AEPD (Spain) - E/10529/2021: Difference between revisions
Revision as of 22:12, 24 January 2023
AEPD - E-10529-2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 45 GDPR; Article 46 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 15.12.2022 |
Fine: | n/a |
Parties: | GOOGLE LLC; REAL ACADEMIA ESPAÑOLA; noyb – European Centre for Digital Rights |
National Case Number/Name: | E-10529-2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Carmen Villarroel |
The Spanish DPA dismissed a complaint regarding the use of Google Analytics by a Spanish public law institution, indicating that the controller did not process any data that could have identified a particular user, and that the controller had stopped using Google Analytics shortly after the Schrems II ruling, so there was no violation of Chapter V of the GDPR.
English Summary
Facts
Background
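About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II) the NGO noyb filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S. (see https://noyb.eu/en/101-complaints-eu-us-transfers-filed and https://noyb.eu/en/update-noybs-101-complaints-eu-us-data-transfers). In order to coordinate the work of all involved DPAs, the EDPB created a special task force (https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en).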
Complaint
On 18.08.2020, a data subject (represented by noyb) filed a complaint with the DSB against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents violated Articles 44 et. seqq. GDPR in light of the "Schrems II" ruling by transferring their personal data to Google LLC. As Google LLC qualifies as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4), it is subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens - such as the data subject - to them.
The complaint was filed against the Spanish Royal Academy (Real Academia Española, "RAE").
The controller alleged that it is a public law institution that uses Google Analytics tools solely and exclusively for fulfilling the general interest purposes that constitute its ultimate goal, which is to ensure the development, dissemination, proper use and update of the Spanish language; in order to achieve that, it is necessary to have access to statistical data related to the access and use of these instruments, and also to know its evolution and adaptation to the reality of the use of the language at any given moment (e.g. statistics related to the use of terms not included in the dictionary can allow a better knowledge of the evolution in the use of the language and the possible inclusion of such terms in the future).
Through the use of Google Analytics, the controller can know essential information related to the use of the language and its diffusion worldwide.
The controller also alleged that it only had access to aggregated data that did not allow for identification of users. The controller had no access to personal data whatsoever, nor IPs or any other information. Hence, no personal data was processed.
The controller also indicated that it had entered into a contract with Google LLC (Conditions for the Processing of Data) and that therefore the RAE was a controller while Google was a processor.
Furthermore, the controller alleged that it had only used the most basic functionalities of Google Analytics, guaranteeing the minimization of the use of data, so only aggregated data was processed.
Only the following data was gathered:
- Identification of the geographic area (city and country) from which the user accessed the website and statistics by country.
- Language.
- Source from which the visit originates.
- Statistical flow of visits to the Web Site.
- Statistical analysis of visits, offering percentages of recurrent or first access visits.
- Browser used for access.
- Type of mobile device used.
- Screen resolution of the device and its operating system.
Neither Google Signals nor Comparatives were activated.
On 08.09.2020, the AEPD verified that the code of the website included the creation and storage of Google Analytics cookies.
On 27.10.2021, the AEPD confirmed that such code was not on the website anymore.
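The HAR evidence quoted in the machine translation below can be read mechanically. The following is an added example, not part of the decision or of the GDPRhub summary: it parses the `collect` hit and the request's Cookie header and reports which parameters are per-browser identifiers, which describe the device, and whether the hit's `cid` is the same value stored in the `_ga` cookie. The function names, the field grouping and the reading of the second `cid` field as a creation time are this example's own assumptions; the hit and cookie values are copied from the quoted evidence, trimmed to the relevant fields.

```javascript
// Added example: audit one Google Analytics (analytics.js) hit from a HAR capture.
// Values are taken from the evidence quoted in the decision. The dt (page title)
// parameter is left out because the machine translation altered it.
const HIT_URL =
  'https://www.google-analytics.com/collect?v=1&_v=j83&a=1005550321&t=pageview&_s=1' +
  '&dl=https%3A%2F%2Fwww.rae.es%2F&ul=en-gb&de=UTF-8&sd=24-bit&sr=1920x1080' +
  '&vp=1903x716&je=0&_u=AACAAEAB~&jid=&gjid=&cid=345900854.1597222413' +
  '&tid=UA-44263049-1&_gid=1837808855.1597415922&z=1892337212';

// Cookie header of the page request, trimmed to the Google Analytics cookies.
const COOKIE_HEADER =
  '_ga=GA1.2.345900854.1597222413; cookie-agreed=2; has_js=1; ' +
  '_gid=GA1.2.1837808855.1597415922; _gat=1';

// Grouping chosen for this example; parameter names follow Google's
// Measurement Protocol parameter reference.
const FIELD_GROUPS = {
  identifier: ['cid', 'uid', '_gid'],            // pseudonymous browser / user IDs
  property: ['tid'],                             // which GA property receives the hit
  page: ['dl', 'dt', 'dr', 'dp'],                // URL, title, referrer, path
  device: ['ul', 'de', 'sd', 'sr', 'vp', 'je'],  // language, encoding, screen, viewport
};

// Split a Cookie header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// "_ga" and "_gid" cookies look like GA1.<n>.<random>.<timestamp>;
// the last two fields are the ID that analytics.js sends in the hit.
function cookieId(value) {
  if (!value) return null;
  const parts = value.split('.');
  return parts.length >= 4 ? parts.slice(-2).join('.') : null;
}

function auditHit(hitUrl, cookieHeader) {
  const url = new URL(hitUrl);
  const jar = parseCookies(cookieHeader);
  const groups = { identifier: {}, property: {}, page: {}, device: {} };
  const other = {}; // parameters this example does not classify

  for (const [name, value] of url.searchParams) {
    const group = Object.keys(FIELD_GROUPS).find((g) => FIELD_GROUPS[g].includes(name));
    (group ? groups[group] : other)[name] = value;
  }

  // Does the ID in the hit equal the ID persisted in the browser's cookie?
  const ids = groups.identifier;
  const linkedToCookie = {
    cid: Boolean(ids.cid) && ids.cid === cookieId(jar.get('_ga')),
    _gid: Boolean(ids._gid) && ids._gid === cookieId(jar.get('_gid')),
  };

  // Assumption: the second field of the client ID is the Unix time at which
  // the ID was first created in this browser.
  const created = Number((ids.cid || '').split('.')[1]);
  const clientIdCreated =
    Number.isFinite(created) && created > 0
      ? new Date(created * 1000).toISOString()
      : null;

  return { host: url.host, groups, other, linkedToCookie, clientIdCreated };
}

console.log(JSON.stringify(auditHit(HIT_URL, COOKIE_HEADER), null, 2));
```

The IP address does not appear among the parameters; it reaches the collector as the source address of the HTTP request itself.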
Holding
The AEPD decided to accept the allegations of the controller and considered that the controller had not violated Article 45 GDPR nor any of the subsequent Articles from Chapter V of the GDPR. The AEPD took into account that the controller had stopped using Google Analytics shortly after the Schrems II ruling and that it had never used the obtained information to identify specific users.
Therefore, the DPA concluded that, at the time of issuing the decision, the controller was not in breach of the GDPR within the AEPD's scope of competence.
Comment
This decision is the first DPA decision following noyb's 101 complaints regarding EEA-US data transfers. The EDPB formed a "task force" on these cases to come to similar decisions in the EEA. Further decisions are expected soon. For details see here and here.
Some decisions have already been published by European DPAs. E.g. see here and here.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: E/10529/2021

RESOLUTION OF ACTIONS FILE

Of the actions carried out by the Spanish Agency for Data Protection and based on the following:

FACTS

FIRST: Don A.A.A. (hereinafter, the claiming party), dated August 21, 2020, filed a claim with the Spanish Agency for Data Protection. The claim is directed against GOOGLE LLC and the ROYAL SPANISH ACADEMY (hereinafter, the RAE or the claimed party). The reasons on which the claim is based are the following:

- Through HTML code embedded in the WWW.RAE.ES web page, personal data of the claimant was collected and transferred to the US through the Google Analytics and Google Ads services contracted by the person in charge of the portal, the RAE.
- During the visit of the complaining party to the mentioned website, the person in charge treated their personal data (at least IP address and "cookies"), and, apparently, some of this data was transferred to Google LLC. The complaining party had signed in to their Google account associated with their email inbox.
- The complaining party maintains that the transfer of personal data to the US by the person in charge through its treatment manager has no legal basis, since the CJEU has invalidated the decision on the "EU-US Privacy Shield" in the ruling C-311/18 ("Schrems II"), and the controller can no longer base the transfer of data to Google in the USA on an adequacy decision pursuant to Art. 45 of the GDPR.
- The person in charge cannot base the transfer of data on the standard contractual clauses provided for in arts. 46.2.c and 46.2.d of the GDPR, if the third country of destination does not guarantee adequate protection of the personal data transferred under those clauses, in accordance with EU law. The CJEU has ruled explicitly that onward transfers to companies covered by Article 50 of the United States Code (USC), as is the case of Google, violate the relevant articles of Chapter 5 of the GDPR, since, by virtue of this regulation (50 USC Par.
1881, or "FISA 702"), are subject to surveillance by the US intelligence. As can be seen from the "Snowden Slides" and from the Google Transparency Report, this entity is actively providing personal data to the US government under that precept.
- The controller and Google have continued to rely on the "EU-US Privacy Shield" and on the standard data protection clauses for the aforementioned transfers of data.

Therefore, it requests that the claim be fully investigated and that the following be established:

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

1. What personal data was transferred from the controller to Google LLC in USA or any other third country and international organization.
2. In which transfer mechanism under article 44 et seq. of the GDPR the controller based this data transfer.
3. If the provisions of the Google Analytics Terms of Service and the new Conditions for the treatment of data of Google Ads in its current version and with effect from 08/31/2020 they comply with the requirements of article 28 GDPR regarding the transfer of personal data to third countries.
4. Immediately impose a ban or suspension of any flow of data to Google LLC in the USA and order the return of that data to the EU/EEA or to another country offering adequate protection under Articles 58(2)(d), (f) and (j) GDPR.
5. That an administrative fine be imposed on the person responsible and on Google.

And, among other things, attach the following documentation:

- HAR file containing, among others:

a.
A GET request with the following header:

    Host www.rae.es
    User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language en-GB,en;q=0.5
    Accept-Encoding gzip, deflate, br
    Connection keep-alive
    Cookie _ga=GA1.2.345900854.1597222413; cookie-agreed=2; __unam=67c8073-173e205d800-f576793-2; TS018cf77a=017ccc203c9e7bc4149f20e42e6a3643881397eb41e025f2c54bbe7141c720c53441c2483c; has_js=1; _gid=GA1.2.1837808855.1597415922; _gat=1
    Upgrade-Insecure-Requests 1
    If-None-Match "1597405902-1"
    Cache-Control max-age=0

b. A GET request with the following header and url-encoded parameters:

    https://www.google-analytics.com/collect?v=1&_v=j83&a=1005550321&t=pageview&_s=1&dl=https%3A%2F%2Fwww.rae.es%2F&ul=en-gb&de=UTF-8&dt=Real%20Academia%20Espa%C3%B1ola&sd=24-bit&sr=1920x1080&vp=1903x716&je=0&_u=AACAAEAB~&jid=&gjid=&cid=345900854.1597222413&tid=UA-44263049-1&_gid=1837808855.1597415922&z=1892337212

    Host www.google-analytics.com
    User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Accept image/webp,*/*
    Accept-Language en-GB,en;q=0.5
    Accept-Encoding gzip, deflate, br
    Referer https://www.rae.es/
    Connection keep-alive
    TE Trailers

Parameters encoded in the url:

    v     1
    _v    j83
    a     1005550321
    t     pageview
    _s    1
    dl    https://www.rae.es/
    ul    en-gb
    de    UTF-8
    dt    Real Academia Española
    sd    24-bit
    sr    1920x1080
    vp    1903x716
    je    0
    _u    AACAAEAB~
    jid
    gjid
    cid   345900854.1597222413
    tid   UA-44263049-1
    _gid  1837808855.1597415922
    z     1892337212

SECOND: On October 5, 2020, the claim was admitted for processing presented by the claimant, under the provisions of article 65.5 of the LOPDGDD.
THIRD: The General Subdirectorate of Data Inspection proceeded to carry out previous investigative actions to clarify the facts in matter, by virtue of the investigative powers granted to the authorities of control in article 58.1 of Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter GDPR), and in accordance with the provisions of the Title VII, Chapter I, Second Section, of the LOPDGDD, being aware of the following extremes:

- On September 8, 2020, it is verified that in the url www.rae.es/info/aviso-legal contains the following information:

1. The identification and contact of the person in charge, about the purpose, legitimizing basis, as well as conservation period, exercise of rights of the personal data collected.
2. It is stated "The RAE does not carry out international data transfers or transfers of information provided by users”.

- On December 10, 2020, the RAE sends this Agency the following information and demonstrations:

1. That the RAE is a public law corporation integrated into the Institute of Spain since:
a. According to art. 4 of the RAE Regulation "in accordance with the provisions in its statutes, the main mission of the Academy is to ensure the unity of the Spanish language, in close collaboration with all the academies integrated into the Association of Academies of the Spanish Language (ASALE)"
b. According to art. 1.2.a) of Royal Decree 1160/2010 of September 17 by which regulates the Institute of Spain, the RAE is part of the Institute of Spain, which according to article 1.1 of the worthy Royal Decree "is a corporation governed by public law, with legal personality and capacity to act for the fulfillment of its purposes, which brings together the Royal Academies of national level that are listed in the following section, for the coordination of the functions that they must perform in common".
2.
That according to section 1 of article XXXVIII of the RAE Statutes: "The funds of the Academy will consist of: 1.9 In the ordinary allocation that is granted in the budgets of the State, and in the extraordinary ones with which the Government and donors or private founders want to favor the activities of the corporation.”
3. That according to article 39 of its Regulations "the assets and resources of the Royal Spanish Academy will include the movable and immovable property, the rights and rents of any kind that to which they belong, the ordinary allocation provided for in the State budget, as well as the subsidies and aid agreed by any administration public. It will count among its income the donations that sponsors private parties agree to grant it, especially those coming from the Foundation pro-RAE. The profits derived from the exploitation will integrate its patrimony economics of his works. Likewise, the subsidies, legacies, donations or personal benefits that you receive and accept, perpetually or temporary".
4. That all this means that, although the use of Google tools Analytics may be aimed at obtaining commercial or business revenue, In the case of the RAE, said use has the sole and exclusive purpose of compliance with the purposes of general interest that constitute its object which are guarantee the development, dissemination, diffusion, good use and updating of the language Spanish.
5. That it is essential to have tools that allow you to know data statistics related to the access and use of said instruments, allowing you not only to configure strategies that guarantee a better knowledge and diffusion of our language and grammar but also to know its evolution and adaptation to the reality of the use of the language at all times (e.g.
statistics related to the use of terms not included in the dictionary may allow a better knowledge of the evolution in the use of the language and the possible inclusion of such terms in the future).
6. That through the use of Google Analytics they could know information related to the use of the Spanish language and its diffusion worldwide, being able to access in an aggregated way about the geographical origin of the visitors to your website, with a minimum level of aggregation by city, your flow visit the website, the settings of your browsing devices, as well as such as the browser and operating system, screen resolution and the recurrence of your visits.
7. That the use of Google Analytics has been limited solely and exclusively to the access to statistical and aggregate information that will not allow the aforementioned users to be identified.
8. That he did keep the Google Analytics tool embedded on his website.
9. That no data was obtained that could be considered as personal data, as information that identifies or allows direct or indirect identification of those users is not processed.
10. That they did not have access to the IP address of the users or any information that could be considered personal data.
11. That the only information that could individualize the users would be the related to the random ID that Google gives to its users. That the RAE may not, based on that information, take any action to achieve its reidentification.
12. That all the pages of the domain rae.es are established in Spain. That the RAE is not established in any other state.
13. That since December 3, 2020 no RAE domain makes use of the Google Analytics tool.
14. That the legal relationship between RAE and Google LLC is that of the relationship existing between the person in charge and the person in charge of the treatment, being RAE the person in charge and Google in charge of the treatment.
That this is stated in the Conditions for the Processing of Google Ads Data both in its previous versions and in its last version dated August 16, 2020 and in the Terms of Service of Google Analytics.
15. That in response to the measures adopted so that Google does not process personal data for your own purposes or for the purposes of third parties, you refer to the section 5.2. and 5.3. of the Conditions for the Treatment of Data of Google Ads.
16. That in relation to the guarantees that Google grants to the RAE for the purposes of verifying compliance with the provisions is referred to sections 7.5.1. and 7.5.2 of the Google Ads Data Processing Conditions.

Provide a copy of the Google Ads Data Processing Conditions where consists:

"[…]
5.2 Customer Instructions. By entering into these Conditions of data processing, the Client instructs Google to carry out the processing of Customer Personal Data only in accordance with the applicable law:
(a) to provide the Services of the processor of the treatment and any related technical support;
(b) as further specified through Customer's use of the Services of the in charge of the treatment (including the configuration and other functionalities of Processor Services) and any technical support related;
(c) as documented by the Agreement, including any these Conditions of data processing; and
(d) as documented in other instructions provided in writing by the Customer and recognized by Google as constitutive instructions for the purposes of these Conditions of data processing.
5.3 Compliance with instructions by Google.
Google will comply with the instructions described in Section 5.2 (Customer Instructions) (including those relating to data transfers), unless the European or National Laws to which Google is subject require another treatment of personal data by Google, in which case Google will inform the Customer (unless Google is prohibited by any such law from doing so for important reasons of public interest).
[…]
7.5.1 Security Documentation Reviews. To demonstrate the Google's performance of its obligations under the present Conditions of data processing, Google will provide the Security documentation Will be reviewed by the Client.
7.5.2 Customer Audit Rights.
(a) Google will allow the Client or an external auditor designated by the Client perform audits (including inspections) to verify that Google comply with the obligations contracted under these Conditions of the data processing in accordance with Section 7.5.3 (Terms additional commercial for audits). Google will contribute to such audits as described in Section 7.4 (Safety Certification) and in the this Section 7.5 (Regulatory Compliance Audits and Reviews).
(b) If the Standard Contractual Clauses apply under Section 10.2 (Data Transfers), Google will allow the Client or an external auditor designated by the Client to carry out audits as described in Clauses Contractual Type in accordance with Section 7.5.3 (Conditions of Business additional for audits).
(c) The Client may also perform an audit to verify the Google's compliance with its obligations under the present Conditions of data processing by reviewing the certificate issued for ISO 27001 Certification (reflecting the result of an audit by an external auditor)."

Provide a copy of the Google Analytics Terms of Service where it states:

“[…]
7.
Privacy
The User must not send information to Google that Google may consider personally identifiable information or use as such, nor must you allow a third party to do it, nor help him to do it. The User must have a Privacy Policy Adequate privacy and comply with it. You must also comply with all laws, applicable policies and regulations related to the collection of information of Users and publish a Privacy Policy that notifies the use of cookies, mobile device identifiers (eg, the identifier of advertising for Android or the advertising identifier for iOS) or technology similar to collect data. In addition, you must disclose the use of Google Analytics and the way in which this Service collects and processes the data. To do this, you can include a prominent link on the website "How Google uses the information from websites or apps used by our partners" (which located at www.google.com/policies/privacy/partners/ or at any another URL provided by Google). The User must take measures commercially reasonable to ensure that Users receive complete and clear information about the storage of cookies and the access to them or any other information about the device of the Users, and that they give their consent in this regard, when such activity occurs in connection with the Service and when required by law provide such information and obtain such consent.
[…]”

17. That the RAE did not provide or communicate any data that could be derived from the use of Google Analytics to any third party. That he has not accessed data either any staff so it is hardly possible to make a transfer to third parties. That you cannot specify the specific suppliers or locations to which that Google may have transmitted the data collected by Google Analytics.
That Links are included in the Google Ads Data Processing Conditions with the identification of the sub-processors https://privacy.google.com/businesses/subprocessors/ and with geographic locations https://www.google.com/intl/es/about/datacenters/locations/
18. That only the basic functionalities of Google Analytics were used guaranteeing the minimization of the impact on the privacy of users so that there is no processing of information referring to persons identified or identifiable but only aggregate information. That they have not carried out any data processing related to the users' IP.
19. That they have only had access to the following aggregate information provided by Google Analytics:
a. Identification of the geographical area (city and country) from which the Website user accesses it and access statistics by country.
b. Language.
c. Source from which the visit comes.
d. Statistical flow of visits to the Website.
e. Statistical analysis of visits, offering percentages of visits recurring or first access.
f. Browser used in your access.
g. Type of mobile device used.
h. Screen resolution of the device and its operating system.

Provide screenshots of Google Analytics where the classifications of:
a. language with at least 10 different values
b. country with at least 10 different values
c. city with at least 10 different values
d. System with subsections:
   i. browser with at least 10 different values
   ii. Operating system with at least 10 different values
   iii. Service provider
e. Mobile with the subsections of:
   i. Operating system with at least 10 different values
   ii. Service provider
   iii. Screen resolution with at least 10 different values.
f. Mobile devices/devices with at least 9 different values.

There is no data on age or sex. There are no data of interest. Google Signals is not activated. The Comparisons are not activated. There are no custom or user-defined variables.
On the contrary, the RAE has not made use of any of the information advanced capabilities provided by Google Analytics, which require a specific enablement within the tool. They have not had access to:
a. Age.
b. Sex.
c. Affinity categories.
d. Segments with purchase intent.
e. Multi-device section.
f. Comparison sections.
20. That there are no treatments of special categories of data.
21. That, since they did not process age data, they do not have information to specify if any of the users of the website could be minors.
22. That art. 22.2 of the LSSI since its activity must be classified as providing a public service.
23. "On the other hand, in the denied assumption that my client had carried out a treatment of personal data of the users of its website, the same would have been developed for the fulfillment of the purposes established in its Statutes and its Regulations, such treatment being necessary for compliance with a mission of public interest and thus being covered by article 6.1 e) of the GDPR.”
24. “Regarding data transmissions to Google LLC, as has already been indicated in a previous place of this writing, were based on the condition of person in charge of the treatment of the aforementioned entity and in its adherence to the "Privacy Shield" Agreement, pursuant to the Enforcement Decision (EU) 2016/1250 of the Commission, of July 12, 2016, as well as, subsequently, in the application, as of August 12, 2020, of the standard contractual clauses for international data transfers between controllers and processors treatment, approved by Commission Decision 2010/87/UE, of February 5, 2010.”
25. That Google Analytics establishes a predefined period of conservation of the information collected for 26 months.
26. That according to clause 6.2 of the Conditions for the Treatment of Data of Google Ads establishes "Deletion at the expiration of the validity period.
To the expiration of the term, Customer instructs Google to delete all Customer Personal Data (including existing copies) from the Google systems in accordance with applicable law. Google will comply with the present instructions as soon as reasonably possible and within a maximum period of 180 days, unless European or National Laws require its storage."

- On 06/01/2021, the ROYAL SPANISH ACADEMY sends this Agency the following information and representations:

1. That the RAE is a public law corporation, having established the Supreme Court in its judgment of November 17, 2015 (appeal 764/2014) the public nature of all the functions and activities carried out by the Royal Academies (first section of the letter of December 10, 2010).
2. That the Google Analytics tool they used was the free version.
3. That they started using Google Analytics on September 12, 2019.
4. That it does not maintain web pages aimed at third countries, there being a sole domain of it.
5. That from December 1, 2019 to November 30, 2020 there were 210,555,443 visits to the RAE portal, corresponding to a total of 100,131,355 users.
A report is provided where it is stated that from December 1, 2019 to November 30, 2020 there was the following breakdown of visits by country, the first 10 by number of visits being:

Country          Number of visits   Percentage of total
Spain            77,829,236         36.96%
Mexico           35,409,134         16.82%
Colombia         16,817,104         7.99%
Argentina        15,312,395         7.27%
Peru             11,861,855         5.63%
Chile            10,642,227         5.05%
United States    6,248,681          2.97%
Ecuador          4,511,765          2.14%
Venezuela        2,935,038          1.39%
Guatemala        2,669,888          1.27%

And where it also states that:

Country          Number of visits   Percentage of total
France           1,261,921          0.60%
Italy            1,208,428          0.57%
Germany          1,091,227          0.52%
Honduras         989,860            0.47%
Portugal         325,589            0.15%

- On 09/08/2020 it is verified that the code of the website www.rae.es loaded in the browser contains the following code:

<head>
[…]
</script>
<!--[if lt IE 9]><script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
<script>
//<![CDATA[
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-44263049-1', 'auto');
ga('send', 'pageview');
if(Drupal.eu_cookie_compliance != undefined && ! Drupal.eu_cookie_compliance.hasAgreeed()){window['ga-disable-UA-44263049-1'] = true; }
//]]>
</script>
</head>

- On October 27, 2021 it is verified that:

1. The code of the website www.rae.es loaded in the browser does not contain the above code.

2. While browsing the website www.rae.es there are no HTTP requests to the domain google-analytics.com, nor are cookies associated with Google Analytics installed.

3. The url https://policies.google.com/technologies/cookies?hl=es#types-of-cookies states:

“[…] Analytics
Cookies used for analytical purposes help collect data that allows services to understand how users interact with them. This information is used to improve the content of the services and their functions, as well as to offer a better experience to users.
Some cookies help sites understand how visitors interact with their properties. For example, Google Analytics, a Google product with which site and application owners can understand how users interact with their services, uses a set of cookies to collect information and offer statistics of use of the sites without personally identifying each visitor. The main cookie used by Google Analytics is "_ga", which allows services to distinguish one user from another and lasts 2 years. It is used by all sites where Google Analytics is implemented, including Google services. […]

4. The url https://developers.google.com/analytics/devguides/collection/analytics states:

“The analytics.js library (known as "the Google Analytics tag") is a JavaScript library used to measure user interactions with your website. This document explains how to add the Google Analytics tag to a website.”

It also states that the tag to add analytics.js to the website is:

<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
</script>
<!-- End Google Analytics -->

FUNDAMENTALS OF LAW

I

In accordance with the investigative and corrective powers that article 58 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each control authority, and according to the provisions of article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to resolve these investigative actions.

II

The claim presented by the claimant, represented by Noyb – European Center for Digital Rights, is based on data processing carried out by RAE and on those data having been transferred to Google LLC, that is, having been subject to international data transfer in violation of articles 44 to 49 of the GDPR.

It requests that the facts be investigated, that the flow of data from RAE to Google LLC in the US be prohibited, and that a fine be imposed on RAE and Google LLC.

It indicates that the transfers made by RAE occurred through the HTML code for Google services (including Google Analytics) on the website www.rae.es, and that personal data of the claimant have been collected and transferred to the US.
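The three checks recorded in the facts above (tag present or absent in the page source, HTTP requests to google-analytics.com, cookies associated with Google Analytics) can be run over evidence captured from a page load. The following JavaScript is an added example, not part of the decision or of the RAE website; `auditPage`, `isGaUrl`, the request URLs and the cookie lists are assumptions constructed for illustration, and the cookie names `_gid` and `_gat` are not named in the decision.

```javascript
// Added example (not from the decision): the three checks recorded by the
// Agency, run over evidence captured from a page load.
const GA_DOMAIN = 'google-analytics.com';
// "_ga" is the cookie named in the decision; "_gid" and "_gat" are the other
// cookies analytics.js sets.
const GA_COOKIE = /^_(ga|gid|gat)(_|$)/;

// Match the host exactly or as a subdomain, never as a substring of the URL.
function isGaUrl(url, base) {
  try {
    const host = new URL(url, base).hostname.toLowerCase();
    return host === GA_DOMAIN || host.endsWith('.' + GA_DOMAIN);
  } catch { return false; }
}

function auditPage({ html, pageUrl, requests, cookies }) {
  // Ignore HTML comments so a commented-out tag is not reported as live.
  const live = html.replace(/<!--[\s\S]*?-->/g, '');
  // Quoted URLs cover both <script src> and the inline async loader.
  const urls = [...live.matchAll(/["']((?:https?:)?\/\/[^"'\s]+)["']/g)].map(m => m[1]);
  const tagRefs = [...new Set(urls)].filter(u => isGaUrl(u, pageUrl));
  const ids = [...live.matchAll(/ga\(\s*['"]create['"]\s*,\s*['"](UA-\d+-\d+)['"]/g)];
  const propertyIds = [...new Set(ids.map(m => m[1]))];
  const gaRequests = requests.filter(u => isGaUrl(u, pageUrl));
  const gaCookies = cookies.filter(name => GA_COOKIE.test(name));
  const clean = ![tagRefs, propertyIds, gaRequests, gaCookies].some(a => a.length);
  return { tagRefs, propertyIds, gaRequests, gaCookies, clean };
}

// Constructed evidence: "before" abbreviates the tag quoted in the decision,
// "after" is a page load with the tag removed. Request URLs and cookie lists
// are invented for the example.
const before = {
  pageUrl: 'https://www.rae.es/',
  html: `<head><script>(function(i,s,o,g,r,a,m){/* loader */})
    (window,document,'script','//www.google-analytics.com/analytics.js','ga');
    ga('create', 'UA-44263049-1', 'auto'); ga('send', 'pageview');</script></head>`,
  requests: ['https://www.rae.es/', 'https://www.google-analytics.com/collect?v=1'],
  cookies: ['_ga', '_gid', 'has_js'],
};
const after = {
  pageUrl: 'https://www.rae.es/',
  html: '<head><!-- <script src="//www.google-analytics.com/analytics.js"></script> --></head>',
  requests: ['https://www.rae.es/', 'https://cdn.example.org/google-analytics.com/a.js'],
  cookies: ['has_js', '_galleryState'],
};

console.log(auditPage(before), auditPage(after));
```

The "after" sample passes even though the string google-analytics.com appears in a commented-out tag and in the path of an unrelated request, because the comparison is made on the parsed hostname of live references only.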
The complaining party has filed 101 claims for similar events, which are being investigated by the control authorities of the country where the data controller is established. This procedure refers to the actions of the RAE in relation to international data transfers through the installation of certain cookies.

In order for all control authorities to act jointly and coherently, a working group has been created, which has convened numerous meetings. In them, questionnaires have been developed to request information about the treatment carried out, addressed both to the data controller and to Google.

The will of all data protection control authorities is the cessation of the flow of data to third countries without the guarantees established in the GDPR.

II

Article 45 of the GDPR establishes the following:

"1. A transfer of personal data may be made to a third country or international organization when the Commission has decided that the third country, a territory or one or several specific sectors of that third country, or the international organization in question guarantee an adequate level of protection. Said transfer will not require any specific authorization.

2. When assessing the adequacy of the level of protection, the Commission shall take into account, in particular, the following elements:

a) the rule of law, respect for human rights and fundamental freedoms, the relevant legislation, both general and sectoral, including that related to public safety, defense, national security and criminal law, and public authorities' access to personal data, as well as the application of said legislation, the rules for the protection of data, professional standards and security measures, including rules on onward transfers of personal data to another third country or international organization observed in that country or international organization, jurisprudence, as well as the recognition to the interested parties whose personal data is being transferred of effective and enforceable rights and of effective administrative resources and legal actions;

b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organization is subject, with the responsibility of guaranteeing and enforcing the data protection rules, including appropriate enforcement powers, to assist and advise the interested parties in the exercise of their rights, and to cooperate with the supervisory authorities of the Union and of the Member States, and

c) the international commitments assumed by the third country or international organization in question, or other obligations derived from legally binding agreements or instruments, as well as their participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after having assessed the adequacy of the level of protection, may decide, by means of an implementing act, that a third country, a territory or one or several specific sectors of a third country, or an international organization guarantee an adequate level of protection in accordance with the provisions of section 2 of this article. The implementing act will establish a periodic review mechanism, at least every four years, taking into account all relevant events in the third country or in the international organization. The implementing act will specify its territorial and sectoral scope of application and, where appropriate, will determine the control authority or authorities referred to in section 2, letter b), of this article. The implementing act shall be adopted in accordance with the examination procedure referred to in article 93, paragraph 2.

4. The Commission will continuously monitor developments in third countries and international organizations that may affect the effective application of decisions taken pursuant to paragraph 3 of this article and of decisions taken on the basis of Article 25(6) of Directive 95/46/EC.

5. When the information available, particularly after the review referred to in paragraph 3 of this article, shows that a third country, a territory or a specific sector of that third country, or an international organization no longer guarantees an adequate level of protection within the meaning of paragraph 2 of this article, the Commission, through implementing acts, will repeal, modify or suspend, to the extent necessary and without retroactive effect, the decision referred to in section 3 of this article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in article 93, paragraph 2.

For duly justified compelling reasons of urgency, the Commission will adopt immediately applicable implementing acts in accordance with the procedure referred to in article 93, paragraph 3.

6. The Commission shall enter into consultations with the third country or international organization with a view to remedying the situation that gave rise to the decision taken in accordance with section 5.

7. Any decision in accordance with paragraph 5 of this article shall be without prejudice to transfers of personal data to the third country, to a territory or one or several specific sectors of that third country, or to the international organization concerned under articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of third countries, territories and specific sectors in a third country, and international organizations for which it has decided that an adequate level of protection is, or is no longer, guaranteed.

9. Decisions taken by the Commission under Article 25, paragraph 6, of Directive 95/46/CE will remain in force until they are modified, replaced or repealed by a Commission decision taken in accordance with paragraphs 3 or 5 of this article.”

Article 46 establishes the possibility of transmitting personal data to a third country or international organization if it had offered adequate guarantees and on condition that the interested parties have enforceable rights and effective legal actions. The following article regulates the binding corporate rules and article 49 establishes the exceptions in which personal data may be transferred if certain specific circumstances occur.

In the present case, during the previous investigation actions, it has been noted that, shortly after learning of the Schrems II Judgment, RAE stopped using the Google Analytics tool. In addition, RAE has never used information in order to identify the users of its website.

In accordance with what is indicated in the previous paragraphs and with the information that is available at this time, no evidence has been found that proves at the current moment the existence of an infringement in the area of competence of the Spanish Data Protection Agency.

Therefore, in accordance with what has been indicated, by the Director of the Spanish Agency for Data Protection, IT IS AGREED:

FIRST: PROCEED TO THE ARCHIVE of the present proceedings.

SECOND: NOTIFY this resolution to A.A.A. and GOOGLE LLC and ROYAL SPANISH ACADEMY.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reversal before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

940-051121
Mar España Martí
Director of the Spanish Data Protection Agency