Datatilsynet (Denmark) - 2021-7329-0052
Latest revision as of 13:54, 9 June 2023
Datatilsynet - 2021-7329-0052 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 26 GDPR, Article 44 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 20.04.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2021-7329-0052 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Datatilsynet (Denmark) (in EN) |
Initial Contributor: | mg |
The Danish DPA reprimanded a controller for sharing personal data with Meta Ireland without first ascertaining that the latter complied with the GDPR when transferring data to Meta Platforms in the US.
English Summary
Facts
The controller – Boligportal – was an online housing platform using “Facebook Connect” tools, including “Facebook Login” and “Facebook Pixel”. In making use of these tools, the controller transferred personal data to the U.S.
The data subject claimed that their personal data were unlawfully transferred to the U.S. in connection with their visit to the controller’s website. According to the data subject, the data transfer was unlawful as it did not rely on any legal basis, after the CJEU invalidated the EU Commission’s adequacy decision in the "Schrems II" judgement (C-311/18). The data subject acknowledged that they did not have the technical resources to demonstrate that their personal data were effectively transferred to Meta Platforms Inc. in the US rather than only to Meta Ireland Ltd. However, given Meta’s terms and conditions (which contain provisions on data transfers), its commercial practices and the principle of accountability enshrined in Article 5(2) GDPR, it was up to the controller to show that data were not transferred to third countries in the present case.
The controller claimed that personal data were not transferred to the US, but only to Meta Ireland. The controller argued that any processing activities taking place between Meta Ireland and Meta Platforms Inc. in the U.S. were not their concern and outside of their control.
Holding
At the outset, the Danish DPA stated it did not have the means to ascertain whether data transfer to the U.S. effectively took place. Therefore, it did not provide a clear answer to this part of the complaint and suggested that a court was in a better position to adjudicate on the matter.
However, by embedding Meta plug-ins on its website, Boligportal contributed to the determination of purposes and means of the processing and thus became joint controller with Meta Ireland. According to the Danish DPA, Article 26 GDPR implies that joint controllers have to cooperate to ensure compliance with the GDPR and must jointly be able to demonstrate it. Such compliance also concerns Article 44 GDPR, even if only one of the controllers performs data transfers to a third country.
In the Danish DPA’s view, the principle of accountability enshrined in Articles 5(2) and 24 GDPR imposed on the controller an obligation to demonstrate that the sharing of personal data with Meta Ireland was compliant with the GDPR. In other words, the fact that the controller claimed to have no knowledge whether data were transferred to the US by Meta Ireland showed that the controller disregarded its responsibilities under the GDPR.
In light of the above, the Danish DPA reprimanded the controller and ordered it to bring its processing activities into compliance with Articles 25, 5 and 24 GDPR within a month. In particular, the controller should ensure that it is able to demonstrate compliance with its obligations under the GDPR.
Comment
The complaint was part of noyb’s “101 complaints” on unlawful EU-U.S. data transfers in the wake of the “Schrems II” judgment. The Danish DPA’s view that it would require a court to assess if the data subject’s personal data had indeed been transferred to the U.S. is very puzzling in light of the ample investigative powers vested in the European DPAs under Article 58(1) GDPR. Several other DPAs (such as the Austrian, French or Italian DPA) had no problems establishing that a data transfer indeed took place. Without having established the existence of a data transfer, the Danish DPA consequently found no violation of Article 44 GDPR – again contrary to many of its European counterparts.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
NOYB - European Center for Digital Rights, Goldschlagstrasse 172/4/3/2, 1140 Wien

20 April 2023
J.No. 2021-7329-0052
Doc.no. 571264
Caseworker

The Danish Data Protection Agency, Carl Jacobsens Vej 35, 2500 Valby, Denmark
T 3319 3200, dt@datatilsynet.dk, datatilsynet.dk
VAT No. 11883729

Complaint concerning the processing of personal data

The Danish Data Protection Agency (“Danish DPA”) hereby returns to the case where the organisation None of Your Business on behalf of (“the complainant”) on 17 August 2020 has filed a complaint with the Danish DPA that BoligPortal A/S (“BoligPortal”) has transferred personal data of the complainant to the United States in connection with the complainant’s visit to BoligPortal’s website on 12 August 2020.

Firstly, the Danish DPA notes that the supervisory authority by this decision has only considered BoligPortal’s processing of personal data through its use of “Facebook Business Tools”. As such, the Danish DPA has not considered the company’s potential processing of personal data using other third-party tools.

Secondly, the Danish DPA notes that the supervisory authority by this decision has only considered Boligportal’s processing of personal data of the complainant through the use of Facebook Business Tools. As such, the decision does not take a position on neither Meta Platforms Ireland Limited (formerly Facebook Ireland Limited, hereinafter Meta Ireland) nor Meta Platforms, Inc. (formerly Facebook, Inc., hereinafter Meta Platforms) processing of personal data.

Finally, the Danish DPA notes that since the complaint was filed, Boligportal has provided additional documentation to demonstrate that the processing has been carried out in accordance with the General Data Protection Regulation. Additionally, Meta Ireland has changed the terms under which the company provides its Facebook Business Tools.
On this basis, the Danish DPA has by this decision firstly assessed whether the processing of personal data of the complainant on 12 August 2020 occurred in compliance with the General Data Protection Regulation, and secondly, whether Boligportal’s current processing of personal data of website visitors complies with the General Data Protection Regulation.

1. Decision and order

Upon reviewing the case, the Danish DPA finds that there are grounds for seriously reprimanding Boligportal for not demonstrating that its processing of personal data of the complainant on 12 August 2020 was carried out in compliance with the General Data Protection Regulation (“GDPR”) [1] and for not demonstrating that its current processing of personal data of website visitors takes place in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1) GDPR.

Firstly, the Danish DPA considers that the supervisory authority cannot adopt a decision specifically on Boligportal’s possible transfer of personal data of the complainant to the United States as there is disagreement between the parties as to whether personal data of the complainant was in fact transferred to the United States.

However, the fact that the Danish DPA cannot decide on the possible transfer of personal data of the complainant to the United States gives the supervisory authority rise to assess whether Boligportal has complied with its obligations under the GDPR, in particular its obligation to demonstrate its compliance with the GDPR under Articles 5(1)(a), 5(2), and 24(1).

In this regard, the Danish DPA considers that – at the time of the complainant’s visit to Boligportal’s website on 12 August 2020 – there has been an insufficient allocation of roles and responsibilities between Boligportal and Meta Ireland in light of the processing of personal data that occurred.

Considering the processing activity and the purposes for which Boligportal, per its own submission as detailed in section 3.3 below, has processed the complainant’s personal data, the parties must be considered as joint controllers for the processing of personal data of the complainant.

In view of this, and considering that at the time of the complainant’s visit to Boligportal’s website there was no arrangement pursuant to Article 26 GDPR in place which in a transparent manner determined the parties’ respective responsibilities for compliance with the GDPR, the Danish DPA finds that Boligportal has not demonstrated that its processing of personal data of the complainant was carried out in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1).

Additionally, the Danish DPA finds that it is unclear from the current arrangement concluded between Boligportal and Meta Ireland as joint controllers pursuant to Article 26 GDPR whether personal data of website visitors is processed by means located outside the EU/EEA and where, including, if applicable, by the use of processors outside the EU/EEA in the context of processing activities under the parties’ joint controllership and, consequently, which party is responsible for ensuring compliance with Article 44 GDPR.

As such, the Danish DPA considers that Boligportal has not, in general, demonstrated that its current processing of personal data takes place in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1) GDPR, as Boligportal has not fully identified whether personal data of visitors to its website is processed by means located outside the EU/EEA and where including, if applicable, by the use of processors outside the EU/EEA, in the context of the processing activities for which the Boligportal and Meta Ireland are joint controllers.

On this basis, the Danish DPA orders Boligportal to bring its processing of personal data into compliance with Articles 5(1)(a), 5(2), 24(1) and 26 GDPR and to be able to demonstrate compliance with these provisions.

Boligportal shall comply with the order no later than 18 May 2023. The Danish DPA requests confirmation and documentation that the order has been complied with no later than the same date.

In the view of the Danish DPA, this order may inter alia be complied with by clarifying the allocation of roles and responsibilities between Boligportal and Meta Ireland, so that it is apparent from the arrangement between the parties whether personal data of website visitors in the context of the joint controllership is processed by means located outside the EU/EEA including, if applicable, by the use of processors outside the EU/EEA and, consequently, how Article 44 GDPR is complied with as well as which party must ensure compliance with that provision. Alternatively, compliance with the order may be done by ceasing the processing activity in question.

The Danish DPA notes that the above-mentioned suggested solutions are not exclusive and do not constitute the only options for how Boligportal may comply with the order. As the controller, Boligportal has full freedom of choice in accordance with Articles 5(2) and 24(1) GDPR as to how it demonstrates its compliance with the GDPR.

This order is notified pursuant to Article 58(2)(d) GDPR. According to Section 41(2)(4) of the Danish Data Protection Act, a fine or imprisonment of up to 6 months shall be imposed on persons who fail to comply with an order issued by the Danish DPA pursuant to Article 58(2)(d) GDPR.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Below is a detailed examination of the case and a statement of reasons for the Danish DPA’s decision. 2. Facts of the case On 12 August 2020, the complainant visited Boligportal’s website. During the visit, the com- plainant was logged into her account on Facebook which is a social media platform operated by Meta Ireland. Boligportal has embedded “Facebook Connect” tools on its website which are the subject of the complaint. The Danish DPA understands that “Facebook Connect” refers to several tools provided by Meta Ireland, in particular “Facebook Login” and “Facebook Pixel”. The tools are provided by Meta Ireland to website operators under the terms “Facebook Busi- ness Tools Terms” and “Facebook Data Processing Terms”. Since the complainant’s visit to Boligportal’s website on 12 August 2020, the terms have been updated on 31 August 2020. 2.1. Meta Ireland’s Terms Meta Ireland’s “Facebook Business Terms” of 26 December 2019, which were in force at the time of complainant’s visit to Boligportal’s website inter alia state the following: “The Facebook Business Tools are a subset of Facebook Products that we provide to help website owners and publishers, developers, advertisers, business partners (and their cus- tomers) and others integrate, use and exchange information with Facebook. The Face- book Business Tools include APIs and SDKs, the Facebook Pixel, social plugins such as the Like and Share buttons, Facebook Login and Account Kit, as well as other platform integrations, plugins, code, specifications, documentation, technology and services. By clicking “Accept” or using any of the Facebook Business Tools, you agree to the following: 1. Sharing Personal Data with Facebooka. You may use the Facebook Business Tools to send personal data to us about your Page 4 of 26 customers and users (“Customer Data”). Depending on the Facebook Products you use, Customer Data may include: i. 
“Contact Information” consists of information that personally identifies indi- viduals, such as names, email addresses, and phone numbers that we use for matching purposes only. We will hash Contact Information that you send to us via a Facebook javascript pixel for matching purposes prior to trans- mission. When using a Facebook image pixel or other Facebook Business Tools, you or your service provider must hash Contact Information in a man- ner specified by us before transmission. ii. “Event Data” includes other information you share about your customers and the actions they take on your websites and apps or in your stores, such as visits to your sites, installations of your apps, and purchases of your products. [...] 2. Use of Customer Data a. We will use Customer Data for the purposes depending on which Facebook Company Products you choose to use: i. Contact Information for Matching 1. You instruct us to process the Contact Information solely to match the Contact Information against Facebook’s or Instagram's user IDs (“Matched User IDs”), as well as to combine those user IDs with corresponding Event Data. We will delete Contact Infor- mation following the match process. ii. Event Data for Measurement and Analytics Services 1. You instruct us to process Event Data (a) to prepare reports on your behalf on the impact of your advertising campaigns and other online content (“Campaign Reports”) and (b) to generate analytics and insights about your customers and their use of your apps, websites, products and services (“Analytics”). 2. We grant to you a non-exclusive and non-transferable license to use the Campaign Reports and Analytics for your internal busi- ness purposes only and solely on an aggregated and anonymous basis for measurement purposes. You will not disclose the Cam- paign Reports or Analytics, or any portion thereof, to any third party, unless otherwise agreed to in writing by us. 
We will not dis- close the Campaign Reports or Analytics, or any portion thereof, to any third party without your permission, unless (i) they have been combined with Campaigns Reports and Analytics from nu- merous other third parties and (ii) your identifying information is removed from the combined Campaign Reports and Analytics. iii. Event Data to Create Targetable Audiences 1. We may process the Event Data to create audiences (including Website Custom Audiences, Mobile App Custom Audiences and Offline Custom Audiences) that are grouped together by common Event Data, which you may use to target ad campaigns. In our sole discretion, we may also allow you to share these audiences with other advertisers. iv. Event Data to Deliver Commercial and Transactional Messages 1. We may use the Matched User IDs and associated Event Data to help you to reach people with transactional and other commercial messages on Messenger and other Facebook Company Prod- ucts. v. Event Data to Personalize Features and Content and to Improve and Secure the Facebook Products 1. We use Event Data to personalize the features and content (in- cluding ads and recommendations) we show people on and off our Facebook Company Products. In connection with ad targeting and delivery optimization, we will: (i) use your Event Data for de- livery optimization only after aggregating such Event Data with other data collected from other advertisers or otherwise collected on Facebook Products; and (ii) not allow other advertisers or third parties to target advertising solely on the basis of your Event Data. 2. We may also use Event Data to promote safety and security on Page 5 of 26 and off the Facebook Company Products, for research and devel- opment purposes, and to maintain the integrity of and to improve the Facebook Company Products. [...] 4. A note to EU and Swiss data controllers a. 
To the extent the Customer Data contain personal data which you process sub- ject to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), the parties acknowledge and agree that for purposes of providing matching, measurement, and analytics services described in Paragraphs 2.a.i and 2.a.ii above, that you are the data controller in respect of such personal data, and you have instructed Facebook Ireland Limited to process such personal data on your behalf as your data processor pursuant to these terms and Facebook’s Data Processing Terms, which are incorporated herein by reference. “Personal data,” “data controller,” and “data processor” in this paragraph have the mean- ings set out in the Data Processing Terms.” Meta Ireland’s “Data Processing Terms” (undated), which are incorporated into Meta Ireland’s terms by reference inter alia state the following: “2. You agree that Facebook may subcontract its data processing obligations under these Data Processing Terms to a subprocessor, but only by way of a written agreement with the sub-processor which imposes obligations on the sub-processor no less onerous than as are imposed on Facebook under these Data Processing Terms. Where the sub-pro- cessor fails to fulfil such obligations, Facebook shall remain fully liable to you for the per- formance of that sub-processor’s obligations. You hereby authorize Facebook to engage Facebook Inc. (and other Facebook Companies) as its sub-processor(s). Facebook shall notify you of any additional sub-processor(s) in advance. If you reasonably object to such additional sub-processor(s), you may inform Facebook in writing of the reasons for your objections. 
If you object to such additional subprocessor(s), you should stop using the Services and providing data to Facebook.” Meta Ireland’s “Facebook Business Terms” of 31 August 2020 , which are the latest applicable terms inter alia state the following: “When you use the Facebook Business Tools to send us or otherwise enable the collection of Business Tool Data (as defined in Section 1 below), these terms govern the use of that data. Background: Ad Products and other Business Tools We may receive Business Tool Data as a result of your use of Facebook ad products, in connection with advertising, matching, measurement and analytics. Those ad products include, but are not limited to, Facebook Pixel, Conversions API (formerly known as Server-Side API), Facebook SDK for App Events, Offline Conversions, App Events API and Offline Events API. We also receive Business Tools Data in the form of impression data sent by Facebook Social Plugins (for example the Like and Share buttons) and Fa- cebook Login, and data from certain APIs such as Messenger Customer Match via the Send API. Facebook may also offer pilot, test, alpha, or beta programs from time to time through which you may provide Business Tool Data. Uses of Business Tools Data are described below. By clicking "Accept" or using any of the Facebook Business Tools, you agree to the fol- lowing: 1. Sharing Business Tool Data with Facebook a. You may use the Facebook Business Tools to send us one or both of the following types of personal information (“Business Tool Data”) for the purposes described in Section 2: i. “Contact Information” is information that personally identifies individuals, such as names, email addresses, and phone numbers, that we use for matching purposes only. 
We will 2 Printed by the complainant on 10 August 2020 from https://www.facebook.com/legal/terms/dataprocessing 3 https://www.facebook.com/legal/terms/businesstools hash Contact Information that you send to us via a Facebook Page 6 of 26 JavaScript pixel for matching purposes prior to transmission. When using a Facebook image pixel or other Facebook Busi- ness Tools, you or your service provider must hash Contact Information in a manner specified by us before transmission. ii. “Event Data” is other information that you share about people and the actions that they take on your websites and apps or in your shops, such as visits to your sites, installations of your apps, and purchases of your products. While Event Data does include information collected and transferred when peo- ple access a website or app with Facebook Login or Social Plugins (e.g. the Like button), it does not include information created when an individual interacts with our platform via Fa- cebook Login, Social Plugins, or otherwise (e.g. by logging in, or liking or sharing an article or song). Information created when an individual interacts with our platform via Facebook Login, Social Plugins, or otherwise is governed by the Plat- form Terms. iii. Note: for purposes of these Business Tool Terms, references in existing terms or agreements to “Customer Data” will now mean “Business Tool Data.” [...] 2. Use of Business Tool Data a. We will use Business Tool Data for the following purposes depending on which Facebook Business Tools you choose to use: i. Contact Information for Matching 1. You instruct us to process the Contact Information solely to match the Contact Information against user IDs (“Matched User IDs”), as well as to com- bine those user IDs with corresponding Event Data. We will delete Contact Information following the match process. ii. Event Data for Measurement and Analytics Services 1. 
You may instruct us to process Event Data (a) to prepare reports on your behalf on the impact of your advertising campaigns and other online con- tent (“Campaign Reports”) and (b) to generate an- alytics and insights about people and their use of your apps, websites, products and services (“Ana- lytics”). 2. We grant to you a non-exclusive and non-transfer- able license to use the Campaign Reports and An- alytics for your internal business purposes only and solely on an aggregated and anonymous basis for measurement purposes. You will not disclose the Campaign Reports or Analytics, or any portion thereof, to any third party, unless otherwise agreed to in writing by us. We will not disclose the Cam- paign Reports or Analytics, or any portion thereof, to any third party without your permission, unless (i) they have been combined with Campaigns Reports and Analytics from numerous other third parties and (ii) your identifying information is removed from the combined Campaign Reports and Analytics. iii. Event Data for Targeting Your Ads 1. You may provide Event Data to target your ad cam- paigns to people who interact with your business. You may direct us to create custom audiences, which are groups of Facebook users based on Event Data, to target ad campaigns (includingWeb- site Custom Audiences, Mobile App Custom Audi- ences, and Offline Custom Audiences). Facebook will process Event Data to create such audiences for you. You may not sell or transfer these audi- ences, or authorize any third party to sell or transfer these audiences. Facebook will not provide such audiences to other advertisers unless you or your service providers share audiences with other ad- vertisers through tools we make available for that purpose, subject to the restrictions and require- Page 7 of 26 ments of those tools and our terms. 2. 
These terms apply to the use of Website Custom Audiences, Mobile App Custom Audiences, and Of- fline Custom Audiences created through Face- book's Business Tools. Customer List Custom Au- diences provided through our separate custom au- dience feature are subject to the Customer List Custom Audience Terms. iv. Event Data to Deliver Commercial and Transactional Messages 1. We may use the Matched User IDs and associated Event Data to help you reach people with transac- tional and other commercial messages on Messen- ger and other Facebook Company Products. v. Event Data to Improve Ad Delivery, Personalise Features and Content and to Improve and Secure the Facebook Products 1. You may provide Event Data to improve ad target- ing and delivery optimization of your ad campaigns. We may correlate that Event Data to people who use Facebook Company Products to support the objectives of your ad campaign, improve the effec- tiveness of ad delivery models, and determine the relevance of ads to people. We may use Event Data to personalize the features and content (in- cluding ads and recommendations) that we show people on and off our Facebook Company Prod- ucts. In connection with ad targeting and delivery optimization, we will: (i) use your Event Data for de- livery optimization only after aggregating such Event Data with other data collected from other ad- vertisers or otherwise collected on Facebook Prod- ucts; and (ii) not allow other advertisers or third par- ties to target advertising solely on the basis of your Event Data. 2. To improve the experience for people who use Fa- cebook Company Products, we may also use Event Data to promote safety and security on and off the Facebook Company Products, for research and de- velopment purposes and to maintain the integrity of and to improve the Facebook Company Products. [...] 5. Additional Terms for Processing of Personal Information a. 
To the extent the Business Tool Data contain Personal Information which you Process subject to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), the following terms apply: i. The parties acknowledge and agree that you are the Control- ler in respect of the Processing of Personal Information in Business Tool Data for purposes of providing matching, measurement and analytics services described in Sections 2.a.i and 2.a.ii above (e.g. to provide you with Analytics and Campaign Reports), and that you instruct Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook Ireland”) to Process such Personal Infor- mation for those purposes on your behalf as your Processor pursuant to these Business Tools Terms and Facebook’s Data Processing Terms. The Data Processing Terms are ex- pressly incorporated herein by reference and apply between you and Facebook Ireland together with these Business Tools Terms. ii. Regarding Personal Information in Event Data referring to people’s actions on your websites and apps which integrate Facebook Business Tools for whose Processing you and Fa- cebook Ireland jointly determine the means and purposes, you and Facebook Ireland acknowledge and agree to be Joint Controllers in accordance with Article 26 GDPR. The joint controllership extends to the collection of such Personal Information via the Facebook Business Tools and its subse- Page 8 of 26 quent transmission to Facebook Ireland in order to be used for the purposes set out above under Sections 2.a.iii to 2.a.v.1 (“Joint Processing”). For further information, click here. The Joint Processing is subject to the Controller Ad- dendum, which is expressly incorporated herein by reference and applies between you and Facebook Ireland together with these Business Tools Terms. 
Facebook Ireland remains an independent Controller in accordance with Article 4(7) GDPR for any Processing of such data that takes place after it has been transmitted to Facebook Ireland. iii. You, as the case may be, and Facebook Ireland remain in- dependent Controllers in accordance with Article 4(7) GDPR for any Processing of Personal Information in Business Tool Data under GDPR not subject to Sections 5.a.i and 5.a.ii.” 4 Meta Ireland’s “Controller Addendum” of 31 August 2020 , which are incorporated into Meta Ireland’s terms by reference inter alia state the following: “This Controller Addendum applies when it is expressly incorporated by reference into terms for Facebook Products, such as the Facebook Business Tools Terms (any such terms, “Applicable Product Terms”, any covered Facebook Products, “Applicable Prod- ucts”). Capitalized terms used but not defined in this Controller Addendum have the mean- ings given in the Applicable Product Terms. In the event of any conflict between the Ap- plicable Product Terms and this Controller Addendum, this Controller Addendum will gov- ern solely to the extent of the conflict. Facebook and you agree to the following: Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook Ireland" or “we”) and you (each a “Party”, together the “Parties”) are Joint Controllers in accordance with Article 26 GDPR for the Joint Processing specified by the Applicable Product Terms. The scope of the Joint Processing and this Controller Addendum covers the collection of the Personal Data specified by the Applicable Product Terms and its transmission to Face- book Ireland; the subsequent processing of data by Facebook Ireland does not form part of the Joint Processing. More information on the Joint Processing can be found in the Applicable Product Terms. 
This Controller Addendum determines Facebook Ireland's and your responsibilities for compliance with the obligations under the GDPR with regard to the Joint Processing. The Joint Processing is subject to the provisions of this Controller Addendum. They apply to all activities in which the Parties, their employees or their Processors are involved in the Joint Processing. You agree to follow the available documentation regarding the correct technical implementation of the Applicable Products into your websites or apps and their configuration.
Facebook Ireland's and your responsibilities for compliance with the obligations under the GDPR with regard to the Joint Processing are determined as follows:
(Table columns: No.; Obligation under GDPR; Facebook Ireland; You)
No. 1. Obligation under GDPR: Article 6: Requirement of legal basis for Joint Processing. Facebook Ireland: X (regarding Facebook Ireland’s processing). You: X (regarding your own processing).
No. 2. Obligation under GDPR: Articles 13, 14: Providing information on Joint Processing of Personal Data. You: X. This includes as a minimum the provision of the following information in addition to your standard data policy or similar document: That Facebook Ireland is a Joint Controller of the Joint Processing and that the information required by Article 13(1)(a) and (b) GDPR can be found in Facebook Ireland’s Data Policy at https://www.facebook.com/about/privacy. The information that you use Applicable Products as well as the purposes for which the collection and transmission of Personal Data that constitutes the Joint Processing takes place as set out in the Applicable Product Terms. That further information on how Facebook Ireland processes Personal Data, including the legal basis Facebook Ireland relies on and the ways to exercise Data Subject rights against Facebook Ireland, can be found in Facebook Ireland’s Data Policy at https://www.facebook.com/about/privacy. (please see Applicable Product Terms for further information on the Joint Processing)
No. 3. Obligation under GDPR: Article 26(2): Making available the essence of this Controller Addendum. You: X. This includes as a minimum the provision of the following information: That you and Facebook Ireland have: entered into this Controller Addendum to determine the respective responsibilities for compliance with the obligations under the GDPR with regard to the Joint Processing (as specified in the Applicable Product Terms); agreed that you are responsible for providing Data Subjects as a minimum with the information listed under no. 2; agreed that between the Parties, Facebook Ireland is responsible for enabling Data Subjects’ rights under Articles 15-20 of the GDPR with regard to the Personal Data stored by Facebook Ireland after the Joint Processing.
No. 4. Obligation under GDPR: Articles 15-20: Rights of the Data Subject with regard to the Personal Data stored by Facebook after the Joint Processing. Facebook Ireland: X.
No. 5. Obligation under GDPR: Article 21: Right to object insofar as the Joint Processing is based on Article 6(1)(f). Facebook Ireland: X (regarding Facebook Ireland’s processing). You: X (regarding your own processing).
No. 6. Obligation under GDPR: Article 32: Security of the Joint Processing. Facebook Ireland: X (regarding the security of the Applicable Products). You: X (regarding the correct technical implementation and configuration of the Applicable Products).
No. 7. Obligation under GDPR: Articles 33, 34: Personal Data Breaches concerning the Joint Processing. Facebook Ireland: X (insofar as a Personal Data Breach concerns Facebook Ireland’s bond under this Controller Addendum). You: X (insofar as a Personal Data Breach concerns your obligations under this Controller Addendum).
All other responsibilities for compliance with obligations under the GDPR regarding the Joint Processing remain with each Party individually. [...]
[4] https://www.facebook.com/legal/controller_addendum
In clause 5.a.ii of its “Facebook Business Tools” terms, Meta Ireland refers to further information.[5]
This information provides an overview of the personal data collected and transmitted to Meta Ireland as part of the processing activity for which the parties are joint controllers.
This overview shows inter alia that the tools Facebook Login and Facebook Pixel collect information about “http header information, which include information about the web browser or app used (e.g. user agent, locale country-level/language)” and “online identifiers including IP addresses and, insofar as provided, FB-related identifiers or device identifiers (such as mobile OS advertising IDs) as well as information on opt-out/limited ad tracking status”.
2.2. Complainant’s submissions
In general, the complainant has stated that in connection with her visit to Boligportal’s website, Boligportal has processed information about her IP address and information collected through cookies and transferred (some of) this information to Meta Platforms in the United States.
To support this, the complainant has submitted technical documentation for her visit to Boligportal’s website on 12 August 2020.
Additionally, the complainant has stated that the transfer is unlawful as the Court of Justice of the European Union (“CJEU”) in its so-called Schrems II-decision invalidated the European Commission’s adequacy decision concerning the United States (more specifically US organisations certified under the Privacy Shield-scheme). Therefore, there is no transfer basis for transfers to the United States pursuant to Article 45 GDPR.
Furthermore, the complainant has stated that the transfer cannot take place on the basis of standard contractual clauses pursuant to Article 46(2)(c) and (d) GDPR if an essentially equivalent level of data protection cannot be ensured by the SCCs in the third country to which the data are transferred.
In this regard, the complainant has stated that Meta Platforms is considered an electronic communications service provider and is thus covered by Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). According to the CJEU, transfer of personal data to companies that are subject to FISA 702 constitutes an infringement of Articles 7 and 8 and the essence of Article 47 of the Charter of Fundamental Rights of the European Union. Finally, the complainant refers to the fact that Meta Platforms inter alia according to its own Transparency Report actively discloses personal data to U.S. authorities under FISA 702.
In summary, the complainant argues that Boligportal cannot ensure an essentially equivalent level of data protection for personal data of the complainant that is transferred to Meta Platforms.
With regard to the allocation of roles and responsibilities between Boligportal and Meta Ireland, the complainant has generally stated that Boligportal has entered into a contract with Meta Ireland under which Meta Ireland acts as a processor on behalf of Boligportal and that Boligportal has authorised the use of Meta Platforms as subprocessor for Boligportal. The complainant refers to clause 4 of the Facebook Business Tools Terms of 26 December 2019 and clause 1.4 of the Facebook Data Processing Terms. The complainant also refers to point 4 of the Facebook Business Tool Terms of 31 August 2020.
[5] Under clause 5.2.ii Meta Ireland refers to the following website: https://www.facebook.com/legal/terms/businesstools_jointprocessing
[6] Judgment of the Court of Justice of the European Union of 16 July 2020 in Case C-311/18, Schrems II.
The complainant has stated that Boligportal cannot accept Meta Ireland’s standard terms and at the same time claim in good faith that no personal data is transferred to the United States. These transfers were the subject of the case in the judgment of the Irish Supreme Court “Data Protection Commission — v. Facebook and Schrems, No.2016 4809P”, which led to the judgment of the CJEU in the Schrems II-decision. As such, there is a presumption that Meta Ireland transfers personal data to Meta Platforms in the United States. In the complainant’s view, Boligportal must – pursuant to the provisions on accountability in Articles 5(2) and 24(1) GDPR – be able to prove that, despite the existing contractual relationship and the technical arrangement of Meta’s platform, no personal data is transferred to the United States.
To the extent that Meta Ireland cannot be considered a processor for Boligportal, the complainant has further stated that Meta Ireland and Boligportal are joint controllers for the processing of personal data. The parties have made a joint decision on the purposes and means of the processing of personal data by embedding Meta Ireland’s tools on Boligportal’s website which include transfers of personal data to the United States.
Finally, the complainant submits that according to the principle of accountability in Articles 5(2) and 24 GDPR, it is for the controller to demonstrate that the processing of personal data is carried out in compliance with data protection law.
The complainant states in this regard that she does not have the technical means of providing certain proof that the transfer has actually taken place as Meta Ireland is unlikely to provide the complainant with the necessary access to demonstrate this. However, according to the complainant, Boligportal is as the controller required to demonstrate that personal data of the complainant are not transferred to Meta Platforms, in particular in view of the publicly known fact that Meta Ireland uses Meta Platforms’ infrastructure. It is insufficient to submit that the complainant must demonstrate that her personal data has been transferred to the United States and it is insufficient to refer to the fact that the IP addresses to which the data were transferred are registered to Meta Ireland.
2.3. Boligportal’s comments
Boligportal has generally stated that, according to the technical information immediately available to the company, it did not transfer personal data of the complainant to the United States using the tools provided by Meta Ireland.
Boligportal has stated that, on the basis of an examination of the documentation submitted by the complainant, it is the company’s view that the complainant has visited the front page of Boligportal’s website, that the complainant has not used her Facebook account to create a profile on Boligportal’s website, and that the complainant has not searched for housing or leases on the website.
Additionally, Boligportal has stated that in the abovementioned documentation the company has identified three scripts which were loaded from the domain “connect.facebook.com” and that those scripts were loaded from the IP address . From these three scripts, a pixel is loaded from the facebook.com domain which is retrieved from the IP address
Boligportal has further stated that by looking up the IP addresses in the Réseaux IP Européens Network Coordination Centre (RIPE NCC)[7], Boligportal finds that the two IP addresses form part of a pool of IP addresses registered to “Facebook Ireland Ltd” and that the IP addresses belong to “IE”, that is to say, Ireland. Boligportal submits that the company has no reason to assume that the same should not have been the case on 12 August 2020 when the complainant visited the website.
Boligportal has also stated that by embedding the scripts and pixels in question, Boligportal has accepted the standard terms of use of those scripts. However, Boligportal’s assessment is that the provisions governing the transfer to third countries are irrelevant to the complaint as Boligportal has neither transferred nor contributed to the transfer of personal data of the complainant to the United States. Personal data appear to only have been transmitted to Ireland.
As regards the allocation of roles and responsibilities between Boligportal and Meta Ireland, Boligportal has generally stated that none of the services for which Boligportal has used the tools from Meta Ireland entail that Meta Ireland has been a processor for Boligportal, including for the processing of personal data of the complainant in connection with the complainant’s visit to Boligportal’s website on 12 August 2020.
Boligportal has stated that the company subsequently made a general update of its privacy policy on 19 February 2021 clarifying the correct context. It follows from the updated privacy policy that there is joint controllership for the given processing of personal data which does not involve the transfer of personal data to third countries.
Boligportal has further stated that Meta Ireland’s terms cover a wide variety of Meta Ireland’s services and that Boligportal uses Meta Ireland’s tools for limited activities. None of the services for which Boligportal has used Meta Ireland’s tools entail that Meta Ireland is a processor for Boligportal.
Boligportal has also stated that the company is not aware of whether there is a transfer of personal data between Meta Ireland and Meta Platforms, but this is also irrelevant as – under Chapter V GDPR – Boligportal’s controllership and liability ends upon the company’s transmission of personal data to Meta Ireland as an independent controller.
Boligportal has stated that there has been no evidence to support that the company had transferred personal data to the United States and that the facts of a 2016 case from the Irish Data Protection Commission are not relevant to the present case.
Finally, on the limits of joint controllership with Meta Ireland, Boligportal has stated the following:
“[Boligportal] collects information on both its own and Facebook Ireland Ltd’s behalf, and subsequently [Boligportal] and Facebook Ireland Ltd. are each controllers for the respective further use of the personal data. This is also stated in [Boligportal’s] privacy policy at […] under point “Social media” ([Boligportal’s] emphasis):
“For some of our partners, we have a joint controllership, i.e. Boligportal collects information on both our own behalf and a partner’s. Subsequently, Boligportal and the partners are each a controller for the respective further use of the data. Below you can see with which partners we are joint controllers and how the responsibility is allocated.
[7] RIPE NCC is the Regional Internet Register (RIR) for Europe. A RIR is an organisation that handles the assignment and registration of, inter alia, IP addresses within a specific region. There are a total of five regional registers.
Login using your Facebook profile on Boligportal
Facebook Ireland, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
You can read about
data processing here – Facebook Login, which is Event Data in section 2.a.ii and section 5.a.ii on joint controllership: https://www.facebook.com/legal/terms/businesstools
allocation of responsibilities here: https://www.facebook.com/legal/controller_addendum
information about Facebook’s privacy information here: https://www.facebook.com/about/privacy including the basis for Facebook’s processing and exercise of rights with Facebook”
Despite [Boligportal’s] unambiguous indication of the allocation of responsibilities, which has been available on [Boligportal’s] website since the update on 19 February 2021, [the complainant] writes in the letter of 29 November 2021:
“... in any case there is a joint controllership of Facebook Ireland Ltd. and the respondent. The two companies jointly made the decision on the purposes and means of data processing by integrating Facebook tools, which involve the transfer of data to Facebook Inc. into [Boligportal’s] website.”
This view is contested in relation to the time after the transmission to Facebook Ireland Ltd. as [Boligportal] is no longer part of the joint controllership where the processing no longer relates to the use of Facebook Connect as described in the Privacy Policy.
The use of Facebook Connect does not entail a transfer to the United States. The processing consists of the collection and transmission of personal data through a cookie and the execution of scripts from the Facebook domain in Ireland. The function is used solely to support website visitors’ login options and to enable Facebook Ireland Ltd. to identify that the complainant has visited the website.
From the EDPB’s Guidance 07/2020 on joint controller follows ([Boligportal’s] highlights):
“Joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand.”
As previously mentioned above, [Boligportal] does not exercise any influence over the processing operations carried out by Facebook Ireland Ltd. as an independent controller after the transmission from [Boligportal]. Thus, a transfer from Facebook Ireland Ltd. to a recipient in the United States will be possible without [Boligportal’s] participation in the determination of the purpose or means.
[Boligportal] further refers to the judgments of the Court of Justice of the European Union C-210/16 (“Wirtschaftsakademie-decision”) and C-40/17 (“Fashion ID-decision”) as well as to the Danish DPA’s decision in case 2018-32-0357 (“DMI-decision”).
In its Wirtschaftsakademie-decision, the CJEU clarified in para. 43 that:
“[...] the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”
In its later Fashion ID-decision, para. 70, the CJEU applied an identical interpretation of the scope of joint controllership. Furthermore, the CJEU expressly stated in its Fashion ID-decision, para. 74, that a [legal] person cannot be regarded as a joint controller of processing operations carried out by another controller that precede or are subsequent to the processing operations of that legal person, where he determines neither the purposes nor means of processing by the other controller. Therefore, in the specific case, the CJEU did not consider Fashion ID to be the controller in relation to Facebook’s processing of personal data after it was transferred to Facebook.
The Danish DPA has adopted the same interpretation in its DMI-decision, where, in accordance with the case-law of the CJEU, the Danish DPA stated that it is excluded that the joint controllership covers subsequent processing operations for which a company does not determine the purpose or means:
“In view of this, the Danish DPA considers that the processing operations for which DMI together with Google can determine the purposes and means are the collection and transmission of personal data of visitors to dmi.dk.
On the other hand, as regards the personal data at issue, it appears prima facie impossible for DMI to determine the purposes and means of subsequent processing operations relating to personal data by Google after their transmission to Google hence DMI cannot be regarded as the controller for those operations.”
The [complainant’s] submissions in the letter of 16 March 2021 that [Boligportal] is the controller because there is a “chain of processing” directly contradicts the interpretation by the CJEU and the Danish DPA of joint controllership and the limits of the responsibilities of the actors involved.
As [Boligportal] has already made clear, [Boligportal] is not aware of whether Facebook Ireland Ltd. has transferred personal data to Facebook Inc. in the United States. Consequently, it is clear that [Boligportal] could not in any way have participated in the determination of the purpose or determination of the means in the context of the alleged but still unsubstantiated transfer. Therefore, [Boligportal] is not the controller responsible for this specific processing, which may involve a transfer to the United States.
[Boligportal] has not carried out the specific processing to which the complaint relates. Thus, should Facebook Ireland Ltd have made the alleged transfer, it is outside the scope of [Boligportal’s] controllership within the meaning of Article 26 GDPR since [Boligportal] cannot be regarded as a controller for processing operations subsequent to the transmission to Facebook Ireland Ltd.
No documentation has been put forward demonstrating that, following the reception of the information by the Irish subsidiary, Facebook has transferred any personal data relating to the complainant to the United States through the executed script on [Boligportal]’s website. It can never be detrimental to [Boligportal] that [Boligportal] cannot demonstrate whether a subsequent controller (Facebook) has transferred personal data to the United States or not.
[Boligportal] is simply not responsible for any transfer, nor is it obliged to demonstrate anything in this regard against the complainant or the Danish DPA. The question in principle is whether a prior controller is obligated under the GDPR or other legal provisions to demonstrate whether a subsequent controller has or has not transferred information about a complainant to the United States when the trail for the processing of personal data by the prior controller stops in Ireland. That question must necessarily be answered in the negative.
3. Reasons for the Danish DPA’s decision
3.1. Is this processing of personal data?
On the basis of the documentation submitted by the complainant, the Danish DPA finds that, upon the complainant’s visit to Boligportal’s website, information about inter alia the complainant’s IP address, her visit to Boligportal’s website, the time of the visit, and other information about the complainant’s browser, operating system, etc. as well as information about online identifiers collected through cookies stored in the complainant’s browser, has been collected and transmitted.
According to the “Facebook Business Tools Terms” of 26 December 2019 and 31 August 2020, this information, which is defined as “Event Data”, is used inter alia to create target groups on Facebook which can be used for targeted marketing, and to personalise features and content on Facebook.
In its decision of 11 February 2020 in the case 2018-32-0357 concerning the Danish Meteorological Institute’s processing of personal data of website visitors, the Danish DPA held that such data is considered as personal data when the data makes it possible to single out the persons in question.
Accordingly, it is the Danish DPA’s assessment that the information about the complainant in the present case which is collected and transmitted to Meta Ireland constitutes personal data of the complainant.
In support of this assessment, the Danish DPA considers that the information relates to the characteristics and behaviour of the complainant and is used to treat that person in a certain manner in relation to which functions and content are displayed for the complainant on Facebook.
3.2. Has personal data about the complainant been transferred to the United States?
The complainant has stated that her personal data has been collected and transferred to Meta Platforms in the United States as part of her visit to Boligportal’s website.
In this regard, Boligportal has stated that according to the technical information immediately available to the company, it did not transfer personal data of the complainant to the United States and that the IP addresses to which the data was transferred upon the complainant’s visit to Boligportal’s website were registered with Meta Ireland located in Ireland.
The complainant has stated that she does not have the technical means to provide certain proof that the transfer has actually taken place as Meta Ireland is unlikely to provide the complainant with the necessary access to demonstrate this. However, according to the complainant, Boligportal is – as the controller – required to demonstrate that personal data of the complainant is not transferred to Meta Platforms, in particular in view of the publicly known fact that Meta Ireland uses Meta Platforms’ infrastructure. In that regard, it is insufficient for Boligportal merely to refer to the fact that the IP addresses to which the complainant’s data have been transferred are registered with Meta Ireland.
Regarding this, Boligportal has stated that it has only transmitted information to Ireland and that no evidence has been provided that, following its receipt of the information, Meta Ireland has transferred the personal data of the complainant to the United States by means of the executed scripts on Boligportal’s website.
On this basis, the Danish DPA finds that there is disagreement between the parties as to whether there has been a specific transfer of personal data of the complainant to the United States.
The Danish DPA notes that the supervisory authority in principle only handles cases on a written basis. In cases where there is a disagreement between the parties on the facts, the Danish DPA only takes a position on such disagreement if either position can be supported by the further material of the case. The final assessment of such evidential issues can be carried out by the courts, which, unlike the Danish DPA, have the opportunity to clarify factual circumstances, including by means of questioning of witnesses.
As a result, the Danish DPA cannot clearly determine whether, in this specific case, personal data of the complainant has been transferred to third countries and, if so, which countries. Therefore, the supervisory authority cannot adopt a specific decision concerning Boligportal’s possible transfer of personal data of the complainant to the United States.
However, the fact that the Danish DPA cannot decide on the possible transfer of personal data of the complainant to the United States gives the Danish DPA cause to assess whether Boligportal has complied with its obligations under the GDPR, in particular its obligation to demonstrate its compliance with the GDPR under Articles 5(1)(a), 5(2), and 24(1).
3.3. Roles and responsibilities
The question then arises as to the allocation of roles and responsibilities between Boligportal and Meta Ireland for the processing of the personal data at issue.
At the time of the complainant’s visit to Boligportal’s website on 12 August 2020
By integrating tools from Meta Ireland on its website, Boligportal has enabled Meta Ireland to obtain personal data concerning visitors to its website, including the complainant, as this possibility arises from the moment they visit the website.
In light of this, the Danish DPA considers that it can be established that the processing operations for which Boligportal together with Meta Ireland jointly determine the purposes and means of processing are the collection and transmission of personal data concerning visitors to Boligportal’s website, including the complainant.
In its decision of 11 February 2020 in the case 2018-32-0357 concerning the Danish Meteorological Institute’s processing of personal data of website visitors, the Danish DPA held that embedding plug-ins on a website, which triggers the collection of personal data, means that the website operator becomes a joint controller with the provider of the plug-in in question for the collection and transmission of personal data.
With regard to the means used for the collection and transmission of personal data of visitors to Boligportal’s website, including the complainant, it is apparent from sections 2 and 2.3 above that Boligportal has embedded tools from Meta Ireland on its website, which the latter provides to website operators, and that Boligportal is aware that these tools, in addition to making it possible to create an account on Boligportal’s website via the visitors’ Facebook account, also collect and transmit personal data of website visitors, including the complainant, to Meta Ireland.
By integrating these tools on its website, Boligportal exerts a decisive influence over the collection and transmission of personal data of visitors to its website, including the complainant, to Meta Ireland, as this processing would not have occurred had the tools not been integrated on the website.[8]
On this basis, the Danish DPA finds that Boligportal and Meta Ireland jointly determine the means used for the collection and transmission of personal data of visitors to Boligportal’s website, including the complainant.
As for the purposes of the processing of the personal data of the complainant, the Danish DPA finds that Boligportal’s embedding of the Facebook Login tool takes place inter alia in order to be able to perform targeted marketing on Facebook.
The Danish DPA notes that Boligportal has stated (as detailed in section 2.3 above) that at the time of the complainant’s visit to Boligportal’s website, it did not use tools from Meta Ireland for purposes where Meta Ireland acts as a processor, but rather for purposes where the parties act as joint controllers. The Danish DPA therefore concludes that Boligportal has used the tools for one or more of the purposes set out in section 2.a.iii-v of Meta Ireland’s “Facebook Business Tools Terms” dated 26 December 2019.
[8] Judgment of the Court of Justice of the European Union of 29 July 2019 in C-40/17, Fashion ID, paragraph 78.
Accordingly, the Danish DPA considers that by integrating these tools on its website, Boligportal has enabled the collection and transmission of personal data of the complainant as this processing activity is performed in the economic interest of both Boligportal and Meta Ireland, whereas the latter’s access to this data for the purpose of evaluating and determining the preferences and behaviour of the complainant contributes to the efficacy of Meta Ireland’s advertising platform which also benefits Boligportal in the form of improved marketing opportunities on Facebook.[9]
In light of the foregoing, it is the view of the Danish DPA that Boligportal and Meta Ireland jointly determine the purposes and means for the collection and transmission of personal data of the complainant and shall be considered as joint controllers for these processing operations.
After Meta Ireland’s update of its Terms on 31 August 2020
As Boligportal has continued to embed the tools of Meta Ireland on Boligportal’s website after the complainant’s visit, Boligportal continues to have a decisive influence on the collection and transmission of personal data of its website visitors to Meta Ireland.
Similarly, Meta Ireland’s update of its terms on 31 August 2020 has not resulted in significant changes in the purposes for which the personal data is collected and transmitted to Meta Ireland via its business partners such as Boligportal. Personal data is thus processed to enable Boligportal to perform targeted marketing on Facebook as well as the improvement and efficacy of Meta Ireland’s advertising platform.
Consequently, the Danish DPA considers that the processing activity continues to take place in the economic interest of both Boligportal and Meta Ireland and that Boligportal and Meta Ireland continue to jointly determine the purposes and means for the collection and transmission of personal data of visitors to Boligportal’s website. As such, the parties are joint controllers for these processing operations.
The Danish DPA has also considered that the terms have been clarified, in particular with respect to the determination of roles and responsibilities, such that it is now apparent from clause 5.a.ii of the terms that website operators and Meta Ireland are joint controllers for the processing of personal data of website visitors on websites where tools from Meta Ireland are embedded. It follows from the terms that the parties are joint controllers for the collection and transmission of the personal data to Meta Ireland.
3.4. Who is responsible and for what?
It follows from Article 26(1) GDPR that joint controllers shall determine their respective responsibilities for compliance with the obligations under the GDPR in a transparent manner.
In its Guidelines 7/2020 on controllers and processors, the European Data Protection Board has elaborated on what this obligation entails in practice:
“Joint controllers thus need to set “who does what” by deciding between themselves who will have to carry out which tasks in order to make sure that the processing complies with the applicable obligations under the GDPR in relation to the joint processing at stake. In other words, a distribution of responsibilities for compliance is to be made as resulting from the use of the term “respective” in Article 26(1).
[...]
9 Judgment of the Court of Justice of the European Union of 29 July 2019 in Case C-40/17 Fashion ID, paragraph 80.
10 European Data Protection Board’s guidelines 7/2020 on the concepts of controller and processor in the GDPR, version 2, adopted on 7 July 2021, para. 162, 163, 165 & 166.
The objective of these rules is to ensure that where multiple actors are involved, especially in complex data processing environments, responsibility for compliance with data protection rules is clearly allocated in order to avoid that the protection of personal data is reduced, or that a negative conflict of competence lead to loopholes whereby some obligations are not complied with by any of the parties involved in the processing. It should be made clear here that all responsibilities have to be allocated according to the factual circumstances in order to achieve an operative agreement. The EDPB observes that there are situations occurring in which the influence of one joint controller and its factual influence complicate the achievement of an agreement. However, those circumstances do not negate the joint controllership and cannot serve to exempt either party from its obligations under the GDPR.
[...]
However, the use of the terms “in particular” indicates that the obligations subject to the allocation of responsibilities for compliance by each party involved as referred in this provision are non-exhaustive. It follows that the distribution of the responsibilities for compliance among joint controllers is not limited to the topics referred in Article 26(1) but extends to other controller’s obligations under the GDPR. Indeed, joint controllers need to ensure that the whole joint processing fully complies with the GDPR.
In this perspective, the compliance measures and related obligations joint controllers should consider when determining their respective responsibilities, in addition to those specifically referred in Article 26(1), include amongst others without limitation:
- Implementation of general data protection principles (Article 5)
- Legal basis of the processing (Article 6)
- Security measures (Article 32)
- Notification of a personal data breach to the supervisory authority and to the data subject (Articles 33 and 34)
- Data Protection Impact Assessments (Articles 35 and 36)
- The use of a processor (Article 28)
- Transfers of data to third countries (Chapter V)
- Organisation of contact with data subjects and supervisory authorities”
In the view of the Danish DPA, two or more parties who are joint controllers must therefore jointly comply with the obligations of controllers under the GDPR. The parties are jointly responsible for ensuring that the processing operations in question are carried out in compliance with data protection law.
As such, Boligportal is, in principle, as (one of) the controller(s) subject to the obligations arising inter alia from Articles 5-22, 24-28, 30 to 39 and 44 to 49 GDPR.
In this context, the CJEU has clarified that the existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data.
On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, with the result that the level of liability of each of them must be assessed with regard to all the relevant circumstances of the particular case.11
In other words, joint controllership only covers those processing operations for which the parties jointly determine the purpose(s) and means.
In line with the case-law of the CJEU and the Danish DPA, the Danish DPA considers that Boligportal – as mentioned above in section 3.2 – is a joint controller for the processing operations of collection and transmission of personal data of website visitors, including the complainant. Boligportal is therefore not responsible for the processing of personal data carried out by Meta Ireland after its transmission to the latter as Boligportal does not determine the purposes and means of that subsequent processing.
11 Judgment of the Court of Justice of the European Union of 29 July 2019 in Case C-40/17 Fashion ID, paragraph 70, as well as the references therein.
However, Boligportal is a joint controller together with Meta Ireland for the collection and transmission of personal data about website visitors, including personal data of the complainant.
In particular, the Danish DPA considers that there are certain obligations which generally fall on the controller that Boligportal is precluded from observing given the nature of the processing operations. For example, it would appear to be impossible for Boligportal to comply with the right of access or the right to rectification since it is solely responsible for the processing of personal data in the form of collection and transmission and subsequently does not have access to the personal data.
12 On the other hand, Boligportal does not appear to be precluded from complying – together with Meta Ireland – with the obligations relating to the transfer of personal data to third countries as set out in Article 44 GDPR, if and to the extent that personal data is processed by means located outside the EU/EEA in the context of collection and transmission of that personal data.
In view of the fact that collection and transmission can occur by means located outside the EU/EEA, it is the Danish DPA’s view that Boligportal is at least jointly responsible for ensuring compliance with Article 26 GDPR, in particular with regard to the allocation of roles and responsibilities concerning transfers of personal data to third countries. The Danish DPA places significant importance on the fact that personal data may as part of these processing operations be transferred outside the EU/EEA, for instance, if the processing – in this case collection and transmission – is carried out by processors outside the EU/EEA.
The Danish DPA also considers that these processing operations are only made possible by the fact that Boligportal has embedded tools from Meta Ireland on its website while being fully aware that these tools serve as a means of collecting and transmitting personal data of visitors to Boligportal’s website, including the complainant, to Meta Ireland. By Boligportal’s decision to embed these tools on its website, Boligportal exerts a decisive influence on how and where the processing of personal data of website visitors takes place, including, if applicable, whether the processing may occur by means located outside the EU/EEA.
Specifically, the Danish DPA notes that unlike disclosure of personal data between two individual controllers where Boligportal, prior to disclosure, would be obligated, in particular, to (i) ensure a lawful basis for the disclosure and (ii) comply with its notification obligation under Articles 13 and 14 GDPR, joint controllership exists for the processing operations of collection and transmission.
In light of this and having regard to the fact that one of the fundamental objectives of the GDPR is to ensure effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the right to privacy and the right to data protection, the Danish DPA considers that Article 26 GDPR must be understood as an obligation for two or more parties who are joint controllers for processing of personal data to jointly ensure compliance with the GDPR and must jointly be able to demonstrate this.
It is thus the Danish DPA’s view that the underlying premise of joint controllership is that the parties must jointly demonstrate compliance with their obligations as controllers under the GDPR.
12 Opinion of Advocate General Bobek of 19 December 2018 in Case C-40/17 Fashion ID, paragraphs 83, 135-136.
If the parties were individually obligated to ensure compliance with the GDPR, it would, in the view of the Danish DPA, entail a risk that the data subject would not be guaranteed a full and effective protection of his or her rights and freedoms as certain obligations could be overlooked by both parties with the consequence that neither party complies with those obligations.
However, the parties who are joint controllers are not precluded, taking into account the specific processing activity, from organising themselves in such a way that inter alia the obligations pursuant to Article 44 are effectively observed by one of the parties.
For instance, where collection and processing of personal data occurs by means located outside the EU/EEA, e.g. by way of a processor outside of the EU/EEA, the parties may organise themselves so that Article 44 is effectively observed by the party who has the contractual relationship with that processor(s). However, where appropriate, this must be made transparent and clear from the arrangement between the parties under Article 26 GDPR.
3.5. The principle of accountability
The GDPR contains a general principle of accountability in Article 5(2) GDPR. It follows that the controller is responsible for and must be able to demonstrate inter alia that personal data is lawfully processed.
The principle of accountability is further developed in Article 24 GDPR, from which it follows that, depending on the specific processing operation, the controller must take appropriate measures to ensure and be able to demonstrate that the processing is carried out in accordance with data protection rules.
Further, in its so-called Proximus-decision, the CJEU held that Articles 5(2) and 24 GDPR impose general accountability and compliance requirements upon controllers. In particular, those provisions require controllers to take appropriate measures to prevent possible infringements of the rules laid down by the GDPR in order to ensure the right to data protection.13
In the view of the Danish DPA, Articles 5(2) and 24 GDPR therefore impose an obligation on the controller to be able to document and present this documentation, in particular to the supervisory authority, that the processing of personal data is carried out in compliance with data protection law.
It is the Danish DPA’s view that Boligportal has not, in connection with its embedding of tools from Meta Ireland, demonstrated that its processing of personal data of the complainant on 12 August 2020 was lawful, nor has the company demonstrated that its current processing of personal data of visitors to Boligportal’s website is lawful pursuant to Articles 5(1)(a), 5(2) and 24(1) GDPR.
As regards the processing of personal data of the complainant in connection with her visit to Boligportal’s website on 12 August 2020, the Danish DPA considers in particular that there has been an insufficient allocation of roles and responsibilities between Boligportal and Meta Ireland considering the processing activity and the purposes for which Boligportal, per its own submission as detailed in section 3.3 above, has processed the complainant’s personal data, and therefore that Boligportal has not been aware of whether personal data has been processed by means located outside the EU/EEA, e.g. by the use of processors outside the EU/EEA, in the context of processing activities for which the parties are joint controllers.
13 Judgment of the Court of Justice of the European Union of 27 October 2022 in Case C-129/21, Proximus, paragraph 81.
The Danish DPA also considers that Boligportal itself has stated that it is not aware of whether personal data as part of the collection and transmission to Meta Ireland are processed by means located outside the EU/EEA, e.g. by the use of processors outside the EU/EEA, and that it is not apparent from Meta Ireland’s terms and documentation, to which Boligportal has referred, whether this is the case.
With regard to the processing of personal data of website visitors since Meta Ireland’s update of its terms on 31 August 2020, the Danish DPA considers, in particular, that it is not apparent from the current arrangement between Boligportal and Meta Ireland as joint controllers under Article 26 GDPR whether personal data is processed by means located outside the EU/EEA and where, including, if applicable, by the use of processors outside the EU/EEA in the context of processing activities for which the parties are joint controllers and, consequently, which party is responsible for ensuring compliance with Article 44 GDPR. The Danish DPA also considers that Boligportal has not taken independent action to clarify these matters in greater detail.
It is the Danish DPA’s fundamental view that a controller cannot demonstrate its compliance with data protection law when the controller is not fully aware of the facts relevant to its processing of personal data. On the contrary, when processing personal data – whether alone or jointly with others – a controller must provide the supervisory authority with the necessary and relevant information on how the processing of personal data, for which the organisation is (co-)responsible, takes place.
In the view of the Danish DPA, this applies in particular where the controller, by not providing the necessary information, avoids taking into account and assessing publicly known circumstances relevant to the processing activity. In the present case, this includes e.g. the publicly known fact that Meta Ireland (with which Boligportal is a joint controller), as part of its ordinary business operations generally processes personal data by means, such as technical infrastructure, provided by Meta Platforms, Inc. in the United States.
In view of the fact that it is not apparent from the current arrangement between Boligportal and Meta Ireland as joint controllers under Article 26 GDPR whether the processing for which the parties are joint controllers takes place by means located outside the EU/EEA and where, and consequently, which party must, in practice, ensure compliance with Article 44 GDPR, and that Boligportal has not provided sufficient documentation to the Danish DPA in order to demonstrate this, the Danish DPA considers that Boligportal has not demonstrated that its processing of personal data is carried out in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1) GDPR.
4. Summary: Decision and order
The Danish DPA finds that there are grounds for seriously reprimanding Boligportal for not demonstrating that its processing of personal data of the complainant on 12 August 2020 was carried out in compliance with the GDPR and for not demonstrating that its current processing of personal data of website visitors takes place in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1) GDPR.
Firstly, the Danish DPA considers that the supervisory authority cannot adopt a decision specifically on Boligportal’s possible transfer of personal data of the complainant to the United States as there is disagreement between the parties as to whether personal data of the complainant was in fact transferred to the United States.
However, the fact that the Danish DPA cannot decide on the possible transfer of personal data of the complainant to the United States gives the supervisory authority cause to assess whether Boligportal has complied with its obligations under the GDPR, in particular its obligation to demonstrate its compliance with the GDPR under Articles 5(1)(a), 5(2), and 24(1).
In this regard, the Danish DPA considers that – at the time of the complainant’s visit to Boligportal’s website on 12 August 2020 – there has been an insufficient allocation of roles and responsibilities between Boligportal and Meta Ireland in light of the processing of personal data that occurred.
Considering the processing activity and the purposes for which Boligportal, per its own submission as detailed in section 3.3 above, has processed the complainant’s personal data, the parties must be considered as joint controllers for the processing of personal data of the complainant.
In view of this, and considering that at the time of the complainant’s visit to Boligportal’s website there was no arrangement pursuant to Article 26 GDPR in place which in a transparent manner determined the parties’ respective responsibilities for compliance with the GDPR, the Danish DPA finds that Boligportal has not demonstrated that its processing of personal data of the complainant was carried out in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1).
Additionally, the Danish DPA finds that it is unclear from the current arrangement concluded between Boligportal and Meta Ireland as joint controllers pursuant to Article 26 GDPR whether personal data of website visitors are processed by means located outside the EU/EEA including, if applicable, by the use of processors outside the EU/EEA in the context of processing activities under the parties’ joint controllership and, consequently, which party is responsible for complying with Article 44 GDPR.
As such, the Danish DPA considers that Boligportal has not, in general, demonstrated that its current processing of personal data takes place in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1) GDPR as Boligportal has not fully identified whether personal data of visitors to its website is processed by means located outside the EU/EEA and where, including, if applicable, by the use of processors outside the EU/EEA in the context of processing activities for which Boligportal and Meta Ireland are joint controllers.
On this basis, the Danish DPA orders Boligportal to bring its processing of personal data into compliance with Articles 5(1)(a), 5(2), 24(1) and 26 GDPR and to be able to demonstrate compliance with these provisions.
Boligportal shall comply with the order no later than 18 May 2023. The Danish DPA requests confirmation and documentation that the order has been complied with no later than the same date.
In the view of the Danish DPA, this order may inter alia be complied with by clarifying the allocation of roles and responsibilities between Boligportal and Meta Ireland, so that it is apparent from the arrangement between the parties whether personal data of website visitors in the context of the joint controllership is processed by means located outside the EU/EEA including, if applicable, by the use of processors outside the EU/EEA and, consequently, how Article 44 GDPR is complied with as well as which party must ensure compliance with that provision. Alternatively, compliance with the order may be achieved by ceasing the processing activity in question.
The Danish DPA notes that the above-mentioned suggested solutions are not exclusive and do not constitute the only options for how Boligportal may comply with the order. As the controller, Boligportal has full freedom of choice in accordance with Articles 5(2) and 24(1) GDPR as to how it demonstrates its compliance with the GDPR.
This order is notified pursuant to Article 58(2)(d) GDPR. According to Section 41(2)(4) of the Danish Data Protection Act, a fine or imprisonment of up to 6 months shall be imposed on persons who fail to comply with an order issued by the Danish DPA pursuant to Article 58(2)(d) GDPR.
5. Final remarks
The Danish DPA regrets the lengthy consideration of the case and that Boligportal has not been continuously informed of delays in reaching a decision, etc.
A copy of this decision will be forwarded to the complainant.
For completeness, the Danish DPA notes that the authority intends to publish this decision on its website.
Kind regards
Annex: Legal basis.
Annex: Legal basis
Excerpts from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Chapter II Principles
Article 5 Principles relating to processing of personal data
1. Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Chapter IV Controller and processor
Article 24 Responsibility of the controller
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Article 26 Joint controllers
1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.
Chapter V Transfers of personal data to third countries or international organisations
Article 44 General principle for transfers
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.