AEPD (Spain) - E/10529/2021: Difference between revisions
From GDPRhub
(→Facts) |
m (Ar moved page AEPD (Spain) - E-10529-2021 to AEPD (Spain) - E/10529/2021) |
Latest revision as of 10:34, 13 December 2023
| AEPD - E-10529-2021 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 45 GDPR Article 46 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | 15.12.2022 |
| Fine: | n/a |
| Parties: | GOOGLE LLC REAL ACADEMIA ESPAÑOLA noyb – European Centre for Digital Rights |
| National Case Number/Name: | E-10529-2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Carmen Villarroel |
The Spanish DPA dismissed a complaint regarding the use of Google Analytics by a Spanish public law institution, indicating that the controller did not process any data that could have identified a particular user, and that the controller had stopped using Google Analytics short after the Schrems II ruling, so there was no violation of Chapter V of the GDPR.
English Summary
Facts
Background
About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II) the NGO noyb filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S (see here and here). In order to coordinate the work of all involved DPAs, the EDPB created a special task force.
Complaint
On 18.08.2020, a data subject (represented by noyb) filed a complaint with the DSB against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents violated Articles 44 et. seqq. GDPR in light of the "Schrems II" ruling by transferring their personal data to Google LLC. As Google LLC qualifies as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4), it is subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens - such as the data subject - to them.
The complaint was filed against the Spanish Royal Academy (Real Academia Española, "RAE").
The controller alleged that it is a public law institution that uses Google Analytics tools solely and exclusively for fulfilling the general interest purposes that constitute its ultimate goal, which is to ensure the development, dissemination, proper use and update of the Spanish language; in order to achieve that, it is necessary to have access to statistical data related to the access and use of these instruments, and also to know its evolution and adaptation to the reality of the use of the language at any given moment (e.g. statistics related to the use of terms not included in the dictionary can allow a better knowledge of the evolution in the use of the language and the possible inclusion of such terms in the future).
Through the use of Google Analytics, the controller can know essential information related to the use of the language and its diffusion worldwide.
The controller also alleged that it only had access to aggregated data that did not allow for identification of users. The controller had no access to personal data whatsoever, nor IPs or any other information. Hence, no personal data was processed.
The controller also indicated that it had subscribed a contract with Google LLC (Conditions for the Processing of Data) and that therefore the RAE was a controller while Google was a processor.
Furthermore, the controller alleged that it had only used the most basic functionalities of Google Analytics, guaranteeing the minimization of the use of data, so only aggregated data was processed.
Only the following data was gathered:
- Identification of the geographic area (city and country) from which the user of the user accessed the website and statistics by country.
- Language.
- Source from which the visit originates.
- Statistical flow of visits to the Web Site.
- Statistical analysis of visits, offering percentages of recurrent or first access visits.
- Browser used for access.
- Type of mobile device used.
- Screen resolution of the device and its operating system.
Nor Google Signals nor Comparatives were activated.
On 08.09.2020, the AEPD verified that the code of the website included the creation and storage of Google Analytics cookies.
On 27.10.2021, the AEPD confirmed that such code was not on the website anymore.
Holding
The AEPD decided to accept the allegations of the controller and considered that the controller had not violated Article 45 GDPR nor any of the subsequent Articles from Chapter V of the GDPR. The AEPD took into account that the controller had stopped using Google Analytics short after the Schrems II ruling and that it had never used the obtained information to identify specific users.
Therefore, the DPA concluded that, at the time of issuing the decision, the controller was not in breach of the GDPR under the competential scope of the AEPD.
Comment
This decision is the first DPA decision following noyb's 101 complaints regarding EEA-US data transfers. The EDPB formed a "task force" on these cases to come to similar decisions in the EEA. Further decisions are expected soon. For details see here and here.
Some decisions have already been published by European DPAs. E.g. see here and here.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/15
File No.: E/10529/2021
RESOLUTION OF ACTIONS FILE
Of the actions carried out by the Spanish Agency for Data Protection and
based on the following:
FACTS
FIRST: Don A.A.A. (hereinafter, the claiming party), dated August 21,
2020, filed a claim with the Spanish Agency for Data Protection. The
The claim is directed against GOOGLE LLC and the ROYAL SPANISH ACADEMY (in
forward, this last RAE or the claimed party).
The reasons on which the claim is based are the following:
- Through HTML code embedded in the WWW.RAE.ES web page,
collected personal data from the claimant and have transferred it to the US through the
Google Analytics and Google Ads services contracted by the person in charge of the portal,
the RAE.
- During the visit of the complaining party to the mentioned website, the person in charge treated
your personal data (at least IP address and "cookies"), and, apparently,
some of this data was transferred to Google LLC. The complaining party had
signed in to your Google account associated with your email inbox.
- The complaining party maintains that the transfer of personal data to the US by
part of the person in charge through his treatment manager has no legal basis,
since the CJEU has invalidated the decision on the "EU-US Privacy Shield" in the
ruling C-311/18 ("Schrems II"), and the controller can no longer base the transfer of
data to Google in the USA in an adequacy decision pursuant to Art. 45 of the
GDPR.
- The person in charge cannot base the transfer of data on the clauses
contractual type provided for in arts. 46.2.c and 46.2.d of the GDPR, if the third country of
destination does not guarantee adequate protection of the personal data transferred
under those clauses, in accordance with EU law. The CJEU has ruled
explicitly that onward transfers to companies covered by the
Article 50 of the United States Code (USC), as is the case of Google,
violate the relevant articles of Chapter 5 of the GDPR, since, by virtue of this
regulations (50 USC Par. 1881, or "FISA 702"), are subject to surveillance by the
US intelligence. As can be seen from the "Snowden Slides" and from the
Google Transparency Report, this entity is actively providing data
personal data to the US government under that precept.
- The controller and Google have continued to rely on the "EU-US Privacy Shield" and on
the standard data protection clauses for the aforementioned transfers
of data.
Therefore, it requests that the claim be fully investigated and that the following be established:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15
1. What personal data was transferred from the controller to Google LLC in
USA or any other third country and international organization.
2. In which transfer mechanism under article 44 et seq. of the
GDPR the controller based this data transfer.
3. If the provisions of the Google Analytics Terms of Service and the
new Conditions for the treatment of data of Google Ads in its current version
and with effect from 08/31/2020 they comply with the requirements of article 28 GDPR
regarding the transfer of personal data to third countries.
4. Immediately impose a ban or suspension of any
flow of data to Google LLC in the USA and order the return of that data to the
EU/EEA or to another country offering adequate protection under Articles
58(2)(d), (f) and (j) GDPR.
5. That an administrative fine be imposed on the person responsible and on Google.
And, among other things, attach the following documentation:
- HAR file containing, among others:
a. A GET request with the following header:
“Host www.rae.es
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0)
Gecko/20100101 Firefox/79.0
Accepttext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/
*;q=0.8
Accept-Language en-GB,en;q=0.5
Accept-Encoding gzip, deflate, br
Connection keep-alive
Cookie _ga=GA1.2.345900854.1597222413; cookie-agreed=2;
__unam=67c8073-173e205d800-f576793-2;
TS018cf77a=017ccc203c9e7bc4149f20e42e6a3643881397eb41e025f2c54bb
e7141c720c53441c2483c; has_js=1; _gid=GA1.2.1837808855.1597415922;
_gat=1
Upgrade-Insecure-Requests 1
If-None-Match" 1597405902-1"
Cache-Control max-age=0”
b. A GET request with the following header and url-encoded parameters:
https://www.google-analytics.com/collect?
v=1&_v=j83&a=1005550321&t=pageview&_s=1&dl=https%3A%2F
%2Fwww.rae.es%2F&ul=en-gb&de=UTF-8&dt=Real%20Academia
%20Spain%C3%B1ola&sd=24-
bit&sr=1920x1080&vp=1903x716&je=0&_u=AACAAEAB~&jid=&gjid=&cid
=345900854.1597222413&tid=UA-44263049-
1&_gid=1837808855.1597415922&z=1892337212
“Host www.google-analytics.com
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/15
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0)
Gecko/20100101 Firefox/79.0
Accept image/webp,*/*
Accept-Language en-GB,en;q=0.5
Accept-Encoding gzip, deflate, br
Referer https://www.rae.es/
Connection keep-alive
TE Trailers”
Parameters encoded in the url:
v 1
_v j83
to 1005550321
t page view
_s 1
dl https://www.rae.es/
ul en-gb
from UTF-8
dt Royal Spanish Academy
24-bit sd
mr 1920x1080
vp 1903x716
heh 0
_u AACAAEAB~
jid
gjid
cid 345900854.1597222413
time UA-44263049-1
_gid 1837808855.1597415922
z 1892337212”
SECOND: On October 5, 2020, the claim was admitted for processing
presented by the claimant, under the provisions of article 65.5 of
the LOPDGDD.
THIRD: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the investigative powers granted to the authorities of
control in article 58.1 of Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter GDPR), and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of the LOPDGDD, being aware of the
following extremes:
- On September 8, 2020, it is verified that in the url
www.rae.es/info/aviso-legal contains the following information:
1. The identification and contact of the person in charge, about the purpose,
legitimizing basis, as well as conservation period, exercise of rights of the
personal data collected.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/15
2. It is stated "The RAE does not carry out international data transfers or
transfers of information provided by users”.
- On December 10, 2020, the RAE sends this Agency the following
information and demonstrations:
1. That the RAE is a public law corporation integrated into the Institute of
Spain since:
a. According to art. 4 of the RAE Regulation "in accordance with the provisions
In its statutes, the main mission of the Academy is to ensure the unity of
the Spanish language, in close collaboration with all the academies
integrated into the Association of Academies of the Spanish Language (ASALE)"
b. According to art- 1.2.a) of Royal Decree 1160/2010 of September 17 by
which regulates the Institute of Spain, the RAE is part of the Institute of
Spain, which according to article 1.1 of the worthy Royal Decree "is a
corporation governed by public law, with legal personality and capacity to
act for the fulfillment of its purposes, which brings together the Royal Academies of
national level that are listed in the following section, for the
coordination of the functions that they must perform in common".
2. That according to section 1 of article XXXVIII of the RAE Statutes:
"The funds of the Academy will consist of:
1.9 In the ordinary allocation that is granted in the budgets of the
State, and in the extraordinary ones with which the Government and donors or
private founders want to favor the activities of the corporation.”
3. That according to article 39 of its Regulations
"the assets and resources of the Royal Spanish Academy will include the
movable and immovable property, the rights and rents of any kind that
to which they belong, the ordinary allocation provided for in the State budget,
as well as the subsidies and aid agreed by any administration
public. It will count among its income the donations that sponsors
private parties agree to grant it, especially those coming from the Foundation
pro-RAE. The profits derived from the exploitation will integrate its patrimony
economics of his works. Likewise, the subsidies, legacies, donations or
personal benefits that you receive and accept, perpetually or
temporary".
4. That all this means that, although the use of Google tools
Analytics may be aimed at obtaining commercial or business revenue,
In the case of the RAE, said use has the sole and exclusive purpose of
compliance with the purposes of general interest that constitute its object which are
guarantee the development, dissemination, diffusion, good use and updating of the language
Spanish.
5. That it is essential to have tools that allow you to know data
statistics related to the access and use of said instruments,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/15
allowing you not only to configure strategies that guarantee a better knowledge and
diffusion of our language and grammar but also to know its evolution and
adaptation to the reality of the use of the language at all times (e.g. statistics
related to the use of terms not included in the dictionary may allow a
better knowledge of the evolution in the use of the language and the possible inclusion of
such terms in the future).
6. That through the use of Google Analytics they could know information
related to the use of the Spanish language and its diffusion worldwide,
being able to access in an aggregated way about the geographical origin of the
visitors to your website, with a minimum level of aggregation by city, your flow
visit the website, the settings of your browsing devices, as well as
such as the browser and operating system, screen resolution and the recurrence of
your visits.
7. That the use of Google Analytics has been limited solely and exclusively to the
access to statistical and aggregate information that will not allow the aforementioned to be identified
users.
8. That he did keep the Google Analytics tool embedded on his website.
9. That no data was obtained that could be considered as data
personal, as information that identifies or allows direct or direct identification is not processed.
indirectly to those users.
10. That they did not have access to the IP address of the users or any
information that could be considered personal data.
11. That the only information that could individualize the users would be the
related to the random ID that Google gives to its users. that the RAE does not
may, based on that information, take any action to achieve its
reidentification.
12. That all the pages of the domain rae.es are established in Spain. That
the RAE is not established in any other state.
13. That since December 3, 2020 no RAE domain
makes use of the Google Analytics tool.
14. That the legal relationship between RAE and Google LLC is that of the relationship
existing between the person in charge and the person in charge of the treatment, being RAE the person in charge
and Google in charge of the treatment. That this is stated in the Conditions for the
Processing of Google Ads Data both in its previous versions and in its
last version dated August 16, 2020 and in the Terms of Service of
Google Analytics.
15. That in response to the measures adopted so that Google does not process
personal data for your own purposes or for the purposes of third parties, you refer to the
section 5.2. and 5.3. of the Conditions for the Treatment of Data of Google Ads.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/15
16. That in relation to the guarantees that Google grants to the RAE for the purposes of
verifying compliance with the provisions is referred to sections 7.5.1. and 7.5.2 of
the Google Ads Data Processing Conditions.
Provide a copy of the Google Ads Data Processing Conditions where
consists:
"[…]
5.2 Customer Instructions. By entering into these Conditions of
data processing, the Client instructs Google to carry out the
processing of Customer Personal Data only in accordance with the
applicable law: (a) to provide the Services of the processor of the
treatment and any related technical support; (b) as
further specified through Customer's use of the Services of the
in charge of the treatment (including the configuration and other functionalities of
Processor Services) and any technical support
related; (c) as documented by the Agreement, including any
these Conditions of data processing; and (d) as
documented in other instructions provided in writing by the Customer and
recognized by Google as constitutive instructions for the purposes
of these Conditions of data processing.
5.3 Compliance with instructions by Google. gooqle will comply
the instructions described in Section 5.2 (Customer Instructions)
(including those relating to data transfers), unless the Leves
European or National to which Google is subject requires another treatment
of personal data by Gooqle, in which case Gooqle will inform the
Customer (unless Google is prohibited by any such law from doing so for
important reasons of public interest).
[…]
7.5.1 Security Documentation Reviews. To demonstrate the
Google's performance of its obligations under the
present Conditions of data processing, Google will provide the
Security documentation Will be reviewed by the Client.
7.5.2 Customer Audit Rights.
(a) Google will allow the Client or an external auditor designated by the
Client perform audits (including inspections) to verify that Google
comply with the obligations contracted under these Conditions of the
data processing in accordance with Section 7.5.3 (Terms
additional commercial for audits). Google will contribute to such audits
as described in Section 7.4 (Safety Certification) and in the
this Section 7.5 (Regulatory Compliance Audits and Reviews).
(b) If the Standard Contractual Clauses apply under Section 10.2
(Data Transfers), Gooq will allow the Client or an external auditor
designated by the Client to carry out audits as described in Clauses
Contractual Type in accordance with Section 7.5.3 (Conditions of Business
additional for audits).
(c) The Client may also perform an audit to verify the
Google's compliance with its obligations under the
present Conditions of data processing by reviewing the
certificate issued for ISO 27001 Certification (reflecting the result of
an audit by an external auditor)."
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/15
Provide a copy of the Google Analytics Terms of Service where it states:
“[…]
7. Privacy
The User must not send information to Google that Google may consider
personally identifiable information or use as such, nor must you allow a
third party to do it, nor help him to do it. The User must have a Privacy Policy
Adequate privacy and comply with it. You must also comply with all laws,
applicable policies and regulations related to the collection of information
of Users and publish a Privacy Policy that notifies the use of
cookies, mobile device identifiers (eg, the identifier of
advertising for Android or the advertising identifier for iOS) or technology
similar to collect data. In addition, you must disclose the use of Google Analytics and
the way in which this Service collects and processes the data. To do this, you can
include a prominent link on the website "How Google uses the
information from websites or apps used by our partners" (which
located at www.google.com/polici es/privacy/partners/ or at any
another URL provided by Google). The User must take measures
commercially reasonable to ensure that Users receive
complete and clear information about the storage of cookies and the
access to them or any other information about the device of the
Users, and that they give their consent in this regard, when such
activity occurs in connection with the Service and when required by law
provide such information and obtain such consent.
[…]”
17. That the RAE did not provide or communicate any data that could be derived from the use
of Google Analytics to any third party. That he has not accessed data either
any staff so it is hardly possible to make a transfer to
third parties. That you cannot specify the specific suppliers or locations to which
that Google may have transmitted the data collected by Google Analytics. That
Links are included in the Google Ads Data Processing Conditions
with the identification of the sub-processors https://privacy.google.com/
businesses/subprocessors/ and with geographic locations
https://www.google.com/intl/es/about/datacenters/locations/
18. That only the basic functionalities of Google Analytics were used
guaranteeing the minimization of the impact on the privacy of users so that
there is no processing of information referring to persons identified or
identifiable but only aggregate information. that they have not carried out
any data processing related to the users' IP.
19. That they have only had access to the following aggregate information provided by
Google Analytics:
a. Identification of the geographical area (city and country) from which the
Website user accesses it and access statistics by country.
b. Idiom.
c. Source from which the visit comes.
d. Statistical flow of visits to the Website.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/15
and. Statistical analysis of visits, offering percentages of visits
recurring or first access.
F. Browser used in your access.
g. Type of mobile device used.
h. Screen resolution of the device and its operating system.
Provide screenshots of Google Analytics where the
classifications of:
a. language with at least 10 different values
b. country with at least 10 different values
c. city with at least 10 different values
d. System with subsections:
Yo. browser with at least 10 different values
ii. Operating system with at least 10 different values
iii. Service provider
and. Mobile with the subsections of:
Yo. Operating system with at least 10 different values
ii. Service provider
iii. Screen resolution with at least 10 different values.
F. Mobile devices/devices with at least 9 different values.
There is no data on age or sex. There are no data of interest.
Google Signals is not activated.
The Comparisons are not activated.
There are no custom or user-defined variables.
On the contrary, the RAE has not made use of any of the information
advanced capabilities provided by Google Analytics, which require a
specific enablement within the tool. They have not had access to:
a. Age.
b. Sex.
c. Affinity categories.
d. Segments with purchase intent.
and. Multi-device section.
F. Comparison sections.
20. That there are no treatments of special categories of data.
21. That, since they did not process age data, they do not have information to
specify if any of the users of the website could be minors.
22. That art. 22.2 of the LSSI since its
activity must be classified as providing a public service.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/15
23. "On the other hand, in the denied assumption that my client had carried out
carry out a treatment of personal data of the users of its website, the same
would have been developed for the fulfillment of the purposes established in its
Statutes and its Regulations, such treatment being necessary for compliance with
a mission of public interest and thus being covered by article 6.1 e) of the
GDPR.”
24. “Regarding data transmissions to Google LLC, as has already been
indicated in a previous place of this writing, were based on the condition of
person in charge of the treatment of the aforementioned entity and in its adherence to the
"Privacy Shield" Agreement, pursuant to the Enforcement Decision
(EU) 2016/1250 of the Commission, of July 12, 2016, as well as, subsequently,
in the application, as of August 12, 2020, of the standard contractual clauses
for international data transfers between controllers and processors
treatment, approved by Commission Decision 2010/87/UE, of February 5,
2010.”
25. That Google Analytics establishes a predefined period of conservation of the
information collected for 26 months.
26. That according to clause 6.2 of the Conditions for the Treatment of Data of
Google Ads establishes "Deletion at the expiration of the validity period. To the
expiration of the term, Customer instructs Google to
delete all Customer Personal Data (including existing copies) from the
Google systems in accordance with applicable law. Google will comply with the
present instructions as soon as reasonably possible and within a
maximum period of 180 days, unless European or National Laws require its
storage."
- On 06/01/2021, the ROYAL SPANISH ACADEMY sends this Agency the
following information and representations:
1. That the RAE is a public law corporation, having established the
having established the Supreme Court in its judgment of November 17,
2015 (appeal 764/2014) the public nature of all the
functions and activities carried out by the Royal Academies (first section of the
letter of December 10, 2010).
2. That the Google Analytics tool they used was the free version.
3. That they started using Google Analytics on September 12,
2019.
4. That it does not maintain web pages aimed at third countries, there being a
sole domain of it.
5. That from December 1, 2019 to November 30, 2020 there were
210,555,443 visits to the RAE portal, corresponding to a total of 100,131,355
users.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/15
A report is provided where it is stated that from December 1, 2019 to December 30,
November 2020 there was the following breakdown of visits by country, with the 10 being
first in number of visits:
Number of Percentage on the
total visits
Spain 77,829,236 36.96%
Mexico 35,409,134 16.82%
Colombia 16,817,104 7.99%
Argentina 15,312,395 7.27%
Peru 11,861,855 5.63%
Chile 10,642,227 5.05%
United 6,248,681 2.97%
states
Ecuador 4,511,765 2.14%
Venezuela 2,935,038 1.39%
Guatemala 2,669,888 1.27%
And where it also states that:
France 1,261,921 0.60%
Italy 1,208,428 0.57%
Germany 1,091,227 0.52%
Honduras 989,860 0.47%
Portugal 325,589 0.15%
- On 09/08/2020 it is verified that in the code of the website www.rae.es
loaded in the browser contains the following code:
<head>
[…]
</script>
<!--[if lt IE 9]><script
src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
<script>
//<![CDATA[(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||
function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new
Date();a=s.createElement(o),m=s.getElementsByTagName(o)
[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})
(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-44263049-1', 'auto');
ga('send', 'pageview');
if(Drupal.eu_cookie_compliance != undefined && !
Drupal.eu_cookie_compliance.hasAgreeed()){window['ga-disable-UA-44263049-
1'] = true;
}
//]]>
</script>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/15
</head>
- On October 27, 2021 it is verified that:
1. The code of the website www.rae.es loaded in the browser does not contain
the above code.
2. While browsing the web www.rae.es there are no HTTP requests to the
domain google-analytics.com, nor are cookies associated with Google Analytics installed.
3. In the url https://policies.google.com/technologies/cookies?hl=es#types-of-
cookies consists:
“[…]
Analytics
Cookies used for analytical purposes help collect data that
They allow services to understand how users interact with them. Is
information is used to improve the content of the services and its
functions, as well as to offer a better experience to users.
Some cookies help sites understand how visitors interact
with its properties. For example, Google Analytics, a Google product
with which site and application owners can understand how
users interact with its services, uses a set of cookies to
collect information and offer statistics of use of the sites without identifying
personally to each visitor. The main cookie used by Google Analytics
is "_ga", which allows services to distinguish one user from another and lasts 2
years. It is used by all sites where Google Analytics is implemented,
including Google services.
[,,,]
4. Check that in the url https://developers.google.com/analytics/devguides/
collection/analytics consists of:
“The analytics.js library (known as "the Google Analytics tag") is
a JavaScript library used to measure user interactions
users with your website. This document explains how to add the
Google Analytics tag to a website.”
It also states that the tag to add analytics.js to the website is:
<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)
[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m
})(window,document,'script','https:∕∕www.google-analytics.com∕analytics.js','ga'
ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
<∕script>
<!-- End Google Analytics -->
FUNDAMENTALS OF LAW
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/15
Yo
In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
GDPR) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions the Director of the Spanish Agency for
Data Protection.
II
The claim presented by the claimant, represented by Noyb –
European Center for Digital Rights, is based on data processing
data made by RAE and that have been transferred to Google LLC, that is, they have
been subject to international data transfer in violation of articles 44 to 49 of the
GDPR. Requests that the facts be investigated, that the RAE data flow be prohibited
against Google LLC in the US, and that a fine be imposed on RAE and Google LLC.
Indicates that the transfers made by RAE have been produced when the
HTML code on the website www.rae.es for Google services (including
Google Analytics), and personal data of the claimant have been collected and
transferred to the US.
The complaining party has filed 101 claims for similar events, which are
being investigated by the control authorities of the country where it is
established the data controller.
This procedure refers to the performance of the RAE in relation to the
international data transfers through the installation of certain
cookies.
In order for all control authorities to act jointly and coherently, it is
created a working group, which has convened numerous meetings. In them, they have
developed questionnaires to make information requirements about the
treatment carried out, addressed both to the data controller and to Google.
The will of all data protection control authorities is the cessation
of the flow of data to third countries without the guarantees established in the GDPR.
II
Article 45 of the GDPR establishes the following:
"one. A transfer of personal data may be made to a third country or
international organization when the Commission has decided that the third country, a ter-
territory or one or several specific sectors of that third country, or the international organization
national law in question guarantee an adequate level of protection. Said transfer-
cia will not require any specific authorization.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/15
2. When assessing the adequacy of the level of protection, the Commission shall take into account
In particular, it covers the following elements: a) the rule of law, respect for
human rights and fundamental freedoms, the relevant legislation, both ge-
both general and sectoral, including that related to public safety, defense, security
national law and criminal law, and public authorities' access to data
personal data, as well as the application of said legislation, the rules for the protection of
data, professional standards and security measures, including rules on
about onward transfers of personal data to another third country or international organisation.
international law observed in that country or international organization, jurisprudence, as well
such as recognition of the interested parties whose personal data is being transferred
conferred effective and enforceable rights and administrative resources and legal actions
cials that are effective; b) the existence and effective functioning of one or more
independent supervisory authorities in the third country or to which a
international organization, with the responsibility of guaranteeing and enforcing the
data protection rules, including appropriate enforcement powers,
to assist and advise the interested parties in the exercise of their rights, and to cooperate
with the supervisory authorities of the Union and of the Member States, and c) the com-
international commitments assumed by the third country or international organization of
in question, or other obligations derived from legally binding agreements or instruments
binding, as well as their participation in multilateral or regional systems, in
particularly in relation to the protection of personal data.
3. The Commission, after having assessed the adequacy of the level of protection, may
may decide, by means of an implementing act, that a third country, a territory or one or several
various specific sectors of a third country, or an international organization guaranteeing
provide an adequate level of protection in accordance with the provisions of section 2 of the pre-
feel article. The implementing act will establish a periodic review mechanism,
least every four years, taking into account all relevant events
in the third country or in the international organization. The act of execution will specify
its scope of territorial and sectoral application, and, where appropriate, will determine the authority or
control authorities referred to in section 2, letter b), of this article. The
The implementing act shall be adopted in accordance with the examination procedure referred to in
re article 93, paragraph 2.
4. The Commission will continuously monitor developments in the country
third parties and international organizations that may affect the effective application
tion of decisions taken pursuant to paragraph 3 of this article and of
decisions taken on the basis of Article 25(6) of the Directive
95/46/EC.
5. When the information available, particularly after the review referred to,
For the purposes of paragraph 3 of this article, show that a third country, a territory or a
specific sector of that third country, or an international organization no longer guarantees
an adequate level of protection within the meaning of paragraph 2 of this Article, the Commission
tion, through acts of execution, will repeal, modify or suspend, to the extent
necessary and without retroactive effect, the decision referred to in section 3 of the present
you article. Those implementing acts shall be adopted in accordance with the procedure
examination referred to in article 93, paragraph 2. For compelling reasons of urgency,
duly justified gency, the Commission will adopt acts of immediate execution.
applicable in accordance with the procedure referred to in article 93,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/15
paragraph 3.
6. The Commission shall enter into consultations with the third country or international organization
with a view to remedying the situation that gave rise to the decision taken to
accordance with section 5.
7. Any decision in accordance with paragraph 5 of this article shall be
without prejudice to transfers of personal data to the third country, to a te-
territory or one or several specific sectors of that third country, or to the international organization
national concerned under articles 46 to 49.
8. The Commission shall publish in the Official Journal of the European Union and on its website
na web a list of third countries, territories and specific sectors in a third
country, and international organizations for which it has decided that
guarantees, or no longer, an adequate level of protection.
9. Decisions taken by the Commission under Article 25, paragraph
6 of Directive 95/46/CE will remain in force until they are modified, replaced
protected or repealed by a Commission decision taken in accordance with the
paragraphs 3 or 5 of this article.”
Article 46 establishes the possibility of transmitting personal data to a third country or
international organization if it had offered adequate guarantees and on condition of
that the interested parties have enforceable rights and effective legal actions. The ar-
The following article regulates the binding corporate rules and article 49 establishes
the exceptions in which personal data may be transferred if certain circumstances occur
specific circumstances.
In the present case, during the previous investigation actions, it has been
It has been noted that, shortly after learning of the Schrems II Judgment, RAE stopped using
the Google Analytics tool. In addition, RAE has never used information with the
in order to identify the users of its website.
In accordance with what is indicated in the previous paragraphs and with the information of the
that is available at this time, no evidence has been found that proves in
the current moment the existence of infringement in the area of competence of the Agency
Spanish Data Protection.
Therefore, in accordance with what has been indicated, by the Director of the Spanish Agency for
Data Protection,
HE REMEMBERS:
FIRST: PROCEED TO THE ARCHIVE of the present proceedings.
SECOND: NOTIFY this resolution to A.A.A. and GOOGLE LLC and REAL
SPANISH ACADEMY.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/15
Against this resolution, which puts an end to the administrative process as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common for Public Administrations, and in accordance with the provisions of the
arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reversal before the Director of the Agency
Spanish Data Protection Agency within a period of one month from the day
following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within a period of two months from the day following
to the notification of this act, as provided in article 46.1 of the aforementioned Law.
940-051121
Mar Spain Marti
Director of the Spanish Data Protection Agency
28001 – Madrid 6 sedeagpd.gob.es
