AEPD (Spain) - PS/00140/2020: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
Line 28: | Line 28: | ||
|Currency=EUR | |Currency=EUR | ||
|GDPR_Article_1=Article 6 GDPR | |GDPR_Article_1=Article 6(1)(a) GDPR | ||
|GDPR_Article_Link_1=Article 6 GDPR | |GDPR_Article_Link_1=Article 6 GDPR#1a | ||
|GDPR_Article_2=Article | |GDPR_Article_2=Article 6(1)(f) GDPR | ||
|GDPR_Article_Link_2=Article | |GDPR_Article_Link_2=Article 6 GDPR#1f | ||
|GDPR_Article_3= | |GDPR_Article_3=Article 17 GDPR | ||
|GDPR_Article_Link_3= | |GDPR_Article_Link_3=Article 17 GDPR | ||
|GDPR_Article_4= | |GDPR_Article_4=Article 58(2)(d) GDPR | ||
|GDPR_Article_Link_4= | |GDPR_Article_Link_4= Article 58 GDPR#2d | ||
|GDPR_Article 5=Article Article 83 GDPR | |||
|GDPR_Article_Link_5= Article 83 GDPR | |||
|EU_Law_Name_1= | |EU_Law_Name_1= |
Revision as of 09:06, 1 June 2022
AEPD - PS/00140/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 17 GDPR Article 58(2)(d) GDPR {{{GDPR_Article_5}}} [[Category:{{{GDPR_Article_5}}}]] |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.10.2018 |
Decided: | |
Published: | 18.05.2022 |
Fine: | 10000000 EUR |
Parties: | Google LLC |
National Case Number/Name: | PS/00140/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA issued a fine of €10,000,000 against Google LLC for unlawfully transferring personal data to a third party and for impeding the exercise of the right to erasure.
English Summary
Facts
X
Holding
X
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/137 File No.: PS/00140/2020 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complainant) dated September 13 and 29, 2018 and October 15, 2018, filed two complaints with the Spanish Agency Data Protection. The complaints are directed against GOOGLE LLC (hereinafter, GOOGLE LLC, the claimed entity or the claimed entity) for the communication of data to the “Lumen Project” (hereinafter, “Lumen Project”, “Organization Lumen” or “Lumen”), to the “lumendatabase.org” website. The reasons on which he bases the complaints are as follows: Complaint of September 13, 2018: “[…] Any Internet user can find on Google or in their products/tools (Google +, YouTube, Google Drive, Blogspot Blogs, etc.), circumstances such as the following: . Personal data (which is not only in the search engine, but in its products such as the blogs of Google, Google +, etc.). . Defamation (publishing, in addition, personal data). . Illicit content declared in a court order. . Trademark or copyright infringement. . Issues related to AutoComplete or Related Search. . Other legal incidents. […] Google has made specific communication channels available to those affected (on line, and distributed by different subjects), so that they can transfer to Google complaints (identifying the conflicting site or URL, your name and surname, email, document identification, etc.), and a decision can be made in this regard. The so-called "forms of contact” are the following: https://support.google.com/legal/contact/lr_dmca?product=news&uraw=&hl=es [Form Google 1] https://support.google.com/legal/troubleshooter/1114905? rd=2#ts=1115655%2C1282900%2C1115974 [Google Form 2] https://support.google.com/legal/troubleshooter/1114905#ts=1115645 [Google Form 3] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C1115662 [Form Google 4] C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/137 https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7565832 [Form Google 5] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C1115673 [Form Google 6] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C6387768 [Google Form 7] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7308762 [Form Google 8] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C1115676 [Form Google 9] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C1115686 [Form Google 10] https://support.google.com/legal/contact/lr_dmca?product=news&uraw=&hl=es [Form Google 11] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7494925 [Form Google 12] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7529574 [Form Google 13] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7282135 [Form Google 14] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7367058 [Form Google 15] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7546357 [Form Google 16] https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C9053853 [Form Google 17] https://support.google.com/legal/troubleshooter/1114905#ts=1115648 [Google Form 18] https://support.google.com/legal/troubleshooter/1114905#ts=1115652 [Google Form 19] https://support.google.com/legal/troubleshooter/1114905#ts=1115681 [Google Form 20] https://support.google.com/legal/troubleshooter/1114905#ts=1349036 [Google Form 21] https://support.google.com/legal/troubleshooter/1114905#ts=1115681%2C7689505 [Form Google 22] https://support.google.com/legal/troubleshooter/1114905#ts=1115655%2C1282900 [Form Google 23] […] The problem with the previous “contact forms” is simple: Google imposes on the user who uses them the transfer of their personal data and their claim to a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/137 organization called Lumendatabase.org. Google announces what is exposed in the “forms” of the following way: “Please note that we may send a copy of each notification that we receive to the Lumendatabase project (https://www.lumendatabase.org) to its publication and annotation. Lumendatabase will remove personal contact information of the sender (i.e., the telephone number, the email address and the home). To consult an example of this type of publication, access the page https://www.lumendatabase.org/notices/5838. We may also send the original notification to the alleged infringer or the owner of the rights if we have reason to suspect the validity of your claim. We may also post similar information from your notification on our transparency report. For more information about this report, please click here". […] According to the criteria of the GTA29, Google cannot communicate the censorship to the web pages affected by it, nor inform the users of their browser about the censorship. With the above reasoning, it makes no sense for Google to reserve the power to communicate personal data to Lumendatabase.org. Communications from Google to Lumendatabase.org reveal who has requested the exercise of censorship (of any kind) in Internet, your previous specific personal situation, and your personal data, being completely communication unnecessary. […] In light of the GDPR, there is no justification for Google to transmit to Lumendatabase.org personal data. It is quite possible that Google will argue that, if there is no personal data in the Lumendatabase.org posts (for Lumendatabase.org having anonymized them prior to publicize them), there is no infringement, but the truth is that the infringement occurs from the same moment in which a transfer of personal data is made, before these are anonymize On the other hand, they are not always anonymised by Lumendatabse.org. In some assumptions the publications that are made in Lumendatabase.org have not eliminated the name and surname of the applicants and in other cases do not eliminate the URLs object of claims, so anyone who accesses Lumendatabase.org can know the identity of the applicants. The transfer system devised by Google does not respond to the principles of the RGPD: the risks of processing unnecessarily, and cannot be based on legitimate interest (the form does not allow opposition, and it is unquestionable that it does not pass a minimum weighting). Neither can transfers be based on the user's consent, since -in the case of notice the assignment, whose consent is not requested separately and as a box intended for this purpose - is forced to provide it, if you want to complete the form (if you do not want complete it due to the mention of Lumendatabase we would be facing one more infraction, consisting of hindering the exercise of rights). It is not legal that: . An affected party is obliged to consent to the aforementioned assignment when using the form. . Google LLC. transmit personal data to an organization absolutely unrelated to the decision adopted on the claim of the interested party. The assignment is unnecessary, and harmful, especially in those cases in which intimate or private situations are revealed that they have deserved the censorship of Google. What real legitimating base exists? None. . All the indicated principles of the RGPD are transgressed. 28001 – Madrid 6 sedeagpd.gob.es, 4/137 . A user is unable to use the Google form for fear of assignment carried out, which hinders the exercise of their rights. […] Cases that affect Spain, published in Lumendatabase.org since August 2018. (…) [Link Lumendatabase 1] (…) [Link Lumendatabase 2] (…) [Link Lumendatabase 3] (…) [Link Lumendatabase 4] (…) [Link Lumendatabase 5] (…) [Link Lumendatabase 6] (…) [Link Lumendatabase 7] [...]”. Complaint of September 28, 2018. It refers to four new cases “affecting Spain, published in Lumendatabase.org since August 2018.” Regarding the first case, it indicates that the person is identified with their name and surnames, understanding therefore that the data is not always anonymized for publication in lumendatabase.org. Review the following links: (…) [Link Lumendatabase 8] (…) [Link Lumendatabase 9] (…) [Link Lumendatabase 10] (…) [Link Lumendatabase 11] (…) [Link Lumendatabase 12] In relation to the following three cases, he points out that in the publication of “lumendatabase.org” the word “Redacted” appears in the petitioner and highlights that if GOOGLE LLC would have provided this data for anonymization and if it were personal would have violated data protection regulations. The links corresponding to These cases are the following: (…) [Link Lumendatabase 13] (…) [Link Lumendatabase 14] (…) [Link Lumendatabase 15]”. Provides screenshots corresponding to links 8 to 14. The description of these screenshots is as follows: . Link Lumendatabase 8 . Header: Addressed to GOOGLE LLC by a Spanish user anonymous by defamation grounds. . Claim: (...). . Link:(…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/137 . Links Lumendatabase 9 to 12 This is the same assumption as the previous link, but in these links 9 to 12, in the paragraph showing part of the claim filed with GOOGLE LLC, the name appears as follows: “B.B.B.” (link 9), “B.B.B.” (link 10), “B.B.B.” (links 11) and “B.B.B.” (link 12). The link address shows “B.B.B.” (link 9), “B.B.B.” (links 10 and 11) or “B.B.B.” (link 12). . Link Lumendatabase 13 . Header: Addressed to GOOGLE LLC by a Spanish user anonymous by defamation grounds. . Claim: (...). . Link: (…) . . Link Lumendatabase 14 . Header: Addressed to GOOGLE LLC by a Spanish user anonymous by defamation grounds. . Claim: (...). . Link: (…). Complaint of October 15, 2018. “A person sent Google LLC a Judgment, which has been forwarded by Google to Lumendatabase.org in September 2018 for publication along with your name and surnames, without the communication to Lumendatabase being protected by the principles of the GDPR”. The links to which this complaint refers are the following: (…) [Link Lumendatabase 16] (…) [Link Lumendatabase 17] Provide a screenshot corresponding to these links, with the details following: . Link Lumendatabase 16: . Header: Addressed to GOOGLE LLC by C.C.C. on ***DATE.1 as as a result of a court ruling. . Claim: (...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/137 . Link: (…) . Documents: Icon that would point to an attached document in .pdf format which would mean support for content removal. . Lumendatabase 17 link: the provided screenshot corresponds to a fragment of the first page of the (...) presumably accessible through the previous link. It also provides a complete copy of this Judgment, in which the names and surnames of all the people involved in the process (judge who dictates it, party plaintiff (C.C.C.), defendant, their representatives, Public Prosecutor and (...) (D.D.D.), as well as all the circumstances of the process, which is motivated by a article published in a blog (the URL that leads to said article is indicated). The ruling condemns the defendant to suppress the content of the article published in his Blog. SECOND: Prior to admission for processing, these complaints will be transferred to GOOGLE LLC, in accordance with the provisions of article 9.4 of the Royal Decree-Law 5/2018, of July 27, on urgent measures for the adaptation of the Spanish law to the regulations of the European Union regarding the protection of data. On 12/28/2018, this Agency received a written answer to the referred to in the previous paragraph, in which it states the following: “[…] That, through this document, Google provides the information and documentation requested in the Transfer of Claim and Request for Information and, specifically: 1. Copy of the communications, of the adopted decision that has been sent to the claimant regarding the transfer of this claim, and proof that the claimant has received communication of that decision. The communication sent by Google on December 28, 2018 in connection with the claims filed by… (name and surname of the complainant), as well as proof of sending by burofax. 2. Report on the causes that have motivated the incidence that has originated the claim. Google does not know the relationship between the claimant and the two web pages to which are referenced in your claims. The claimant has not provided no explanation in this regard and no information has been provided to us about whether the claimant has proven to the AEPD to have any relationship or capacity to represent the interested party in question. 3. Report on the measures adopted to prevent incidents from occurring Similar. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/137 Despite the lack of clarity of the claims and the fact that no the allegedly affected data subject, Google LLC has contacted the organization Lumendatabase, and, after that, has warned that the two URLs mentioned in the claims (see 2 above) are no longer accessible, as can be seen from the prints provided as DOCUMENT #3. […] That it is appropriate to reject the claims presented by… (name and surnames of the complainant), by virtue of the provisions of article 9.3 of the Royal Decree-Law 5/2018, of July 27, on urgent measures for the adaptation of the Spanish law to the regulations of the European Union regarding the protection of data, or article 65.3 of the current Organic Law 3/2018, of December 5, of Protection of Personal Data and Guarantee of Digital Rights in view of that, regardless of the fact that at this time it is not possible for us to know what the relationship between the complainant and the referenced web pages in your claims, the web pages are no longer accessible, so we understand that additional corrective action would not even be necessary for lack of object […]” The links referred to in GOOGLE LLC's reply brief are those contained in the complaint of 10/15/2018 (“Lumendatabase links 16 and 17”). THIRD: On dates 02, 03, 05, 07 and 09/01/2019, the complainant presents new complaints to the Spanish Agency for Data Protection about new cases that they would incur in the same infraction denounced in the First Background. Complaint of January 2, 2019: “I note that searching for the name of C.C.C. in Google, it appears linked, at the bottom of search results, a specific content removal notice. When looking for the name of his father, now deceased, D.D.D., another specific notice of removal of content, which hyperlinks to lumendatabase.org, where we can find a content removal request and a statement, in which declares the violation of the right to honor of both. […]” Attach two screenshots of the search, dated January 2, 2019 and in the “Google Search Engine”, of the terms “C.C.C.” and “D.D.D.”, in which a footnote indicating that several results have been deleted and a highlighted hyperlink to “LumenDatabase.org” [Google Search 1 and 2]. Also, attach a screenshot corresponding to the URL (...) [Link Lumendatabase 18] Description of the impression provided: . Header: Addressed to GOOGLE LLC by C.C.C., on ***DATE.2, as a result of a court ruling. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/137 . Claim: “(…)” . . Links: (…) (…) . Documents: Possibility of downloading a document in .pdf format Resubmits the aforementioned judgment issued by the (...). This sentence corresponds with the content of Link Lumendatabase 17 referred to above. Complaint of January 3, 2019: Complaint that through the URL (...) [Link Lumendatabase 19], you can access information provided by GOOGLE LLC that identifies censorship applicants. Attach a copy of the information available at said internet address and the document accessible through it. In the information header there is which corresponds to a request addressed to GOOGLE LLC by (...), prior to the validity of the RGPD. Complaint of January 5, 2019: Complaint referred to the URL (...) [Link Lumendatabase 20], in which it appears published the name of a person and offers the possibility of downloading from two documents in .pdf format. It is verified that the information available in this link corresponds to a request addressed to GOOGLE LLC by the person cited, in date *** DATE.3, prior to the entry into force of the RGPD. Complaint of January 7, 2019: Complaint referred to the URL (...) [Link Lumendatabase 21], in which it appears published the name of a person. In the header of the information it is stated that corresponds to a request addressed to GOOGLE LLC by (...), prior to the validity of the GDPR. Complaint of January 9, 2019: “I inform and denounce before the AEPD facts related to the following link: (…) [Link Lumendatabase 22] In the aforementioned link, a judicial notification is being published (in an annexed form) in the that the name of the (...) is included: E.E.E.. Apparently, GOOGLE LLC has sent to lumendatabase.org the judicial document without any anonymization”. Description of the impression provided: . Header: Addressed to GOOGLE LLC by F.F.F., on 01/03/2019, as as a result of a court ruling. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/137 . Claim: (...). . Links: (…) . Documents: Possibility of downloading a document in .pdf format A copy of the (...) is attached to the complaint. However, it is not proven that the document was obtained through the publication in “lumendatabase.org”. FOURTH: On February 1, 2019, the Spanish Data Protection Agency gave transfer of the complaints described in the previous points to Data Protection Commission of Ireland (hereinafter DPC Ireland) so that said control authority Assess whether it holds the status of main control authority based on article 56 of the RGPD, since the entity GOOGLE IRELAND LTD. is located in that country, the establishment of the person in charge who decides, for Europe, the ends and the means in the processing of personal data. In a first communication, dated April 10, 2019, DPC Ireland communicates that it is not considered competent in this case because the complaints are filed prior to DPC Ireland becoming the enforcement authority main control for matters related to the protection of personal data, in the territorial scope of the RGPD, in which GOOGLE is involved. Subsequently, on August 20, 2019, DPC Ireland addressed a communication to this Agency requesting transfer to the complainant of a series of issues related to the complaints filed. Thus, it asks the complainant to confirm if you have contacted GOOGLE in relation to the complaint and provide a copy of the correspondence maintained that it considers pertinent. In the same way, he asks confirm your consent for the purposes of a possible transfer of the complaint by from DPC Ireland to GOOGLE. In another order of things, DPC Ireland expresses its reservations in relation to the status of interested party of the complainant On November 4, 2019, this Agency received a written response from the complainant, in which he defends his status as affected and interested; what is the entity claimed which must prove to the control authority the reasons for those that force users who use their forms to accept the transfer of data personal information to “lumendatabase.org”, on which it has provided evidence, including to nationals of other countries; and that the seriousness of this fact is not diminished by the modifications made by “lumendatabase.org” to anonymize the publications. With his writing, the complainant provides the communication that was sent by GOOGLE on 12/28/2018, on the occasion of the transfer process and a screenshot with a series of statistical indicators on publications which, according to the whistleblower, “lumendatabase.org” has published since May 2019 until the date of 04/11/2019. The Spanish Agency for Data Protection agreed to the provisional file of the file on January 16, 2020. By communication of January 22, 2020, DPC Ireland rejects the competition C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/137 in the processing of complaints when considering that the data controller does not would be GOOGLE IRELAND LTD., but rather GOOGLE LLC, since the treatment consists of the communication, to a US database, of data related to content removal requests handled by GOOGLE LLC. FIFTH: On December 1, 2020, the complainant files a new brief before Spanish Agency for Data Protection, in which it refers to its complaints and to the file agreed by the AEPD in January 2020, for the referral of his complaint to the Irish Data Protection Authority, noting that therein only his complaint of 09/13/2018 is mentioned; that the Irish Authority communicated to him, in date 04/30/2020, that the competent authority is the AEPD. On the other hand, it informs “the existence of the following publications in Lumendatabase.org, in order to be incorporated into the PROCEDURE that is still in the AEPD Court Postings in Lumendatabase, Initially Referred to Google LLC, from 27.11.2029: (…) [Link Lumen 23] (…) [Link Lumen 24] (…) [Link Lumen 25 (…) [Link Lumen 26] (…) [Link Lumen 27] It is highly significant that all these petitions are still published today. Google is responsible for notifying Lumen of their withdrawal. (…) [ Link Lumen 28] VIII.- It should be noted that when searching Google for the name and surnames, between quotation marks, of “C.C.C.”, and "D.D.D." appears at the bottom of the search engine a link that shows the censorship in Google. Have both been warned by Google that this would take place? practice, what is differentiated data processing? have they consented clearly? Has it been verified by the AEPD and has it been investigated? IX.- In the following link personal data referring to C.C.C. and G.G.G. (Has the latter consented to this data processing???). (…) [Link Lumen 29]”. SIXTH: By the Subdirectorate General for Data Inspection, screen prints of the links that appear in the complaints reviewed, to verify that they correspond to those provided by the complainant, as well as to make a description of what appears in them in those cases in which they do not capture or impression would have been provided in the complaints filed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/137 googleforms a) Google Forms 1 and 11: this is the form enabled by GOOGLE LLC to report suspected copyright infringement. The textual references to “lumendatabase.org” in this form are the following: Regardless of whether Google may be liable for such infringement under the country-specific legislation or United States law, our response may include the removal of any material against which a claim has been made for incurring in an infringing activity, the disabling of access to said material or the cancellation of subscriber accounts. If we remove material or disable access to it in response to this type of notification, we will contact the owner or administrator of the content or website in question so that you can file a counter notification. Also, in accordance with our policy, we document all notifications of suspected violations we receive, including sending a copy of the notice to one or various third parties, or its publication. You can see an example of this type of publication in the page https://www.lumendatabase.org/notices/2069”. “Please note that a copy of each legal notice we receive is sent to a third party, that you could publish it and annotate it (without your personal information). So the content of this form will be forwarded to Lumen (http://www.lumendatabase.org) so that it can be published. To see an example of this type of publication, access the page http://www.lumendatabase.org/dmca512/notice.cgi?NoticeID=861. In the case of products such as Google Web Search, a link to the posted notice will appear in the search results. Google search instead of removed content.” This form includes mandatory fields for the applicant to provide the following information: country of residence, applicant's full name, copyright holder's full name, email address of contact, protected work, where can I see an authorized example of the work? Allegedly infringing URL and signature. b) Google Forms 2, 4, 5, 7, 9, 17, 21 and 23: these are entry pages for the request for removal of content in which various products of the company and where the applicant would choose which of said products his content removal request. Includes the following text: “How to remove content from Google This page will allow you to access the right place to report the content you want withdraw from Google services in accordance with applicable laws. Provide us complete information so that we can investigate your query. If you have non-legal issues related to the "Terms of Service" or with the Google Product Policies, go to http://support.google.com. You must send a notification for each Google service in which the content appears. What Google product does your request refer to? ( ) Google search ( ) Blogger/Blogspot ( ) Google Maps and related products ( ) Google Play: Apps ( ) Youtube ( ) Google images ( ) A Google ad C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 12/137 ( ) Drive and Documents ( ) Google Photos and Picasa Web Albums ( ) Google Shopping ( ) See more products”. When clicking on the “See more products” option, a new list is displayed: “Select an option from the following list. ( ) Google+ ( ) Google AMP Cache ( ) Google Arts & Culture ( ) Google Assistant ( ) Chrome Web Store/Extension Gallery ( ) Google Classroom ( ) Cloud Firestore ( ) Google Cloud Platform ( ) DataStudio ( ) Google domains ( ) Feedburner ( ) Firebase ( ) Gmail ( ) Google URL Shortener (goo.gl) ( ) Google Groups ( ) Google Help Communities ( ) Google Lens ( ) Navlekha ( ) Google news ( ) Google Play Books and Google Books ( ) Poly ( ) Google Sites (Google's web page and wiki creation tool) ( ) Stadia. c) Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20 and 22. These are the entry pages to the content removal forms relating to different GOOGLE LLC products: Google Form 3: Blogger/Blogspot product. Google Form 6: Chrome Web Store product/extension gallery. Google Form 8: Google Classroom product. Google Form 10: Google Groups product. Google product form 12: Google Help Communities. Google Form 13: Poly product. Google Form 14: Feedburner product. Google Form 15: Data Studio product. Google Form 16: Cloud Firestore product. Google Form 19: Google Photos and Picasa Web Album product. Google Form 20: Drive and Documents product. Google Form 22: page similar to number 20, differing in that it is already is selected the option "Personal information: the information includes my personal data” as a reason to request the removal of content. All of them include the same information outlined in section b) above (“As remove content from Google…”). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 13/137 Textual references to “lumendatabase.org” in these forms are the following: “Please note that we may send a copy of each notification legal documents that we receive to the Lumen project (https://www.lumendatabase.org) for publication and annotation. Lumen will remove the sender's personal contact information (i.e., the phone number, email address and home address). To consult an example of this type of publication, go to the page https://www.lumendatabase.org/notices/5838”. And added: “In addition, we may publish similar information from your notification on our website. transparency report. For more information on this report, click here.” The following options are offered: . Google Forms 3 “How can we help you? ( ) I would like to report malware, phishing, disclosure of private data or other similar incidents. ( ) I want to report a blog that impersonates my identity. ( ) I want to report the disclosure of private nude images or information ( ) I want to report bullying and harassing content. ( ) Intellectual property issue: report copyright infringement, circumvention etc. ( ) Other legal problem: report content for another legal reason not included in the list”. . Google Form 6 “How can we help you? ( ) Copyright Infringement: My copyrighted work is being using illegally without authorization ( ) Counter Notice: An appeal intended to restore content that was removed due to a copyright infringement claim ( ) Brand: my brand is being used in a way that may cause confusion ( ) Court order: a court ruling has determined that a specific content is illegal ( ) Circumvention: a tool circumvents technological measures for the protection of rights From author ( ) Material with images of child sexual abuse: visual representation of practices explicit sex with minors. Google Forms 8, 12, 13, 14 (except the first option, in the last 3 cases), 15 (except for the first option and the one related to “Legal problem”) and 16 (except for the first option and those related to “Avoidance” and “Legal problem”) “How can we help you? ( ) I have a question about the Classroom program policies ( ) Copyright Infringement: My copyrighted work is being C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 14/137 using illegally without authorization ( ) Counter Notice: An appeal intended to restore content that was removed due to a copyright infringement claim ( ) Circumvention: a tool circumvents technological measures for the protection of rights From author ( ) Court order: a court ruling has determined that a specific content is illegal ( ) Legal problem: legal problem that does not appear on the list ( ) Material with images of child sexual abuse: visual representation of practices explicit sex with minors. Google forms 10, 19 (except the first option) “How can we help you? ( ) Report violent or hateful content, disclosure of personal data, or the promotion of goods and services ( ) Copyright Infringement: My copyrighted work is being using illegally without authorization ( ) Counter Notice: An appeal intended to restore content that was removed due to a copyright infringement claim ( ) Personal information: the content includes my personal data ( ) Court order: a court ruling has determined that a specific content is illegal ( ) Legal problem: legal problem that does not appear on the list ( ) Material with images of child sexual abuse: visual representation of practices explicit sex with minors. Google Form 20 “How can we help you? ( ) I want to report a case of identity theft, spam, malicious software or Other misuse of a Google Docs or Google Drive file ( ) Copyright Infringement: My copyrighted work is being using illegally without authorization ( ) Counter Notice: An appeal intended to restore content that was removed due to a copyright infringement claim ( ) Circumvention: a tool circumvents technological measures for the protection of rights From author ( ) Personal information: the content includes my personal data ( ) Other legal problem: report content for other legal reasons not included in the list”. d) Google Form 18: corresponds to the entry page to the forms of removal of content related to the product “Google Images”, which does not contain references to “lumendatabase.org”. The information provided is the following: “How to remove content from Google… (the same information outlined in section b) previous)". “Even if Google removes a web page or image from our search results, it doesn't we may remove content from websites that host it. The page may continue existing on the website, meaning it can be found via the site's URL web, in social networks where it has been shared or in other search engines. We recommend to contact the owner of the website to ask him to remove the content in question. 28001 – Madrid 6 sedeagpd.gob.es, 15/137 Visit “this page” for more information on how to contact the owner of a w.b site” The following options are offered on this page: “How can we help you? ( ) I want to report malware, phishing, or similar issues. ( ) Content that I requested to be removed continues to appear in search results, even though the webmaster has already removed it. ( ) Right to be forgotten: request to withdraw information in accordance with European legislation in terms of data protection ( ) Defamation: the content defames me or my company or organization ( ) Intellectual property issue: report copyright infringement, circumvention, etc. ( ) Other legal problem: report content for another legal reason not included in the list”. Lumendatabase Links . Link Lumendatabase 1 . Heading: Removal request for defamation. Directed at GOOGLE LLC on ***DATE.4 by an anonymous Spanish user. . Claim: (...). . Link: (…) . Link Lumendatabase 2 . Heading: Removal request for defamation. Directed at GOOGLE LLC on ***DATE.5 by an anonymous Spanish user. . Claim: (...). . Link: (…) . Link Lumendatabase 3 . Heading: Removal request for defamation. Directed at GOOGLE LLC on ***DATE.6 by an anonymous Spanish user. . Claim: “(…)” . . Link: (…) . Link Lumendatabase 4 . Heading: Removal request for defamation. Directed at GOOGLE LLC by an anonymous Spanish user. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 16/137 . Claim: “(…)”. . Link: (…) (…) (…) (…) (…) . Link Lumendatabase 5 . Heading: Removal request for defamation. Directed at GOOGLE LLC on ***DATE.7 by an anonymous Spanish user. . Claim: “(…) ”. . Link: (…) . Link Lumendatabase 6 . Heading: Removal request for defamation. Directed at GOOGLE LLC on ***DATE.8 by an anonymous Spanish user. . Claim: “(…)”. . Link: (…) . Link Lumendatabase 7 This impression corresponds to the search engine of “lumendatabase.org” composed through a series of simple and advanced search boxes. The search box simple appears filled with the term "Google", supposedly used by the complainant to carry out the searches that he presents as evidence before this Agency. . Link Lumendatabase 8 It is verified that the information of this link substantially coincides with the capture screenshot attached to the letter of complaint dated September 28, 2018 (See Facts First), presenting the following differences: . The date of the request is stated, this being ***DATE.9. . The address of the link that was the subject of the removal request has been removed any reference to the personal name, subsisting this in the summary of the content request. . Link Lumendatabase 9 to 12 It is verified that the information of this link substantially coincides with the capture screenshot attached to the letter of complaint dated September 28, 2018 (See Facts First), presenting the following differences: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 17/137 . The date of the request is stated, this being ***DATE.9. . In the link address, only “(…)” is indicated. . Link Lumendatabase 13 It is verified that the information of this link substantially coincides with the capture screenshot attached to the letter of complaint dated September 28, 2018 (See Facts First), presenting the following differences: . The date of the request is stated, this being ***DATE.10. . The link address has been simplified. . Link Lumendatabase 14 It is verified that the information of this link substantially coincides with the capture screenshot attached to the letter of complaint dated September 28, 2018 (See Facts First), presenting the following differences: . The date of the request is stated, this being ***DATE.11. . The link address has been simplified. . Link Lumendatabase 15 . Heading: Withdrawal requirement due to application of local regulations. Addressed to GOOGLE LLC on ***DATE.10 by an anonymous Spanish user. . Link: (…). . Link Lumendatabase 16 The page presents a 404 error, which is consistent with what was stated by GOOGLE SPAIN S.L. in his letter of December 28, 2018 . Link Lumendatabase 17 This link does not allow the download of the document, which is consistent with what manifested by GOOGLE SPAIN S.L. in his letter of December 28, 2018. . Link Lumendatabase 18 It is verified that the information of this link substantially coincides with the printing of the web page attached to the complaint letter of January 2, 2019 (See facts First), presenting the following differences: . Only the link (...) remains. . Link Lumendatabase 19 It is verified that the information on this link corresponds to a request addressed to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 18/137 GOOGLE LLC prior to the entry into force of the RGPD. Also, it is verified that the possibility of downloading the judicial document has disappeared. . Link Lumendatabase 20 It is verified that the information on this link corresponds to a request addressed to GOOGLE LLC prior to the entry into force of the RGPD. Also, it is verified that the possibility of downloading documents has been limited to one. . Link Lumendatabase 21 It is verified that the information on this link corresponds to a request addressed to GOOGLE LLC on date ***DATE.12, prior to the entry into force of the RGPD. . Link Lumendatabase 22 It is verified that the information of this link substantially coincides with the printing of the web page attached to the complaint letter of January 9, 2019 (See Acts First). . Link Lumendatabase 23 Link Description: This is a page that provides search results content removal requirements. Joins the performances the first of the pages, which reviews requests from December 2019, January and February 2020, addressed to GOOGLE LLC based on court decisions. . Link Lumendatabase 24 Description of the link: Page that offers the search results of content removal requirements addressed to GOOGLE LLC based on judicial resolutions, in Spanish. . Link Lumendatabase 25 Link description: . Heading: Removal request for defamation. Directed at GOOGLE LLC on ***DATE.13 by an anonymous Spanish user. . Claim: “(…)”. . Link: (…) (…) (…) (…) . Link Lumendatabase 26 Link description: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 19/137 . Heading: Withdrawal request as a result of a failure judicial. Addressed to GOOGLE LLC on ***DATE.14 by H.H.H. . Explanation:"(…)" . Link: (…) (…) . Link Lumendatabase 27 Link Description: Refers to a content removal requested by a Italy user. . Link Lumendatabase 28 Description of the link: Page that offers the search results of publications on the Lumen website based on the terms “EU-Right to Oblivion” and “Google”. Corresponds to requests from 2014, 2015 and 2016. . Link Lumendatabase 29 This is the same link as number 18 already sent in the complaint filed on January 2, 2019. Below the links indicated in the publications reviewed with the numbers 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 18, 19, 20, 21, 22, 25, 26 and 29 shows the phrase “Click here to request access and see full URLs” (whose translation would be “Pinche here to request access see full URL”) in hyperlink format. Google searches 1. The terms “C.C.C.” are introduced. in the "Google Search", resulting in removed reference to “lumendatabase.org”. 2. The terms “D.D.D.” are introduced. in the "Google Search", verifying that makes specific reference to deleted results and directs, for more information, to a hyperlink from “lumendatabase.org”. SEVENTH: On 06/09/2021, the Director of the Spanish Protection Agency of Data agreed to initiate sanctioning proceedings against the entity GOOGLE LLC, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of article 17 of the RGPD in ideal competition with an infringement of article 6.1 of the RGPD, which are typified in article 83.5 of the same norm. In the opening agreement it was determined that the sanctions that could correspond, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 20/137 attended the existing evidence at the time of opening and without prejudice to what resulting from the investigation, would be 5,000,000.00 euros for the relative infringement to article 17 of the RGPD and 5,000,000.00 euros for the infringement related to article 6.1 of the GDPR. However, considering that both offenses concur in ideal bankruptcy regime, the total resulting from the sanction to be imposed would amount to 5,000,000.00 euros. In the same agreement to open the procedure, it was warned that the infractions imputed, if confirmed, may lead to the imposition of measures, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD. EIGHTH: Notification of the aforementioned initial agreement and extension of the term granted for formulate allegations, the claimed entity, having received a copy of the proceedings, filed a brief dated 07/21/2021, requesting: "one. The nullity of the Sanctioning Procedure for infraction of regulatory norms of the sanctioning procedure of a fundamental and essential nature that causes the defenselessness of Google. 2. Subsidiarily to the foregoing, the non-existence of alleged violations of articles 6.1 and 17 of the RGPD, and the file of the proceedings. 3. In the alternative to the foregoing, and in the unlikely event that Google is deemed responsible for the infringement of articles 6.1 and/or 17 RGPD, the imposition of the amount of the corresponding sanction in its minimum degree. Prior to presenting the allegations on which said request is based, GOOGLE LLC indicates that it does not discuss the application of the RGPD to the activities of treatment in question, while disagreeing with the Agency's analysis of the alternative assumptions (and not cumulative) provided for in articles 3.1 and 3.2.(a) GDPR. You understand that article 3.2.(a) RGPD does not apply, since it has with various establishments in countries of the European Union, in addition to Spain. (...). (…) This occurs in a complex legal and regulatory context, which requires an evaluation careful consideration and weighing of all the rights at stake in the operation of a successful content moderation program, especially the freedom of expression and information, the right to data protection, the protection of honor, privacy and other personality rights, intellectual property rights, freedom of the arts and sciences, the protection of consumers and the principles of transparency and responsibility. Among other requirements, it draws the attention of the Agency on the legal frameworks derived from Regulation (EU) 2019/1150 of the European Parliament and of the Council, of June 20, 2019, on the promotion of fairness and transparency for professional users of information services online intermediation (the “P2B Regulation”) and the European Commission Proposal Regulation on a Single Market for Digital Services (Digital Services Act, “DSA”). Both normative instruments impose high standards of transparency and accountability on the way in which service providers intermediary services moderate the content, including the requirement to publish all content removal decisions in an access database C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 21/137 public, as it would “contribute to mitigating possible abuses” (see art. 15.4 of the DSA and Recital 26 of the P2B Regulation). It is in this context that the relationship of GOOGLE LLC with “lumendatabase.org” (“Lumen”). Specific: “Lumen” is a project of the Berkman Klein Center for Internet & Society at the Harvard University, whose main objective is to study the “cease and termination letters” desistimiento” (cease and desist letters) relating to online content. lumen collects and analyzes requests to remove materials from the web with the aim of educating the public, facilitate research on the different types of complaints and Takedown requests being sent to publishers and service providers of the Internet, and to provide as much transparency as possible about the "ecology" of such communications, in terms of who is sending them and why, and for what purpose. Although one principle “Lumen” focused on requests submitted voluntarily by companies under the United States Digital Millennium Copyright Act (United States' Digital Millennium Copyright Act, “DMCA”), now also includes claims relating to other issues, including trademarks, defamation, court decisions, etc. In the above context, GOOGLE LLC, along with other major players in the digital society (See: https://lumendatabase.org/pages/about for more information in this regard), contributes to the "Lumen Project" for purposes of transparency and accountability, as well as to prevent abuse and fraud and shares with Lumen content removal requests in relation to intellectual property rights (DMCA), circumvention/avoidance, counterfeiting, non-confidential court decisions, libel and takedown notices based on local law. The positive contribution of the "Lumen Project" to society is evident. For example, it was thanks to Lumen that a very recent fraudulent use of the content removal tools by a Spanish entity (which came to the point of pretending to be the European Commission) and cites the links: (...). (...): a) (…). b) (...). c) (...). The aforementioned entity bases its request on the following considerations: 1. Violation of the LOPDGDD, which provides for a sanctioning procedure for a maximum duration of 21 months, taking into account the duration of the actions prior investigation (art. 67.2) and the penalty procedure itself (art. 64.2), because it keeps GOOGLE LLC under investigation for more than two years, ignoring the expiration of previous investigation actions. Furthermore, art. 65.5 LOPDGDD establishes that "The decision on the admission or inadmissibility for processing, as well as the one that determines, in its case, the remission of the claim to the main control authority that is deemed competent, must C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 22/137 notify the claimant within three months. In this case, the first claim filed is from 09/13/2018, so you can understood admitted on 12/13/2018, although the Agency did not issue any resolution in this date. More than a year later, on 01/16/2020, the AEPD decided to file provisionally the file and direct it to the data protection authority of Ireland (Irish Data Protection Commission); and more than a year and a half later, the 06/23/2021, the Start Agreement was notified (the Agency has taken almost 3 years since the first claim to initiate the Penalty Procedure). In accordance with the foregoing, the previous investigative actions expired on 12/13/2019, so the information collected in the framework of said actions previous investigations cannot be used in the Sanctioning Procedure, among other things, because they are investigations that have expired and are no longer correct from a factual point of view, they are not up to date. Using them would violate provided in art. 95.3 of Law 39/2015, of October 1, on Procedure Common Administrative Law of Public Administrations ("LPAC"), as well as the laws and principles that regulate the sanctioning administrative procedure. These facts, which hinder the right of defense of GOOGLE LLC, imply the nullity of the Start Agreement and the Sanctioning Procedure, proceeding the file of the performances. 2. There has been no violation of art. 6 GDPR: application of the base legitimate interest Clarifies that the legitimating basis on which it relies to share personal data with Lumen is not the consent, but the legitimate interest, interpreted of in accordance with Opinion 06/2014, on the concept of legitimate interest of the data controller under article 7 of the Directive 95/46/EC, which is applicable to the case at hand. Consider GOOGLE LLC that (A) there are multiple overriding legitimate interests in the data transfer with Lumen, and (B) that said legitimate interests prevail over the rights and freedoms of the interested. A. There is a legitimate interest of both GOOGLE LLC and "Lumen" (in this case, a third party), in the transfer of requests relating to the removal of content (which may or may not include personal data, depending on the type of withdrawal request and the solicitor): a) The legitimate interest of "Lumen" consists of promoting education, investigation and transparency, which, ultimately, fall within the interest of society as a whole and find support in many different laws (including the Spanish Constitution itself (arts. 27 and 44.2 of the Spanish Constitution, related to education and research, respectively) and Organic Laws (Law Organic Law 2/2006, of May 3, on Education; LOPDGDD; Organic Law 1/1982, of 5 of May, on civil protection of the right to honor, to personal and family privacy and in his own image, etc.), and even in the Opinion of Legitimate Interest, which establishes that: “The nature of the interest may vary. Some interests may be compelling and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 23/137 beneficial to society in general, such as the interest of the press in publish information about government corruption or interest in carrying out scientific research (subject to adequate safeguards)”. b) GOOGLE LLC also has a clear legitimate interest in sharing with “Lumen” content removal requests. Specifically, these assignments constitute an important mechanism for the Google group to ensure that their content removal practices are transparent and accountable, and are not related to the exercise of data protection rights, but with other rights (for example, intellectual property rights, right to honor, trademarks, etc.). "Lumen" provides transparency and serves to account for the content moderation processes implemented by the Google group (which is not a public entity or authority), to demonstrate the existence of procedures for withdrawal reagents, to encourage a clear understanding of the types of content in line that are the subject of withdrawal requests, the fairness between similar matters in different countries and regions, as well as to mitigate the risk of misuse or fraudulent use of content removal tools. In addition to the community of researchers, the general public and public authorities benefit from this transparency. The importance of these transparency objectives is reflected in the framework itself applicable legal system (such as the P2B Regulation), and even in legal provisions that are yet to come (such as the DSA). These legitimate interests are also recognized in the Opinion of Legitimate Interest, which establishes the following examples of legitimate interests: “the exercise of the right of freedom of expression or information, including situations in which it is exercised said right in the media”, “the prevention of fraud, the use misuse of services or money laundering”, “treatment for historical purposes, scientific or statistical” and the “publication of data for purposes of transparency and responsibility". The AEPD itself also recognizes in the Start Agreement that complying with the transparency standards may constitute a legitimate interest. B. These legitimate interests are not outweighed by the interests or rights and freedoms of the interested parties. In the opinion of GOOGLE LLC, the affirmation of the AEPD in the Initiation Agreement -without any evidentiary support- that the communication from GOOGLE LLC to Lumen of content removal requests “have a high impact on the interests and rights of the interested party” lacks any support for the following reasons: a) The interested parties who complete the “Google” content removal forms are sufficiently informed about the communication of requests to “Lumen”: Specifically, the interested parties are clearly informed about the communication of your personal data to Lumen at the time you provide your data to GOOGLE LLC, including by means of a prominent disclaimer posted displayed in the “Google” legal troubleshooting tool (reproduces the information on the possibility of sending a copy of the notifications to the Project C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 24/137 Lumen” and to publish them in the “Google Transparency Report”, already outlined in the Sixth Antecedent). b) GOOGLE LLC limits the personal data that is shared with “Lumen” and “Lumen” proceeds to anonymize the requests that GOOGLE LLC shares. (...). (...). Finally, it is the practice of "Lumen" to anonymize certain personal data of the requests prior to publication, including shared request categories by GOOGLE LLC in the case analyzed in the Startup Agreement (these are, those related to defamation, non-confidential judicial decisions and those related to local regulations other than data protection), in order to Minimize the personal data included in the publications. The protocol of Anonymization of Lumen is clearly available to the public on its page website (https://www.lumendatabase.org/pages/lumen-notice-basics). On this issue, he provides a screenshot where you can see the information regarding requests for defamation or for a court ruling (This coincides with the information provided on the “lumendatabase.org” website, in the document "Basic concepts of the Lumen notice information", which consists outlined in Annex 4. The foregoing does not prevent errors from being made on an occasional basis and that some Lumen posts are not fully anonymized. In these cases, those affected can go to both GOOGLE LLC (to notify Lumen of such errors) as well as Lumen directly asking for the correction of the anonymization. c) Access to full URLs and court decisions is limited to researchers from good faith: "Lumen" operates gradual data access, so that access to URLs completed forms and attached documents related to a publication (such as a court decision) does not remain available to the general public and can only be access them upon individual request by email. "Lumen" only gives access to this information to bona fide researchers, which limits access to such information and appropriately weighs the interests of the community of investigators with those of the subjects who submit requests for withdrawal of content to GOOGLE LLC. d) The legitimate interest at stake is important and compelling: the communication of content removal requests to “Lumen” for reasons of transparency and research benefits the general public, which, according to the Opinion of the Legitimate Interest is a key element to consider when performing the weighting test: “In general, the fact that the data controller acts not only in his or her own legitimate interest (for example, your company), but also in the interest of the community at large can give more 'weight' to their interest. The more pressing be it the public interest or the interest of the community at large, and the more clearly the community and stakeholders recognize and expect the responsible of the treatment can act and treat the data to pursue these interests, more C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 25/137 Such legitimate interest will have weight in the balance”. i) (...): i. (…) ii. (…) iii. (…) 3. Art. 17 GDPR: GOOGLE LLC respects the right to individuals' right to be forgotten/deletion A. (…). Regarding requests for the Right to be Forgotten, the “Lumen” website (https://www.lumendatabase.org/pages/lumen-notice-basics) expressly indicates that GOOGLE LLC "does not share with Lumen, at this time, requests it receives of EU citizens regarding the so-called “Right to be Forgotten (“RTBF”)(…)” (Unofficial translation). (…) The essential element that determines the application of article 17 RGPD is the purpose of the request and, consequently, the right invoked and exercised by the individual. Furthermore, unintended and unexpected consequences would occur if all requests that involve the withdrawal of personal data are treated in a automatic as exercises of the right of suppression under the protection of art. 17 GDPR, with independence of the legal regime in which the subject bases the withdrawal request of content. Content removal requests are assessed by performing legal analyzes and tests in depending on the reason you are submitting your request. For example, requests for deindexation for defamation reasons, in the absence of a judicial decision, are analyzed according to the local legislation that regulates defamation and the legal framework of the Directive of Electronic Commerce, and not on the basis of the RGPD, in such a way that they are taken into account account the facts and, depending on local regulations, the opinions contained in that content and other relevant factors (including legal doctrine). In the Spanish case, this would involve analyzing, among others, article 7 of Organic Law 1/1982, of May 5, of civil protection of the right to honor, to personal and family privacy and to one's own image, or articles 205 and following of the Penal Code in relation to crimes against honor; as well as Law 34/2002, of July 11, on services of the society of information and electronic commerce. B. The form for the exercise of the Right to be Forgotten made available by GOOGLE LLC, accessible at the address “https://www.google.com/webmasters/tools/legal-removal-request? complaint_type=rtbf”, does not include any reference to the communication of information to Lumen because such requests are not shared with Lumen. In this way, there is no construe that the Right to be Forgotten Form hinders in any way the rights of the interested parties under article 17 of the RGPD for an alleged imposition of the communication of information to Lumen. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 26/137 The documentation and information included in the file of the Procedure Sanctioning are inconsistent with that statement. none of the forms mentioned by the complainant in his complaints (and later confirmed by the Subdirectorate General for Inspection, the "Investigated Forms") refer to the Right to be Forgotten Form. The Investigated Forms are intended to submitting content removal requests for various legal reasons not related to data protection (e.g. copyright infringements), and not the Right to be Forgotten. (…) (…) 4. In relation to the graduation of sanctions, considers that they should be taken into account account the following extenuating circumstances: a) Any measure taken by the controller or processor to alleviate the damages suffered by the interested parties (article 83.2.c RGPD): GOOGLE LLC has contacted “Lumen” to let her know that she must carry out additional anonymizations of some of your publications related to requests for removal of content identified by the AEPD in the Basis of Law II of the Home Agreement. From this, "Lumen" has carried out new actions aimed either at anonymizing information or withdrawing publications (provides screen printing corresponding to Links Lumendatabase 3, 5, 8, 9, 10, 11, 18, 22 and 26). b) The benefits obtained as a result of committing the offense (art. 76.2.c LOPDGDD): the communication of information to "Lumen" is carried out with the purposes of increasing transparency and accountability, educating the public and facilitate research, all of which benefits society as a whole (being these purposes also promoted throughout the RGPD). GOOGLE LLC does not obtain any commercial benefit or income as a result of these communications. 5. Notwithstanding the foregoing allegations, GOOGLE LLC is in the currently in the process of reviewing its practices in relation to the communication of content removal requests to “Lumen”. GOOGLE LLC considers the protection of personal data as an extremely relevant issue and takes careful note of the comments made by the AEPD in the Start Agreement. GOOGLE LLC reviews its practices on an ongoing basis to ensure that it reaches a correct balance between transparency and data protection rights of users individuals. GOOGLE LLC hopes to have the opportunity to present and comment on its new practices with the AEPD soon. NINTH: On 10/05/2021, this Agency received a letter of supplemental allegations filed by GOOGLE LLC. (...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 27/137 (...). (...): a) (…). b) (...). c) (...). d) (...). (…) (…) (…) (...). TENTH: On 12/30/2021, the instructor of the procedure agreed to open a period of practice of evidence, considering reproduced for evidentiary purposes the complaints filed and their documentation, the documents obtained and generated during the phase of admission to processing of the complaints and the checks carried out by the General Subdirectorate of Data Inspection for verify that the links mentioned in the complaints and their content are correspond to the screen prints provided by the complainant or to access said content in cases in which it had not provided the capture of corresponding screen; and for presenting the allegations made by GOOGLE LLC and the documentation that accompanies them. Likewise, it was agreed to include in the actions the information and/or documentation Next: “a) Financial information relating to the entity GOOGLE LLC, obtained from the websites “es.investing.com” and “es.tradingview.com”. b) Copy of the "forms" mentioned in the Background of the agreement to initiate the reference sanctioning procedure, enabled by GOOGLE LLC so that the Interested parties may request the removal of content, accessible through the addresses that are also mentioned in said agreement (Google Forms 1 to 23). c) Copy of the information accessible through the links to “lumendatabase.org” that are mentioned in the Background of the agreement to initiate the sanctioning procedure of reference (Lumendatabase Links 1 to 29). d) Copy of the first page of search results in the Google search engine with the terms "D.D.D." e) Copy of the “Withdrawal under EU privacy law” form, accessible via from the “google.com” website (“https://www.google.com/webmasters/tools/legal-removal-request? complaint_type=rtbf&visit_id=637759350971490255-235171692&hl=es&rd=1”). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 28/137 f) Copy of the Privacy Policy accessible through the website "google.com" in its version current, in force since 07/01/2021, and some versions of it in force as of 05/25/2018. g) Copy of the information accessible through the URL cited by GOOGLE LLC in point 3.3 of your pleadings brief dated 07/21/2021 (“https://www.lumendatabase.org/pages/lumen-notice-basics”). h) Information available on the “lumendatabase.org” website regarding the “Lumen Project”. Said test practice was notified to GOOGLE LLC, warning it that the result of the same could give rise to the realization of others and that against said act of procedure there is no room for the filing of an administrative appeal, notwithstanding that the The interested party may file the appropriate appeals against the resolution that end of the procedure, by virtue of the provisions of article 112.1 of the LPACAP. For On the other hand, it was warned about the right to know, at any time, the state of the processing of the procedure and to formulate allegations, use the means of defense admitted by the Legal System, and to provide documents in any phase of the procedure prior to the hearing process. A) Result of the test indicated with the letter a): (…). (...). B. Result of the test indicated with the letter b): It is verified that the content and structure of the verified forms coincide with the detail outlined in the Sixth Antecedent. On the other hand, the following observations are made: a) “Google Forms 1 and 11”: form enabled by GOOGLE LLC to report alleged copyright infringement. Access the link "https://www.lumendatabase.org/notices/2069", which corresponds to a notice of copyright infringement from a company located in the United States United States, dated September 2003. Click on the link that leads to one of the application support documents and access to a Lumen form that allows you to request "full access to complaints" from the company in question before Google, which has the following structure: “To access this notice enter your email address and solve the captcha. After you submit the form, we will send you an email with a one-time link. use to notice. Email address (space to record email address) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 29/137 ( ) Select to receive a notification when new documents are added. notification (or when existing notification documents are updated). Deliver (button)”. This form includes a link to access the “instructions for filing a DMCA notification for each product”, which leads to a document with the label “American Copyright Act (DBCA)”. b) “Google Forms 2, 4, 5, 7, 9, 17, 21 and 23”: entry pages for the application removal of content in which various products of the company are listed and where the applicant would choose which of said products his application for content removal. Regarding the list of products that is outlined in the Sixth Antecedent, it is check that the product “Navlekha” disappears and “Google Workspace Marketplace”. 1. You access the page to which the link to the product “Search for Google” (“Google Form 24”), verifying that it does not include any reference to the communication of information to Lumen. Options are provided on this page. following: “How can we help you? ( ) I want to report malware, phishing, or similar issues. ( ) Content that I requested to be removed continues to appear in search results, even though the webmaster has already removed it. ( ) Remove personal information from Google in accordance with our product policies (personally identifiable information, doxxing, explicit non-consensual images, etc.). ( ) Personal information: request that my personal information be removed from the results of Google search. ( ) Intellectual property issue: report copyright infringement, circumvention, etc. ( ) Other legal problem: report content for another legal reason not included in the .ista” With the option “Personal information: request that my personal information be removed from Google search results” takes you to a new page for removal of content, in which GOOGLE LLC informs that "it is possible that the search results include a notice to indicate that some results"; and new options are offered to the interested party: “Choose one of the following options: ( ) Remove personal information from Google in accordance with our product policies (personally identifiable information, doxxing, non-consensual explicit images, etc.) ( ) Right to be forgotten: request to withdraw information in accordance with European legislation in terms of data protection ( ) Defamation: the content defames me or my company or organization”. Selecting one of these options allows you to create a request (“Click on Create request to send a request to our team”). The option “Right to be forgotten” leads to the form “Withdrawal under the law of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 30/137 EU privacy. For the “Defamation” option, a data collection form is displayed with the following information: “Request removal of content for legal reasons If you think you have found content that is illegal in your country, you can use this form to submit a claim. Please identify the exact URLs of the content in question and explain in detail why you believe that content is illegal. We will evaluate your request taking into account our privacy policies. removal of content, we will review it and take appropriate action." “For Google Search claims, you must identify the URL of each web page that contains allegedly infringing material. Check out this article if you need help search the URLs”. “To be as accurate as possible, please cite exactly the text of the URLs listed above that you believe violates your rights. If the allegedly infringing content is a image or video, please provide a detailed description of that content so that we can locate it at the URL in question”. “If the violation affects multiple Google products, you must submit a notification for each affected product. This form includes fields for the applicant to provide the following data: country of residence, full name of the applicant, name of the company, name of the company or organization whose legal rights it represents, email address contact email, allegedly infringing URL and signature. It is also requested to applicant to “Explain in detail why you believe that the content of the URLs above is illegal and cite the specific legal provisions if possible.” 2. You access the page to which the link to the “Google Maps and Maps” product leads. related products” (“Google Form 25”), verifying that it includes the Next information: “How to remove content from Google This page will take you to the right place to report the content you want withdraw from Google services in accordance with applicable laws. Provide us complete information so that we can investigate your query. If you have non-legal issues with the Terms of Service or Privacy Policies Google products, visit http://support.google.com. You must submit an individual notification for each Google service in which the content" . This page offers new “product” options (Local listings, Google Maps, Street View and My Business website). By selecting the option “Files local (including business listings, reviews, posts and photos)”, is displayed an informative text that refers to the communication of data to the "Project Lumen” (the same reference to “lumendatabase.org” that appears in the “Forms of Google 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20 and 22”, reproduced in the Background Sixth), as well as the publication of information in the transparency report of “Google (“We may also publish similar information from your notification in our transparency report. For more information on this report, click here”). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 31/137 The following options are also displayed regarding the reason for the request: “How can we help you? ( ) I want to change the incorrect information on my local file ( ) I want to know why the information on my local listing has changed ( ) Personal information: the content includes my personal data ( ) Intellectual property issue: reporting copyright infringement, circumvention, etc. ( ) Court order: a court ruling has determined that a specific content is illegal ( ) Legal problem: legal problem that does not appear in the list ( ) Material with images of child sexual abuse: visual representation of sexual practices explicit with minors”. Selecting one of these options allows you to create a request (“Click on Create request to send a request to our team”). for option “Personal information: the content includes my personal data” a message is displayed. data collection form with the following information: “Form to request the withdrawal of personal information For privacy reasons, you may have the right to request that certain personal information related to you. This form is used to request the withdrawal of certain content of the product from Google you have selected. If you wish to request the removal of personal information from another Google product, submit a request through the corresponding product form, available on our “How to remove content from Google” page. For example, if you want to request that certain Search results be removed from Google for queries that include your name, please submit a request through the corresponding Google Search form. Upon receipt of a request, Google strikes a balance between the individual's right to privacy affected and the right of the general public to have access to information, as well as the right from other users to distribute it. For example, Google may refuse to remove certain information about financial scams, professional negligence, criminal convictions, or public behavior of government officials. “I agree to the processing of the personal information I submit, as described below: Google LLC or Google Ireland, for users in the European Economic Area or Switzerland, will use the personal information you provide on this form (such as your email address) email and all identity data) and personal information you submit in other messages to process your request and comply with our legal obligations. google can share information from your application with data protection authorities, but only if the request to investigate or review a decision Google has made. This usually happens if has contacted the national data protection authority in relation to our decision. Once the content has been removed from our products, We will inform the corresponding owners. Please note that if you are signed in to your Google account, we may associate your application to that account. ( ) Check the box to confirm. This form includes fields for the applicant to provide their data related to country of residence, full name and contact email address; So such as the name and surname of the person it represents, URL of the content that include the personal information you want removed, the personal information you you want it to be withdrawn and the reasons for the withdrawal. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 32/137 3. You access the page that leads to the link to the “Google +” product (“Form Google 26"), verifying that it includes the same information outlined in the case above (“Google Maps”), including reference to the communication of data to Lumen and to the “Google Transparency Report”. As for the options, they offer the following: “How can we help you? ( ) I want my profile removed from search results. ( ) I want to file a phishing claim. ( ) Other legal problem: report content for another legal reason not included in the list”. Selecting one of these options allows you to create a request (“Click on Create request to send a request to our team”). For the option "I want my profile to be removed from the search results" displays a link to the following information: “Allow or prevent web search engines from crawling your Google+ profile In Google+ settings you can allow or prevent web search engines track your profile. 1. On your computer, open Google+. 2. Click Menu Settings. 3. Go to "Profile". 4. Activate or deactivate the option "Allow other users to find my profile in the Search results". “Do you use Google Currents at work or school? The person in your organization who manages your Google Workspace account, called "system administrator" will choose whether web browsers can crawl your profile page or not. If you don't like the option you've chosen, you can change it." 4. You access the page to which the link to the “Google News” product leads (“Google Form 27”), verifying that it includes the same information outlined in section 2 above, except for the reference to the communication of data to the "Project Lumen” and the “Google Transparency Report”. The following options are offered on this page: “How can we help you? ( ) Copyright Infringement: My copyrighted work is being used illegally without authorization ( ) Counter Notice: An appeal intended to restore content that was removed due to a copyright infringement claim ( ) Circumvention: a tool circumvents the technological measures for the protection of the rights of Author ( ) Personal information: the content includes my personal data ( ) Court order: a court ruling has determined that a specific content is illegal ( ) Legal problem: legal problem that does not appear in the list ( ) Material with images of child sexual abuse: visual representation of sexual practices explicit with minors”. Selecting one of these options allows you to create a request (“Click on C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 33/137 Create request to send a request to our team”). for option “Personal information: the content includes my personal data” a message is displayed. data collection form with the same information that appears in section 2 above, corresponding to the application form available for this same option, in the “Google Maps” product. This form includes fields for the applicant to provide their data related to country of residence, full name and contact email address; So such as the name and surname of the person it represents, URL of the content that include the personal information you want removed, the personal information you you want it to be withdrawn and the reasons for the withdrawal. c) Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20 and 22. These are the entry pages to the content removal forms relating to different GOOGLE LLC products, which are detailed in Precedent Six. The link provided in these forms is accessed to be able to examine a example post on “lumendatabase.org” (https://www.lumendatabase.org/notices/5838). Corresponds to a withdrawal of defamation content filed in April 2005 by a UK company that is not identified. Nor is there any personal information of the client of the requesting entity, and no URL or supporting documentation is included. Click on the link included in this publication “to request access and see the URLs complete" and access to the usual "Lumen" form, in which the email address of the person who wishes to access the information, the that later said entity sends an email with a link to the information of single use. These forms include a link to obtain information about the report of transparency of GOOGLE LLC (“In addition, we may publish similar information from your notification in our transparency report. to get more information about this report, click here”). On the other hand, in the content removal form corresponding to the product “Drive and documents”, the option “Personal information: the content includes my personal data”, which leads to the page where the creation of the request (Google Form 22). For this option, a data collection form with the same information contained in section 2 above, corresponding to the application form available for this same option, in the “Google Maps” product. This form includes fields for the applicant to provide their data related to country of residence, full name and contact email address; So such as the name and surname of the person it represents, URL of the content that include the personal information you want removed, the personal information you you want it to be withdrawn and the reasons for the withdrawal. d) Google Form 18: entry page to content removal forms related to the product “Google Images”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 34/137 You access the link "Visit this page", through which you access the information provided on how to contact the webmaster of a website. At the end of the document, it is indicated: “If the webmaster has already made the changes you requested to a website listed on search results, you can ask us to remove outdated information by a “website removal request”. By means of this link "web page removal request" you access a Google Search outdated content removal tool. In the It indicates the following: “Guidelines . This tool only works with pages or images that have already been modified or removed from the web. . To remove personal information or content with legal problems that is still present on one page, "submit a legal request." . See more information in “this document”. New request" Through the "document consultation" inserted in that information, it allows access to a page with the label “Remove obsolete content tool”, which allows “update Google search results of pages or images removed or of pages with removed content. Through the link “send a legal request”, also inserted in the information reviewed, you access the page that includes the "Create application" button. This page reports the following: “Report content for legal reasons We take inappropriate content very seriously If you see content in a Google product that you think violates the law or your rights, contact in contact with us. We will review the material and study the possibility of blocking it, limit or withdraw access to such material. Behaviors such as impersonation of identity (phishing) or the presence of violent or explicit content may lead to the Violation of our “product policies” and lead to possible removal of products. content of Google products. We recommend that you report the possible content violation on the relevant product page before creating a request. Create a request (button). Protect your information Our goal is to provide you with the most powerful security and privacy tools of the world. Security and privacy are very important to us, so we We strive to offer you maximum protection. Read our "Privacy Policy" to learn how Google uses information and what can do to protect yourself. Our “Safety Center” can help you and your family stay safe at Internet. Check it out for more information on the topic and how Google protects users, their computers and the entire Web against cybercrime. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 35/137 Transparency is essential for us Transparency is one of Google's core values. In our desire to be transparent, we can send a copy of each legal notice that Let's receive the "Lumen project" (link to the website "lumendatabase.org") for publication. Lumen is an independent research project led by the Berkman Klein Center for Internet & Society at Harvard Law School. The Lumen database contains Millions of content removal requests that various companies have shared volunteer, including Google. Its objective is to facilitate academic and sectoral research on the availability of online content. Lumen will hide the personal contact information of the sender, such as your phone number, email address, and mailing address. You can see an example of a Lumen post “on this page”. Likewise, we could publish similar information from your notice in our “Report of transparency”, which provides data on the requests sent to us by both holders of copyrights such as governments to get us to remove information from our products. Copyright Information In accordance with Google's policy, we must comply with notices of infringement of copyright under the United States Copyright Protection Act. author (DMCA). See more information about our copyright policies and all the requirements that a notice must meet in the “Copyright Help Center”. C. Result of the test indicated with the letter c): The information published in the Lumendatabase Links 6, 7, 13, 15, 16, 17, 19, 27, 28 and 29 coincides with that outlined in the First and Sixth Background. In all other cases, the following findings are made: . Link Lumendatabase 1 In the indication of the link appears: "(...)". (…) Likewise, the link “Click here to request access and see full URLs” is accessed, which gives access to the “(…)” page. This page appears with the label “Request full access to defamation complaint against Google”, with the following text: “To access this notice, enter your email address and solve the problem. captcha After submitting the form, we will send you an email with a one-time link to notice. Email address (space to add email address) ( ) Select to receive a notification when new documents are added. notification (or when existing notification documents are updated). Deliver (Button)”. . Link Lumendatabase 2 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 36/137 The published content coincides with that outlined in the previous Background. The link “Click here to request access and see full URLs” is accessed, which gives access to the “(…)” page, with the same structure as the one outlined in the Link Lumendatabase 1. . Link Lumendatabase 3 In the text of the complaint, the data “(…)” and the URL “(…)” have been deleted. The link “Click here to request access and see full URLs” is accessed, which gives access to the “(…)” page, with the same structure as the one outlined in the Link Lumendatabase 1. . Link Lumendatabase 4 Indicates the date of the request addressed to GOOGLE LLC ***DATE.12 and the links appear as follows: (…) (…) (…) (…) (…) (...). . Link Lumendatabase 5 In the text of the claim, the data “I.I.I.” Y “*** COMPANY.1”. . Link Lumendatabase 8 In the text of the claim, the data “B.B.B.” Y (…) ; and the link appears with the review “(…)”. . Links Lumendatabase 9 to 12 In the text of the claim, the data “B.B.B.” (link 9), “B.B.B.” (link 10), “B.B.B.” (links 11) and “B.B.B.” (link 12). . Link Lumendatabase 13 The published content coincides with that outlined in the previous Background. . Link Lumendatabase 14 The link indicates “(…)”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 37/137 . Link Lumendatabase 18 In the header the data “C.C.C.” has been suppressed, and in the text of the claim, the information “(…)” has been suppressed. . Link Lumendatabase 19 The information coincides with that outlined in the previous Background information (request prior to the entry into force of the GDPR). . Link Lumendatabase 20 The published content coincides with that outlined in the previous Background (request prior to the validity of the RGPD). . Link Lumendatabase 21 The published content coincides with that outlined in the previous Background (request prior to the validity of the RGPD). The blog “(…)” is accessed and it is verified that it has been eliminated. . Link Lumendatabase 22 The applicant's name has been removed from the header. The blog “(…)” is accessed and it is verified that it has been eliminated. . Link Lumendatabase 23 Page similar to the previous one, with requests addressed to GOOGLE LLC based on judicial resolutions. . Link Lumendatabase 24 Page similar to the previous one, with requests addressed to GOOGLE LLC based on judicial resolutions. You access some of the links on the results page of the search corresponding to Spanish users, verifying the following: . (…) (Lumendatabase 30 link) . Header: Addressed to GOOGLE LLC by J.J.J., on 07/06/2020, as a result of a court ruling. . Claim: “(…)”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 38/137 . Link: (…) . Documents: Possibility of downloading two supporting documents in Pdf format. On the other hand, you access the link “Support documents. Support PDF. Click here to get…”, which gives access to the “(…)” page. This page, which appears with the label “Request Full Access to the Court Order Complaint to Google”, offers the option of requesting information related to this notification: “To access this notice, enter your email address and solve the problem. captcha After submitting the form, we will send you an email with a one-time link to notice. Email address (space to add email address) ( ) Select to receive a notification when new documents are added. notification (or when existing notification documents are updated). . (…) (Lumendatabase link 31) . Header: Addressed to GOOGLE LLC by K.K.K., on ***DATE.16, as a result of a court ruling. . Claim: “(…)”. . Link: (…) . (…) (Lumendatabase link 32) . Header: Addressed to GOOGLE LLC by L.L.L., on ***DATE.17, as a result of a court ruling. . Claim: “(…)” . Links: (…) . Documents: Possibility of downloading two supporting documents in Pdf format. . (…) (Lumendatabase link 33) . Header: Addressed to GOOGLE LLC by M.M.M., on ***DATE.18, as a result of a court ruling. . Links: (…) (…) . Link Lumendatabase 25 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 39/137 Page not found . Link Lumendatabase 26 The data “H.H.H.” has been removed from the header. D) Result of the test indicated with the letter d): The first page of search results in the Google search engine with the terms “D.D.D.”. Check that at the bottom of the page The following disclaimer is included: “Some results may have been removed in accordance with European data protection law. More information". E) Result of the test indicated with the letter e): a) The “Google.com” website is accessed and a copy of the “Withdrawal under EU privacy law” form (“https://www.google.com/webmasters/tools/legal-removal-request? complaint_type=rtbf&visit_id=637759350971490255-235171692&hl=es&rd=1”), which It is reproduced in full in Annex 2. b) Click on the link “How to remove content from Google” inserted in the form above and it is verified that it gives access to the Google login page for the request for removal of content in which various products of the company, in which the applicant can choose which of said products his content removal request (Google Forms 2, 4, 5, 7, 9, 17, 21 and 23). F) Result of the test indicated with the letter f): A copy of the Privacy Policy accessible through the website “google.com” in its current version, valid from 07/01/2021, and a copy of the versions of said Privacy Policy dated 05/25/2018, 01/22/2019 and 03/31/2020. From the content of the update of the Privacy Policy dated 05/25/2018, the sections that are outlined in Annex 1 stand out. The update of 01/22/2019 includes the same sections as the previous one and expressed in the same terms, except for the changes indicated in Annex 1 (it is introduces a new section with the label “European requirements”). In the same way, the update of 03/31/2020 has the same structure as the above and is expressed in the same terms, with the changes indicated in Annex 1, among which the incorporation of a new section regarding the “Data Retention”. The update of this Privacy Policy on 07/01/2021, which corresponds to the version currently in force includes the same sections as the previous version C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 40/137 and are expressed in the same terms, with the changes indicated in Annex 1. All versions of the Privacy Policy examined include the link “request content to be removed”. This link is clicked and it is verified, in all the cases, which gives access to the entry page to the content removal request in which lists various products of the company, in which the applicant can choose which of those products your content removal request relates to (Google Forms 2, 4, 5, 7, 9, 17, 21 and 23). G) Result of the test indicated with the letter g): a) The internet address “https://www.lumendatabase.org/pages/lumen- notice-basics” and the information contained therein is incorporated into the proceedings. From the information contained in this document, which appears with the label "Concepts basics of the information of the notice of Lumen”, the fragments that are reproduced in Annex 4. b) The Internet address is accessed “https://support.google.com/websearch/troubleshooter/3111061#ts=2889054%2C2889 099”, included in the previous document, in the section “OTHER TYPES OF NOTICES”. It leads to an informative document from “Google” about the withdrawal of information, the which is also reproduced in Annex 4. H) Result of the test indicated with the letter h): a) The website “lumendatabase.org” is accessed, to the section called “About” and the information available in said section is incorporated into the actions, which It is reproduced in Annex 3. b) The "Legal Notice" inserted in "lumendatabase.org" is accessed and incorporated into the actions the information available in said section, which is reproduced in Annex 3. c) The website “lumendatabase.org” is accessed, to the section called “Investigators”, and the information available in said report is incorporated into the proceedings. section, which is reproduced in Annex 3. ELEVENTH: On 01/31/2022, a resolution proposal was issued in the following sense: 1. That the Director of the AEPD sanction the entity GOOGLE LLC, for a infringement of article 6 of the RGPD, typified in article 83.5.a) and qualified as very serious for prescription purposes in article 72.1.b) of the LOPDGDD, with a fine amounting to 5,000,000 euros (five million euros). 2. That the Director of the AEPD sanction the entity GOOGLE LLC, for a infringement of article 17 of the RGPD, typified in article 83.5.b) and qualified as very serious for prescription purposes in article 72.1.k) of the LOPDGDD, with a fine amounting to 5,000,000 euros (five million euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 41/137 3. That the Director of the AEPD impose the entity GOOGLE LLC, within the term to be determined, the adoption of the necessary measures to adapt to the regulations protection of personal data, treatment operations and procedures exercise of the right object of the actions, with the scope expressed in the Legal basis X of the proposed resolution. TWELFTH: Notification of the proposed resolution, extension of the term granted for the formulation of allegations and sent a copy of the proceedings incorporated into the procedure, a letter was received from GOOGLE LLC requesting the Next: 1. That the nullity of the procedure be declared null and void for not taking into account consideration the rules of the cooperation mechanism, and break the rules regulations of the sanctioning procedure of a fundamental nature and of the principle of legitimate expectations (letter e) of article 47.1 of the LPACAP). 2. Subsidiarily to the foregoing, the annulment of the Procedure in the terms contemplated in article 48 LPACAP, due to the existence of an action by the Agency that involves an infraction of the legal system and that causes the helplessness of the defendant. 3. Subsidiarily to the foregoing, the non-existence of the alleged infractions of the art. 6.1 and 17 of the RGPD, and the file of the actions. 4. Subsidiarily to the foregoing, the imposition of the amount of the sanction corresponding in its minimum degree and the limitation of the scope of the orders or corrective measures only for data processing attributable to GOOGLE LLC, granting a reasonable term to comply with them. After declaring his previous writings and information reproduced, he formulates the following considerations, on which you base your request: 1. The initial object of the procedure, referred to the "communication of data related to requests or requests for removal of content made by GOOGLE LLC. to the Lumendatabase project”, has been expanded by the AEPD in the proposed resolution to treatments for which GOOGLE LLC is not responsible, thereby violating the regulations. GOOGLE LLC indicates that the Agency initiated the procedure with a defined object, such as the analysis of the communication of data related to requests for withdrawals of content to the "Lumen Project", and the fulfillment of the article 17 of the RGPD in relation to these communications. About this issue, GOOGLE LLC expressly declares the following: “In effect… Google LLC, is the entity responsible for the processing of personal data that has taken place in the context of communications of withdrawal requests to Lumen. Precisely for this reason, the present procedure was correctly initiated against Google LLC”. It adds that, notwithstanding the foregoing, in the aforementioned proposal a new alleged infringement of article 17 GDPR based on deficiencies (quod non) found in the forms and procedures for the removal of content accessible through Google products and services, which are offered to users C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 42/137 users located in the European Economic Area (“EEA”) and Switzerland (including Blogger/Blogspot, Drive, Google Photos, Google Play, YouTube, etc.) by Google Ireland Limited, so this entity is responsible for data processing associated with the use of these services and the Irish Data Protection Commission (or “IDPC”) the lead supervisory authority for any cross-border processing related to such personal data. Nor is GOOGLE LLC responsible for the procedures and forms for the removal of content or personal data processed in this context. By not considering whether the cooperation mechanism of Article 60 of the GDPR should activated with the extension of the procedure, the AEPD has infringed the regulations applicable, which irremediably entails the nullity of this procedure in accordance with the provisions of article 47.1.e) of the LPACAP or, in any case, the annulment of the procedure in the terms contemplated in article 48 LPACAP. 2. The facts show that the processing of claims, the involvement of the IDPC and the investigation and verification actions carried out by the Agency have been delayed for more than what is allowed in the applicable regulations, not subject to the procedures provided for in said regulations. The previous investigation actions have widely exceeded the term of 12 months established in article 67.2 of the LOPDGDD, since the IDPC rejected its competence (understood, then, that the competence corresponded to the AEPD) on 01/22/2020. Faced with this, the provisional filing of the file declared by the 01/16/2020 in accordance with article 66.2 of the same Organic Law, which only it can be extended until the moment in which the AEPD confirms its competence. In At this point the provisional file is lifted and the file recovers everything its vigour. In this case, it is appropriate to apply, by analogy, a criterion in line with what establishes article 64.4 of the LOPDGDD, according to which the suspension of deadlines of the procedures ends at the moment in which the control authority of the other State Member proceeds to the "notification of the pronouncement to the Spanish Agency of Data Protection". Thus, although the Agency declared at the time the provisional file of the procedure, said file must be understood as raised on 01/22/2020, once the AEPD "recovered" its jurisdiction over the knowledge of claims. In consequently, the provisional file of the procedure is ineffective to avoid the expiration of actions. Likewise, the lack of declaration by the AEPD of the formal lifting of the provisional file cannot have any effect at this respect, since it is evident that the procedure continued. In this situation, the previous investigative actions would have expired, therefore that the information collected within the framework of the same could not be used in this Procedure. This circumstance was highlighted by this party in its arguments to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 43/137 Home Agreement. Given this, in the resolution proposal, the Agency states that agreed to open the procedure without having developed prior actions of investigation and, that being so, the expiration of some actions cannot be invoked that have not taken place. Although the Agency denies these previous actions, it is clear that it did lead to carried out a series of actions aimed at "better determining the facts and the circumstances that justify the processing of the procedure” and that can only be qualify as investigations or verifications and that have been reflected in the Original File (p. 194 et seq. and p. 275 et seq. of Annex 1), as well as in the background indicated in the resolution proposal. The existence of these tasks research is an incontestable fact. The AEPD does not provide any explanation about how to qualify the work then of research that he actually carried out prior to the initiation agreement, nor nor the legal framework in which they would have been carried out. It is simply limited to deny having carried out any investigation, which is clearly not consistent with the reality. In view of this, there are only two possibilities, leading both to the infringement of the legal system by the AEPD: a) That although the opening of proceedings prior to the failure to there is an agreement by which its initiation was decided, such previous actions should be understood as open in any case, given the research work that, effectively, the Agency did carry out. If such were the case, said actions previous reports would have exceeded the legally permitted period of time and should understood expired for the reasons stated above. b) That, since there is no formal agreement to initiate the preliminary actions, the Agency would have carried out investigation, investigation and verification actions, outside the legally established framework for prior actions, (i) exercising powers and investing resources and human and material means, without legal protection or a legally established legal framework (which in itself entails legal reproach) and (ii) thus reprehensibly circumventing the time limit established by the LOPDGDD for previous actions. In relation to the possibility of carrying out investigation tasks without formal opening of preliminary investigations, GOOGLE LLC indicates that it does not share the interpretation that the Agency does with respect to article 67 of the LOPDGDD and the optional nature of the same. By virtue of this article, the Agency may or may not carry out prior actions of investigation before adopting the initiation agreement, but in case of making any investigation or verification, the legal channel provided for it must be those mentioned preliminary investigative actions. On the other hand, the 12-month period established for preliminary actions is due to to the will of the legislator to ensure the efficiency of the work of the AEPD and protect those administered against the excessive dilation of the procedures. Can not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 44/137 accept that the AEPD can carry out actions aimed at the "best determination of the facts and circumstances that justify the processing of the procedure” indefinitely, without formally considering them “prior actions investigation”, even more so when, as in our case, it is invoked precisely to circumvent the time constraints imperatively imposed by the Article 67.2 of the LOPDGDD. Therefore, the Agency has violated the provisions of the LOPDGDD regarding the sanctioning administrative procedure and its processing, invalidating the initiation agreement and the procedure as established in the article. 47.1.e) of the LPACAP for having totally and absolutely dispensed with the procedure legally established. 3. Considers GOOGLE LLC that it has not violated article 6 of the RGPD, which proceeds apply the legitimating basis of legitimate interest to data communications made to Lumen. The Agency rejects the application of legitimate interest and denies the possibility of resorting to consent. Regarding this last alternative, he indicates that it has never been defended by GOOGLE LLC, so it does not refer to it in its allegations, although he warns that he disagrees with the reasoning contained in the proposal, although offers no explanation for it. The respondent understands that, according to Opinion 06/2014 on the concept of interest legitimate interest of the data controller, (a) there are various interests legitimate interests in the transfer of data with Lumen, and (b) said legitimate interests prevail on the rights and freedoms of the interested parties; in line with what is indicated in the arguments to the initial agreement, which is reproduced almost literally in this new writing of arguments to the proposal. Reiterates what was stated in the pleadings brief at the opening of the proceeding about the legitimate interests of GOOGLE LLC, Lumen and society in general in the transfer of information on requests regarding the removal of content, and points out, in response to what is indicated in the resolution proposal, that such legitimate interests they do not have a supervening character, but existed before the activities were carried out. transfers to Lumen and met the necessary requirements to constitute the base legitimizer of such assignments; and that it cannot be argued that said communication of data defrauds the expectation of privacy of users, since these are reported on the forms. On the other hand, GOOGLE LLC clarifies that it is not true that it shares with Lumen the e-mail address of the claimants, and that this could only happen in the In the event that it is the claimant himself who includes his email address in the free field of the form intended to motivate or explain your withdrawal request. Finally, the respondent alleges that none of the circumstances indicated by the Agency to question the application of this legal basis may deny their own interest legitimate, that of Lumen or of society in general, nor can it be understood that tilt the weighting test in favor of the rights and freedoms of interested. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 45/137 4. The AEPD imputes to GOOGLE LLC an infringement of art. 17 of the GDPR, referring to right of suppression, although from a very different perspective than the one analyzed in the initial agreement, and reproaches the "non-attention and obstruction of the right of deletion of personal data” based on the analysis of procedures and various forms that the entities of the Google group make available to their users to request the removal of illegal content or content that is contrary to the terms of service or the content policies of each respective service or Google product. GOOGLE LLC is not the controller of the personal data processed in the context of many of those forms and the associated withdrawal processes, which entails the impossibility that the Agency can impute the infringement of the article 17 of the RGPD regarding these treatments. In addition, the AEPD does not provide any evidence of the existence of a single right of deletion "unattended" or "hindered" by the claimed and bases the violation in an opinion on the lack of simplicity and clarity of withdrawal forms Contents. The aforementioned imputation is devoid of any evidence or objective criteria and absolutely disconnected from the complaints that originated the procedure. The AEPD ignores that GOOGLE LLC has more open channels for communication with its users and those interested in exercising a right under the regulations of data protection, being possible to contact the Data Protection Office of Google through the channels enabled for this, generic forms are offered to formulate any type of legal claim and, in the same way, the entity receives regularly all kinds of postal mail related to removals of content or with the exercise of rights. The AEPD "speculates" that the lack of attention and obstruction exists because the content removal forms are not clear, but this is not enough to prove the infraction, which is situated before a case of effective exercise of a right of suppression, which is infringed only when it is really frustrated, either by prevent its exercise, either because the personal data was not deleted when appropriate. But the commission of the offending type requires as a "condition sine qua non" the existence of a right of suppression that, well it was tried to exercise and was not achieved by preventing illicitly exercised, or was exercised and the data was not deleted when proceeded. The AEPD bears the burden of proving the real existence of this exercise of right of deletion that did not come to fruition due to "not having been attended to or having been hindered." However, the Agency proves no such thing. Faced with this, although it is not required of anyone to prove their innocence, GOOGLE LLC can provide numerous evidence that the right of suppression is met correctly and in no case is it hindered. (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 46/137 On the other hand, the AEPD ignores the set of help pages and resources specifically intended to inform and assist applicants for the right of suppression before GOOGLE LLC. This is the case, among others, of the help page "General description of the right to be forgotten" (provides the detail of this page), which includes, according to said entity, very detailed information, in simple, clear and concise on the law, as it has been recognized by the CJEU and is applying and interpreting the courts and data protection authorities in their decisions and guides. It also makes video tutorials available to claimants to explain the channels and procedures to exercise your right of deletion (“right to be forgotten”) effectively (provides screen print available on Youtube). Considers it unheard of that the AEPD understands that GOOGLE LLC hinders the exercise of rights, when it invests so many resources and means to explain to claimants How can you exercise it? The AEPD also seems to have overlooked the fact that the Third Chamber of the Court Supreme has had the opportunity to evaluate forms for the removal of content offered by Google LLC in various sentences, and has done so in the following terms: “offers interested parties complete information on the exercise of their right, facilitates the corresponding forms and provides precise instructions for completing them. See, for all, Judgment no. 1917/2016, of July 21, 2016 (Recourse no. 2866/2015), Judgment no. 3713/2016 of July 21, 2016 (Appeal no. 3279/2015) or Judgment no. 1912/2016 of July 21, 2016 (Appeal no. 1867/2015). In view of the absence of evidence, in the opinion of the respondent, it turns out that the AEPD is trying to reorient the purpose of article 17 RGPD and to create a new construction on how the requests of the interested parties should be channeled. A new interpretation that has no connection with the evidence collected by the AEPD, its conclusions and the complaints filed. As on previous occasions, it seems that the AEPD is using a sanctioning procedure inappropriately to establish interpretive criteria (when said procedure is clearly unsuitable for this) and, as the Agency is well aware, such behavior is not allowed by law. This was established by the Contentious-Administrative Chamber of the National High Court in its ruling of April 23, 2019 (appeal no. 88/2017), precisely as a result of a resource of GOOGLE LLC: “In short, the Chamber considers that the AEPD, in this case, has not proceeded to initiate a sanctioning procedure, based on the denunciation of specific facts, and in which, respecting the principles that govern such a procedure, has reached a resolution sanctioning authority after making a reasonable assessment of the evidence, but, as she itself comes to recognize, has made use of a sanctioning procedure, to establish a interpretive criterion regarding the issues raised by the complainants – the disagreement with the criteria already established by the AEPD itself in a press release- in accordance with the guidelines of the Group of Data Protection Authorities of the European Union. (F.V, page 41 of the resolution), a criterion that cannot be shared by the Chamber at all, according C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 47/137 with the previously exposed.” There is also no complaint or complaint from any citizen about this in the file. particular. Thus, the conclusions of the motion for a resolution are manifestly contrary to the principle of legitimate expectations contained in art. 3.1(e) of Law 40/2015, of 1 October, of the Legal Regime of the Public Sector, taking into account that the AEPD has been linking and inviting citizens to use the set of forms of removal of content, as can be seen on its website: Right of deletion ("at oblivion"): internet search engines, Delete photos and videos from the internet, Guide for citizen (page no. 23) or its recent Priority Channel (reviews the links that lead to this information posted on the AEPD website). GOOGLE LLC states that it is open to improving the procedures and mechanisms enabled for the withdrawal of content and the exercise of rights to under the data protection regulations, in accordance with the considerations that transfer the AEPD, but does not consider that it is hindering its exercise. What is stated in this allegation entails, according to the claim, the non-existence of the infringement of article 17 of the RGPD, as well as the nullity of the start-up agreement and the procedure in accordance with the provisions of art. 47.1(e) LPACAP and, subsidiarily, the annulment of the same in the terms contemplated in art. 48 LPACAP. 5. In relation to the graduation of sanctions, GOOGLE LLC formulates subsidiary the following allegations: a) The AEPD has taken into consideration content removal forms related to products and services provided by GOOGLE IRELAND LTD and processing for which GOOGLE LLC is not responsible. Understand that since have reduced the products and services under analysis, the sanctions must be subject to an equally proportional reduction. b) The mitigating circumstances specified below must be considered. continuation: . Article 83.2.c of the RGPD: GOOGLE LLC has instructed Lumen to carry out additional anonymisations of requests for removal of content identified by the AEPD, as stated in the performances. He rejects the assessment made by the Agency regarding these measures when indicates that they do not modify the basic fact of the infraction so as not to take them into account as mitigating factors. Mitigating circumstances, by definition, do not change the fact that an infringement has occurred, but rather contribute to mitigating the liability of the offender for the offense committed. If such measures are not valid for these purposes, the respondent raises what the Agency considers to be It would be a mitigating circumstance appropriate to the indicated precept. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 48/137 Nor can it be accepted that the accompanying measures (described in the Complementary Allegations), aimed at reinforcing the protection of the rights of stakeholders, should not be taken into consideration because they are insufficient, according to the criterion of the AEPD, which seems to want to discourage the taking of measures by those responsible before a procedure. He adds that the fact that they did not "reach remedy the infraction” does not imply that they cannot be configured as mitigating (especially, taking into account art. 83.2.k of the RGPD does not limit the type of mitigating factors to resort to). . Article 76.2.c of the LOPDGDD: GOOGLE LLC does not derive any commercial benefit or income as a result of communications to Lumen. The Agency has indicated that the absence of benefits cannot be measured exclusively in commercial or monetary terms and, furthermore, in the case of a company that bases its activity on the processing of personal data, cannot It can be said, without further qualification, that GOOLGE LLC makes no commercial profit. Yes the Agency considers that the respondent entity has obtained benefits, whether commercial or of any other type, you must prove it, not corresponding to GOOGLE LLC demonstrate a negative fact (and constituting "evil evidence"), such as the lack of benefits obtained in this aspect. c) The object of the imputed infractions is reduced solely to the treatment of data attributable to GOOGLE LLC in Spain, which implies a clear and direct impact in the aggravating circumstances (which that entity rejects in its entirety) under the articles 83.2(a), (g) and (k) of the RGPD indicated by the AEPD. d) In accordance with the principle of legitimate expectations, it is manifestly incoherent that the Agency itself has been linking and promoting the Withdrawal Forms for years Google Content on your websites, guides and publications, if you really considered that they were an obstacle or barrier to the exercise of rights. turns out how much less shocking than it is up to now, and nothing less than at the headquarters of a Proposal for a sanctioning Resolution, the first time this issue has been raised. According to the defendant, the advertising carried out by the AEPD of the forms of Google should be considered a mitigating circumstance under art. 83.2 (k) GDPR, that directly mitigates the potential malicious or negligent behavior of Google LLC (quod non). e) It is also not possible to accept the recrimination that the AEPD makes about the lack of statement by GOOGLE LLC, in its allegations to the initiation agreement, about the graduation factors stated in said Startup agreement. GOOGLE LLC totally rejects the aggravating circumstances indicated by the AEPD and its lack of statement in this regard in the allegations to the initial agreement does not produce no effect in this regard. 6. In relation to the measures that GOOGLE LLC must take to adjust its action to the personal data protection regulations, reiterates that in the territory Spanish can only be considered responsible for the treatment derived from the communication of withdrawal requests to Lumen and in relation to certain data present in the information indexed and displayed in the services of “Google Search” and “Google Maps”. Any measure that the AEPD establishes C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 49/137 should be limited to those specific treatments. In this regard, it warns that any type of measure that affects its processes internal demands significant engineering resources and implies the need to undertake various tasks of planning, coordination, management, error testing and supervision, with the added difficulty that the claimed company is a foreign company that will have to coordinate different teams at an international level. On this basis, it requests that grant a sufficient term to guarantee a correct implementation of the measures in question and that allow safeguarding the rights of the interested parties and not jeopardize the quality and stability of the entity's systems. Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: PROVEN FACTS 1. GOOGLE LLC is a company with registered office in California (United States), which has a subsidiary in Spain that acts under the legal form of a limited liability company. limited liability, with the name GOOGLE SPAIN, S.L. and what has like corporate purpose “Promote, promote and market online advertising services, Through Internet". GOOGLE LLC develops an activity of an economic nature whose purpose is the offer of products and the provision of online services, which include, among others, operating systems, applications for mobile devices, email e-mail, social networks, maps, video, blogs, Cloud services and applications specific for companies. This entity offers its products and services to people residing in Spain, are natural persons (such as “Search”, “Maps”, “Gmail”, “YouTube”, “Drive”, "Blogger") or legal. In some cases, the use of the products or services is offers to users who have previously registered as such (eg, Gmail), but products and services are also offered (Search, Maps, Youtube, etc.) that can be used without logging in as a registered user. GOOGLE LLC has a subsidiary in Ireland, with the name GOOGLE IRELAND LIMITED. This subsidiary, from 01/22/2019 (date of update of the Privacy Policy that informs about the offer of products and services of "Google" by this entity in the European Economic Area), acts as responsible for the processing of personal data of the users of the services of “Google” that are located in the European Economic Area, “unless indicated otherwise in a service-specific privacy notice” (Privacy Policy). Privacy). As of that date, “Google LLC is the data controller. information indexed and displayed in services such as Google Search and Google Maps” (Privacy Policy), regardless of the user’s location. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 50/137 2. The Privacy Policy of GOOGLE LLC is accessible on the website "Google com". Since the date 05/25/2018, there are eight updates to this Privacy Policy, four of which have been incorporated into the proceedings (those dated 05/25/2018, 01/22/2019, 03/31/2020 and 07/01/2021, which corresponds to currently valid version). As indicated in this information, the Privacy Policy applies to all services offered by GOOGLE LLC and its affiliates, except “for services that are subject to independent privacy policies”. The entire content of this Privacy Policy, in its different versions, is declares reproduced in this act for evidentiary purposes. Some of this content is incorporated into this act as Annex 1. 3. GOOGLE LLC has established a specific procedure so that interested parties may request, "for privacy reasons", the withdrawal of results obtained in searches with the name of the person as criteria and enabled a form specifically called “Withdrawal under EU privacy law”. East form is accessible through the “google.com” website, at the URL “https://www.google.com/webmasters/tools/legal-removal-request? complaint_type=rtbf&visit_id=637759350971490255-235171692&hl=es&rd=1”. In this form, GOOGLE LLC declares itself responsible for data processing personal data by providing results from “Google Search” and managing the withdrawal requests submitted using this form. It incorporates a link “How to remove content from Google” that leads to the page on which that various "Google" products are listed, through which you can access the content removal forms enabled for each of these products (in the Sixth Antecedent the complete list of products and services is detailed included in it). This page coincides with the one outlined as “Forms Google 2, 4, 5, 7, 9, 17, 21 and 23”. The full content of this form, which is incorporated into this act as Annex 2, is declares reproduced for evidentiary purposes. 4. Through the website “google.com” you can access the page “How to withdraw Google content”, which coincides with the one described as “Google Forms 2, 4, 5, 7, 9, 17, 21 and 23”. This page gives entry to the forms enabled by GOOGLE LLC so that Users can request the removal of content online for each of the products that are listed in it (according to the information offered, "This page will allow you to access the appropriate site to report the content you want to remove from Google services in accordance with applicable laws”). The Sixth Precedent details the complete list of products and services C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 51/137 included on this page. Verifications have been carried out in the actions (they are detailed in the Background Sixth and Tenth) in relation to the Blogger/Blogspot products, Chrome Web Store/extension gallery, Google Classroom, Google Groups, Google Help Communities, Poly, Feedburner, Data Studio, Cloud Firestore, Google Images, Google Photos and Picasa Web Album, Drive and Documents, Search Google, Google Maps and related products, Google + and Google News (“Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 18, 19, 20, 22, 24, 25, 26 and 27, respectively). In general, when you click on a product on the page “How to remove content from Google” you access a new page that allows you to create a request for withdrawal of online content. The application includes fields for the applicant to provide their data relating to the country of residence, full name and contact email address; just like him name and surname of the person you represent, URL of the content that includes the personal information you want removed, the personal information you want to withdraw and the reasons for the withdrawal. “Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20 and 22” include the following informative text: “In addition, we may publish similar information from your notification on our website. transparency report. For more information on this report, click here.” The content of these forms, which is outlined in Background Information Sixth and Tenth, it is declared reproduced for evidentiary purposes. 5. GOOGLE LLC has provided a specific form to report alleged copyright infringements (“Google Forms 1 and 11”), accessible through the website “Google.com”. This complaint may entail “the withdrawal of any material against which a claim has been made for incurring a infringing activity, the disabling of access to said material or the cancellation of subscriber accounts. These forms include the following informative text: “Furthermore, according to our policy, we document all notifications of alleged violations we receive, including sending a copy of the notice to one or various third parties, or its publication”. The content of these forms, which is outlined in Background Information Sixth and Tenth, it is declared reproduced for evidentiary purposes. 6. The “Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20, 22, 25 and 26” display the following informative text, which refers to the communication of data to “Project Lumen” by GOOGLE LLC: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 52/137 “Please note that we may send a copy of each notification legal documents that we receive to the Lumen project (https://www.lumendatabase.org) for publication and annotation. Lumen will remove the sender's personal contact information (i.e., the phone number, email address and home address). To consult an example of this type of publication, go to the page https://www.lumendatabase.org/notices/5838”. Through the "Google Form 18", corresponding to the Google Images product, accesses a tool for removal of “outdated content from Search Search”. Google". This tool offers the option of submitting a “legal request” to “remove personal information or content with legal problems that are still present in a page". In relation to this request, the following is indicated: Transparency is essential for us Transparency is one of Google's core values. In our desire to be transparent, we can send a copy of each legal notice that let's welcome the "Lumen project" (link to lumendatabase.org website) for publication. Lumen is an independent research project led by the Berkman Klein Center for Internet & Society at Harvard Law School. The Lumen database contains Millions of content removal requests that various companies have shared volunteer, including Google. Its objective is to facilitate academic and sectoral research on the availability of online content. Lumen will hide the personal contact information of the sender, such as your phone number, email address, and mailing address. You can see an example of a Lumen post “on this page”. The "Google Forms 1 and 11", arranged to request removal of content in line for copyright infringement, include the following references to "Lumen Project": “Furthermore, according to our policy, we document all notifications of alleged violations we receive, including sending a copy of the notice to one or various third parties, or its publication. You can see an example of this type of publication in the page https://www.lumendatabase.org/notices/2069”. “Please note that a copy of each legal notice we receive is sent to a third party, that you could publish it and annotate it (without your personal information). So the content of this form will be forwarded to Lumen (http://www.lumendatabase.org) so that it can be published. To see an example of this type of publication, access the page http://www.lumendatabase.org/dmca512/notice.cgi?NoticeID=861. In the case of products such as Google Web Search, a link to the posted notice will appear in the search results. Google search instead of removed content.” 7. GOOGLE LLC communicates to the "Lumen Project", created by the entity Berkman Klein Center for Internet & Society at Harvard University, both based in United States, requests for removal or deletion of online content that manages, motivated by copyright infringement, defamation, court rulings, trademarks, applications based on local law (legal problem). The information included in the "Google Forms" shows other reasons for that are selected by the interested parties, which may also lead to the sending of notification of content removal to "Project Lumen". C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 53/137 This communication occurs in relation to requests for removal of content in line that are formulated with respect to the products that are mentioned in the Facts Tried 4 and 5. GOOGLE LLC communicates to the "Lumen Project" all the information corresponding to these requests, including the identification of the applicant and the affected party, if applicable, their email address, the reasons alleged (the text of the claim) and the claimed URL, as well as supporting documentation, if any. 8. The entity responsible for the "Lumen Project" publishes the withdrawal notices online content that you receive from GOOGLE LLC on the website of its ownership, lumendatabase.org. The notice is published with the information that is transmitted to the "Lumen Project", although, This entity informs on its website that it executes automatic processes to anonymize some personal data (email addresses, telephone numbers or National identification or Social Security numbers, names included within a URL or in the text of the notice), in the manner indicated in the Proven Facts following. The publication of these notifications or notices has the following structure: . Header: reason for the request, natural person or entity making the request, date of the request, country of origin, entity to which the request is addressed and entity that has sent the notice to the “Lumen Project”. . Content Removal Request Summary – Includes a text box in which the factual circumstances of the request and its motivation and the URL are reproduced that gives access to the deleted content. . Link to the support documentation in “pdf” format. A link is included at the bottom of these posts, “Click here to request access and see full URLs” (whose translation would be “Click here to request access see address full URL”) leads to a page (“https://lumendatabase.org/notices/.../request_access”) in which you can request the “Lumen Project” access to the complete information of the corresponding notice of content removal. Clicking on this link takes you to a page with the label “Request full access to the complaint”, which includes a form that is requested the email address of the person who wishes to access the information, to which later the "Lumen Project" sends an email with a link to the single-use information. The structure of this form is as follows: Click on the link included in this publication “to request access and see the URLs complete” and access a form available at “lumendatabase.org”, at “To access this notice enter your email address and solve the captcha. After you submit the form, we will send you an email with a one-time link. use to notice. Email address C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 54/137 (space to record email address) ( ) Select to receive a notification when new documents are added. notification (or when existing notification documents are updated). Deliver (button)”. 9. It is declared reproduced in this act, for evidentiary purposes, the information available on the website "lumendatabae.org", in the sections "About", "Legal Notice" and “Researchers”, and in the document called “Basic concepts of the information of the notice of Lumen”, whose content is fully outlined in Annexes 3 and 4. 10. The detail of various publications is included in the proceedings made on the website "lumendatabase.org" corresponding to notifications of removal of online content submitted by GOOGLE LLC, related to requests addressed to this entity by Spanish users under the validity of the RGPD. The content of these publications, which is outlined in the Background of this act, is declared reproduced for evidentiary purposes. Said content can be accessed publicly, without restrictions, through the URLs that are mentioned in the Background of this act, outlined as "Link Lumendatabase” and marked with the numbers 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 22, 25, 26, 29, 30, 31, 32 and 33. The content deletion notifications accessible through the “Link Lumentadabase” indicated with the numbers 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, and 25 were sent by GOOGLE LLC as notices regarding requests for reasons defamation. On the reasons for the request, in relation to the “Links Lumendatabase 3, 14 and 25”, consists of the following: . “Lumendatabase 3 Link”: Remitted as a request for libel purposes, but it refers to the removal of search results from the “Search Finder”. Google" "(…)". . “Lumendatabase 14 Link”: Remitted as a request for libel purposes, but it refers to the deletion of personal data (“Data about me is given, email address…"). . “Lumendatabase 25 Link”: Submitted by GOOGLE LLC as a request for motives of defamation, but the text of the same refers to the elimination of search results of “Google Search” “(…)”. The content deletion notifications accessible through the “Link Lumentadabase” indicated with the numbers 16, 17, 18, 22, 26, 29, 30, 31, 32 and 33 were sent by GOOGLE LLC as notices regarding requests based on a Judicial failure. The content deletion notification accessible through the “Link Lumentadabase 15” was sent by GOOGLE LLC as a notice regarding C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 55/137 withdrawal requests by application of local regulations. The publications accessible through the "Lumentadabase Links" marked with numbers 16, 18, 22, 26, 29, 30, 31, 32 and 33 include the data in the header information of the applicants related to name and two surnames (except number 32, that only mentions a first name and a last name). The publications accessible through the "Lumentadabase Links" marked with the numbers 3, 5, 8 to 12, 18, 25, 29 and 30 include in the text box that reproduces the request for removal of content, detailing, in addition to the factual circumstances that motivate said request, the identification of one or more people (whether they are the interested parties to whom the removed content refers or other affected or implicated in the events); postal addresses; review of some url that includes the mention of a person's first and last name or a postal address; the commercial name of an establishment; the reference of a statement (number, date) and the name of the persons involved as parties in the process (plaintiff and defendant); or the profession of an affected party: “Lumentadabase 3 link”: postal address and URL with postal address. “Lumentadabase 5 link”: name and two surnames of a person and name merchant of an establishment. “Links Lumentadabase 8 to 12”: name and two surnames of the affected party (8), name and a surname of the same person (9 and 10), only a name of the same person (11 and 12). “Link Lumentadabase 18 and 29”: reference of a judgment (number, date) and the name of the people who intervene as parties in the process (plaintiff and defendant). “Base 25 Lumented Bond”. name and surname of a person and their profession. “Lumentadabase 30 link”: name and surname of two people involved in a court proceeding. The publications accessible through the "Lumentadabase Links" marked with the numbers 4, 8, 9 to 12, 13, 16, 18 and 32 include the URL that gives access to the content eliminated, in which personal data appears integrated in the address of Internet. These URLs appear in the post as follows: “Lumentadabase 4 link”: "(...)". "(...)". "(...)". "(...)". "(...)". “Lumentadabase 8 link”: "(...)". “Link Lumentadabase 9 to 12”: These links correspond to the same request for removal of content from “Link Lumendatabase 8”. In these cases, the address of the link shows “B.B.B.” (link 9), “B.B.B.” (links 10 and 11) or “B.B.B.” (link 12). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 56/137 “Base 13 Lumented Link”: "(...)". “Base 16 Lumented Link”: "(...)". “Base 18 Lumented Link”: "(...)". “Base 32 Lumented Link”: "(...)". In relation to the "Link Lumentadabase 16", the complainant provided a capture of screenshot of the “lumendatabase.org” website (“Lumendatabase 17 Link”), at showing a fragment of the first page of the (...), accessible through the “Link Lumendatabase 16”. It also provided a complete copy of this Judgment, in which includes the names and surnames of all the people involved in the process (judge who dictates it, plaintiff "C.C.C.", defendant, their representatives, the Public Prosecutor and (...) “D.D.D.”, as well as all the circumstances of the process, (…). This sentence is also support of the publication indicated as “Link Lumendatabase 18”. The checks carried out in the test phase of the procedure have allowed verify that the personal data and information accessible through the links reviewed has changed in the following sense: “Enlace Lumentadabase 3”: In the text of the claim, the address has been deleted postcard and the URL that was mentioned. “Link Lumentadabase 4”: Three URLs have been anonymized, while the two others as follows: "(...)". "(...)". “Link Lumentadabase 5”: In the text of the claim the data has been suppressed of name and surnames and the commercial name of the establishment. “Links Lumentadabase 8 to 12”: In the text of the claim and in the address of the link personal data relating to name and surname have been deleted. “Lumentadabase 13 Link”: The URL object of the content removal request appears anonymous. “Links Lumentadabase 18 and 29”: In the header the data of the applicant; in the text of the complaint the name of the persons has been deleted that intervene as parties in the process and the URLs have been suppressed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 57/137 “Link Lumentadabase 22 and 26”: The name of the applicant has been removed from the header. “Lumentadabase links 16, 17 and 25”: The page is not accessible. During the testing phase of the procedure, the following URLs were accessed, mentioned in the "Link Lumentadabase" that are indicated, which correspond to the respective internet addresses that were the subject of the withdrawal request. online content. This access returned the following information: “Lumentadabase 1 Link”: Access to the blog available at the address "(...)", which contains the date ***DATE.19. It is verified that it corresponds to a blog created, as indicated, (...). The heading indicates “(…)”. “Lumentadabase 4 link”: The internet address “(…)” is accessed and it is verified that it gives access to a document dated ***DATE.20, with the label (...). (...). 11. In a search carried out by the complainant with the “Google Search Engine”, with the name and surname of the applicant to whom the "Lumendatabase Links" correspond 16, 17 and 18” as query criteria, a page of results is obtained that includes a footnote indicating that several results have been deleted and is highlighted a hyperlink to “lumendatabase.org”: “In response to a legal requirement sent to Google, we have removed 3 result(s) from this page. If you wish, you can read more information about this requirement at LumenDatabase.org”. In a search carried out by the complainant with the "Google Search", with the name and surname of the affected party to whom the “Lumendatabase 16 Links, 17 and 18” as the query criteria, a results page is obtained that includes at the bottom two notes indicating that several results have been eliminated and a highlighted hyperlink to “lumendatabase.org”: “In response to a legal requirement sent to Google, we have removed 3 result(s) from this page. If you wish, you can read more information about this requirement at LumenDatabase.org”. “In response to a legal requirement sent to Google, we have removed 1 result(s) from this page. If you wish, you can read more information about this requirement at LumenDatabase.org”. 12. For evidentiary purposes, the statements made by the GOOGLE LLC in its brief of complementary allegations, dated 10/05/2021, the which is declared reproduced for such purposes. (...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 58/137 (...): . (...). . (...). . (...). . (…) . (...). . (...). FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of Control and, as established in articles 47, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate this procedure. Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures. II Previously, it is considered opportune to analyze the exceptions alleged by GOOGLE LLC, based on which requests the declaration of nullity of the actions, due to infringement of rules regulating the sanctioning procedure cause of defenselessness. 1. Considers that the AEPD has ignored the expiration of the previous actions of investigation and has kept the claimed entity under investigation for more of two years, despite the fact that the LOPDGDD provides for a sanctioning procedure of a maximum duration of 21 months, taking into account the duration of twelve months of the preliminary investigation actions (article 67.2) and the nine months of the penalty procedure (article 64.2). Warns that the previous actions expired on 12/13/2019, considering that the first complaint is from 09/13/2018 and that art. 65.5 LOPDGDD establishes that the admission or inadmissibility for processing, the claimant must be notified within a period of three months. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 59/137 And it adds that the AEPD did not dictate any agreement on the admission for processing and it was not until 01/16/2020 when he decided to provisionally archive the file and direct it to the Irish Data Protection Commission. The initiation agreement was notified on 06/23/2021, almost three years after the first complaint. Considering this expiration of the previous actions, it alleges that the information collected during the same cannot be used in the procedure, in accordance with the provisions of article 95.3 of the LPACAP. In this regard, it should be noted that the facts revealed by GOOGLE LLC to maintain this claim are incomplete and do not fully conform to the antecedents that must be assessed to appreciate or not the nullity invoked. In this case, eight complaints (8) were received between the dates 09/13/2018 and the 01/09/2019, and one more dated 12/01/2020. The first complaints received were transferred, on 02/01/2019, to the authority of Ireland Data Protection Act (Ireland DPC), in accordance with section 56 of the RGPD, to assess whether or not it held the status of control authority principal, as the entity GOOGLE IRELAND LTD. is located in that country, in so much so that establishment of the person in charge who decides, for Europe, the aims and the means in the processing of personal data. In a first communication, dated 04/10/2019, DPC Ireland reported that no considered competent to resolve this case. However, later, following the mutual assistance mechanism regulated in article 61 of the RGPD, requested the collaboration of this Agency to transfer the complainant various issues related to the complaints made. Once this procedure has been completed and the complainant's answers known, DPC Ireland rejected the competence in the processing of complaints through communication of 01/22/2020, considering that GOOGLE LLC is the controller, consisting of the communication of personal data related to requests for removal of content managed by GOOGLE LLC, carried out by this entity in the United States to an American database. After this procedure, which determined the competence of this AEPD to resolve the issues raised in those complaints, on 06/09/2021 it was agreed to opening of this sanctioning procedure, without having carried out actions prior investigation. This being the case, the expiration of actions that have not had place. The decision to carry out these preliminary investigation actions is a power of the AEPD, which may or may not agree to its initiation (article 67 of the LOPDGDD). In this case, said actions were not agreed upon and, therefore, were not did any research. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 60/137 No legal consequences can be attributed to the fact of not having agreed to the opening of previous investigative actions, nor to the time elapsed since the rejection of the complaints by DPC Ireland and the opening of the procedure, since there is no rule that limits the time available to the Administration to initiate this type of procedure, beyond the rule of the prescription and the effects attributed to it. On the other hand, it should be noted that the approach that GOOGLE LLC makes on the maximum duration of the sanctioning procedure, which is set at 21 months, taking into account takes into account the duration of twelve months of the previous investigation actions (article 67.2) and the nine months of the sanctioning procedure itself (article 64.2), no adjust to Law. On the one hand, as has been indicated, there is no standard applicable to the sanctioning procedure regarding the protection of personal data that establishes a preclusive term to agree on its opening; and, on the other hand, the term of expiration of the sanctioning procedure is established in nine months and computed from the date on which its start is agreed, resulting inadmissible to add to this computation, in order to measure the duration of the administrative file, no other period, such as the time of the preliminary investigation actions, in case of that its realization had been agreed. The Spanish procedural rules (LPACAP), establish that the procedures of sanctioning nature will always be initiated ex officio by agreement of the body competent. GOOGLE LLC responds to the above reasoning in its allegations to the motion for a resolution, pointing out that the preliminary investigation actions have dilated more than what is allowed in the norm, without being able to oppose the file provisional file of the declared file due to the procedures followed before the DPC Ireland, since this entity rejected the case on 01/22/2020. Right now that provisional file must be understood as raised and the file recovers its “vigour”. The consequence of this, according to GOOGLE LLC, is the expiration of the actions previous, whose existence is an incontestable fact in the opinion of said entity, for as the Agency, before the opening of the procedure, carried out a series of actions aimed at the "better determination of the facts and circumstances that justify the processing of the procedure” (article 67 of the LOPDGDD) that only They can be classified as investigations, which are reflected in this act. This supposes, in the opinion of the defendant, an infraction of the legal system by part of the Agency, whether the preliminary proceedings are considered open by the investigative work carried out, in which case these actions would be expired; as for the exercise of these powers of investigation without having formally agreed upon their initiation, circumventing the established time limit. According to GOOGLE LLC, the only possibility to carry out investigative work is through through these preliminary actions, whose duration is set at 12 months to protect to those administered indefinite investigations and excessive dilations in the procedures. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 61/137 However, as stated above, this Agency does not oppose the aforementioned provisional file to justify the time elapsed until the opening of the penalty procedure. As can be seen, in the preceding paragraphs This Agency details the procedure followed in accordance with articles 56 and 61 of the GDPR and it is clearly stated that DPC Ireland has rejected competition in the processing of complaints dated 01/22/2020, to then add that no no consequence can be attributed to the time elapsed until the opening of the procedure, unless the prescription of the infractions had occurred. This is so considering, as this Agency understands, that no previous investigative actions prior to the opening of this process. Screenshots were only obtained of the links that appear in the complaints, to verify that they correspond to what was stated by the complainant. It should be clarified in this regard that in some cases the links that motivate the complaint, but without accompanying its content. And this is done by of the complainant knowing that access to information is public and the review of the URL that leads to that information is sufficient for this Agency to be able to verify the reasons or manifestations of the complaint. It is the same thing that GOOGLE LLC does in its allegations to the proposed resolution in relation to the infringement of article 17 of the RGPD that is analyzed in the Foundation of Law VII. In these allegations he invokes the principle of trust legitimate considering that the website of the AEPD inviting citizens to use the set of online content withdrawal forms enabled by said entity and includes links to access them. GOOGLE LLC details URLs that lead to this information inserted in the website of this Agency (“aepd.es”), but without providing the information offered. To respond to these allegations in this Resolution, this Agency has accessed the information alleged by the claimed and checked the links to the forms in question, and it cannot be said that this verification is investigative in nature. Therefore, no action was developed for the "better determination of the facts and the circumstances that justify the processing of the procedure”, as GOOGLE says LLC. 2. On the other hand, in its brief of arguments to the proposed resolution, GOOGLE LLC questions the extension of the object of the procedure carried out in the motion for a resolution, which has added a new alleged infringement of Article 17 of the GDPR. In this regard, it argues that said infringement is based on forms and procedures for the removal of content accessible through the products and Google services offered by GOOGLE IRELAND LTD. Understand, therefore, that it is this entity and not GOOGLE LLC, which is responsible for those procedures and forms and the processing of personal data associated with the use of these services; and what is the Irish Data Protection Commission (or “IDPC”) the main supervisory authority for any cross-border processing related to such personal data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 62/137 Therefore, it considers that this extension of the object of the procedure has been carried out without resorting to the cooperation mechanism regulated in article 60 of the RGPD, vitiating the present procedure as null or void. This Agency does not share with GOOGLE LLC that to declare the infringement of the article 17 it is necessary to go to the cooperation mechanism regulated in the article 60 quoted. This file analyzes exclusively the responsibility of GOOGLE LLC in the issues raised, considering the complaints made and the documentation reviewed in the file. It follows that from the moment the GDPR became fully applicable, in May 2018, and at the time the allegations are made, GOOGLE LLC was responsible for data processing associated with the use of all products and Google services, as well as all withdrawal procedures and forms online content and the processing of personal data that its content entails. utilization. This situation continued until 01/22/2019, the date on which, as reported to users in the Privacy Policy available on the website "google.com", the subsidiary of GOOGLE LLC in Ireland, trading as GOOGLE IRELAND LTD, became charge of providing some products and services of "Google" for the Space European Economic and Swiss. And not only that. It is accredited that GOOGLE LLC has been the responsible entity in our territory for certain products and services throughout this period and it still is today. According to the aforementioned Privacy Policy, “Google LLC is the controller of the information indexed and displayed in services such as Google Search and Google Maps”, regardless of the user location. It can even be said, as expressed in the Privacy Policy Privacy, that the products “Google Search” and “Google Maps” are mentioned as an example, implying that there may be other products or services of the that GOOGLE LLC is the responsible entity, other than the two mentioned in the Privacy Policy. This is the specific responsibility of GOOGLE LLC that is assessed in the proceedings, in which nothing is resolved with respect to GOOGLE IRELAND LTD, of so that the provisions of article 60 do not apply to this case the GDPR. Also in relation to this violation of the provisions of article 17 of the RGPD, GOOGLE LLC, in addition to questioning what said entity qualifies as a extension of the object of the procedure, indicates that this imputation is disconnected from the complaints that have given rise to the procedure and that in the itself, interpretive criteria are established improperly, contrary to what declared by the National High Court in its judgment of 04/23/2019 (appeal no. 88/2017), issued by reason of an appeal from the claimed entity itself. This Agency does not share the conclusion expressed by GOOGLE LLC. how can C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 63/137 verified in this act, the agreements that are adopted are based on what expressed in the applicable regulations and in consolidated interpretations thereof. In addition, the doctrine established in the cited judgment is applicable to events prior to the RGPD, which establishes a new and different legal regime that must be taken into account account in the procedure and that, unlike what was reported in the sentence, in the This resolution makes reference to the specific complaints, makes a assessment of the tests carried out around them, which are related with specific and individualized behaviors in relation to certain people physical, but also transcend these complaints. On the other hand, this Agency understands that the decisions adopted in this resolution are directly linked to the complaints outlined in the Background, which refers to numerous cases of requests for withdrawal of online content and the specific forms under analysis. In any case, the intervention of this Agency is not restricted by complaints formulated. The RGPD has established its own and specific regime regarding the Procedures before the control authorities in matters of data protection. In Chapter VIII of the RGPD, which is entitled “Remedies, liability and sanctions”, establishes the right to file a claim with a control authority if a data processing is considered to infringe the Regulation (article 77) and the right to effective judicial protection in case of violation of the rights established in said Regulation (article 79). The LOPDGDD has also reflected this distinction, so that the claim of an individual can give rise to two types of procedures, one of them related to infractions of the RGPD, in general, and another for violation of their rights (article 63.1). The LOPDGDD does not foresee any additional type of procedure in case of possible violation of the data protection regulations, so that all the functions and powers that the RGPD grants to the control authorities in the articles 57 and 58 RGPD will have to be exercised through said procedures in case of possible violation of data protection regulations. There are no others. Also taking into account article 64 LOPDGDD, when the procedure is directs exclusively to the lack of attention to a request of the rights articles 15 to 22 RGPD a claim will be necessary, but (art. 64.2 LOPDGDD) [w]hen the purpose of the procedure is to determine the possible existence of an infringement of the provisions of Regulation (EU) 2016/679 and of this law organic, will be initiated by means of a start-up agreement adopted on its own initiative or as consequence of claim. In other words, both the RGPD and the LOPDGDD consider that a claim from an affected party may be the way or means of carrying out knowledge of the control authority a possible infringement of the regulation of data protection, but in no case restricts the action of the data protection authority. control to the specific and concrete complaint of those affected. Control Authority can act when the confluence of several claims of people individuals affected, an action by the person responsible for C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 64/137 general character (that is, not only in the specific cases presented by the claimants) which shows that these specific cases are the reflection of a pattern or common policy applied to all those affected persons who are in the same case those interested. When an action that is considered incorrect derives from a general policy adopted by the data controller, so that these are not cases specific, but these cases are just the sample of a general policy adopted that is considered in violation of the RGPD, the violation does not reside exclusively in the cases examined but in the general action followed by the responsible. It will be said general action that constitutes an infringement of the RGPD, and not just the specific offenses based on it. To do otherwise would be inconsistent with the purpose and will of the Community legislator, expressly embodied in the RGPD, according to which the control authorities must control and enforce the GDPR; and with the possibility that “breaches” of the data protection regulations may transcend claims individual formulated through which they are revealed. In any case, no rule prevents the body that exercises the power sanctioning, when it determines the opening of a sanctioning procedure, always ex officio (article 63.1 law 39/2015, of October 1), determine its scope according to the circumstances revealed, even if they do not fit strictly to the statements and claims of the complainant. That is, the agreement to initiate the sanctioning procedure is not constrained by the complaint (the same happens with the claim in the scope of the RGPD) presented by the particular. This is not the case in the case of procedures carried out at the request of the interested, in which article 88.2 of the LPACAP requires that the resolution be consistent with the requests made by him. Even in this case, it remains except for the power of the Administration to initiate a new procedure ex officio. This same article 88 of the LPACAP, referring to the content of the resolution, in its Paragraph 1 establishes the obligation to decide all the issues raised by the interested parties and those others that derive from the procedure, including questions related not raised by the interested parties. In the sanctioning procedure, even the facts that are reveal during their instruction, which will be determined in the resolution proposal, and may motivate the modification of the imputations contained in the agreement to initiate the procedure or its legal qualification. In this sense, when referring to the specialties of the resolution in the procedures sanctioning, article 90 of the LPACAP establishes that "The resolution does not may accept facts other than those determined in the course of the procedure, regardless of their different legal assessment…”. For all these reasons, the aforementioned claims of nullity must be rejected. III C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 65/137 The purpose of this proceeding is to analyze the presumed illegality of the communication of personal data related to the removal of content in line carried out by GOOGLE LLC, either at the request of the affected party or at the request in some instance, to the "Lumen Project"; as well as a possible infringement of the right of deletion of personal data regulated in article 17 of the RGPD. To analyze these issues, the information provided by the entity claimed from users, mainly the one provided in the application forms enabled by said entity and in the "Privacy Policy of Google". It also takes into account the personal data management system that is made available to users and the mechanisms for the exercise of rights. Rights recognized to interested parties in terms of data protection. However, this act does not contain any pronouncement on the legality of this information and the personal data management processes designed and implemented by GOOGLE LLC, other than the one specifically analyzed in the present procedure. In the same way, although the information obtained from the “Links Lumendatabase” incorporated into the actions, is not part of the object of the procedure the analysis of the treatment of personal data that entails the receipt and processing of online content removal notices that the "Lumen Project" receives from the respondent, the publication of these notices that this entity performs through its website "lumendatabase.org", nor the communication of data that said entity performs to third parties, to whom it gives access to complete information regarding these requests. On the other hand, in relation to the publications made in “lumendatabase.org” (“Lumendatabase Links”) of the documents provided by the complainant and the verification of these links by the Subdirectorate General for Inspection of Data, indications are obtained of an effective communication of data by GOOGLE LLC to the "Lumen Project" under the validity of the RGPD in the cases corresponding to requests for removal of content subsequent to the entry into force of this Regulation, on 05/25/2018. Therefore, requests prior to this date are excluded from the purpose of the procedure. date. Also those that correspond to requests made by users of other countries. In accordance with the foregoing, the conclusions that could be derived from this procedure will not imply any pronouncement regarding the aspects previously discarded. IV GOOGLE LLC is a company with registered office in California (United States) that develops its activity as a provider of online products and services, which are offered in the European Union territory. This entity has a subsidiary in Ireland, under the name GOOGLE IRELAND C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 66/137 LTD, which, since 01/22/2019, is the provider of products and services of “Google” for the European Economic Area and Switzerland. Thus, from that date, GOOGLE IRELAND LTD acts as the controller of the personal data of the users of “Google” services who are in the Economic Area European, "unless otherwise indicated in a specific privacy notice of a service” (Privacy Policy). Until that date of January 2019, GOOGLE LLC was the entity in charge of this provision of products and provision of services in its entirety. After that date, it still is for certain products, such as "Google Search" and “Google Maps” (according to the Privacy Policy, “Google LLC is the responsible for processing the information indexed and displayed in services such as Google Search and Google Maps”, regardless of the location of the Username). This proceeding is directed against GOOGLE LLC for considering this company as responsible for the processing of data consisting of the transfer to a third party (“Project Lumen”) of the data related to the withdrawal requests content of its products and/or internet services. In this case, as has been said, the processing of data subject to the procedure consists of a communication of data related to requests or requirements of content withdrawal that GOOGLE LLC makes to the “Lumen Project”. Therefore, this proceeding is directed against GOOGLE LLC, as an entity responsible for that communication of personal data to a third party (the position of third party that is granted to the “Lumen Project” is carried out in accordance with the definition reflected in article 4.10) of the RGPD: “third party: natural or legal person, authority public, service or body other than the interested party, the data controller, of the person in charge of the treatment and of the persons authorized to treat the data under the direct authority of the person in charge or the person in charge”). Thus, in the case of a company with headquarters in a third country, it is appropriate to analyze the territorial scope of the GDPR. Article 3 of the RGPD establishes the assumptions related to the territorial scope in which the The Regulation itself and the European regulations are applicable to the processing of personal information. Specifically, the article in question, based in turn on Considering 22 to 25 of the same legal text, establishes: "1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of the controller or processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of interested parties who are are in the Union by a controller or processor not established in the Union, when the treatment activities are related to: a) the offer of goods or services to said interested parties in the Union, regardless of whether they are required to pay, or C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 67/137 b) the control of their behavior, to the extent that it takes place in the Union. 3. This Regulation applies to the processing of personal data by a responsible that is not established in the Union but in a place where the law of the Member States is applicable under public international law. These RGPD application criteria, in light of the transcribed article, are susceptible grouped into two large groups: on the one hand, the one that refers to the place of establishment of the person in charge (or person in charge, as the case may be) and on the other, the place of location of the target audience of the activities of the person in charge (or person in charge, in his/her case), even when it cannot be considered established in the European Union. Finally, the article points out that it also falls within the scope of the RGPD those cases in which, by virtue of the application of the rules of law international public, it is considered that the law applicable to the place of establishment responsible is that of a Member State. With regard to this sanctioning procedure, and whenever considers GOOGLE LLC. responsible for the processing of personal data, it is necessary to examine whether the GDPR is applicable to the US entity and in Under what criteria? Beginning the examination with the first of the two great criteria, the one that makes reference to the place of establishment of the person in charge, it is necessary that two elements: the existence of an establishment in the territory of the European Union and that the data processing is carried out in the “context of the activities of the establishment of the person in charge or in charge”, regardless of whether the treatment takes place in the European Union or not. Regarding the first of the mentioned elements, Recital 22 offers us an interpretation of what should be considered as an establishment: “[…] An establishment implies the effective and real exercise of an activity through stable modalities. The legal form of such modalities, whether it is a branch or a subsidiary with legal personality, is not the determining factor in this regard”. In this sense, we find that, regardless of the designation, for part of the parent company, GOOGLE IRLELAND LTD. as a provider of services within the scope of the European Economic Area and Switzerland, GOOGLE LLC. follow maintaining subsidiaries in various member territories that can be considered “stable” establishments for the purposes of the provisions of the RGPD. Thus, it is worth remembering ruled by the Court of Justice of the European Union (hereinafter CJEU) in the Judgment delivered on May 13, 2014 in case C-131/12 (GOOGLE SPAIN SL and Google Inc. v. Spanish Data Protection Agency and N.N.N.) when points out that “[…] it is not disputed that Google Spain is dedicated to the effective and real of an activity through a stable facility in Spain. Furthermore, being endowed with its own legal personality, is thus a subsidiary of Google Inc. in Spanish territory, and, therefore, an "establishment", in the sense of article 4, paragraph 1, letter a), of Directive 95/46. […]”, whose literal tenor was “[…] the treatment is carried out within the framework of the activities of an establishment of the controller in the territory of the Member State […]”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 68/137 Regarding the second of the elements that come into play, the determining factor would not be so much so that the data processing is carried out by the establishment itself based in the European Union, but that the activities carried out by the latter are inextricably linked to the data processing activities carried out by the person in charge. On this point, the CJEU, in the same ruling cited in paragraph above considered the following: “[…] it is appropriate to consider that the processing of personal data carried out in order to operation of a search engine such as Google Search, managed by a company which has its registered office in a third State but which has an establishment in a Member State, is carried out 'within the activities' of that establishment if this is intended for the promotion and sale in said Member State of the spaces search engine advertising, which serve to monetize the service offered by the motor. Indeed, in such circumstances, the activities of the operator of the search engine and those of its establishment located in the Member State in question are inextricably linked, given that the activities related to advertising spaces constitute the means for the search engine in question is economically profitable and since this engine is, at At the same time, the medium that allows the aforementioned activities to be carried out. Furthermore, with regard to the application of the RGPD to the treatment of data subject to this sanctioning procedure, it should be noted that, not However, the concurrence of the territorial element under article 3.1 examined, It can also be concluded that the processing of data subject to this procedure would be collected under the umbrella of the aforementioned article 3.2.a), finding the foundation to determine the concurrence of the mentioned precept, in the Considering 23 of the same legal text: "In order to ensure that natural persons are not deprived of the protection to which they have the right under this Regulation, the processing of personal data of interested parties who are in the Union by a person in charge or a person in charge not established in the Union should be governed by this Regulation if the processing activities are refer to the offer of goods or services to said interested parties, regardless of whether half payment. To determine if said person in charge or person in charge offers goods or services to stakeholders who are located in the Union, it must be determined whether it is clear that the responsible or the person in charge plans to offer services to interested parties in one or more of the Member States of the Union. Although the mere accessibility of the website of the person in charge or manager or an intermediary in the Union, an email address or other contact details, or the use of a language generally used in the third country where you reside the person in charge of the treatment, is not enough to determine said intention, there are factors, such as the use of a language or currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mention of clients or users residing in the Union, which may reveal that the data controller plans to offer goods or services to those interested in the Uni.n” Examining the factual assumption, its fit with the aforementioned article is observed. 3.2.a) of the RGPD and with the criteria of Considering 23, namely, existence of a processing of personal data of interested parties located in the European Union European; by a person in charge not established in the Union; and that is related to the offer of goods and services to said interested parties in the Union: . GOOGLE LLC, in the development of its activity as a service provider of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 69/137 Internet, offer products and services online in the territory of the European Union, the which include, among others, operating systems, applications for devices mobile, email, social networks, maps, video, blogs, Cloud services and specific applications for companies. These products and services are offered to persons residing in said territory, whether natural persons (such as "Search", “Maps”, “Gmail”, “YouTube”, “Drive”, “Blogger”) or legal. As indicated, until 01/22/2019, GOOGLE LLC was the entity in charge of this provision of products and provision of services in its entirety. After that date, it still is for certain products, such as "Google Search" and Google Maps. This activity makes the claimed entity responsible for data processing. personal data involved in its development. As such, it manages the requests made by users for the removal of content from the products and services offered in the territory of the European Union, in accordance with the applicable regulations, and is responsible for the data processing that motivates the actions, consisting of communicating to a third entity the personal data contained in those requests from interested parties found in the repeated territory. GOOGLE LLC, in its pleadings brief at the opening of the proceeding, indicates that it does not dispute the application of the GDPR to the processing activities in question, if either considers that the assumptions provided for in articles 3.1 and 3.2.a) of the RGPD are alternatives and that the latter is not applicable, given that it has various establishments in European Union countries, in addition to Spain. This Agency does not share said consideration, on which GOOGLE LLC does not contribute any argument. v Article 5.1 of the RGPD lists the principles to which the personal data processing: “a) processed lawfully, loyally and transparently in relation to the interested party (“lawfulness, loyalty and transparency"); b) collected for specific, explicit and legitimate purposes, and will not be processed further in a manner incompatible with said purposes; according to article 89, paragraph 1, the further processing of personal data for purposes of archiving in the public interest, purposes of scientific and historical research or statistical purposes shall not be considered incompatible with the initial purposes (“purpose limitation”); c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”); d) accurate and, if necessary, updated; All reasonable steps will be taken to that personal data that is inaccurate with respect to regarding the purposes for which they are processed (“accuracy”); e) kept in a way that allows the identification of the interested parties for no more C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 70/137 time necessary for the purposes of the processing of personal data; the data Personal data may be kept for longer periods as long as they are treated exclusively for archival purposes in the public interest, scientific research purposes or historical or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures imposed by this Regulation in order to protect the rights and freedoms of the interested party (“limitation of the term of conservation"); f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against loss, accidental destruction or damage, through the application of technical and organizational measures appropriate (“integrity and confidentiality”)”. Recital 39 also affects these principles applicable to all treatment of data. SAW - About the "Lumen Project" Before analyzing the processing of personal data that involves the communication of data that GOOGLE LLC makes to the "Lumen Project" and if said treatment violates the RGPD, it is considered convenient to outline some considerations related to the "Project Lumen”. According to the information available on the website “lumendatabae.org”, in the sections “About”, “Legal Notice” and “Investigators”, or in the document called "Basic concepts of the information of the Lumen notice", whose contents consist incorporated into this act in Annexes 3 and 4, "Lumen" is a project of the entity Berkman Klein Center for Internet & Society at Harvard University, based in the city of Cambridge (Massachusetts, United States), born in 2002, whose main mission lies in the collection and availability, both of investigators as well as interested persons, requests for removal of content of web pages inside and outside the United States. Its purpose would be to contribute to carrying out a study as ecological as possible of the types of requests, their applicants and their recipients, enhancing transparency about internet. Thus, it is said that its purpose, as a research project independently, (i) the study of requests for withdrawal or elimination of content online that are formulated to Internet publishers, search engines and providers of services; (ii) facilitate the investigation of its different types; (iii) and provide the greatest possible transparency about who sends them and why and with respect to what content online; (iv) and educate the public. Lumen's database grows by more than 40,000 listings per week, with voluntary submissions provided by companies, such as “Google”, or by the persons responsible for originally sending or receiving the notices. at the end of As of 2021, the project hosts more than eighteen million ads, referencing nearly four and a half billion URLs. In 2021, the project website was visited more than nineteen million times by more than one million unique users of virtually every country in the world. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 71/137 Regarding these requests for removal of content, on said website it is clarified that the basis Lumen's data only includes the notices that are notified to you and only with the information included in these notices; of all varieties, such as applications filed under copyright, trademark registered, defamation and privacy, national and international, and orders judicial; and that, generally, the notices are presented by the "Lumen Project" in the way they are shared with you. From said information, the content that, in the opinion of the project, could be sensitive or personal, as well as the contact information of the original applicant of content removal. About the confidential content that may include the notice, informs that “a person or company that sends a notice directly to the database Lumen data may have chosen not to share with Lumen, or keep in private, certain information in the notice”; that the Lumen staff makes an effort to remove sensitive or personal information from the notice text, such as phone numbers telephone, email addresses or other forms of identification number (with Social Security or national identification numbers), mailing addresses, or allegedly defamatory content (it is said: “Our writing processes automatically seek to identify and eliminate” that information). Regarding the copies of court orders, in particular, he points out that he generally shows them in the form in which they have been shared with "Lumen" and "further makes a good faith effort to do so in accordance with the applicable law of the jurisdiction from which the order arose.” The “Lumen” database, which includes content withdrawal notices in online, it can be consulted by the general public. In the document called “Researchers”, inserted in the website “lumendatbase.org”, includes the information Next: “Who is Lumen for? Lumen is designed for casual use by both curious lay Internet users about an ad they may have come across, perhaps in the news, or out of interest staff…as well as by journalists, NGOs, policymakers, academics, and other researchers law firms conducting more in-depth and focused research or studying broader trends extensive on the removal of online content… If you or your organization are interested in conducting your own journalistic investigation, academic, legal, or policy-focused, or if you have more ideas about how we can improve the database and its interfaces, email us at team@lumendatabase.org. see a notice For non-investigators, Lumen currently offers access to a full notice by email address every twenty-four (24) hours. Submit an email address email through the request form will provide a single-use URL for that particular notice that will display the full content of the notice. Access through this URL will last for 24 hours. See here for more details. How does it work? Most users will find that the web interface will be sufficient to navigate and discover within the database. However, for those who need to access large amounts of data for your research, or for those interested in submitting copies of takedown notices to Lumen, we offer our API. Read on to get C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 72/137 more information". Removed content notices are posted on the website “lumendatabase.org”, which includes a search tool. They are also offered through the "Lumen Project" API, which is planned “for those who need to access large amounts of data or create processes automated” and requires obtaining an “API key” to consult the database. It is also reported that “API queries to the database sent without a token will be limited to the first 25 results and 5 requests per day”. About the "Download of results in a massive way" it is indicated: "To better manage its resources, Lumen limits the requests to its API, as well as the use of the interface of web-based user. For those interested in less restricted access to the database via the API, see "Getting an API key"…”. Being this as it has been said, and being known by GOOGLE LLC, the allegation that this entity raises when it states in its defense that the information full is limited to "bona fide investigators." The publication of these notifications or notices in “lumendatabase.org” has the following structure: . Header: reason for the request, natural person or entity making the request, date of the request, country of origin, entity to which the request is addressed and entity that has sent the notice to the organization. . Content Removal Request Summary – Includes a text box in which the factual circumstances of the request and its motivation and the URL are reproduced that gives access to the deleted content. . Link to the support documentation in “pdf” format. A link is included at the bottom of these publications (“Click here to request access and see full URLs”) that leads to a page (“https://lumendatabase.org/notices/.../request_access”) in which you can request the "Lumen Organization" access to the complete information of the corresponding content removal notice. This page appears with the label “Request access to the defamation complaint against Google” and includes the following text: “To access this notice enter your email address and solve the captcha. After you submit the form, we will send you an email with a one-time link. use to notice. Email address (space to add email address) ( ) Select to receive a notification when new documents are added. notification (or when existing notification documents are updated). Deliver (Button). This same form is also used to access the support documentation C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 73/137 of the notice in question. In relation to "Google", the document "Basic concepts of the information of the Lumen notice” available at “lumendatabase.org”, reports the following: On the same website "lumendatabase.org" it is indicated that "Google" is the most popular sender. of the “Lumen Project”, both for the total volume of advertisements and for the number of possible types of notices that such entity has chosen to share with the “Project Lumen” (DMCA, defamation, circumvention, court orders, ads based on local legislation, etc.), which can be received by “Google” regarding your various products (search, Blogger, Drive and Documents, Groups, search for images, etc). Regarding notices based on court orders received from “Google”, the “Project Lumen” indicates that they are presented in the form in which they are received from “Google” and clarifies that if this entity is prohibited from sharing the content of a court order that has received, you must explicitly indicate it in the text of the notice. However, he adds that “Project Lumen” makes an effort to remove foreign court orders in accordance with any local law, including the names, addresses or aspects of the URLs in question. About the notices related to requests for defamation reasons it is said: “As a matter of internal Google policies, Google does not share with Lumen the names of the senders of defamation notices. Also, if the name of a Sender/Principal appears in some form within one of the claimed URLs that are the subject of the notice, or within any text within the prompt, that text will also be removed. For example, an original URL of https://www.blogger.com/JohnQPublicistheworst.com would be shared by Google with Lumen as https://www.blogger.com/[removed]is the worst.com In addition, Google does not share with Lumen the text entered by a complainant in the “To ensure specificity, please cite the exact text…” field in the Google web form. Text entered by a whistleblower in the "Please explain in detail why you believe the content of the above URLs is illegal, citing specific legal provisions whenever possible". Google shares the web form field with Lumen and is displayed as part of the notice in Lumen as is, subject solely to Lumen's automatic redaction processes. Please note that if the subject of the alleged defamation is not the sender of the notice, the that subject's name will not be automatically removed from the notice. Notify Lumen if the name of the person allegedly defamed is still present in a notice.” And on “Other types of notices” it is indicated: “…at this time, Google does NOT share with Lumen the notices it receives from citizens of the EU as part of the so-called "Right to be Forgotten ("RTBF") or notices sent through the Google form to report sexually explicit images. In this section “Other types of notices” of the document “Basic concepts of the Lumen notice information”, includes an Internet address that leads to an informative document on the withdrawal of information from “Google”, which is incorporated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 74/137 in Annex 4. - Information shared by GOOGLE LLC with the "Lumen Project". GOOGLE LLC communicates to “Project Lumen” (“send a copy”) requests for withdrawal or elimination of online content of Spanish users that it manages. I know deals with requests made regarding its products and services (the mentioned in Proven Facts 4 and 5). The requests sent to the "Lumen Project" are motivated by infringement of copyright, defamation, court decisions, trademarks, applications based on the local legislation (legal problem), although in the “Google Forms” they show other reasons for them to be selected by the interested parties, who may also be sent to the "Lumen Project", according to the information that is included in the own forms. Although GOOGLE LLC indicates in its allegations that it only shares these requests related to intellectual property rights (DMCA), Circumvention/Avoidance, Forgery, Judgments, Defamation and Notifications of removal of content based on local regulations (which coincides with the information provided on the website "lumendatabase.org"), and which does not refer in any case requests for the exercise of rights recognized in the regulations for the protection of personal data, there are circumstances that introduce doubts about the effectiveness of this decision or that can generate confusion in users when pointing out the reason for your requests. An example of this is found in the “Lumendatabase Links 3, 14 and 25”, which are outlined in Proven Fact 10, in which the request of the interested party was related to the deletion of personal data or the withdrawal of search results in the "Google Search", although all of them were sent by GOOGLE LLC as notifications based on defamation grounds. In other cases, such as the one corresponding to “Lumendatabase Links 16, 17 and 18”, are referred to "Project Lumen" as notices based on a court ruling, but this bug is related to the removal of content on a blog, which included personal information. The application forms themselves do not contribute to certainty about this issue, as explained in the Legal Basis below. serve these effects all the circumstances that are revealed in said Foundation. I know Here are some examples of the doubts raised by these forms: . The "Google Forms 18 and 24", corresponding to "Google Images" and the "Google Search", they do not inform about the communication of data to "Lumen", but they do include among the reasons for the request defamation, violations of rights copyright or deletion of personal information. . Other “Google Forms”, such as those indicated with the numbers 3, 6, 10, 18 (“Google Images” form for the removal of obsolete content), 19, 20, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 75/137 22, 25 and 27, which do warn about sending the request to the "Lumen Project", They refer to the exercise of the right to delete personal data. Between the reasons shown for the use of these removal forms contents includes the "disclosure of private data", "disclosure of personal data personal” and “Personal information: the content includes my personal data”. . The form marked with number 25, corresponding to "Google Maps", is offers the option to change the user's "local record" for the following reasons: “I want to change the incorrect information on my local file”, “I want to know why the information in my local file has been changed”, “Personal information: the content includes my personal data”. . Search results from “Google Search” report links to content from other GOOGLE LLC products (Blogger/Blogspot, etc.). This does difficult to differentiate when a user requests the removal of information from the search engine or the specific product. In the first case, no copy is sent to the "Project Lumen”, according to the claimed, and in the second it would be sent, according to the information contained in the forms. GOOGLE LLC communicates to the "Lumen Project" all the information corresponding to these requests, including the identification of the applicant and the affected party, if applicable, their email address, the reasons alleged (the text of the claim) and the claimed URL, as well as supporting documentation, if any. GOOGLE LLC has not denied this communication of personal data. has been limited to state that none of the withdrawal requests that you transfer or notify to the "Lumen Project" is related to the exercise of rights in terms of personal data protection. However, this question, which will be analyzed in the The following legal basis does not modify the fact that the communication of personal data to a third party organization takes place, regardless of the request for removal of online content that serves as a basis. The Background contains the detail of the checks carried out in “lumendatabase.org”, regarding posting of content takedown notices on line originating from requests addressed to GOOGLE LLC by users Spanish, subsequently notified by this entity to the Lumen organization. Also, in Proven Fact 10 there is a summary of these details. These checks have made it possible to verify that the deletion notifications verified content were sent by GOOGLE LLC as notices regarding to requests based on defamation, based on a court ruling or by application of local regulations. According to the state in which they were initially published, it is known that nine of them included in the header the personal data of the applicants regarding the name and two last names (except for one case, which only mentions a first name and a last name). In eleven verified cases, the text box of the request, in which the the reasons given by the applicant to justify the elimination, is reproduced in the publication and details the factual circumstances that motivate said request, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 76/137 identification of one or several persons (whether they are the interested parties referred to in the content removed or others affected or involved in the events); postal addresses; review of a URL that includes the mention of a person's first and last name or a postal address; the commercial name of an establishment; the reference of a Judgment (number, date) and the name of the persons intervening as parties in the process (plaintiff and defendant); or the profession of an affected party: And in ten notices, the URL that gives access to the removed content, which is also included in the publication, contains personal data integrated in the address itself from Internet. Two of these URLs were also verified, verifying that they made it possible to access to personal information, with personal data of names and surnames of several people. In addition, one of the published notices allowed access to a Judgment in which contain the names and surnames of all the people involved in the process, as well as all the circumstances of the same. Obviously, these postings of takedown notices on “lumendatabase.org” show that GOOGLE LLC notified the respective requests of Spanish users without deleting the personal data that have been referred. (...). (...). These are ineffective measures if we consider that data is included personal data in other sections of the removal notice sent to the “Project Lumen”, as occurs in the cases of the “Lumentadabase link” indicated with the numbers 3, 4, 5, 8, 9 to 12 and 13, which include personal data in the text of the claim or integrated into the Internet address itself that gives access to the content removed. In any case, the interest of these actions is aimed at the communication of personal data that GOOGE LLC makes to the "Lumen Project" and does not to the publication that this last entity makes in “lumendatabase.org”. During the test phase, it was found that almost all personal data that initially appeared in the publication of these withdrawal notices in “lumendatabase.org” have been suppressed, both in the header of the notice, and in the text of the claim and in the URLs. It should be understood that this deletion does not affects the purposes intended by GOOGLE LLC and by the "Lumen Project" with the actions they carry out. On the other hand, the respondent entity has stated in its pleadings that The legal framework applicable to this communication of personal data is determined by Regulation (EU) 2019/1150 of the European Parliament and of the Council, of June 20, 2019, on the promotion of equity and transparency for professional users of online intermediation services, and the Proposal of the European Commission of Regulation Relating to a Single Market for Services Digital, which reflect the importance of transparency objectives on the way in which intermediation service providers moderate the content, including the requirement to post all content removal decisions on C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 77/137 a publicly accessible database. And he cites article 15.4 of the DSA and the Recital 26 of the P2B Regulation. This Agency does not share that position. Regulation 2019/1150 applies “to online intermediation services and online search engines that are provided or proposed to be used by users professionals and users of corporate websites, respectively”; and regulates aspects such as the decisions that these suppliers can adopt in order to restrict, suspend or terminate the provision of its services to a user professional; or the difference in treatment that these providers may give to some users professionals in relation to others. The same Regulation orders these suppliers to establish an internal system of claims that should be made available to professional users and that It will be based on the principles of transparency and equal treatment. It is in relation to these claims that establishes the obligation of said service providers of online intermediation of submitting information on the operation of the system internal complaint handling system and make that data publicly available. Nothing to do, therefore, with the matter at hand; and neither this regulation contains no provision enabling the making available to the public of personal data. On the Proposal for a Regulation of the European Commission that is invoked by GOOGLE LLC, just indicate that the same article that this entity cites indicates that the data hosting service providers will publish in a database of public access managed by the Commission decisions on removing elements of specific information provided by recipients of the service, or disable the access to them; and expressly provides that such information shall not contain personal information. - Information offered by GOOGLE LLC to users about the communication of personal data to the “Lumen Project” The only information offered by GOOGLE LLC to users about the communication to the "Lumen Project" of the personal data that they may include in their requests for removal of content from the entity's products consists of a notice inserted in the application forms themselves (“Google Forms”). The details of these notices and the forms in which they are inserted are outlined in the Proven Fact 6. The information offered therein is limited to warning about the possibility of “sending a copy of each of the legal notifications that let us receive the Lumen project for its publication and annotation”, noting that “Lumen will remove the personal contact information of the sender (i.e., the number of phone number, e-mail address and home address). Based on this information, GOOGLE LLC does not delete any information contained in the requests it receives and admits that it is the "Lumen Project" who anonymizes the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 78/137 contact details of the applicant so that they are not published. It is also concluded that the publication of the notification in "lumendatabase.org" will be made without suppressing the identity of the applicant. Of the forms checked, only in "Google Form 18", corresponding to the product "Google Images", in the tool provided for removal of “outdated content from Google Search”, in the option “remove personal information or content with legal problems that is still present in one page”, an informative text is included in which “transparency” is mentioned as a reason for GOOGLE LLC to transfer the information to "Project Lumen" and cites the entity responsible for this project and its objective (“facilitate research academic and sectoral information on the availability of online content”). On the other hand, the Privacy Policy of GOOGLE LLC, which is accessible on the “google.com” website and applies to all services offered by this entity and its affiliates (except “for services that are subject to privacy policies independent”) does not mention this treatment of personal data of the users, nor among the purposes for which said personal data will be processed does not include the communication of personal data to the "Lumen Project", nor the purposes manifested by GOOGLE LLC for which this communication of personal data is carried out. This Privacy Policy includes a specific section related to "information staff” that said entity shares externally, noting that “No we share your personal information with companies, organizations or individuals unrelated to Google”, unless the interested party gives his consent or for reasons legal (when Google believes, "in good faith", that it is necessary to disclose them to comply with any requirement provided by applicable law or regulation or to attend a legal process or a requirement of a competent authority; comply with the applicable terms of service, including the investigation of possible violations; detect, prevent, or otherwise remedy fraud or security problems security or technical; o protect Google, users and the general public from damage to your rights and property or your safety to the extent required or permitted by the law). Regarding the deletion of personal data, it is reported that there is the possibility to remove specific products from "Google", including the information associated with the product, or "Delete your Google Account entirely." Specifically, it informs that it is possible to “request that content be removed” from certain services of “Google” in accordance with applicable laws. This information includes a link that gives access to the page in which various products of the company are listed so that the user selects the product to which the content that he intends corresponds delete (“Google Forms 2, 4, 5, 7, 9, 17, 21 and 23”), but not this time The communication of these content removals to third parties is reported. - Legal basis of the treatment Within the principles relating to the processing of personal data set forth in the article 5.1 of the RGPD, deserves to bring up in the case at hand the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 79/137 related to "legality, loyalty and transparency" and "limitation of purpose". And this happens since the "Google Forms" object of study have as objective the collection of a series of data and documents in order to a purpose clear, such as requesting the removal of content from a product or the complaint of copyright infringements, but to which a different one is added (since neither media nor is it essential for the management of the aforementioned removal of content) as is is the communication of data to a third party, such as the "Lumen Project". It will therefore be a priority to analyze whether a legitimating basis can be inferred confer legality to the aforementioned communication of data by GOOGLE LLC to "Lumen Project". In this regard, article 6.1 of the RGPD, establishes the assumptions that allow the processing of personal data to be considered lawful. “The treatment will only be lawful if at least one of the following conditions is met: a) The interested party gave his consent for the processing of his personal data for one or various specific purposes; b) The treatment is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of pre-contractual measures; c) The treatment is necessary for the fulfillment of a legal obligation applicable to the data controller; d) The treatment is necessary to protect the vital interests of the interested party or another person physical; e) The treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller; f) The treatment is necessary for the satisfaction of legitimate interests pursued by the responsible for the treatment or by a third party, provided that said interests are not prevail the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions. In relation to the above, in the case of data processing consisting of the transfer of information related to the request for removal of content to the "Project Lumen” by GOOGLE LLC, we would find that the legality of the treatment should be based either on the existence of consent, or on the existence of a legitimate interest, since a brief analysis of the rest of the assumptions They make us see that they could not be applicable (due to the very nature of the facts and of the parties involved). legitimate interest The entity claimed, in its pleadings at the opening of the procedure and the motion for a resolution, turns to this legal basis to substantiate the communication of personal data that concerns us, understanding that there are interests legitimate, both their own and the "Lumen Project". C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 80/137 After highlighting the objectives sought by the "Lumen Project", already mentioned (educating the public, facilitating research, providing transparency, etc.), alleges that it contributes to this project for transparency and accountability purposes. accounts, as well as to prevent abuse and fraud. According to GOOGLE LLC, the legitimate interest of the "Lumen Project" consists precisely in that, in promoting education, research and transparency, which, in Ultimately, they fall within the interest of the whole society as a whole. On legitimate self-interest, it also refers to the importance of these data communications to ensure that your content removal practices be transparent and accountable; adding that they serve to account for the content moderation processes implemented, to demonstrate the existence of reactive recall procedures, to foster an understanding of the types of online content that are subject to takedown requests, the fairness between similar matters in different countries and regions, as well as to mitigate the risk of improper or fraudulent use of the content removal tools. In addition to the benefit that this transparency represents for the community of researchers, the general public and public authorities. And it points out in this regard that Opinion 06/2014, on the concept of legitimate interest, supports these legitimate interests, including “compelling and beneficial” interests for society in general, such as… the interest in carrying out research (subject to adequate guarantees"; and that the AEPD itself also recognizes in the Home Agreement that meeting transparency standards can constitute a legitimate interest. An important aspect that is worth highlighting first of all has to do with the information provided to users. As has been stated, this information is contained in a text notice inserted in the forms themselves content removal request and is limited to warning about the possibility of send to “Project Lumen” a copy of the notifications, without any mention of the legal basis that legitimizes the processing of personal data or the interests legitimate rights indicated in the pleadings brief. In the Privacy Policy of GOOGLE LLC, the only information on the basis The legal basis for data processing generally refers to the provision of a service, compliance with legal obligations, consent of the interested party (“We request your authorization to treat your information for certain purposes and you have the right to revoke your consent at any time”) and the exercise of legitimate interests, own and third parties. Among the "objectives" that are intended with the processing of personal data based on legitimate interest, the Privacy Policy mentions in general the following: . Detect, prevent, or otherwise remedy fraud, abuse, and security issues or technicians related to our services. . Protect Google, our users and the general public from harm to their rights and property or your safety to the extent required or permitted by law, including C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 81/137 disclosure of information to government authorities. . Conduct research to improve our services to users and benefit the general public. With this information, it cannot be understood that the user has been duly informed about the legal basis that would justify the communication of your data to the "Lumen Project", nor about the legitimate interests of themselves or of invoked third parties, if legitimate interest is the legal basis. On the contrary, taking into account the information that in the Privacy Policy is offers about the personal information that is shared externally, outlined in the previous section (“We do not share your personal information with companies, organizations or individuals outside of Google”, unless the interested party provides consent or for legal reasons), the more it seems that the conclusion that can be obtain the user on the legal basis that protects the communication of data to a external entity such as the "Lumen Project" is the provision of consent. In relation to the legal basis of legitimate interest, article 6 cited establishes: "one. The treatment will only be lawful if at least one of the following conditions is met: f) the treatment is necessary for the satisfaction of legitimate interests pursued by the responsible for the treatment or by a third party, provided that said interests are not prevail the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child...”. Regarding the legitimate interest, the two cumulative requirements of its statement: the existence of a legitimate interest pursued by the person responsible for the treatment or the third party to whom the data is communicated and the non-prevalence of the rights and freedoms of the interested party. Recital 47 of the RGPD specifies the content and scope of this base legitimizer of the treatment: “(47) The legitimate interest of a controller, including that of a controller to whom may communicate personal data, or of a third party, may constitute a legal basis for treatment, provided that the interests or the rights and freedoms of the user do not prevail. data subject, taking into account the reasonable expectations of data subjects based on their relationship with the person in charge. Such legitimate interest could occur, for example, when there is a relevant and appropriate relationship between the data subject and the controller, such as in situations where which the interested party is a client or is at the service of the person in charge. In any case, the existence of a legitimate interest would require careful assessment, even if a The interested party can reasonably foresee, at the time and in the context of the collection of personal data, which may be processed for this purpose. In particular, the interests and the fundamental rights of the interested party could prevail over the interests of the responsible for the treatment when proceeding to the treatment of personal data in circumstances in which the data subject does not reasonably expect that a further treatment. Since it is up to the legislator to establish by law the legal basis for the processing of personal data by public authorities, this legal basis does not should apply to processing carried out by public authorities in the exercise of their duties. functions. The processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the data controller. that it is The processing of personal data for direct marketing purposes may be considered carried out for legitimate interest”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 82/137 The interpretative criteria that are extracted from this Considering are, among others, (i) that the legitimate interest of the person in charge prevails over the interests or rights and fundamental freedoms of the owner of the data, in view of the expectations reasonable that he has, based on the relationship he maintains with the person in charge of the treatment; (ii) it will be essential to carry out a "meticulous evaluation" of the rights and interests at stake, also in those cases in which the interested party can reasonably foresee, at the time and in the context of the data collection, which may be processed for this purpose; (iii) interest and fundamental rights of the owner of the personal data could prevail against the legitimate interests of the person in charge when the processing of the data is carried out in such circumstances in which the data subject "does not reasonably expect" carry out further processing of your personal data. The entity complained against has not justified having carried out this prior analysis and there is evidence that it has not duly informed the interested parties about this legitimate basis, as has been said. In the specific case that concerns us, it is pertinent to start from the basis that the claimed does not offer sufficient information about the communication of data to the "Project Lumen" in order to ascertain what legitimate interest would be at the base of the aforementioned data communication. Making an inference from the mention made in the forms of content removal request to a transparency report and the mission of the “Lumen Project”, it could be concluded that the legitimate interest underlying could be to comply with certain standards of transparency. Once course the above, however, it is necessary that the data controller the data demonstrates that, once the weighting test is applied, your interest real and current legitimate prevails over the interests or rights of individuals. Taking into account the deficient information offered about the purpose and basis legitimizing data communication, it is not possible to assess the weighting of interests and conclude the prevalence of the legitimate interest of the person in charge or of third parties. The interested party, for his part, due to the lack of information regarding the weighting test, is deprived of his right to know the legal basis of the treatment alleged by the responsible, and specifically, when referring to the legitimate interest, is deprived of his right to know what are said legitimate interests alleged by the person in charge or of a third that would justify the treatment. In the same way, the interested party is deprived of his right to claim for what reasons Said legitimate interest of the person in charge of the treatment could be counteracted by the rights or interests of the interested party. Not having given the interested party an opportunity to allege them against the person in charge, any weighing carried out by the person in charge without taking into account the circumstances that the interested party could allege, to whom it was not allowed to do so would be vitiated, as it is an act contrary to a mandatory norm. It is not possible, therefore, to invoke this legal basis of legitimate interest on the occasion of a administrative procedure, such as that of allegations at the opening of a procedure C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 83/137 sanctioning Accepting it would be the same as admitting a supervening legitimate interest, or posteriori, in respect of which the requirements set forth in the personal data protection regulations and about which the users are not informed. interested. Although the legitimate interest is not applicable, it is interesting to analyze the terms in which it must carry out the weighting provided for in article 6.1.f) of the RGPD between the legitimate interest of the person responsible for the data or a third party and the protection of personal data interest of the interested party, that is, how said legitimate interest plays, if applicable. The CJEU, in its ruling of 05/04/2017, C-13/16, Rigas Satskime, sections 28 to 34, determined what are the requirements for a treatment to be lawful on the basis of legitimate interest. The CJEU ruling of 07/29/2019, C-40/17, Fashion ID, Echoing the sentence cited, it collects said requirements. 28. In this regard, article 7, letter f), of Directive 95/46 -(current article 6.1.f) of the RGPD)- sets three cumulative requirements for the processing of personal data to be lawful: first, that the data controller or the third party or third parties to whom they are communicated the data pursues a legitimate interest; second, that the treatment is necessary for the satisfaction of that legitimate interest and, third, that the rights and freedoms fundamentals of the interested party in the protection of data. This legal basis requires the existence of real interests, not speculative and that, Also, they are legitimate. And not only does the existence of that legitimate interest mean that those treatment operations can be carried out. It is also necessary that these treatments are necessary to satisfy that interest and consider the repercussion for the interested party, the level of intrusion on their privacy and the effects that may negatively impact it. Even if the data controller has said legitimate interest, this does not, in itself, mean considered, that this legal basis can simply be invoked as a basis of the treatment. The legitimacy of this interest is only a starting point, one of only items to be weighed. In this case, it is considered that the processing of personal data carried out by GOOGLE LLC is not necessary or strictly necessary for the satisfaction of the alleged legitimate interest (the cited judgment of 05/04/2017, C-13/16, Rigas Satskime, in its section 30, it declares “Regarding the requirement that the treatment of data is necessary, it should be remembered that the exceptions and restrictions at the beginning protection of personal data must be established without exceeding the limits of what is strictly necessary”). This principle, according to which the treatment must be strictly necessary for the satisfaction of legitimate interest, it must be interpreted in accordance with what established in article 5.1.c) RGPD, which refers to the principle of data minimization, noting that personal data will be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are treaties”. Thus, less invasive means of serving a patient should always be preferred. same end. Necessity implies here that the treatment is essential for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 84/137 satisfaction of said interest, so that, if said objective can be achieved reasonable manner in another manner that is less impactful or less intrusive, the Legitimate interest cannot be invoked. The term “necessity” used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a own and independent meaning in Community law. It's about a “autonomous concept of Community Law” (STJUE of 12/16/2008, case C- 524/2006, section 52). On the other hand, the European Court of Human Rights (ECHR) has also offered guidelines to interpret the concept of necessity. In its Judgment of 03/25/1983 specified that, without prejudice to the treatment of data of the claimants is "useful", "desirable" or "reasonable", as specified by the ECHR in its Judgment of 3/25/1983, the term “necessary” does not have the flexibility that is implicit in those expressions. The more "negative" or "uncertain" the impact of treatment may be, the more It is unlikely that the processing as a whole can be considered legitimate. As can be seen, what was stated above is in line with the doctrine of Constitutional Court on the proportionality trial that must be carried out on a restrictive measure of a fundamental right. According to this doctrine, they should three requirements must be verified: suitability (if the measure allows the objective proposed); necessity (that there is no other more moderate measure); proportionality in strict sense (more benefits or advantages than harm). Furthermore, in the event that due weighting attributed a preference to the legitimate interest of the person in charge or of the third party, it must be guaranteed that it is safe the right of opposition to the treatment of article 21.1 of the RGPD by the particular: “The interested party shall have the right to oppose at any time, for reasons related to your particular situation, that personal data that concerns you are subject to treatment based on the provisions of article 6, paragraph 1, letters e) or f), including the preparation of profiles on the basis of those provisions. The controller will stop processing personal data, unless it proves compelling legitimate reasons for the treatment that prevail over the interests, rights and freedoms of the intestacy, or for the formulation, exercise or defense of claims”. In short, it is understood that the communication of personal data to the "Project Lumen” that the respondent entity performs is excessive, considering that there are other less intrusive ways to satisfy the legitimate interests claimed. This means that, in this case, the requirement of necessity is not met, since the communication of the personal data included in the withdrawal requests online content formulated by users is not strictly necessary, in the indicated terms. GOOGLE LLC has not provided a single reason that justifies include personal data in the content removal notices that you transfer to the “Lumen Project” to satisfy its own legitimate interests or those of the third party. A) Yes, it is not even necessary to analyze if such interests exist, that is, if they are real and not speculative, nor whether or not such interests are legitimate. (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 85/137 About the use of personal data for the purposes intended by GOOGLE LLC and the "Lumen Project" it is appropriate to consider the provisions of article 89.1 of the RGPD, referring to the guarantees and exceptions applicable to treatment for purposes, among others, for scientific or historical research or statistical purposes, according to which these treatments will be subject “to the adequate guarantees, in accordance with this Regulation, for the rights and freedoms of the interested parties”, and obliges to have technical and organizational measures, in particular to ensure respect for the principle of minimization of personal data. It is added that “Such measures may include pseudonymization, provided that in this way they can be achieved said purposes. Provided that those purposes can be achieved by processing that does not allow or no longer allows the identification of the interested parties, those purposes They will be achieved that way.” And what is established in article 21.6 of the same Regulation, referring to the right of opposition, about which nothing is indicated in this case to the interested parties in relation to data communication to “Lumen”: “6. When personal data is processed for the purpose of scientific or historical research or statistical purposes in accordance with article 89, paragraph 1, the data subject shall have the right, for reasons related to your particular situation, to oppose the processing of data personal information that concerns him, unless it is necessary for the fulfillment of a mission carried out for reasons of public interest” It is also necessary to consider the repercussion for the interested party of the communication of data to a third party, the level of intrusion on your privacy and the effects that can negatively affect you, especially considering the use that is made with them, which includes their disclosure on the third party's website, lumendatabase.org. It is not possible to ignore that the aforementioned communication of data to the "Lumen Project" by the entity claimed for publication by this project has a high impact on the interests and rights of the interested party due to to the following reasons: 1º It can hardly be considered as an expectation of the interested party that the information regarding which you have requested your withdrawal from the Google product is again accessible through another page. Thus, as follows from the “Google Search 2”, when entering the search terms in the “Google Search Google” (name and surname of the affected person), an informative note appears that sends, to through a hyperlink, to a page of "lumendatabase.org", in order to obtain more information about the removed content, which would mean in practice emptying of content the request or request for withdrawal of information made. In the "Google Forms 1 and 11", enabled to report violations of copyright, they also refer in the information they contain to the communication of the "content of this form" to the "Lumen Project" so that it can be published, and it is expressly noted that “In the case of products such as the Google web search, a link to the posted notice will appear in the results Google search engine instead of the removed content.” 2º GOOGLE LLC communicates the data related to the requests for withdrawal of content without anonymizing the personal data of applicants and third parties, and delegates to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 86/137 “Project Lumen” this function. However, this anonymization is sometimes deficient, as the cases of the following links show: 1. “Lumendatabase 3 link”: In the text that shows the part of the content of the content removal request a full address appears, ***ADDRESS.1, which would identify the person requesting the withdrawal of content and that, in addition, according to what he states, would be linked to his mobile phone number. 3. “Lumendatabase 5 link”: In the link claim section, the link appears. name "I.I.I." This name does not correspond to the person who has requested the withdrawal of the content, but of a third party with respect to which it attributes a conduct you consider illegal. In this case, therefore, it is even exposing the identifying name of a person with respect to which some manifestations with legal implications. 4. “Lumendatabase 8 and 9 to 12 links”: These links are about the same content removal request. The presence of personal data in the section claim of the link ranges from the proof of the full name and the two surnames (“B.B.B.”) in link no. 8 until the appearance of only the name “(…)” in link no. 11. The rest of the links publish various combinations of the name and any of the surnames, as has been shown in Background. 5. “Lumendatabase 18 link”. In this link subsists without anonymizing the name from the sender of the content removal request (“C.C.C.”) and in which, in addition, two other proper names “G.G.G.” -in the section link claim- and “D.D.D.” -in the direction of the link. 6. “Lumendatabase 22 link”: As in the previous case, in this case also subsists the name of the sender of the notification of withdrawal of content “F.F.F.”. 7. “Lumendatabase 25 link”. In the summary section of the withdrawal request, the name “P.P.P.” appears, which would correspond to the person affected by the alleged defamation. 8. “Lumendatabase 26 link”: As in other related cases above, the name of the sender of the withdrawal notice subsists content, "H.H.H." 3º GOOGLE LLC communicates complete judicial documents to the "Lumen Project" without anonymize any personal data. It cannot be ignored that the "Lumen Project", even when it states that it will try to respect the applicable regulations depending on the territorial scope in which the judicial body is located, is located in a country that does not exercise censorship over them due to the consideration of public documents that enjoy judicial documents in the United States and therefore does not apply correctly the appropriate measures to ensure that the publication of judicial documents is in accordance with the regulations of the country in which they were issued. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 87/137 In the specific case of Spain, court rulings are not a source of access general public and its publication by the bodies in charge of this (with exceptions pertaining to rulings of the Constitutional Court) is carried out anonymizing and dissociating the data of natural persons. The disclosure of data personal character from sentences can only be carried out in the assumptions determined by the Organic Law 6/1985, of July 1, of the Judicial Power and in those cases in which, according to the doctrine issued by the Court Constitutional, it can be considered that in that, carried out the mandatory weighting between the rights guaranteed by articles 18 and 20 of the Spanish Constitution, It can be affirmed that freedom of expression prevails over the right to protection of personal information. On the other hand, it is recalled that access to court rulings must be carried out in accordance with Royal Decree 937/2003, of July 18, of modernization of judicial archives. An assumption that would refer to what is referred to in the previous paragraphs is made up of the judicial document that could be downloaded through the “Lumendatabase Link 18” in which, according to the documentation provided by the complainant, there are names of various natural persons who have taken part in the legal proceedings. 4º Regardless of what is indicated in the previous ordinals, it is also possible to access the original link removed or deindexed, since the "Lumen Project" facilitates a full link access request mechanism. 5º Finally, it is pointed out that the same information can be accessible through different “lumendatabase.org” links, which would show the absence of a protocol or implementation of technical measures to verify the information that is published in the “lumendatabase.org” database. It is possible to find these cases in: 1. The aforementioned assumption regarding “Lumendatabase Links 8 and 9 to 12”, which when referring to the same request for content suppose the disposal of these data in a quintupled manner. 2. On the other hand, in a written response to the transfer, the respondent stated I manifest the withdrawal of the content of the “Lumendatabase Link 16”. Nevertheless, the information contained in that link has subsequently persisted through of the “Lumendatabase 18 Link”. Consequently, in accordance with all the foregoing, the interest legitimate invoked by GOOGLE LLC does not prevail over the rights and freedoms of those interested in the protection of their personal data, for which It cannot be considered that the processing of personal data that it carries out is protected by the legitimate interest provided for in article 6.1.f) of the RGPD. Consent In another order, it cannot be said that the signature of the withdrawal request form C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 88/137 contained in the products of GOOGLE LLC, in which the transfer is reported of the deletion notification to “Project Lumen”, including personal data that are reflected in it, can be considered a provision of consent valid for said data communication to take effect. In order for the assumption of consent of the interested party to concur, it is necessary that the It is linked to the specific purposes of processing your data. In respect of its form, in accordance with article 4 of the RGPD, must be a "manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either through a declaration, or a clear affirmative action, the treatment of the personal data that concerns you”. Likewise, according to Recital 32: “Consent must be given by means of a clear affirmative act that reflects a manifestation free, specific, informed and unequivocal will of the interested party to accept the treatment of personal data concerning you, such as a written statement, including by electronic means, or a verbal statement. This could include checking a box on a website on the internet, choose technical parameters for the use of services of the information society, or any other statement or conduct that clearly indicates in this context that the interested party accepts the proposal for the processing of their personal data […] Consent must be given for all treatment activities carried out with the same or the same ends. When the treatment has several purposes, the consent for all of them [...]”. Expanding on this need for a clear and unequivocal statement, Recital 42 establishes that: “When the treatment is carried out with the consent of the interested party, the person in charge of the treatment must be able to demonstrate that he has given his consent to the operation of treatment. In particular in the context of a written statement made about another matter, there must be guarantees that the interested party is aware of the fact that he gives his consent and the extent to which it does so. In accordance with Directive 93/13/CEE of the Council [of April 5, 1993, on abusive clauses in contracts entered into with consumers], a model declaration of consent prepared previously by the person in charge of the treatment with an intelligible and easily accessible formulation that uses clear and simple language, and that does not contain abusive clauses. So that the consent is informed, the interested party must know at least the identity of the responsible for the treatment and the purposes of the treatment for which the data is intended personal. Consent should not be considered freely given when the interested party does not have true or free choice or cannot withhold or withdraw consent without suffering any harm”. Likewise, article 7 of the RGPD lists the conditions that must be met to the granting of consent: "one. When the treatment is based on the consent of the interested party, the person in charge must be able to demonstrate that they consented to the processing of their personal data. 2. If the data subject's consent is given in the context of a written statement that also refers to other matters, the request for consent will be presented in such a way clearly distinguishable from other matters, in an intelligible and easily accessible manner and using clear and simple language. No part of the declaration will be binding. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 89/137 constitutes an infringement of this Regulation. 3. The interested party shall have the right to withdraw their consent at any time. The retreat of consent will not affect the legality of the treatment based on the consent prior to his withdrawal. Before giving their consent, the interested party will be informed of it. It will be so easy Withdraw consent as give it. 4. When assessing whether consent has been freely given, it will be taken into account to the greatest extent possible whether, among other things, the performance of a contract, including the provision of a service, is subject to the consent of personal data that is not necessary for the execution of said contract. Consequently, and in accordance with the transcribed precepts, to consider valid the consent granted, this must be informed, refer specifically to specific purposes, be provided freely and be unequivocal. First, in relation to the need for informed consent, it will be necessary to go to article 13 of the RGPD, which becomes the vector of the principle of transparency enshrined in article 5.1 of the RGPD. Regarding the deficient information provided, the arguments expressed previously. Analyzing the forms that GOOGLE LLC makes available to users to request the withdrawal of information, it is noted that in the links related with the complaint of violations related to copyright (“Forms of complaint”). Google 1 and 11”) it is reported that a copy of the notifications will be “sent” to one or various third parties (giving the "Lumen Project" as an example), while in the regarding content removal requests “Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20, 22, 25 and 26”) it is stated that “it is possible that” a copy of notifications to "Project Lumen" for publication. In the latter case, let It is clear that the "Lumen Project" will be the one in charge of removing the information from personal contact, which adds to the fact that it is the project itself that anonymizes the information that you consider sensitive. The comparison between article 13 of the RGPD with the information provided in the forms, highlights the lack of essential information, such as the relative for all purposes of the treatment (in the event of removal of content, there is no clear whether the information provided, in addition to being used to analyze and manage the withdrawal will or will not be communicated and in what cases), the third parties to whom communicate the data (in complaints of copyright infringement, speaks of one or several third parties), as well as something fundamental, such as the information reference about the legal basis that serves as the basis for said communication of data or if it responds to any legitimate interest of the person in charge or of the third party. Second, the requirement of specificity is closely linked to the requirement of "informed" consent, so that by not complying with the latter, as has been exposed, it will be difficult for the interested party to obtain precise information about a different purpose in the treatment of your data than the management of the withdrawal of content. At this point it is necessary to remember, as has been pointed out above, that the communication of data to "Project Lumen" (or any other C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 90/137 third) is not an essential requirement for the effective management of content removal by GOOGLE LLC. In order to comply with the consent requirement specific, GOOGLE LLC should enable it to be granted in a manner independent of the request for content removal, through the modality that is It has been called granular or layered. Thirdly, freely given consent means that the data subject who fill out the form must have a real option not to grant the consent of communication of your data to the "Lumen Project", without this implying any penalty in the use of the content removal or claim service. Without However, in the forms studied this does not occur, since the transfer of data to the “Project Lumen” is unconditionally included with the withdrawal request itself of content or denunciation, without the possibility of choosing this assignment or not and with the aggravating circumstance that not granting global consent implies not being able to file the report or request the content, something that could violate the right to suppression set forth in article 17 of the RGPD. As was the case with compliance with the specificity requirement, in order to be configured as a free requirement, it is necessary guarantee that the consent of data communication to the "Lumen Project" is provided independently and unrelated to the request for withdrawal of content or claim infringement. Lastly, fourthly and with regard to non-equivocalness, this requirement is would state that, from the use of the content removal service made by the concerned, the indubitable conclusion should be drawn that the said person accepts that your data be communicated to the "Lumen Project". However, given, as as stated in the previous paragraphs, that no information is offered clear and precise about the purpose and its legal basis, and that it cannot The presumed consent granted should be considered free since it has a nature conditional (if you do not want to transfer your data you cannot request the removal of content), It is not possible to conclude in a rational way that we are faced with a clear and unambiguous statement that the interested party wishes to communicate the data of their request to a third party as the “Lumen Project”. Faced with everything stated in this Foundation of Law VI, in his writing of allegations to the proposed resolution GOOGLE LLC is limited to pointing out that the alleged legitimate interests, of the claimed entity itself, of the "Lumen Project" and of society in general, are not supervening, but are prior to transfers to Lumen; and that the expectation of privacy of the users is not disappointed, given that are reported on the forms. In response to this allegation, it suffices to refer to what has already been stated above. about the defects appreciated in the information that the claimed offers to the interested parties in relation to the communications made to the "Lumen Project", in the that the legal basis that legitimizes the communication of data is not even mentioned. The Legitimate interest is only mentioned in the response briefs provided to this Agency by GOOGLE LLC, but in no way in the information provided to the users. (...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 91/137 GOOGLE LLC ends by stating in its brief of allegations that "None of the circumstances indicated by the Agency to question the application of said legal basis may deny the legitimate interest of Google LLC, Lumen and the company in nor can it be understood that they tilt the weighting test in favor of the rights and freedoms of the interested parties”, but does not present any reasoning to defend this claim. Lastly, it is interesting to note that in the written arguments regarding the proposal for resolution presented by GOOGLE LLC, this entity declares itself responsible for the communication of data related to requests for removal of content to the "Lumen Project". On this matter, GOOGLE LLC expressly states that Next: “In effect… Google LLC, is the entity responsible for the processing of personal data that has taken place in the context of communications of withdrawal requests to Lumen. Precisely for this reason, the present procedure was correctly initiated against Google LLC”. Consequently, in accordance with the exposed evidence, the aforementioned facts represent a violation of the provisions of article 6 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Data Protection Agency. 7th The right of deletion (“Right to be forgotten”) is regulated in article 17 of the RGPD, which provides the following: "one. The interested party shall have the right to obtain, without undue delay, from the data controller the deletion of personal data that concerns you, which you will be obliged to delete without undue delay personal data when any of the circumstances following: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise treated; b) the interested party withdraws the consent on which the treatment is based in accordance with the Article 6(1)(a) or Article 9(2)(a) and this is not based on another legal basis; c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and does not other legitimate reasons for the treatment prevail, or the interested party opposes the treatment according to article 21, paragraph 2; d) the personal data has been illicitly processed; e) the personal data must be deleted for the fulfillment of a legal obligation established in the Law of the Union or of the Member States that applies to the data controller; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 92/137 f) the personal data has been obtained in relation to the offer of services of the company of the information mentioned in article 8, paragraph 1. 2. When you have made the personal data public and are obliged, by virtue of the provisions in section 1, to delete said data, the data controller, taking into account the available technology and the cost of its application, will take reasonable measures, including technical measures, with a view to informing those responsible for processing the data of the request of the interested party to suppress any link to said data personal information, or any copies or replicas thereof. 3. Sections 1 and 2 will not apply when the treatment is necessary: a) to exercise the right to freedom of expression and information; b) for the fulfillment of a legal obligation that requires the treatment of data imposed by the Law of the Union or of the Member States that applies to the person responsible for the treatment, or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible; c) for reasons of public interest in the field of public health in accordance with the article 9, paragraph 2, letters h) and i), and paragraph 3; d) for archival purposes in the public interest, scientific or historical research purposes or statistics, in accordance with Article 89, paragraph 1, insofar as the right indicated in section 1 could make impossible or seriously impede the achievement of the purposes of such processing, or e) for the formulation, exercise or defense of claims”. Regarding the right to be forgotten, Recital 65 also pronounces, when it states what: “Interested parties must have the right to have the personal data they provide rectified. concern and a "right to be forgotten" if the retention of such data violates this Regulation or the Law of the Union or of the Member States applicable to the person responsible for the treatment. In particular, data subjects must have the right to have their personal data delete and stop processing if they are no longer necessary for the purposes for which they were collected or otherwise processed, if the interested parties have withdrawn their consent for the processing or oppose the processing of personal data concerning them, or if the processing of your personal data otherwise breaches this Regulation. East right is relevant in particular if the data subject gave his consent as a child and it is not is fully aware of the risks involved in processing, and later wants to delete such personal data, especially on the internet. The interested party must be able to exercise this right even if he is no longer a child. However, further retention of personal data must be lawful when necessary for the exercise of freedom of expression and information, for the fulfillment of a legal obligation, for the fulfillment of a mission carried out in public interest or in the exercise of public powers vested in the data controller, for reasons of public interest in the field of public health, for archiving purposes in the interest public, scientific or historical research purposes or statistical purposes, or for the formulation, exercise or defense of claims. In this case, it is interesting to highlight some aspects of the systems designed and mechanisms enabled by GOOGLE LLC so that interested parties can manage or request the deletion of your personal data processed by this entity. 28001 – Madrid 6 sedeagpd.gob.es, 93/137 In relation to the exercise of the rights that the RGPD recognizes to the interested parties holders of personal data, the Privacy Policy available on the website “google.com” contains the following single reference: “If the data protection regulations of the European Union are applicable to the treatment of your information, we will provide you with the controls described in this policy so that You can exercise your right to request access to your data, update them, withdraw them and restrict your treatment. You also have the right to object to the processing of your information or to export it to another service” (paragraph introduced for the first time in the date update 01/22/2019, in which a new section was added with the label "European requirements"). Also, in addition to pointing out that there are specific privacy functions in the Google products, various options are offered for the management and control of the personal data (personal information can be reviewed and updated at any moment by logging in to the “Google account”, there is a space for set activity controls, set up ads, or control what information is will share with other users…). Links to different tools enabled for this are also inserted, such as the following: . “Privacy Review”, to adjust the search history, reproductions and Youtube history or ad settings; . “My activity”, to consult and delete the activity on Google websites and in applications, or the history of location and Youtube; . “Control panel”, which allows “managing the information associated with products specific”, such as YouTube, Gmail, Google Play, Calendar and others; . The “Your personal information” space, through which you can manage the contact information, such as name, email address, phone number phone numbers or profiles displayed when using Google products. Regarding the deletion of personal data, it is added that there is the possibility to remove personal content from “specific Google services”; search items specific and delete them from the user account through "My Activity"; "remove specific Google products”, including information associated with the product; either "Delete your Google Account completely." Specifically, it is reported in the Privacy Policy that it is possible to "request content to be removed” from certain Google services in accordance with the laws applicable. This information includes a link that gives access to the entry page of Google for the content removal request in which various company products. On this page, the applicant can choose which of these products refers your request for removal of content and, once selected the product in question, the system makes available to the user the form specific authorized by GOOGLE LLC to make the request, according to the details that are exposed later (Google Forms 2, 4, 5, 7, 9, 17, 21 and 23). Despite the complexity of this system implemented by GOOGLE LLC, the Privacy Policy does not refer to or contain any link that leads to a specific form for exercising rights regarding data protection C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 94/137 personal. It has provided a specific procedure so that interested parties can request, “for privacy reasons”, the withdrawal of results obtained in searches with the name of the person as criteria and enabled a specific form called “Withdrawal under EU privacy law”, which is not mentioned in the Policy Of privacy. This form, the only one available that contains an express reference to the personal data protection regulations, is accessible through the website “google.com”, at the URL “https://www.google.com/webmasters/tools/legal- removal-request?complaint_type=rtbf&visit_id=637759350971490255- 235171692&hl=es&rd=1”. In this form, GOOGLE LLC declares itself responsible for data processing personal data by providing results from “Google Search” and managing the withdrawal requests submitted using this form. The applicant must indicate the personal information they wish to withdraw and their location (“the URLs of the content that includes the personal information you want removed”), the name which, if used as a search query, produces the results to which refers to the deletion request and the reason for deletion for each URL (“(1) how the personal information identified above is related to the individual on whose behalf you are submitting this application; and (2) why you believe this information staff must leave”). The same form expressly informs: “With this form, you can request that certain results be removed from the Search from Google returned in queries that include your name.” “If you want to request that personal information be removed from another Google product, please submit a request through the form of that product, which you can find on the page “How to remove content from Google. For example, if you want to request the withdrawal of information Blogger staff, please submit a request via the corresponding Blogger form.te…” The link “How to remove content from Google” inserted in this information leads to the page that lists various "Google" products, through which access the content removal forms enabled for each of these products. This page is the same one that is accessed through the link “request that content be removed” included in the Privacy Policy, indicated above. Through the website "google.com" you can also access the page "How to remove content from Google”, which coincides with the one described as “Google Forms 2, 4, 5, 7, 9, 17, 21 and 23”. This page gives entry to the forms enabled by GOOGLE LLC so that Users can request the removal of content online for each of the products that are listed in it (according to the information offered, "This page will allow you to access the appropriate site to report the content you want to remove from Google services in accordance with applicable laws”). The Sixth Precedent details the complete list of products and services included on this page. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 95/137 Verifications have been carried out in the actions (they are detailed in the Background Sixth and Tenth) in relation to the Blogger/Blogspot products, Chrome Web Store/extension gallery, Google Classroom, Google Groups, Google Help Communities, Poly, Feedburner, Data Studio, Cloud Firestore, Google Images, Google Photos and Picasa Web Album, Drive and Documents, Search Google, Google Maps and related products, Google + and Google News (“Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 18, 19, 20, 22, 24, 25, 26 and 27, respectively). In general, when you click on a product on the page “How to remove content from Google” you access a new page that allows you to create a request for withdrawal of online content. Previously, different options are offered on the reason for the request. A Listed below are the various reasons shown on these forms, in the section "How can we help you?", so that the interested party can select the that serves as the basis for your request (in the sixth Antecedent it is indicated which of these reasons are included in each of the forms included in the proceedings): ( ) I want to change the incorrect information on my local file ( ) I want to know why the information on my local listing has changed ( ) Personal information: the content includes my personal data ( ) Intellectual property issue: reporting copyright infringement, circumvention, etc. ( ) Court order: a court ruling has determined that a specific content is illegal ( ) Legal problem: legal problem that does not appear in the list ( ) Material with images of child sexual abuse: visual representation of sexual practices explicit with minors”. ( ) Copyright Infringement: My copyrighted work is being used illegally without authorization ( ) Counter Notice: An appeal intended to restore content that was removed due to a copyright infringement claim ( ) Circumvention: a tool circumvents the technological measures for the protection of the rights of Author ( ) I would like to report malware, phishing, disclosure of private data or other similar incidents. ( ) I want to report a blog that impersonates my identity. ( ) I want to report the disclosure of private nude images or information ( ) I want to report bullying and harassing content. ( ) Brand: my brand is being used in a way that may cause confusion ( ) Report violent or hateful content, the disclosure of personal data, or the promotion of goods and services ( ) I want to report a case of phishing, spam, malware or other Misuse of a Google Docs or Google Drive file ( ) Right to be forgotten: request to withdraw information in accordance with European legislation in terms of data protection ( ) Defamation: the content defames me or my company or organization When selecting one of these options, a new page is accessed, in which allows you to create the request (“Click Create Request to send a request to our team"). In relation to the products “Google Maps”, “Google News” and “Drive and Documents”, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 96/137 the process has been verified by selecting the option among the reasons for the request “Personal information: the content includes my personal data”. In all cases A data collection form was displayed with the following information: “Form to request the withdrawal of personal information For privacy reasons, you may have the right to request that certain personal information related to you. This form is used to request the withdrawal of certain content of the product from Google you have selected. If you wish to request the removal of personal information from another Google product, submit a request through the corresponding product form, available on our “How to remove content from Google” page. For example, if you want to request that certain Search results be removed from Google for queries that include your name, please submit a request through the corresponding Google Search form Upon receipt of a request, Google strikes a balance between the individual's right to privacy affected and the right of the general public to have access to information, as well as the right from other users to distribute it. For example, Google may refuse to remove certain information about financial scams, professional negligence, criminal convictions, or public behavior of government officials”. It has been verified that the link “Google Search form” inserted in that informative text leads to the request form “Withdrawal under the law of privacy of the EU. The request that is generated with the described process, which the interested party must complete and send, includes fields for the applicant to provide their data regarding country of residence, full name and email address of Contact; as well as the name and surname of the person he represents, “URL of the content that includes the personal information you want removed”, “the information you want to be removed” and “the reasons for the removal”. It is important to note, on the other hand, that the page “How to remove content from Google” in which various “Google” products are listed, through which access the content removal forms enabled for each of them, the product “Google Search” is also included. By clicking on this product you access a new page that allows you to create a request online content removal. The following options are offered on this page: “How can we help you? ( ) I want to report malware, phishing, or similar issues. ( ) Content that I requested to be removed continues to appear in search results, even though the webmaster has already removed it. ( ) Remove personal information from Google in accordance with our product policies (personally identifiable information, doxxing, explicit non-consensual images, etc.). ( ) Personal information: request that my personal information be removed from the results of Google search. ( ) Intellectual property issue: report copyright infringement, circumvention, etc. ( ) Another legal problem: report content for another legal reason not included in the li.ta” With the option “Personal information: request that my personal information be removed from Google search results” takes you to a new page for C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 97/137 removal of content, in which new options are offered to the interested party: “Choose one of the following options: ( ) Remove personal information from Google in accordance with our product policies (personally identifiable information, doxxing, non-consensual explicit images, etc.) ( ) Right to be forgotten: request to withdraw information in accordance with European legislation in terms of data protection ( ) Defamation: the content defames me or my company or organization”. Selecting one of these options allows you to create the request (“Click Create request to submit a request to our team”). The option “Right to be forgotten” leads to the form “Withdrawal under the law of EU privacy. For the “Defamation” option, a data collection form is displayed with the following information: “Request the removal of content for legal reasons. If you think you have found content that is illegal in your country, you can use this form to submit a claim. Please identify the exact URLs of the content in question and explain in detail why you believe that content is illegal. We will evaluate your request taking into account our privacy policies. removal of content, we will review it and take appropriate action." “To be as accurate as possible, please cite exactly the text of the URLs listed above that you believe violates your rights. If the allegedly infringing content is a image or video, please provide a detailed description of that content so that we can locate it at the URL in question”. “If the violation affects multiple Google products, you must submit a notification for each affected product. This form includes fields for the applicant to provide the following data: country of residence, full name of the applicant, name of the company, name of the company or organization whose legal rights it represents, email address contact email and the allegedly infringing URL. It is also requested to applicant to “Explain in detail why you believe that the content of the URLs above is illegal and cite the specific legal provisions if possible.” These forms, which appear in the actions indicated as "Forms of Google 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20, 22, 25, 26 and 27”, as already indicated, inform users that GOOGLE LLC may send (“we may send”) a copy of the legal notifications that you receive to the "Lumen Project" for your publication and annotation. The information that is communicated to “Lumen” and the publication that this entity carries out on its website "lumendatabase.org" has been exposed in the Basis of previous Law. It is also indicated that the entity GOOGLE LLC itself may publish in its "Report of Transparency” information of the withdrawal notification “similar” to that published in lumendatabase.org. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 98/137 (…) (…) It adds in this regard that the essential element that determines the application of the article 17 RGPD is the purpose of the request and, consequently, the right invoked and exercised by the individual, the legal regime in which the subject bases the content removal request. And it clarifies that these content removal requests are valued by carrying out analyzes legal and test depending on the reason for submitting your request. For example, De-indexation requests for defamation grounds, in the absence of a decision judicial, they are analyzed according to the local regulations that regulate defamation and not on the GDPR basis. However, in cases of removal of content from products and services analyzed it is difficult to deduce if the request is made invoking the regulations of protection of personal data, simply because this regulation is not mentioned in any of the forms, regardless of the reason that the interested party select from among the proposed options, except in the form called “Withdrawn under EU privacy law”, the only one available that contains an express reference to this regulation, as has been said. If we take into account what was stated by GOOGLE LLC, this means that said entity believes that online content removal requests for the products of "Google" that are formulated using the mechanisms to which the page "How to remove content from Google", in no case is it considered an exercise of right of suppression regulated in article 17 of the RGPD and in no case analyzed and resolved by the responsible entity in accordance with the protection regulations of personal data. This is so despite the fact that many of the reasons shown on the forms in question to be marked by interested users are directly related to the processing of personal data, or may be in the intention of it when making your selection. See for example the following options, keeping in mind at all times that the issue analyzed has to do with online content removal requests: ( ) I want to change the incorrect information on my local file ( ) Personal information: the content includes my personal data ( ) I would like to report malware, phishing, disclosure of private data or other similar incidents. ( ) I want to report a blog that impersonates my identity. ( ) I want to report the disclosure of private nude images or information ( ) Report violent or hateful content, the disclosure of personal data, or the promotion of goods and services With the option “Personal information: the content includes my personal data”, even, a form is accessed that is presented as "Form to request the withdrawal of personal information. For reasons of privacy…”, which also does not invoke the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 99/137 personal data protection regulations. And not only that. These forms do not even use the terms “personal data”. In addition, the system designed by GOOGLE LLC, which leads the interested party through of various pages to complete your request, previously forcing you to check the options that are offered, it can cause it to end up marking a option that suits the reasons that you consider appropriate to your interest, but that deviates from its original intention, which may be clearly linked to the protection of your personal data, unaware that these options place you in a regime different normative because GOOGLE LLC has wanted it that way or that your request is will resolve according to the internal policies established by this same entity. Nor does anything ensure that a user has not noticed the existence of the content that you intend to withdraw through the "Google Search", which also offers among the search results contained in other "Google" products, and that your intention was the deindexation of said content and your personal data. In the cases analyzed, only GOOGLE LLC knows which requests respond to a criterion or another, which is to say that only GOOGLE LLC knows which requests are will be resolved in accordance with some rules or others. It is as much as leaving it to the discretion of GOOGLE LLC the decision on when the RGPD applies and when not, and this would mean accept that this entity can avoid the application of the data protection regulations personal data and, more specifically for this case, accept that the right of deletion of personal data is conditioned by the system of elimination of content designed by the responsible entity. The effect may be that personal data that the interested party wishes are not deleted. delete in cases where the personal data protection regulations protect this suppression. There is no other form on exercising personal data protection rights than the so-called “Removal under EU privacy law”, and GOOGLE LLC correctly treats it as an exercise of the right to be forgotten because it is intended for requests to remove results from “Google Search” in searches with a person's name as criteria. But there is no other form for the right to delete data regulated by the RGPD. We already know that the exercise of these rights is not subject to form and that a The interested party can formulate the request with a simple writing prepared by himself. But what is analyzed here is the suitability and legality of the mechanisms enabled by GOOGLE LLC so that a user can request the deletion of their data when this deletion involves the removal of online content from the products and services that the entity provides, considering that the existence of these means can lead the interested party to use them, not knowing the true scope and effects that will have in relation to its purposes the fact of using they. It is important to note that the information that the Privacy Policy offers about the right of deletion, the way to exercise it and the means available to the interested party, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 100/137 in the section “Export, withdraw and delete your information”, expressly informs that You can “request to remove content from certain Google services from in accordance with the applicable laws”. This information includes a link that gives access to the “How to remove content from Google” page that lists the products and services and leading to the forms being analyzed. It is understood that if Privacy Policy refers to "removal of information" and "remove content" is referring to the right to delete personal data. It cannot be accepted, therefore, that the Privacy Policy leads to this site web, in which means are made available to the user for the exercise of the right of suppression, with which the elimination of contents is pursued (it must be understood that refers to personal data) and, subsequently, the requests made are not treated as such, at the discretion of the responsible entity. For the correct assessment of what is discussed here, it is necessary to consider the level of social implantation of the products and services of GOOGLE LLC, almost global with respect to of the population of the territories in which these products are offered and provided those services. And consider, likewise, that this content removal system in line and its effects, requires for its correct understanding a level of training in the matter that does not occur in the profile of the average citizen. This system not only causes those difficulties and effects on the interested party. on trial of this Agency, as well as the management of the requests that must be made by the claimed entity may be affected. Proof of this are the cases to which the “Lumendatabase 3 Links, 14 and 25”, which are outlined in Proven Fact 10. These publications of "lumendatabase.org" correspond to requests for deletion of personal data (removed from search results in “Google Search”), but they were sent by GOOGLE LLC as notifications based on defamation grounds. What is striking, on the other hand, is the existence of two forms for the elimination content in the "Google Search Engine", outlined above, which does not contribute to clarify the issue. One of them, “Withdrawal under EU privacy law”; and another, the available through the “How to remove content from Google” page, which is also include this product in the list it contains. In the first of these forms, according to the information provided, used solely for the removal of "personal information" in the results of search when a name is used as the search query (“With this form, you can request that certain search results be removed from Google returned in queries that include your name”). In the second case, the form has the same mechanics as those indicated previously. The interested party must mark one of the reasons for the claim that is shown in the section “How can we help you?”, similar to those already expressed (such as “A piece of content that I requested to be removed continues to appear in the search results, even though the webmaster has already removed it”, “Remove C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 101/137 personal information from Google in accordance with our product policies (personally identifiable information, doxxing, non-consensual explicit images, etc.)”, “Personal information: request that my personal information be removed from the Google search results”, or “Another legal problem: reporting content for other legal reason not included in the list”). With the option “Personal information: request that my personal information be removed from Google search results” takes you to a new page for removal of content, in which new options are offered to the interested party: “Choose one of the following options: ( ) Remove personal information from Google in accordance with our product policies (personally identifiable information, doxxing, non-consensual explicit images, etc.) ( ) Right to be forgotten: request to withdraw information in accordance with European legislation in terms of data protection ( ) Defamation: the content defames me or my company or organization”. Selecting one of these options allows you to create the request (“Click Create request to submit a request to our team”). The option “Right to be forgotten” leads to the form “Withdrawal under the law of EU privacy. For the “Defamation” option, a data collection form is shown in which it is reported that the request will be evaluated and resolved taking into account the "policies of content removal” of GOOGLE LLC. Therefore, requests made using this form will never be will resolve in accordance with the data protection regulations: . If the removal of content refers to search results with the name of a person as a criterion, it is resolved in accordance with the regulations for the protection of data, but using the form enabled for the "Withdrawal under the law of privacy of the EU”, to which the second of the three previous options leads. . The first and third options above are resolved in accordance with the "policies of content removal” of GOOGLE LLC. In this way, the removal of content in the product "Google Search" in other cases different from the previous one (eg, searches with the phone number as a query) is resolved according to criteria of the responsible entity, established by itself, although that content include personal data (the first option includes removal of "personal information identifiable”; and the second talks about content that defames a person). It should also be added that the result that the interested party obtains from the use of the “EU Privacy Law Withdrawal” form does not extend to the deletion of online content, but only results in the deindexation of those contents, and only in searches by name as query criteria, avoiding that in these cases the content is displayed in the results of the "Search Engine". of Google". In the other cases of exercise of the right through the application forms of removal of content online the result in accordance with the requirements of the RGPD is the effective deletion of information. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 102/137 For this reason, although the “Withdrawal under the privacy law” form is operational of the EU”, the only one that mentions the data protection regulations personal, this cannot be the only form that GOOGLE LLC uses to understand exercised the right of suppression. Once the request for removal of online content has been submitted and the right has been met, it is That is, once the deletion of personal data has been agreed, there is no further processing thereof, such as the communication that GOOGLE LLC makes to the "Project Lumen”. Communication of content removal request data from GOOGLE LLC to “Lumen Project”, analyzed in the previous Legal Basis, considering that all the information contained in the application is sent so that it can be included in another database accessible to the public and to be disclosed through a website, It supposes in practice to frustrate the purpose of the exercise of the right of suppression. In addition, this communication of data by GOOGLE LLC to "Project Lumen" imposed on the user who intends to use the repeated forms, who does not have to want the option to oppose it. This conditionality in the exercise of a right recognized to the interested parties, which is the deletion, does not find accommodation in the RGPD to the extent that an additional treatment of the data is generated. data on which the deletion request relates when communicating them to a third party. Moreover, if we consider that on the results page of the "Google Search", in searches carried out with the name of the interested parties as a criterion of the query, a footnote is included noting that a result “in response to a legal requirement” and includes a hyperlink to “lumendatabase.org” for that the user can access the information (“If you wish, you can read more information on this requirement at LumenDatabase.org”). About this note in search results are expressly informed to those interested in the “Google Forms 1 and 11”, arranged to request online content removals for copyright infringement (“In the case of products such as Web Search of Google, a link to the published notice will appear in the search results of Google instead of the removed content”). To this we must add that the entity GOOGLE LLC itself informs in the forms in question about the possibility of publishing information similar to that communicated to the “Lumen Project” in its “Transparency Report”. Regarding this breach of article 17 of the RGPD, GOOGLE LLC points out that the AEPD does not provide any evidence of the existence of a single right of deletion "not served" or "hindered" by the claimed, necessary for it to be understood breached article 17 of the RGPD, either by preventing the exercise or by not delete the data when appropriate. Highlights the number of applications for right of suppression (“right to be forgotten”) that receives and attends each year in Spain and that of legal protection procedures processed by the Agency without critical comment some. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 103/137 As GOOGLE LLC indicates, the impediment of exercise has been taken into account of the right of suppression that supposes the use of the repeated forms by the interested parties and the procedure for managing these requests applied by the claimed party, as well as the numerous individual cases analyzed in the proceedings, which are outlined in the Proven Facts in full detail, some of which correspond to exercises of "right to be forgotten", in which GOOGLE LLC did not suppress the personal data of the interested parties. These conclusions do not change in any way. number of requests for the right of deletion that said entity attends or the procedures of exercises of right promoted by the interested parties before this Agency, all of them referring to the “right to be forgotten”. It also adds the entity claimed that the AEPD ignores other channels and resources arranged by the same for communication with its users and interested in relation to the exercise of rights. But this does not counteract the fact that the forms object of these actions have been enabled by GOOGLE LLC for the exercise of the right of deletion, as explained in its Privacy Policy. Privacy, through which you can access them. Although it may exist other ways, given the freedom of form for the exercise of rights provided by the applicable regulations, the interested party may choose to use those provided by the entity to which it is directed. It can even be said that he is led to the use of these forms. Nor can the claimant ensure that when a Interested party opts for these forms does so knowing and having previously agreed to those other channels and resources to which he refers in his allegations. On the other hand, GOOGLE LLC understands that the conclusions of the proposal of resolution, which coincide with those expressed above, are manifestly Contrary to the principle of legitimate expectations contained in art. 3.1.e) of the Law 40/2015, of October 1, on the Legal Regime of the Public Sector, taking into account that the AEPD has spent years linking and inviting citizens to use the set of content withdrawal forms, as can be seen on its website. In said allegations, it has detailed the URLs that lead to this information inserted on the website of this Agency (“aepd.es”): 1. The first of these links (“https://www.aepd.es/es/areas-de-actuacion/internet-y- social-networks/right-to-be-forgotten”), within the “Areas of action” tab. Internet and Social Networks”, leads to the section “Right of suppression (“to be forgotten”): Internet search engines", in which interested parties are offered several "key points" to exercise this right. In point 4 “How to exercise it?” the following is reported: “The data protection regulations establish that to exercise the right of deletion (and, therefore, the 'right to be forgotten') it is essential that the citizen go first to the entity that is processing your data, in this case the search engine. Major search engines have enabled their own forms (Google...) to receive requests to exercise this right in this field. The “Google” link in this text allows you to access the GOOGLE form LLC called “Withdrawn under EU privacy law”, which is not listed among the reported forms. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 104/137 2. The second URL (“https://www.aepd.es/es/areas-de-actuacion/internet-y-redes- social/delete-photos-and-videos-from-the-internet”), within the same tab indicated in the previous section, leads to the section “Delete photos and videos from the internet”, in the which is reported as follows: “Do you know how to request the removal of photos or videos posted on the internet? Your image it is a personal data, whether you appear in a photo or in a video. Your image, both a photo and a video in which you appear, is personal data. Diffusion of images or videos published in different internet services without legitimation to deal with this data of yours, especially in social networks, is an issue that arises with frequently before the Agency. The General Data Protection Regulation recognizes the people the exercise of the right of suppression... What should you do? The exercise of the right of suppression can only be requested by the affected person or, in the event of be minors under 14 years of age, their parents or legal guardians. Whenever circumstances allow it, it is advisable to contact the person who uploaded the content requesting its removal. If you did not achieve your goal, you should necessarily request the deletion to the platform that has provided the means for publication, that is, the social network or video portal on that these images or videos have been published, proving your identity and indicating what links are the ones that contain the data you want to cancel… The most popular social networks, meanwhile, have established mechanisms for notify them of privacy violations or inappropriate content through their own forms. Here are some of the methods they offer… Google The company has a page from which you can request the removal of content of its different services. In the case of the YouTube video service, you will be offered different options in case of abuse or harassment, violations of privacy, reporting of sexual content, violent content or other issues. On the other hand, if you consider that a video posted on YouTube includes inappropriate content you can use the icon with form of flag (Report) to warn of the content and for the company to review it”. The link "The withdrawal of content" that appears in this text allows access to the page "How to remove content from Google", of "google.com", which is the page of Google's entry for the content removal request in which they are listed various products of the company, through which you can access the forms enabled for each product. This page coincides with the one reviewed in the Actions such as "Google Forms 2, 4, 5, 7, 9, 17, 21 and 23". The rest of the links (“abuse or harassment”, “privacy violations”, complaint of sexual content”, “violent content” and “other problems”), basically, allows access to the information offered by the claimed on withdrawals of content on Youtube according to the policies of the entity itself (“Rules of the Youtube Community”): “The safety of our creators, viewers and partners is our highest priority, and we hope that each of you Help protect this unique and vibrant community. It is important that you C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 105/137 Familiarize yourself with our Community Guidelines and understand the role play in our shared responsibility to maintain safety in Youtube. You can also consult the complete list of our policies”. 3. Through the third URL (“https://www.aepd.es/sites/default/files/2020-05/guia- citizen.pdf") accesses the "Citizen's Guide" prepared by this Agency, which is available on the website of this entity, in the tab “Guides and tools". Section 5.4 of this Guide provides information on the “Right to deletion (“Right to be forgotten”)”, with the following text: “On the other hand, the most popular social networks offer help services that allow inform you, through your own forms, when there has been a violation of privacy or inappropriate content. Some of these services are the following: Google: Content removal Report abuse or harassment (Youtube) Violation of privacy (Youtube) Report sexual content (Youtube) Report violent content (Youtube). They are the same links as in section 2 above. 4. The fourth URL (“https://www.aepd.es/sites/default/files/2020-02/infografia-canal- priority.pdf”) accesses information related to the “Priority Channel” enabled by the AEPD to communicate the dissemination of sensitive content and request its withdrawal. East document includes the following information: “What can I do if images in which I appear are spread? In general, the affected by these behaviors should contact the Internet service provider requesting the removal of images that are being disseminated without their consent. then it The links to some of the major service providers are detailed: Google…" . By clicking on the “Google” link that appears in this information, you access the “Withdraw Google Information” page, from “google.com”. This page informs how to contact the webmaster of a website to request the removal of content and links are included to access the removal tool removal of obsolete content, removal of images, fake pornography, practices abusive, financial, medical information or personal identification documents, Doxxing content or images of minors. It also includes a link to the forms object of the actions (“Legal Problem Resolution Form”). The aforementioned principle of legitimate expectations is contained in article 3 from the LRJSP: “Article 3. General principles. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 106/137 1. The Public Administrations objectively serve the general interests and act in in accordance with the principles of efficiency, hierarchy, decentralization, deconcentration and coordination, with full submission to the Constitution, the Law and the Law. They must respect the following principles in their actions and relationships: (…) e) Good faith, legitimate trust and institutional loyalty. It is a manifestation of the doctrine of "proper acts" and is related to the principle of legal certainty. The principle of legitimate expectations can be understood as the confidence of citizens in the future action of the Administrations Public according to their past performances, considering the expectations that generate, although always safeguarding the principle of legality, so that the principle cannot be invoked to save situations contrary to the norm. This follows from the STS of 12/18/2007, which refers to the principle of protection of legitimate expectations citing the terms of a previous Judgment of 05/10/1999: "Thus, the STS of 10-5-99 (RJ 1999, 3979), recalls "the doctrine on the principle of protection of legitimate trust, related to the most traditional in our system of legal certainty and good faith in relations between the Administration and individuals, and entails, according to the doctrine of the Court of Justice of the European Communities and the jurisprudence of this Chamber, the fact that the public authority cannot adopt measures that result contrary to the hope induced by reasonable stability in its decisions, and on the basis of which individuals have adopted certain decisions. […] For other On the other hand, in the STS of 1-2-99 (RJ 1999, 1633), it is recalled that "this principle cannot invoked to create, maintain or extend, in the field of public law, situations contrary to the legal system, or when the preceding act results in a contradiction with the purpose or interest protected by a legal norm that, by its nature, is not susceptible to protect one discretionary conduct by the Administration that supposes the recognition of some rights and/or obligations arising from acts of the same. […] One thing is irrevocability of the declarative acts of rights themselves outside the review channels established in the Law (articles 109 and 110 of the Administrative Procedure Law of 1958 [ RCL 1958, 1258, 1469, 1504 and RCL 1959, 585], 102 and 103 of the Law of Legal Regime of Public Administrations and Common Administrative Procedure, Law 30/1992 [ RCL 1992, 2512, 2775 and RCL 1993, 246] , modified by Law 4/1999 [ RCL 1999, 114, 329] ), and another on respect for the legitimate trust generated by one's own actions, which must necessarily be projected into the field of discretion or autonomy, not that of regulated aspects or normative requirements against which, in Administrative Law, the resolved in act or in precedent that was contrary to those. Or, in other words, not It can be said that the trust placed in an act or precedent that is contrary to mandatory rule. The STS of 02/22/2016 (rec.1354/2014), for its part, refers to the requirements that must concur to assess legitimate expectations: “It should be borne in mind that legitimate expectations ultimately require the concurrence of three essential requirements. Namely, that it is based on undeniable and external signs (1); that the hopes generated in the administered must be legitimate (2); and that the final conduct of the Administration is contradictory with the previous acts, is surprising and inconsistent (3). Exactly what happens in the case examined, according to the facts above reported, which is pointless to insist. Let us remember that, with respect to legitimate expectations, we have been repeatedly declaring, for all, Judgment of December 22, 2010 (contentious-administrative appeal no. 257/2009), that "the principle of good faith protects legitimate expectations that are justified C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 107/137 may have deposited in the behavior of others and imposes the duty of coherence in the own behaviour. Which is as much as to say that the principle implies the requirement of a duty of behavior that consists of the need to observe in the future the con- conduct that the previous acts made anticipate and accept the binding consequences that are arise from the acts themselves, constituting an assumption of injury to legitimate expectations of the parties "venire contra factum propium". This same Judgment refers to the confidence in the stability of criteria of the Administration, evidenced in previous acts in the same sense. On the other hand, the STS of September 21, 2015 (rec.721/2013), in its Basis of Fourth Law, declares the following: “In the aforementioned judgment of this jurisdictional Chamber of February 23, 2000, the application of the principle of protection of legitimate expectations is conditioned not so much to the fact that produce any type of psychological conviction in the benefited individual, but rather to that the existence of external signs produced by the Administration "what sufficiently conclusive" so as to reasonably induce you to rely on the legality of administrative action.” Therefore, this hope or confidence generated must be "legitimate" and be based on previous external acts, whose meaning is undoubtedly contrary to what was agreed subsequently, without it being necessary to include in this principle of legitimate expectations a mere psychological conviction of the individual. In this case, it is stated that the website of this Agency includes general information addressed to internet users about the exercise of the right of deletion and warns users themselves, in various sections, on the possibility of using the forms for this specific authorized by different service providers, among which is the entity "Google". For this reason, in said information links are inserted that lead to the forms enabled by GOOGLE LLC. Among these links it is worth highlighting, for its special interest for the performances, those included in the section “Delete photos and internet videos” and in the “Guide for the citizen”, which give access to the page “How to remove content from Google”, from “google.com”, through which you access the forms object of this procedure. This fact does not represent an external act of the Administration that could have influence the conduct of GOOGLE LLC determining the violation of article 17 of the RGPD, to the extent that the inclusion of these links on the AEPD website does not may mislead said entity or allow it to conclude that in those forms there is no element that contravenes the provisions of the RGPD and LOPDGDD. This being the case, it cannot be said that GOOGLE LLC has been surprised for the aforementioned infringement of the RGPD that is imputed in this act. Therefore, GOOGLE LLC does not have external events prior to this resolution. (“external undeniable signs”) that may be considered favorable to said entity of conclusively and sufficient to have induced it to think that the AEPD validated repeated content removal forms. There are no previous decisions of the AEPD, nor recommendations, nor any act in which a criterion is transmitted that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 108/137 is now being modified. That inclusion of links to the forms in informative documents inserted in the website "aepd.es" does not constitute any regulated action or an act with content legally binding, nor does it imply any pronouncement on the issues to which which the allegations refer. In short, they do not represent external acts of the Administration from which a future violation of the principle of "legitimate trust of the company", now invoked. The actions of this Agency have not influenced in any way the conduct of GOOGLE LLC determining the infringement analyzed, nor does it influence the design of those forms or in their use for the management of rights in matters of protection of personal data or legal claims in general that give rise to the application of its own internal policies for the removal of content or other regulations other than personal data protection; nor has this Agency performed any other action that has allowed said entity to conclude the suitability of his action. GOOGLE LLC cannot provide any statement or action of this Agency that led to this alleged confusion, simply because there is no action in that sense. The Agency has limited itself to informing citizens of their rights and how can exercise them, including a link to the forms of those responsible for the treatment. The inclusion of said links does not imply a validation of those forms, something that, on the other hand, does not correspond to the AEPD, but is responsibility of the claimed entity, which is obliged to seek the compliance with data protection regulations in accordance with the principle of proactive responsibility. Proof of this is that the defendant can at any moment to vary the content of the information to which the repeated links lead inserted in the web "aepd.es", or the design of the forms themselves, without any prior pronouncement and without the knowledge of this Agency. With the inclusion of these links, as has already been said, the AEPD is not deciding or recommending anything that legally binds this Agency, the claimed or third parties. It is now, in the exercise of the corrective powers that the RGPD grants to the Control authority, when the infraction is detected, of which only GOOGLE LLC is responsible. In short, projecting the doctrine of the Supreme Court to the present case, and in the terms of the STS of 12/18/2007, it turns out that there are no circumstances that allow us to understand that GOOGLE LLC has been surprised by the actions of the Management. It is worth insisting, in any case, on what was previously expressed about the prevalence of the principle of legality, which prevents invoking legitimate expectations to save situations contrary to the norm. For all these reasons, the allegation of violation of the principle of trust must be rejected. legitimate and, otherwise, reaffirm the full responsibility of GOOGLE LLC in in relation to the online content removal forms designed by the same and the management that applies due to its use by the interested parties. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 109/137 viii In the event that there is an infringement of the provisions of the RGPD, between the corrective powers available to the Spanish Data Protection Agency, as a control authority, article 58.2 of said Regulation contemplates the following: “2 Each control authority will have all the following corrective powers indicated below: continuation: (…) b) sanction any person responsible or in charge of the treatment with a warning when the treatment operations have violated the provisions of this Regulation;” (...) d) order the person responsible or in charge of the treatment that the treatment operations be comply with the provisions of this Regulation, where appropriate, of a given manner and within a specified time; (…) i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;". According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine. IX The exposed facts do not comply with the provisions of articles 6 and 17 of the RGPD, with the scope expressed in the previous Legal Foundations. In the agreement to open the procedure, the violation of article 17 was considered linked to the breach of the provisions of article 6, both of the RGPD, to the extent that the communication to the "Lumen Project" of the data included in online content removal requests means no respond to this request for deletion of personal data. However, the actions carried out during the investigation of the procedure have revealed serious deficiencies in the process designed for the formulation, reception and management of these requests for deletion of personal data that directly affects the very exercise of this right recognized to interested in the RGPD and its resolution in accordance with this regulation, as is exposed in the Foundation of Law VII. This fact violates article 17 of the RGPD and constitutes a differentiated infringement of data communication to the "Lumen Project", to the extent that it results from conduct differentiated. Failure to comply with article 17 of the RGPD, for the reasons stated in the aforementioned Foundation of Rights, occurs regardless of whether the personal data included in the request that the interested party makes is communicated or not to “Project Lumen”. Ultimately, these are separate conducts that must be sanctioned by C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 110/137 separate. Failure to comply with the provisions of articles 6 and 17 of the RGPD implies the commission of two offenses classified in sections 5.a) and b) of article 83 of the GDPR, respectively. This article 83.5, under the heading "General conditions for the imposition of administrative fines”, provides the following: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent to tenor of articles 5, 6, 7 and 9. b) the rights of the interested parties according to articles 12 to 22”. In this regard, the LOPDGDD, in its article 71 establishes that "They constitute infractions the acts and behaviors referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law”. For the purposes of the limitation period for infractions, the infractions indicated in the previous paragraph are considered very serious and prescribe after three years, in accordance with article 72.1.b) and k) of the LOPDGDD, which establishes: “Based on the provisions of article 83.5 of Regulation (EU) 2016/679, they are considered very serious and will prescribe after three years the infractions that suppose a violation substance of the articles mentioned therein and, in particular, the following: b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. k) The impediment or the hindrance or the repeated non-attention of the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679”. In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: "one. Each control authority will guarantee that the imposition of administrative fines with in accordance with this article for the infringements of this Regulation indicated in the sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each case individually, in addition to or as a substitute for the measures referred to in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount In each individual case, due account shall be taken of: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the treatment operation in question as well as the number of affected parties and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the data controller or processor, taking into account of the technical or organizational measures that they have applied by virtue of articles 25 and 32; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 111/137 e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the The person responsible or the person in charge notified the infringement and, if so, to what extent; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms approved under article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infraction”. For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD has: "one. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in the section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also may be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing personal. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the crime. infringement. e) The existence of a merger by absorption process subsequent to the commission of the infraction, that cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection delegate. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party”. In this case, considering the seriousness of the infractions found, the imposition of an administrative fine and the adoption of measures. In this regard, the fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In accordance with the precepts indicated, in order to set the amount of the penalties to impose in the present case, it is considered appropriate to graduate the fines of according to the following criteria: 1. Infringement of article 6 of the RGPD, typified in article 83.5.a) of the RGPD and classified as very serious for prescription purposes in article 72.1.b) of the LOPDGDD. The following graduation criteria are considered concurrent as aggravating: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 112/137 . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the operation of treatment in question as well as the number of interested parties affected and the level of damages they have suffered. . The nature and seriousness of the infraction, considering that the communication of data that is sanctioned is made to a third entity in a third country, and is carried out without the interested party having the opportunity to oppose it. In addition, this communication of data is related to online content in all the entity's products and services claimed and originates from requests made by the interested parties to that such content be removed. All this affects the ability to interested parties to exercise true control over their personal data. . In relation to the duration of the infringement, it is stated in the proceedings that the data communication had been taking place since before the entry into force of the RGPD, on 08/25/2018, and remains current. . The nature, scope or purpose of the processing operation to be process: the personal data included in the withdrawal requests online content are communicated by GOOGLE LLC to “Project Lumen” for its publication on a publicly accessible web page and for its publication available to the public, together with an explanation of the circumstances and reasons that in the opinion of the interested party would justify the withdrawal of the content in question and the documentation that supports said request, among which are those related to judicial processes, such as sentences. . The number of interested parties: the infraction affects requests from all products and services of an entity that has a global social implantation, as evidenced by the fact that the "Lumen Project" reports on its website that GOOGLE LLC is the entity that reports the most information to the project. . The damages suffered by the interested parties: taking into account all the circumstances set forth above, it is clear that the interested parties have seen their rights limited and the risks to their privacy increased. . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement". The negligence in the commission of the infraction on the part of the person in charge, since knows the consequences of the communication of data to the third party (article 83.2.b) GDPR). This negligence is appreciated, taking into account, on the one hand, the "nature and seriousness of the infraction” and the “nature and purpose of the operation of data treatment"; and, on the other hand, the level of professionalism in the treatment of the data that must be required from GOOGLE LLC. Regarding this last circumstance, the National High Court, in a Judgment of 10/17/2007 (rec. 63/2006), in relation to the entities whose activity has coupled with the continuous processing of customer data, indicates that "... the Court Supreme has understood that there is imprudence whenever it is neglected a legal duty of care, that is, when the offender does not behave with the due diligence. And in assessing the degree of diligence, it must be weighed especially the professionalism or not of the subject, and there is no doubt that, in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 113/137 case now examined, when the activity of the appellant is constant and abundant handling of personal data, it must be insisted on the rigor and exquisite care to adjust to the legal precautions in this regard”. It is a company that performs personal data processing of users of its products and services in a systematic and continuous way, as as the central object of its activity, and therefore must take extreme care in the compliance with its data protection obligations. . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the data processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32”. The imputed entity does not have adequate procedures in place for action processing of personal data, in what refers to the Use of information contained in content removal requests online, so that the infringement is not the result of an anomaly in the operation of these procedures but a defect in the management system of the personal data designed by the person in charge. This procedure is adopted by the defendant on its own initiative without meeting the regulatory provisions applicable. . Article 83.2.g) of the RGPD: “g) the categories of personal data affected by the infringement. The “Lumendatabase Links” examined in the proceedings include data personal of a sensitive nature. In addition, in general, in the case of online content removal requests, it cannot be ruled out that they may also be affected "Special categories of personal data", according to defines the RGPD in article 9. . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender with the processing of personal data”. The processing of personal data is the central objective of the activities and services developed by GOOGLE LLC and its level of implementation in our territory and population is global. . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement”. . The volume of data and processing that constitutes the object of the file. . The status of large company and volume of business of GOOGLE LLC. Considering the exposed factors, the valuation reached by the fine, for the Violation of article 6 of the RGPD, it is 5,000,000 euros (five million euros). 2. Violation of article 17 of the RGPD, typified in article 83.5.b) of the same C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 114/137 Regulation, classified as very serious for prescription purposes in article 72.1. k) of the LOPDGDD. . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the operation of treatment in question as well as the number of interested parties affected and the level of damages they have suffered. . The nature of the infraction, since the lack of attention to the right of deletion affects the ability of the interested parties to exercise a true control over your personal data. . The number of interested parties: the infringement affects all the interested parties that have exercised the right of deletion or intend to do so, very numerous considering the level of implementation of the claim. . The nature of the damage caused to the interested persons, which see neglected one of their basic rights in terms of protection of personal data and increased risk to your privacy. . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement". This negligence is appreciated, taking into account, on the one hand, the "nature and seriousness of the infraction” and of the damages caused; and, on the other hand, the level of professionalism in the processing of data that must be required of GOOGLE LLC. . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the data processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32”. The imputed entity does not have adequate procedures in place for performance in the collection and processing of personal data, in what refers to the management of requests for the exercise of rights, so that the infringement is not the consequence of an anomaly in the functioning of said procedures but a defect in the personal data management system designed by the person in charge. Said procedure was adopted by the respondent to own initiative. . Article 83.2.g) of the RGPD: “g) the categories of personal data affected by the infringement. The requests for deletion of personal data referred to in the actions include personal data of a sensitive nature. Also, with In general, in the case of requests for the removal of online content, it can be ruled out that they may also be affected “Special categories of personal data”, as defined by the RGPD in article 9. . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender with the processing of personal data”. The high link between the activity of the offender and the performance of treatment of personal data, taking into account the reasons already expressed when exposing the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 115/137 prior offense ranking factors. . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement”. . The volume of data and processing that constitutes the object of the file, taking into account the level of information that the requested person has accessing its services. . The status of large company and volume of business of GOOGLE LLC. Considering the exposed factors, the valuation reached by the fine, for the Violation of article 17 of the RGPD, it is 5,000,000 euros (five million euros). It should be noted that GOOGLE LLC, in its pleadings brief at the opening of the procedure has not made any statement about the graduation factors indicated in the start-up agreement, related to the scope of the operation of processing and the number of data subjects affected, the intent or negligence in the commission of the infraction, and the linking of the activities and services developed by GOOGLE LLC with the processing of personal data. And in his arguments to the motion for a resolution, in relation to the factors previously valued, it limits itself to stating, without further explanation, that it "rejects In its whole". On the other hand, according to the factors and circumstances exposed, it is not possible to admit the request made subsidiarily by GOOGLE LLC to sanction "for the amount of the corresponding sanction in its minimum degree”, considering that, At the request of the respondent herself, "Lumen" has anonymized the requests for withdrawal of content identified in these proceedings or withdrawn publication in some cases; that GOOGLE LLC does not derive any commercial benefit or income as a result of these communications; and which is currently in process of reviewing its practices in relation to the communication of requests for removal of content to “Lumen”. This approach was already rejected in the motion for a resolution for the reasons following: . The anonymization of the information published in "lumendatabase.org" of the "Links" included in the claims do not change the underlying fact of the infringement, as is the communication of the data to the "Lumen Project" without a legitimate basis. In this regard, GOOGLE LLC has argued that mitigating circumstances, for definition, do not change the fact that an infringement has occurred, but rather They help mitigate the offender's responsibility for the offense committed. In the opinion of this Agency, in this case, the circumstance invoked as mitigating, as is the request for anonymization made by the claimed to the "Lumen Project" it does not contribute to mitigating the responsibility of the offender. It must be emphasized that the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 116/137 infraction is determined by the communication of data to "Lumen" and not by the dissemination of these data by the third party assignee. GOOGLE LLC has not taken any measure to mitigate the effects of that communication of data to Lumen that could influence the graduation of the sanction. . The absence of benefits cannot be measured exclusively in terms commercial or monetary. In addition, being a company that bases its activity in the processing of personal data, it cannot be said, without further accreditation, that obtain commercial benefits. This Agency does not share the position defended by GOOGLE LLC in its allegations to the proposal, according to which in order not to apply this mitigation, the Agency must prove that the defendant has obtained benefits, especially considering that it is GOOGLE LLC who has requested the assessment of this circumstance as extenuating. This Agency understands that the graduation factors must be derived clearly from the actions so that they can be considered in the quantification of the sanction. In any case, article 76.2 of the LOPDGDD, in its letter c), includes among the criteria that must be weighed when setting the amount of the sanction “the benefits obtained as a consequence of the commission of the infraction” and not the absence of these benefits. In this regard, the AN Judgment of 05/05/2021, rec. 1437/2020, refers to the need for the de facto “budget” contemplated in the norm to concur in order to that a certain graduation criterion can be applied, and, as has been said, the absence of benefits is not among the circumstances regulated in the cited article. In this Judgment it is indicated: “…the fact that the budget for its application entails that it cannot be taken into consideration, but does not imply or allows, as the plaintiff claims, its application as a mitigating factor”. This graduation criterion is established in the LOPDGDD in accordance with the provisions in article 83.2.k) of the RGPD, according to which administrative fines will be imposed taking into account any “aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infraction”, it being understood that avoiding a loss has the same nature for these purposes as a gain. If we add to this that the sanctions must be effective "in each individual case", proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD, admitting the absence of benefits as a mitigating factor is not only contrary to the presuppositions of facts contemplated in article 76.2.c), but also contrary to what is established in article 83.2.k) of the RGPD and the indicated principles. Thus, assessing the absence of benefits as a mitigating factor would nullify the effect dissuasive of the fine, to the extent that it reduces the effect of the circumstances that effectively affect its quantification, reporting to the person in charge a benefit to the that has not been deserved. It would be an artificial reduction of the sanction that can lead to understand that violating the norm without obtaining benefits, financial or of the type Whatever it may be, it will not produce a negative effect proportional to the seriousness of the act C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 117/137 offender. In any case, the administrative fines established in the RGPD, in accordance with the established in its article 83.2, are imposed based on the circumstances of each individual case and, at present, the absence of benefits is not considered to be a adequate and decisive grading factor to assess the seriousness of the behavior offending Only in the event that this absence of benefits is relevant to determine the degree of unlawfulness and culpability present in the specific infringing action may be considered as a mitigating action, in application of article 83.2.k) of the RGPD, which refers to “any other aggravating or mitigating factor applicable to the circumstances of the case. . The measures "in process" or "complementary" are insufficient to "put remedy to the infringement and mitigate the possible adverse effects of the infringement”, according to the terms of article 83.2.f) of the RGPD, or “to mitigate the damages suffered by the interested parties”, according to section 2.c) of the same article. GOOGLE LLC considers that this reasoning of the Agency discourages the taking measures aimed at reinforcing the protection of the rights of data subjects and It adds that, although they do not remedy the infringement, they can be configured as mitigating factors. Being as the claimed one says, that is, if the measures do not remedy the infraction, it is It is clear that such measures do not comply with the regulatory provision regulated in the aforementioned article 83.2, sections c) and f), which requires that remedy of the infraction, or mitigate adverse effects or mitigate damage. In this case, the measures that GOOGLE LLC says it plans to implement are not aimed at mitigating the damage of the data communications already made to the "Lumen Project". In addition, the adoption of measures, without further ado, cannot have the mitigating effects intended without a clear analysis of their suitability. On the other hand, in the allegations to the proposed resolution, GOOGLE LLC has requested that the sanction be reduced considering that the infractions are reduced to the processing of personal data attributable to said entity in Spain and to the products and services provided by GOOGLE IRELAND LTD and not by GOOGLE LLC. However, it is obvious that these circumstances have already been considered when define the object of the procedure, as was well exposed in the foundations of previous right. Finally, in relation to the sanction for non-compliance with article 17 of the RGPD, The respondent states that the advertising carried out by the AEPD of the “Google” forms should be considered a mitigating circumstance under art. 83.2 (k) RGPD, which directly mitigates the malicious or negligent behavior of the entity. Regarding this issue, it is worth referring to what was expressed in the Basis of Right VII to dismiss the legitimate expectations alleged by GOOGLE LLC, in the that it is sufficiently reasoned that the responsibility for the repeated forms is exclusive to GOOGLE and that responsibility is not modified by the links C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 118/137 to the online content removal forms embedded in the information offered by this Agency on its website. X The infractions committed may lead to the imposition of the person responsible for the adoption of appropriate measures to adjust its actions to the aforementioned regulations in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to which each control authority may "order the person in charge or in charge of the treatment that the treatment operations comply with the provisions of the this Regulation, where appropriate, in a certain way and within a specified period…”. Thus, it is appropriate to require the responsible entity, GOOGLE LLC, to cease the infringing conduct and adapt to the personal data protection regulations the treatment operations carried out, in relation to the communication of data to the "Lumen Project", and the processes of exercise and attention to the right of suppression, in in connection with requests to remove online content from its products and services, as well as the information offered to its users regarding both issues. All this, with the scope expressed in the Foundations of Law of the this agreement and referred to users of its products and services of "Google" in the Spanish territory. Likewise, GOOGLE LLC must correct the effects of the infringement committed, which entails the deletion of all personal data that has been the subject of a request for the right of deletion not duly attended due to the communication of data to the "Lumen Project", as well as the obligation to urge this I project the deletion and cessation of the use of personal data that GOOGLE LLC has communicated to you on the occasion of a data deletion request personal. GOOGLE LLC must provide the means of proof of compliance with the required. (...). (...): . (…) . (...). . (...). There is no complete and sufficient information on these exceptions for can be properly valued. In any case, this procedure is not the adequate framework for analysis. This Agency considers, on the other hand, that the aforementioned actions, given the evidence obtained in this case, are a requirement of the principle of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 119/137 proactive responsibility and diligence regarding compliance with the regulations of data protection that should be expected from an entity such as GOOGLE LLC and that the RGPD itself expressly imposes, including the obligation to review and update the organizational measures that guarantee the adequacy of your data processing with the GDPR. GOOGLE LLC has indicated that its responsibility in relation to the measures arranged is limited, in Spanish territory, to communications of requests for withdrawal to Lumen related to personal data present in the information indexed and displayed in the “Google Search” and “Google Maps” services. However, this does not coincide with what was stated by the entity GOOGLE LLC itself, that has been declared responsible for the communication of data related to online content removal requests to “Project Lumen”. It is warned that not meeting the requirements of this organization may be considered as a serious administrative infraction by “not cooperating with the Authority of control” before the requirements made, being able to be valued such behavior to the time of the opening of an administrative sanctioning procedure with a fine pecuniary Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the entity GOOGLE LLC, with NIF 770493581, for a infringement of article 6 of the RGPD, typified in article 83.5.a) and qualified as very serious for prescription purposes in article 72.1.b) of the LOPDGDD, a fine for an amount of 5,000,000 euros (five million euros). SECOND: IMPOSE the entity GOOGLE LLC, for a violation of article 17 of the RGPD, typified in article 83.5.b) of the same Regulation and qualified as very serious for prescription purposes in article 72.1.k) of the LOPDGDD, a fine for an amount of 5,000,000 euros (five million euros). THIRD: TO REQUIRE the entity GOOGLE LLC so that, within a period of six months, counted from the notification of this resolution, adopt the measures necessary to adapt to the personal data protection regulations treatment operations and the procedures for exercising the right object of the actions, with the scope expressed in the Basis of Law X. Likewise, in The text of the resolution establishes the infractions committed and the facts that have given rise to the violation of data protection regulations, of which clearly infers what are the measures to be adopted, without prejudice to the fact that the type of procedures, mechanisms or specific instruments to implement them corresponds to the sanctioned party, since it is the data controller who fully knows your organization and has to decide, based on the responsibility proactive and risk-focused, how to comply with the RGPD and the LOPDGDD. FOURTH: NOTIFY this resolution to the entity GOOGLE LLC. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 120/137 FIFTH: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 76.4 of the LOPDGDD and given that the amount of the sanction imposed is greater than one million euros, it will be subject to publication in the Official State Gazette of the information that identifies the offender, the offense committed and the amount of the penalty. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 121/137 notification of this resolution would end the precautionary suspension. 938-150222 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 122/137 APPENDIX 1 “GOOGLE” PRIVACY POLICY a) PRIVACY POLICY, UPDATE OF 05/25/2018: “The objective of this Privacy Policy is to inform you about what data we collect, why we collect them and how you can update, manage, export and delete them. Google develops a variety of services that allow millions of users to explore the world and interact with it differently on a daily basis. These services include: . Google apps, websites and devices, such as Google Search, YouTube and Google Home. . Platforms, such as the Chrome browser and the Android operating system. . Products that are integrated into third-party applications and websites, such as advertisements and embedded maps from Google Maps. You can use our services in different ways to manage your privacy. For For example, if you want to create and manage content, such as emails and photos, or check most relevant search results, you can sign up for a Google. You can also use various Google services after you've closed logged into your account or without even creating one, such as by making a searching on Google or watching videos on YouTube. You can also surf the Internet privately in Chrome with incognito mode. Also, you can adjust the settings privacy policy on all of our services to control what information we collect and how we use it”. “We use the information we collect from all our services with the following purposes: . Provide our services... . Maintain and improve our services… . Develop new services... . Offer personalized services, including content and ads… . Measure performance... . Communicate with you... . Protect Google, our users and the general public… We will ask for your consent before using your information for a purpose that is not include in this Privacy Policy”. “Your privacy controls You can choose what information we collect and how we use it. This section describes the main controls that allow you to manage privacy in all our services. You can also access the “privacy review” to Check and modify important privacy options. In addition to these tools, we offer specific privacy features in our products. you can get more information in the "guide to privacy in Google products". Manage, review and update your information If you are logged in, you can review and update the information whenever you want accessing the services you use. For example, Photos and Drive are designed to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 123/137 help you manage specific types of content you've saved to Google. We have also created a space where you can review and control the information you have saved in your Google Account. Your “Google Account” includes: . privacy controls . Activity controls. Decide what type of activity you want to save to your account... . Ad settings… You can modify your interests, decide if your information personal is used to show you more relevant ads… . Over you. Control the information that other users see about you on the Services. Google. . Shared recommendations. Decide if you want your name and photo to appear together to your activity, such as reviews and recommendations shown in ads. . Data shared by you. Control who you share information with through your account on Google+. . Ways to review and update your information . My Activity. It allows you to review and control the data that is created when you use the Google services, such as searches performed or visits to Google Play. Can you consult by date or by topic and delete the activity partially or completely. . Google Dashboard. It allows you to manage the information associated with products specific. . Your personal information. Manage your contact information, such as name, email address and phone number. By logging out, you can manage the information associated with your browser or your device, including the following: . Search customization without logging in… . Youtube settings: pause and delete your “search history” … and from "reproductions"... . Ad Settings… Export, withdraw and delete your information... You can also "request content to be removed" from certain Google services by in accordance with applicable laws. To delete your information, you can: . Remove your content from “specific Google services”. . Search for specific items and remove them from your account using “My Activity”. . “Remove specific products from Google”, including your information associated with those products. . "Delete your Google Account completely." Finally, you can use "Inactive Account Manager" to allow other users access to parts of your Google account in case you cannot use it properly unexpected. You can use other methods to control the information that Google collects whether you have signed in to a Google Account as if not, for example: . Browser settings… . Device configuration…”. “Sharing your information… When Google shares your information We do not share your personal information with companies, organizations or individuals outside of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 124/137 Google except in the following cases: . Consent. We will share personal information outside of Google if we have with your consent... . External treatment. We provide personal information to our affiliates and other trusted companies and people to treat it on our behalf… . Legal reasons. We will share personal information outside of Google if we believe in good faith that it is reasonably necessary to access that data or use, retain or disclose them for the following purposes: . Comply with any requirement provided for in the applicable law or regulation or to attend a legal process or a requirement of a competent authority… . Comply with applicable Terms of Service, including investigation of potential infractions. . Detect, prevent or otherwise solve fraud or security or technical problems. . Protect Google, our users and the general public from damage to their rights and property or your safety to the extent required or permitted by law. We may share non-personally identifiable information publicly and with our partners, such as publishers, advertisers, developers or rights holders. For For example, we share information publicly to show trends about usage Overview of our services. We also allow certain partners to collect information from your browser or device for measurement and advertising purposes through their own cookies or similar technologies…”. “Export and delete your information… In some cases, we retain data for limited periods for legal or regulatory purposes. legitimate business…” When does this policy apply? This Privacy Policy applies to all services offered by Google LLC and its affiliates… This Privacy Policy does not apply to services that are subject to separate privacy policies that do not incorporate this Privacy Policy.” “Other Helpful Resources Below are links to helpful resources that offer more information about our privacy practices and settings. . “Your Google Account” houses many of the options you can use to manage your account. . The “privacy checkup” guides you through the most important privacy options for your Google account. . The "Google Security Center" offers advice on protection and security. . The "Google privacy website" provides you with more information on how We keep your information private and secure…” b) PRIVACY POLICY, UPDATE OF 01/22/2019: It includes the same sections transcribed above and expressed in the same terms (except for the reference to "Google's privacy website" which has been deleted in the “Other useful resources” section), but this update added the following section: 28001 – Madrid 6 sedeagpd.gob.es, 125/137 “European requirements If the data protection regulations of the European Union are applicable to the treatment of your information, we will provide you with the controls described in this policy so that You can exercise your right to request access to your data, update them, withdraw them and restrict your treatment. You also have the right to object to the processing of your information or to export it to another service. The person responsible for processing the data of users with habitual residence in the European Economic Area or Switzerland is Google Ireland Limited, unless otherwise noted. otherwise in a service-specific privacy notice. In other words, Google Ireland Limited is the associated entity of Google responsible for the processing of your data and the compliance with applicable privacy laws. We treat your information for the purpose described in this policy in accordance with the following legal bases: Consent We request your authorization to treat your information for certain purposes and you have right to revoke your consent at any time. For example, we ask your consent to offer you personalized services, such as advertisements. We also ask for your consent when we collect your voice and audio activity for speech recognition. You can manage these options in your “Google account”. In the exercise of legitimate interests We process your information to achieve our legitimate interests and those of third parties and, by At the same time, we apply adequate protection measures to guarantee your privacy. This means that we treat your information with the following objectives: . Provide, maintain and improve our services to meet the needs of our users. . Develop new products and features that are useful to our users. . Know how users use our services to ensure and improve their performance. . Customize our services to offer you a better user experience. . Promote our services to users. . Offer advertising so that users can freely access many of the our services. . Detect, prevent, or otherwise remedy fraud, abuse, and security issues or technicians related to our services. . Protect Google, our users and the general public from damage to their rights and property or your safety to the extent required or permitted by law, including disclosure of information to government authorities. . Conduct research to improve our services to users and benefit the general public. . Fulfill obligations to our partners, such as developers and license holders Rights. . Respond to legal claims, including investigation of potential privacy violations the applicable terms of service. To provide a service We treat your data to provide a service that you have requested under a contract. For For example, we process your payment details when you buy more storage for Google Drive. To comply with legal obligations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 126/137 We will treat your data to comply with a legal obligation that requires it, for example, to respond to a legal process or a requirement of a competent authority. If you have any questions, "you can contact Google and our office of Data Protection". You can also contact your data protection authority local data if you have any questions about your rights under local law.” c) PRIVACY POLICY, UPDATE OF 03/31/2020: The sections included in this version coincide with those of the previous one and are expressed in the same terms, except for the reference to the offer of advertising in exercise of legitimate interests, which is expressed as follows: “Google shows advertising, which allows many of its services to be free (in the case of personalized ads, we ask for your consent)”; although this update has incorporated a new section related to “Data Conservation”. “Keep your data Google keeps the data it collects for different periods of time depending on the type data they are, how Google uses them, and how you configure your settings. . There is data that you can delete whenever you want, such as the content you create or upload. You can also delete information about the activity saved in your account or have automatically deleted after a certain period. . Other data is automatically deleted or anonymized after a period determined, such as advertising data in server logs. . There is data that Google keeps until you delete your account, such as information about the how often you use Google services. . There is also data that Google retains for longer periods to legitimate legal or business purposes, such as security, fraud prevention and abuse or preservation of financial records. When you delete data, Google follows a process to make sure your data is deleted completely and securely from our servers or to be kept only for anonymously. Google tries to ensure that its services prevent information from being accidentally or maliciously deleted. For this reason, delays may occur from the time you delete content until the copies disappear from the active systems and backup systems. You can get more information about Google's "data retention periods", including how long it takes to delete your information.” d) PRIVACY POLICY, UPDATE OF 07/01/2021 (VERSION CURRENT): The sections included in this version coincide with those of the previous one, dated 03/31/2020 and are expressed in the same terms, except in the following aspects: . In the “Privacy controls” section, the indication “Shared data for you. Control who you share information with through your Google+ account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 127/137 . In the "European requirements" section, the information about the person in charge of the treatment and on the treatment of the data based on the consent of the interested is as follows: Unless otherwise stated in a service-specific privacy notice, the responsible for the treatment of your information depends on the place where you are: . Google Ireland Limited for users of Google services located in the European Economic Area or in Switzerland. . Google LLC for users of Google services located in the United Kingdom United. Google LLC is the data controller for the information indexed and displayed on services like Google Search and Google Maps, regardless of your location. “Google requests your authorization to process your information for certain purposes, and You have the right to revoke your consent at any time. For example, you are asked consent to provide you with personalized services, such as advertisements based on your interests. We also ask for your consent when we collect your voice and audio activity. for voice recognition. You can manage these settings in your Google account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 128/137 APPENDIX 2 “WITHDRAWAL PURSUANT TO THE EU PRIVACY LAW” FORM. “Withdrawal under EU privacy law Form to request the withdrawal of personal information For privacy reasons, you may have the right to request the removal of certain personal information related to you. With this form, you can request that certain results be removed from Search from Google returned in queries that include your name. Google LLC is responsible for treatment of personal data when determining the results that are shown in Google Search and to manage removal requests submitted through this form. If you want to request that personal information be removed from another Google product, please submit a request through the form of that product, which you can find on the page “How to remove content from Google. For example, if you want to request the withdrawal of information Blogger staff, please submit a request via the appropriate Blogger form… Your information… (This section includes fields enabled for the applicant to provide their data relating to country of origin, name and surname, email address, as well as to indicate whether acts on their own behalf or on behalf of another person (client, relative, friend or others). For this case, it informs that the applicant must have legal authority to act on behalf of the principal and that Google may request documentation confirming that legal representation). Identify the personal information you want removed and its location If this notification is related to multiple grounds that have been the subject of a violation, send only the first one below. Then click on the link "Add a new group" that appears below the text boxes to add another pattern. The URLs of the content that includes the personal information you want to remove… (space to indicate the URL) Enter a URL on each line (1000 lines maximum). Reason for deletion For each of the URLs you provide, you must indicate the following: (1) how the personal information identified above is related to the individual in whose name you submit this application; Y (2) why you think this personal information should be removed For example: "(1) This page is related to me because a, b and c. (2) This page should be removed because x, y and z”. (space to indicate reasons for deletion) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 129/137 Add a new group (10 groups maximum) Name used to perform searches * This should be the name that, if used as a search query, produces the results you want to remove from the registry. If you want to submit multiple names (for example, if your maiden name is different from the one you use now), use a forward slash ("/") to separate them. For example, "Ana Garcia / Ana Diaz." (space to indicate the name used to perform searches) Declared jurisdictions Please read the following statements and check their boxes to confirm that you have read them and you accept ( ) I have read and confirm that I have understood the explanation of the treatment of the information personnel I send, as described below: Google LLC will use the personal information you provide in this form (such as your address email address and all identification data) and the personal information you submit in other messages to process your request and comply with our legal obligations. Google may share information from your request with data protection authorities, but only if they request it to investigate or review a decision Google has made. This This usually happens if you have contacted the national data protection authority in relation to our decision. If, due to your request, URLs have been removed from our search results, Google may provide information to webmasters of those URLs. Please note that if you are signed in to your Google account, we may associate your request to that account. ( ) I declare that the information on this application is accurate and that I am authorized to submit it. ( ) I understand that Google LLC will not be able to process my request if the form has not been filled out correctly or if the application is incomplete. Signature… Send (button)”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 130/137 ANNEX 3 1. INFORMATION AVAILABLE ON THE “LUMENDATABASE.ORG” WEBSITE, "ABOUT" SECTION. “Lumen is a project of the Berkman Klein Center for Internet & Society at the University of Harvard. Lumen is an independent research project that studies termination letters and withdrawal related to online content. We collect and analyze requests to remove material from the web. Our goals are to facilitate research on the different types of complaints and removal requests, both legitimate and questionable, that are sent to Internet publishers, search engines and service providers, and provide as much transparency as possible about… such notices, in terms of who sends them and why, and with what effect… Lumen is not the original sender or recipient of requests and notices within its database… Lumen documents the notification and removal process… reporting that notice or request was sent and received, by whom and for whom, and with respect to what online content. Lumen has no more information about a particular notice than what is is present in a notice and cannot provide contact information for senders or recipients of the notice. We also cannot provide legal advice. … the database now includes complaints from all varieties, including brands registered, defamation and privacy, national and international, and court orders. The Lumen's database grows by more than 40,000 listings per week, with submissions volunteers provided by companies like Google… By the end of 2021, the project houses more than eighteen million ads, referencing about four thousand five hundred millions of URLs. In 2021, the project website was visited more than nineteen million times. times by more than a million unique users from virtually every country in the world… Contact Us… You can also send notices by mail: Lumen The Berkman Klein Center for Internet and Society 23 Everett St. Cambridge, MA 02138”. 2. INFORMATION AVAILABLE ON THE “LUMENDATABASE.ORG” WEBSITE, "LEGAL NOTICE" SECTION. "Legal notices Neither the Lumen website nor the Lumen team can provide legal advice individual: we cannot analyze your particular website or activity, or a takedown notice received… What we can do is help present the problems as they are. lawyers think about them, and answer general questions… We hope that the database in as a whole is a useful resource... Please note that the presence of a notice in the Lumen database does not mean that Lumen has made no judgment as to the validity of the statements it makes, or that it has 28001 – Madrid 6 sedeagpd.gob.es, 131/137 authenticated…All notices and requests in the Lumen database have been voluntarily shared with us by the companies or persons responsible for send or receive the notices originally. Therefore, we generally present notices in how they have been shared with us. …In some cases, at the request of the entity that shared a notice with Lumen…we may remove a notice from our public database..." 3. INFORMATION AVAILABLE ON THE “LUMENDATABASE.ORG” WEBSITE, “RESEARCHERS” SECTION. “Lumen tools for researchers An introduction to Project Lumen What is Lume? Lumen is an independent research project that studies termination letters and withdrawal related to online content. We collect and analyze requests to remove material from the web. Our goals are to educate the public, facilitate research on the different types of complaints and removal requests, both legitimate as questionable, which are sent to Internet service providers and publishers, and provide as much transparency as possible about the “ecology” of such notices, in terms of who sends them and why, and with what effect… …focused initially on applications filed under the Copyright Act author of the United States digital millennium. As the Internet and its use have evolved, so has Lumen, and the database now includes complaints from all the varieties, including trademarks, defamation and privacy, national and international, and court orders. Lumen database grows by over 40,000 ads per week, with voluntary submissions provided by companies like Google... As of summer 2019, the project hosts approximately twelve million ads, referencing nearly four billion URLs. In 2018, the project website was visited more than ten million times by users from practically every country in the world. world… A notice or job contains "[redacted]": what is missing? Lumen staff make a good faith effort to review and redact any notice potentially confidential information received by the project in order to eliminate confidential or staff of the text of the notices. Such information may include telephone numbers, email addresses or allegedly defamatory content. Also, one person or company that submits a notice directly to the Lumen database may have decided not to share with Lumen, or keep private, certain information in the notice. Finally, Lumen runs automated processes to remove certain information confidential notices and job descriptions of your associates when possible. Please note that for DMCA notices, Lumen does not normally remove the name of the rights holder making the request or the URL(s) of the material claimed. Without the location of the reported material and the complainant, the notices do not make sense from a perspective of transparency or investigation, not to mention that they do not offer information about the possible misuse of takedown notices as a vehicle for censorship. When a business shares copies of court orders it has received with us, 28001 – Madrid 6 sedeagpd.gob.es, 132/137 Lumen generally displays those orders in the form that they have been shared with Lumen and further makes a good faith effort to do so in accordance with applicable law of the jurisdiction from which the order arose. United States court orders, unless that they are sealed, they are public documents... Who is Lumen for? Lumen is designed for casual use by both curious lay Internet users about an ad they may have come across, perhaps in the news, or out of interest staff…as well as by journalists, NGOs, policymakers, academics, and other researchers law firms conducting more in-depth and focused research or studying broader trends extensive on the removal of online content… If you or your organization are interested in conducting your own journalistic investigation, academic, legal, or policy-focused, or if you have more ideas about how we can improve the database and its interfaces, email us at team@lumendatabase.org. see a notice For non-investigators, Lumen currently offers access to a full notice by email address every twenty-four (24) hours. Submit an email address email through the request form will provide a single-use URL for that particular notice that will display the full content of the notice. Access through this URL will last for 24 hours. See here for more details. How does it work? Most users will find that the web interface will be sufficient to navigate and discover within the database. However, for those who need to access large amounts of data for your research, or for those interested in submitting copies of takedown notices to Lumen, we offer our API. Read on to get more information. Basic facts about the API and the database API Documentation Lumen API documentation can be found here… Database search Most users will find that the web interface will be sufficient to navigate and discover within the database. However, for those who need to access large amounts of data or create automated processes to digest trends in data, we offer our new API. The search in the database, either through the web interface or with the API, is performed using a full text search. The default search is to search all possible warning fields and facets. Searches can also be refined based on specific segments of the database or specific facets of the data. see the documentation for applicable notification parameters and metadata. Query the database with the API Get an API key C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 133/137 An authentication key is needed to query the database at will via the API. Please contact Lumen staff at team@lumendatabase.org to have provide you with one. API queries to the database sent without a token are will limit to the first 25 results and 5 requests per day... Running these search queries through the API will allow you to search over a period of time, as well as download the search results to use and reuse them in the Applications. You can find a full list of search parameters here. Request for a playlist The database classifies the notices in one or more themes, of which you can add more over time. Certain topics are classified as subtopics of a larger root topic and complete. For example, such as "DMCA", "fair use" and "anti-circumvention" all fall under "Copyright". Each topic has a unique numerical ID in the database… Looking for the notices In the web interface, above a certain number of results, the results will be paginated of your search. By default, results are sorted by relevance falling. Full-text search results contain the same data as notices requested individually, with the addition of a punctuation field that articulates the relevance of the result to the query term; higher numbers are more relevant. Terms are joined with an 'O' by default. Bulk download of results To better manage your resources, Lumen limits requests to its API, as well as the use of the web-based user interface. For those interested in less access restricted to the database via the API, see "Getting an API key"…”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 134/137 ANNEX 4 1. INFORMATION AVAILABLE ON THE “LUMENDATABASE.ORG” WEBSITE, DOCUMENT “BASIC CONCEPTS OF THE INFORMATION OF THE NOTICE OF LUMEN”. “Every takedown notification and takedown request in the Lumen database is there because one of the parties involved in sending or receiving the notification (usually usually, but not always, your receipt) has chosen to share a copy of that notice with lume. That being the case, Lumen only has the information that the sharing entity has chosen to share with Lumen regarding that notice… Our automated redaction processes seek to identify and remove the following: Emails electronics Telephone numbers Other forms of identification number (for example, Social Security numbers, national ID) Lumen also makes a good faith effort not to display the mailing addresses of persons who are the senders or recipients of the notices if that information has been included in a notice... Generally, Lumen does NOT remove the names of the person or entity that owns the rights in question that the notice seeks to exercise. DMCA Notices In general, when Lumen receives a DMCA notice, it displays the notice as received. Lumen, subject only to the automatic redactions described above. This means that Lumen displays the name of the requesting rights holder on the as it originally appeared in the notice sent. Lumen usually too displays the URL location(s) of the reported material, albeit truncated to the domain of top level of the URL text. We include claimed URLs as raw text only and we use robots.txt to request that the URLs, as well as all the content of the pages of notification, are not indexed by search engines. Without the location of the material reported and the identity of the reporting person, the notices are meaningless from the perspective of investigation or public transparency, not to mention that they do not offer information on the potential misuse of takedown notices as a vehicle for censorship or other purposes. libel notices Lumen displays the defamation notices it receives in the form it receives them, but it does a good faith effort to remove any allegedly defamatory language that may have been included... court orders United States court orders are publicly available documents and therefore Lumen generally shares them in the form in which they were received, without censorship. For court orders issued from jurisdictions other than the United States United States, Lumen makes a good faith effort to draft them in a manner consistent with the relevant legal restrictions of the jurisdiction in question… Google Google is the largest sender of Lumen both by total ad volume and by number of possible types of notices. Below is an updated list of 28001 – Madrid 6 sedeagpd.gob.es, 135/137 types of ads Google has chosen to share with Lumen, sorted by ad type (DMCA, defamation, circumvention, etc.) and a list of the various Google products (search, blogger, images, etc.) for which Google may receive notices that it then share with Lumen. Types of Ads that Google shares with Lumen DMCA Elusion Falsification court orders Defamation Notices Based on Laws Outside the US - "Local Law" A list of Google products for which Lumen may have notices related blogging Drive and Documents Google URL Shortener groups image search Search sites Relevant Google Ad Types DMCA NOTICES As described above, Google's DMCA notices, like all DMCA notices DMCA on Lumen, are posted in the form in which they were originally submitted. Lumen makes a good faith effort to remove personally identifiable information other than the Sender's name, which will be displayed in the form in which it was shared with Lumen. ELUSION Circumvention notices Lumen receives from Google are published in the form in which they were sent originally. Lumen makes a good faith effort to remove information from personal identification other than the Sender's name, which will be displayed on the form in which was shared with Lumen. COUNTERFEITING (as of June 2020) Google's help page on this topic describes these notices as follows: “Upon notice, Google will remove websites selling counterfeit products from our search results. Counterfeit products contain a trademark or logo that is identical to or substantially indistinguishable from another's trademark. imitate the brand characteristics of the product in an attempt to impersonate a product genuine from the brand owner. This policy only applies to specific web pages that sell counterfeit products and does not apply to trademark issues not falsified. If complaints under this policy are not limited to websites that sell counterfeit products, future complaints may be restricted from submitting. COURT ORDERS Google shares with Lumen copies of court takedown orders it receives, both from U.S. domestic and foreign courts. As described above, U.S. court orders, unless sealed, are public record, and those court orders are served on Lumen in the form Lumen receives them from Google. Yes Google is prohibited from sharing the content of a court order it has received, that is explicitly stated in the text of the notice. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 136/137 Lumen makes a good faith effort to draft foreign court orders that are shared with Lumen in accordance with any applicable local law in the jurisdiction of origin of the order. These redactions will generally include names, addresses, and other forms of PII, and may include aspects of the URLs in question. The other newsrooms that are present in a document may vary from country to country. DEFAMATION NOTICES As a matter of internal Google policies, Google does not share names with Lumen. of the senders of defamation notices. Also, if the name of a Sender/Principal appears in some form within one of the claimed URLs that are the subject of the notice, or within any text within the prompt, that text will also be removed. For example, an original URL of https://www.blogger.com/JohnQPublicistheworst.com would be shared by Google with Lumen as https://www.blogger.com/[removed]it's the worst.com In addition, Google does not share with Lumen the text entered by a complainant in the “To ensure specificity, quote the exact text…” field in the Google web form. Text entered by a whistleblower in the "Please explain in detail why you believe the content of the above URLs is illegal, citing specific legal provisions whenever possible". Google shares the web form field with Lumen and is displayed as part of the notice in Lumen as is, subject solely to Lumen's automatic redaction processes. Please note that if the subject of the alleged defamation is not the sender of the notice, the that subject's name will not be automatically removed from the notice. Notify Lumen if the name of the allegedly defamed person is still present in a notice. NOTICES AND COURT ORDERS SENT TO GOOGLE REGARDING LAWS OUTSIDE THE UNITED STATES - "Local Law" Notices sent to Google from Senders in countries other than the United States States are generally governed by the local law of the country of origin. In such cases, in addition to Lumen's good faith effort standard redactions, redactions are made in accordance with in accordance with applicable local law in the jurisdiction of origin of the order. these redactions will include names, addresses, and other forms of PII, and may include aspects of URLs in question. The other redactions that are present in a document may vary from one country to country, as well as in accordance with Google's internal policy decisions, of which Lumen has no knowledge. OTHER TYPES OF NOTICES Please note that, at this time, Google does NOT share with Lumen the notices that receives from EU citizens as part of the so-called "Right to be Forgotten ("RTBF") or the notices sent through the Google form to report sexually. images explicit, which can be found here.*** https://support.google.com/websearch/troubleshooter/3111061#ts=2889054%2C2889099 Google sometimes indicates, by referring to a "placeholder" notice on Lumen, when you have received requests to remove material about which you cannot share more information. 1. https://lumendatabase.org/notices/18516 2. https://www.lumendatabase.org/notices/9415 [Germany] 3. https://lumendatabase.org/notices/10929 [UK] 4. https://lumendatabase.org/notices/11062657 [France] 5. https://www.lumendatabase.org/notices/15710816 [for notices not yet available at Lumen] 6. https://www.lumendatabase.org/notices/17158812 [Canada] 7. https://www.lumendatabase.org/notices/13678481 [Privacy grievances] 8. https://www.lumendatabase.org/notices/18639436 [AU] 9. https://www.lumendatabase.org/notices/18639403 [New Zealand] C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 137/137 10. https://lumendatabase.org/notices/20174812”. 2. Information available at the Internet address “https://support.google.com/websearch/troubleshooter/3111061#ts=2889054%2C2889 099”, included in the previous document, in the section “OTHER TYPES OF NOTICES”. It leads to an information document on the removal of information from “Google” : “Remove information from Google We realize that sometimes you may want content about you to be removed that you found on Google Search. In some cases, Google may remove links to information from Google Search. Important: Google Search displays information that has been collected from websites. Even if we remove content from Google Search, it may still exist on the web. This means that it will still be possible to find the content on the page that hosts it, the social networks, with other search engines or in other ways. For this reason, we recommend that you contact the webmaster of the site and ask them to remove the content. See how to contact a webmaster. If the website owner removes the information, it will eventually be removed from Search from Google as part of our regular update process. However, also you can notify us of outdated content using the takedown tool of outdated content. Personal information that will be removed by Google If you can't get a website owner to remove material from the site, Google may remove personal information that poses a significant risk of identity theft, financial fraud or other specific types of damage. The following articles provide information on the types of withdrawals available: . Remove non-consensual explicit or intimate personal images from Google . Remove Fake Porn Posted Without Consent From Google . Remove content about me from Google on sites where practices take place abusive removal of content . Remove financial, medical, and identification document information from Google national . Remove "doxxing" content; that is, content that exposes information from contact with intent to harm someone . Remove images of minors from Google search results We recommend that you consult the article corresponding to the type of content from which you you want to request withdrawal. If you believe your application meets the requirements described in that article, you can submit a content removal request as directed in that article. Other information Google will remove Google also removes content for specific legal reasons, such as privacy violations. DMCA copyright and child sexual abuse images. To request a removal of content for a legal reason, use the troubleshooting form legal”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es