reprimand. Nor is it enough that Google is ordered to cease with the procedure. Google will therefore be subject to administrative penalty fees also for these violations. 3.4 Determination of the amount of the penalty fee 3.4.1 General provisions According to Article 83 (1) of the Data Protection Regulation, each supervisory authority shall: ensure that the imposition of administrative penalty fees in each individual cases are effective, proportionate and dissuasive. The Data Inspectorate has found that Google has violated Articles 5, 6, 9, 10 and 17 of the Data Protection Regulation. These Articles are covered by Article 83 (5), which means that a higher penalty amount can be imposed. According to ch. 6 Section 3 of the Data Protection Act, the Data Inspectorate may also levy one penalty for infringements of Article 10 of the Data Protection Regulation and shall then apply Article 83 (1), (2) and (3) and determine the amount of the fee pursuant to Article 83 (5). Data Inspectorate DI-2018-9274 29 (31) According to Article 83 (3), the administrative penalty fee may not exceed the amount of the most serious infringement in the case of one or the same data processing or interconnected data processing. As regards the calculation of the amount, Article 83 (5) (i) the Data Protection Regulation that companies that commit infringements are the ones in question may be subject to penalty fees of up to EUR 20 million or four percent of total global annual sales in the previous financial year, depending on which value is highest. 3.4.2 The amount at which penalty fees can be determined When determining the maximum amount for a penalty fee to be imposed on one companies, the definition of the term company must be used as the European Court of Justice apply in application of Articles 101 and 102 of the TFEU (see recital) 150 of the Data Protection Regulation). It is clear from the case - law of the Court that this includes any entity engaged in economic activities, regardless of the entity's legal form and method of financing and whether the entity in legal meaning consists of several natural or legal persons. 41 The Data Inspectorate assesses that the company's turnover is to be added basis for calculating the administrative penalty fees that Google can imposed is Google's parent company Alphabet Inc (Alphabet). Of collected data, Alphabet's global annual sales in 2018 were approximately 136,819,000,000 US dollars (USD), which is equivalent to approximately 119,500,000,000 euros 43 44 (EUR). This corresponds to approximately SEK 1,280,000,000,000. The highest the amount of the sanction that can be determined in the case is four percent of this amount, that is to say about 51 200 000 000 (fifty-one billion two hundred million) kronor. 41Article 29 Working Group, Guidelines for the application and determination of administrative penalty fees in accordance with Regulation 2016/679 (WP253 Guidelines), p. 6. 42A ktbilaga 40, s. 47. 43 Based on the exchange rate USD to EUR as of March 9, 2020 according to European central banks, 0.8729. 44Due to the exchange rate EUR to SEK as of March 9, 2020 according to European central bank, 10.7203.Data Inspectorate DI-2018-9274 3 0 (31) 3.4.3 Determining the size of the penalty fee In order for penalty fees to be effective and dissuasive, according to The Data Inspectorate's opinion on the turnover of the data controller be taken into account in determining the size of the penalty fees. One proportionality assessment must also be made in each individual case. In a proportionality assessment, one must ensure that the penalty fee does not become too high in relation to the current infringements. Thereby shall take into account that the complaints concern two people and that the routine to regularly notify webmasters of deletion and information to individual refers Sweden and in the current case can amount to 5,690 registered. At the same time penalty fees must be effective and dissuasive. Overall, the Data Inspectorate finds that an efficient, proportionate and dissuasive penalty for the infringements found Complaints 2 and 8 are SEK 25,000,000 (twenty-five million) message to webmasters and misleading information to individuals is 50,000,000 (fifty million) kronor. Against this background, the Data Inspectorate decides with the support of ch. § 3 the Data Protection Act and Articles 58 (2) and 83 of the Data Protection Regulation that Google will pay an administrative penalty fee of 75,000,000 (seventy-five) million). This decision was made by Director General Lena Lindgren Schelin after presentation by the lawyer Olle Pettersson. At the final processing also has General Counsel Hans-Olof Lindblom, Unit Manager Catharina Fernquist and lawyer Nidia Nordenström participated. Lena Lindgren Schelin, 2020-03-10 (This is an electronic signature) 3.5 Appendices Appendix 1 - How to pay a penalty feeData Inspectorate DI-2018-9274 3 1 (31) 4 How to appeal If you want to appeal the decision, you must write to the Data Inspectorate. Enter i the letter which decision is being appealed and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from the day you received the decision. The Data Inspectorate sends the appeal on to the Administrative Court in Stockholm for review if the inspection does not yourself change the decision in the way you have requested. You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal information or information that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.