AEPD (Spain) - EXP202306257
Revision as of 12:40, 6 March 2024
AEPD - EXP202306257 |
---|---
Authority: | AEPD (Spain)
Jurisdiction: | Spain
Relevant Law: | Article 44 GDPR
Type: | Complaint
Outcome: | Rejected
Started: |
Decided: |
Published: |
Fine: | n/a
Parties: | VACACIONES EDREAMS, S.L.
National Case Number/Name: | EXP202306257
European Case Law Identifier: | n/a
Appeal: | Appealed - Confirmed AEPD PS/00349/2022
Original Language(s): | Spanish
Original Source: | AEPD (in ES)
Initial Contributor: | mgrd
eDreams unsuccessfully appealed a decision finding a violation of Article 44 GDPR, as its transfer of personal data to the U.S. lacked appropriate safeguards.
English Summary
Facts
On 20 August 2020 the data subject, represented by noyb, filed a complaint against eDreams, the controller, with the Spanish DPA. The data subject stated that he had visited the eDreams website while logged in to his Google account. His IP address and cookie data were collected and transferred to Google in the U.S. through the Google Analytics and Google Ads services contracted by eDreams.
The Spanish DPA started an investigation. Based on the documents provided and the requests made by the Spanish DPA, it was confirmed that Google Analytics statistics were collected on data subjects in the other Member States where eDreams concentrates its activity. The data in the Google Analytics tool is accessed mainly from eDreams' offices in Spain, led by the head of the Analytics team, but also from France and Germany by the country management teams there.
eDreams stated that it only communicates the data collected through Google Analytics to Google. In the event that the user gives consent for advertising cookies and does not block cookies in their browser, the Google Ad Manager and Google Ads tools are also recipients of the data. The controller specified that the legal basis for integrating the Google Analytics tool was legitimate interest, namely the need to understand how its website is used and to provide a better service to users.
Concerning the international transfer of data to the U.S., the controller relied on the Privacy Shield certification until it was declared invalid, and subsequently on the Standard Contractual Clauses adopted by the Commission, together with the supplementary measures provided by Google. Additionally, eDreams did not have the option to opt out of transferring data outside the EEA when using Google Analytics, since the configuration of the tool does not allow it.
The browsing and behavioral data of customers were pseudonymized by means of a cookie identifier ("Cookie ID") that allowed eDreams to analyze how the user accessed and interacted with its website; the Cookie ID was also its internal identifier for analyzing results at a statistical level. The controller claimed that no special categories of personal data within the meaning of Article 9 GDPR were processed, nor any personal data of particularly vulnerable persons. The retention period was 26 months, which allowed the controller to make comparisons with the previous year's data.
On 12 October 2020, in response to the DPA's requests, Google stated that customers using Google Analytics can enable IP anonymization, applied immediately after the data is collected. To the extent that the data collected through Google Analytics and transferred by Google's customers are personal data, they would have to be pseudonymized (as mandated by the Google Analytics Terms of Service). Google also highlighted that it had obtained ISO 27001 certification and would allow customers, or a customer-appointed third-party auditor, to conduct audits of Google Analytics and verify Google's compliance with its obligations.
Google also claimed that if any government requested access to personal data stored in Google's systems in the course of an investigation, a dedicated team of Google lawyers and specially trained personnel would carefully review the request to verify that it is lawful, proportionate, and complies with Google's policies. Its infrastructure is not designed to, and does not, give the U.S. government or any other government "backdoor" access to customer data or its servers. In addition, Google highlighted that it uses strong technical measures (such as encryption) to protect against interception, including surveillance attempts by government authorities around the world.
Despite these arguments, on 26 July 2023 the DPA ordered eDreams to comply with Article 44 GDPR, specifically to adapt its data processing with Google Analytics so that no international data transfers to the U.S. occur without adequate safeguards. The Spanish DPA determined that the measures implemented by eDreams were insufficient to address the core issue of unlawful data transfers and the risk they posed to EU citizens' data protection rights.
Holding
eDreams contested the Resolution, leading to the appeal, based on the following arguments.
Firstly, eDreams claimed that the DPA infringed its right of defense: the controller was affected by a delay in accessing the case file, which limited the time available to present allegations, and a requested evidentiary period was not granted. Further technical proof was considered unnecessary, since Google's terms allow data storage and processing in any country where Google has facilities and all data collected via Google Analytics is hosted in the U.S. The DPA attributed the delays to technical issues and miscommunication rather than to a lack of procedural fairness, and argued that the extension of the deadline to submit allegations was sufficient, countering the claim of an unjustified limitation of the period.
Secondly, eDreams contested the decision for failing to technically demonstrate that international data transfers to the U.S. took place, and claimed that its privacy settings prevent such transfers. The DPA refuted these claims, citing documentation, U.S. law and Google's own statements confirming U.S. data hosting and Google's obligation to hand over personal data on request from a U.S. authority. It emphasized that the Google Analytics settings used by eDreams do not prevent the processing of personal data and that the international transfer did not comply with Article 44 GDPR.
Thirdly, eDreams argued that the decision did not take into account the new U.S. legal framework and the European Commission's adequacy decision, and claimed that it was unfair and legally improper, as it demanded compliance from a third-party service (Google) outside eDreams' control. It also argued that the decision prohibited future processing that is lawful under the new U.S. legal framework. The DPA disagreed, stating that the legal framework in force at the time of the infringement applies, and that compliance with the GDPR was required at the time of the complaint.
Fourthly, eDreams argued that the sanctioning procedure lacked a basis, citing the EU-U.S. Data Privacy Framework and its Google Analytics privacy settings, including IP anonymization and deactivation of Google Signals, as compliance measures. It also cited the EDPB's endorsement of the U.S. safeguards for data transfers regardless of the transfer mechanism used. The DPA emphasized that the new EU-U.S. Data Privacy Framework itself confirms that past data transfers violated EU citizens' rights because of U.S. intelligence agencies' unrestricted access to data. The DPA's decision was based on the legal framework at the time of the infringements, not on the subsequently adjusted U.S. data protection guarantees. Moreover, eDreams did not present evidence of Standard Contractual Clauses with Google which, together with the safeguards set out in the EU-U.S. Data Privacy Framework, would allow the international transfer of data to the U.S. to be considered compliant with the GDPR.
In light of the above, the DPA dismissed the appeal by eDreams against the decision of 26 July 2023, since eDreams did not provide new facts or legal arguments that would justify reconsidering the original decision.
Comment
In this case, the Spanish DPA acted as lead supervisory authority, with the Austrian, French and Italian DPAs as concerned supervisory authorities.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File no.: EXP202306257 (RR/00640/2023)
IMI Reference: A56ID 438120 – A60DD 448732 – Case Register - 448157

RESOLUTION OF APPEAL FOR RECONSIDERATION

Having examined the appeal for reconsideration filed by VACACIONES EDREAMS, S.L. (hereinafter, the appellant) against the resolution issued by the Director of the Spanish Data Protection Agency dated July 26, 2023, and based on the following

FACTS

FIRST: On July 26, 2023, the Director of the Spanish Data Protection Agency issued a resolution in file EXP202306257 under which VACACIONES EDREAMS, S.L. was ordered, for a violation of Article 44 of the GDPR, typified in Article 83.5 of the GDPR, to adapt the data processing activity carried out through the Google Analytics service to the provisions of Articles 44 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, in particular by ceasing the international data transfer until it is proven that the Google Analytics service complies with the aforementioned provisions of the Regulation.

Said resolution, notified to the appellant on July 31, 2023, was issued following the processing of the corresponding sanctioning procedure, in accordance with the provisions of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), and supplementarily of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), as regards the processing of sanctioning procedures.

SECOND: The following were recorded as proven facts of the aforementioned sanctioning procedure, PS/00349/2022:

FIRST: A.A.A. (the complaining party), on 08/14/2020 at 4:44:00 a.m., visited the website ***URL.1 while logged in to the Google account associated with the address ***EMAIL.1 belonging to the complaining party.
Through HTML code embedded in the web page ***URL.1, personal data (at least, the IP address and cookies) of the complaining party were collected and transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, through the Google Analytics and Google Ads services contracted by the party responsible for the portal, EDREAMS. When the complaining party visited the aforementioned website, the following requests were made:

1. A GET request to the URL ***URL.2, which includes cookies and fields in the request with, among others, the following values:
Field | Value
User-Agent | (…)
_ga | (…)
__gads | (…)
_gid | (…)

2. A GET request to the URL ***URL.3, which includes cookies and fields in the request with, among others, the following values:
Field | Value
User-Agent | (…)
NID | (…)
accept-language | (…)
u1 | (…)

3. A POST request to the URL ***URL.4 with the following header and parameters encoded in the payload, among others:
Header | (…)
Field | Value
User-Agent | (…)
gjid | (…)
cid | (…)
tid | (…)
_gid | (…)
accept-language | (…)

SECOND: As stated in its response of 12/10/2020 to a request from this Agency, EDREAMS introduced the Google Analytics tool code on its website ***URL.1 and is currently still embedding it.

THIRD: As stated in its response of 12/10/2020 to a request from this Agency, Google Analytics statistics were collected on data subjects in the Member States where EDREAMS concentrates its activity: Germany, Austria, Czechia, Denmark, Spain, France, Finland, Greece, Hungary, Italy, Netherlands, Poland, Portugal, Romania, Sweden.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
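The three requests recorded above are exactly the evidence a controller should be able to reproduce for itself before claiming that a tag's settings prevent any transfer. The following is an added example, not part of the decision and not eDreams' or Google's code: a small Python inventory that takes a captured set of browser requests (here a constructed sample, since the case file redacts the real URLs as ***URL.2 to ***URL.4) and lists, for each request to a Google collection endpoint, which of the identifier fields named in the decision (_ga, _gid, __gads, NID, cid, tid, gjid) it carried and whether IP anonymization was requested. The endpoint hostnames in GOOGLE_COLLECTION_HOSTS are assumptions based on the publicly documented Google Analytics and Google Ads collection endpoints, not taken from the decision.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed collection endpoints (the decision redacts the real URLs). These are
# the public Google Analytics / Google Ads hosts a browser beacons to.
GOOGLE_COLLECTION_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "region1.google-analytics.com": "Google Analytics",
    "stats.g.doubleclick.net": "Google Analytics (Ads linking)",
    "googleads.g.doubleclick.net": "Google Ads",
    "www.googleadservices.com": "Google Ads",
}

# Fields the decision lists as sent with the requests: cookies _ga, _gid,
# __gads, NID and payload fields cid, tid, gjid. Each is a per-user or
# per-property identifier; "uid" is added as the documented User-ID field.
IDENTIFIER_FIELDS = {"_ga", "_gid", "__gads", "NID", "cid", "tid", "gjid", "uid"}


def parse_cookies(header):
    """Parse a Cookie request header ("a=1; b=2") into a name -> value dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def classify_request(entry):
    """Return a transfer record for one captured request, or None when the
    destination is not a Google collection endpoint.

    `entry` is a dict with keys: method, url, cookies (the raw Cookie header
    string) and body (raw POST body, empty string for GET)."""
    parts = urlsplit(entry["url"])
    service = GOOGLE_COLLECTION_HOSTS.get(parts.hostname)
    if service is None:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if entry.get("body"):
        params.update({k: v[0] for k, v in parse_qs(entry["body"]).items()})
    cookies = parse_cookies(entry.get("cookies", ""))
    identifiers = sorted(IDENTIFIER_FIELDS & (set(params) | set(cookies)))
    return {
        "host": parts.hostname,
        "service": service,
        "method": entry["method"],
        "identifiers": identifiers,
        # aip=1 only asks the receiving server to mask the address after
        # receipt; the full source IP still reaches the endpoint on the wire.
        "ip_anonymization_requested": params.get("aip") == "1",
    }


def transfer_inventory(entries):
    """Inventory of every captured request that went to a Google endpoint."""
    return [r for r in (classify_request(e) for e in entries) if r]


# Constructed sample capture (not from the case file); all values are placeholders.
SAMPLE_CAPTURE = [
    {"method": "GET",
     "url": "https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=123.456&t=pageview&aip=1",
     "cookies": "_ga=GA1.2.123.456; _gid=GA1.2.789.012; __gads=ID=abc:T=1:S=xyz",
     "body": ""},
    {"method": "POST",
     "url": "https://stats.g.doubleclick.net/j/collect",
     "cookies": "NID=204=example",
     "body": "v=1&tid=UA-000000-1&cid=123.456&_gid=789.012&gjid=555"},
    {"method": "GET",                     # first-party asset, not a transfer
     "url": "https://www.example.com/static/app.js",
     "cookies": "session=deadbeef",
     "body": ""},
]

if __name__ == "__main__":
    for record in transfer_inventory(SAMPLE_CAPTURE):
        print(record)
```

Feed it the entries exported from the browser's developer tools or an intercepting proxy, in the same shape as SAMPLE_CAPTURE. Note that the inventory reports `aip` separately from the identifiers: the flag is a parameter inside a request that has already crossed to the endpoint, which is consistent with the DPA's finding that the Google Analytics settings used by eDreams do not prevent the processing.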
FOURTH: As stated in its response of 12/10/2020 to a request from this Agency, the data from the Google Analytics tool is accessed mainly from the EDREAMS offices in Spain, led by the head of the Analytics team, but also from France and Germany by the management team of each country.

FIFTH: As stated in its response of 12/10/2020 to a request from this Agency, EDREAMS only communicates the data collected through Google Analytics to GOOGLE. In the event that the user gives consent for advertising cookies and does not block cookies in their browser, the Google Ad Manager and Google Ads tools will also be recipients.

SIXTH: As stated in its response of 12/10/2020 to a request from this Agency, the legal basis for the incorporation of the tool is a twofold legitimate interest: understanding how the EDREAMS website is used and providing a better service to users.

SEVENTH: As stated in its response of 12/10/2020 to a request from this Agency, the initial legal basis for the international transfer of data by EDREAMS was the Privacy Shield certification until its annulment and, since August 2020, the standard data protection clauses adopted by the Commission ("Standard Contractual Clauses", or "SCC"), together with the appropriate supplementary measures provided by Google.

EIGHTH: As stated in its response of 12/10/2020 to a request from this Agency, EDREAMS did not have the option of choosing whether or not to transfer data outside the EEA when using Google Analytics, since the tool's configuration does not allow it.

NINTH: As stated in its response of 12/10/2020 to a request from this Agency, EDREAMS processes the browsing and behavioral data of the clients on its websites in pseudonymized form, using a cookie identifier ("Cookie ID") that allows it to analyze how the user accesses and interacts with its website, and its internal identifier to analyze the results at a statistical level.
The "Booking ID" (internal reservation identifier) is used by EDREAMS to identify the sales conversion ratio. The "Checked Booking ID" allows it to know how many people have entered the "Manage my reservation" section and have chosen to cancel or modify the reservation. The "Session ID" and "eDOuser ID" allow EDREAMS to limit as much as possible the amount of data it holds in Google Analytics, and are used to resolve technical problems. For all these reasons, the data is limited to how users, through their devices, interact with the EDREAMS website (internal browsing data on the website).
In no case are special categories of data as defined in Article 9.1 of the GDPR processed, nor are data of particularly vulnerable people processed. Non-pseudonymized data are not processed.

TENTH: As stated in its response of 12/10/2020 to a request from this Agency, GOOGLE may obtain knowledge of users' personal data automatically, by saving the information on its own platform. The Google Analytics tool code is integrated directly when the user accesses the EDREAMS website. Any purpose other than analyzing the use of the aforementioned website, such as advertising, will not be activated until the user has given prior consent. That is, if the user does not give consent, Google Analytics will not connect with Google Ad Manager and Google Ads in any way.

ELEVENTH: As stated in its response of 12/10/2020 to a request from this Agency, the data is stored for a period of 26 months, which is the period that allows EDREAMS to make comparisons against the previous year.

TWELFTH: As stated in its response of 12/10/2020 to a request from this Agency, the data was stored according to clause 10.3 of the then-current document "Conditions for the processing of Google Ads data", whose terms or configuration did not allow EDREAMS to change it.
THIRTEENTH: As stated in its response of 12/10/2020 to a request from this Agency, of the five purposes for sharing data with GOOGLE, EDREAMS only had the GOOGLE technical support purpose activated, so that GOOGLE can resolve any incident, without GOOGLE being able to use the data for other purposes.

FOURTEENTH: As stated in its response of 12/10/2020 to a request from this Agency, the cookies are not refreshed even if the user revisits the website, so the 13-month duration is static.

FIFTEENTH: As stated in its response of 12/10/2020 to a request from this Agency, apart from the Google Analytics tool service itself, the data is connected, with prior consent, with the following services:
Google Ads Linking: links the Google Ads account to the Analytics account, allowing the full customer cycle to be seen, from how users interact with marketing to how the objectives set on the website are finally achieved.
AdSense Linking: allows AdSense data to be seen in Analytics, as well as key Analytics metrics on the AdSense homepage cards.
Google Ad Manager Linking: once the Ad Manager and Analytics accounts are linked, Ad Manager metrics will be available in Analytics.
Optimize and Tag Manager Linking: Google Optimize allows the website to be tested and customized using Google Analytics data for measurement and targeting.
Ad Exchange Linking: allows statistical advertising data from the Ad Exchange to be received within the Analytics account.
Campaign Manager 360 Linking: allows campaign statistics and cost data from Campaign Manager 360 to be imported into Analytics 360.

SIXTEENTH: As of 12/10/2020, EDREAMS had the following services linked with the Google Analytics tool:
a. "AdSense. Actively linked. Receiving data. AdSense helps you earn money by displaying ads on your website that are relevant to your audience. […]"
b. "Google Ads. Actively linked. Sending and receiving data. Google Ads is an online advertising program that helps you reach your customers and grow your business, improve your ad campaigns and analyze the customer journey, from clicking on the ad to conversion."
c. "Ad Exchange. Actively linked. Receiving data. Ad Exchange helps you earn money by displaying ads on your website that are relevant to your audience. Correlate key Ad Exchange metrics, such as eCPM and unit impressions, with more Analytics data."
d. "Campaign Manager 360. Actively linked. Receiving data. Campaign Manager 360 is an ad management and serving solution that helps agencies and advertisers manage the full reach of digital advertising programs. This integration allows Google Analytics 360 customers to view and analyze Campaign Manager 360 data in Analytics."
e. "Google Optimize and Tag Manager for website and app optimization. Actively linked. Receiving data. Google Optimize allows you to test and personalize your website using Google Analytics to measure and personalize. […]"
f. "Search Console. Actively linked. Receiving data. Search Console can help you understand how users find your website through Google searches, identify ways to attract more attention to your website and prioritize development efforts."

SEVENTEENTH: As of 12/10/2020, EDREAMS had the following configuration of the Google Analytics account in the "Data Sharing Settings" section:
a. "Google products & services". Not selected.
b. "Benchmarking". Not selected.
c. "Technical Support". Selected.
d. "Account specialists". Not selected.
e. "Give all Google sales experts access to your data and account so you can get more in-depth analysis, insights and recommendations across Google products." Not selected.
The retention period was 26 months, with the minimum selectable period being 14 months and the maximum 50 months. There was also a selectable option of not automatically deleting the data after a specific period, but it was not selected.

EIGHTEENTH: As of 12/10/2020, GOOGLE IRELAND LTD. acted as processor.

NINETEENTH: As of 12/10/2020, the adhesion contract proposed by GOOGLE, "Conditions for the processing of Google Ads data", available at https://privacy.google.com/businesses/processorterms/, stated that: "[…] 2.5 In the event that these Data Processing Conditions are translated into any other language and there is any discrepancy between the English version and the translated text, the English version will apply. […]"

TWENTIETH: As stated in its response of 12/10/2020 to a request from this Agency, from the very day of the CJEU judgment in C-311/18, EDREAMS considered that it should update its contracts by removing the Privacy Shield as legal basis and including the Standard Contractual Clauses, that it had to analyze the risks for the data subjects taking into account the type of personal data processed, and that it had to review the additional measures beyond those already contained in the Standard Contractual Clauses. As regards the Privacy Shield, GOOGLE proposed within a month (August 16, 2020) its new version with the changes to the "Conditions for the processing of Google Ads data", and the transfer of the IP address of whoever visits the website.

TWENTY-FIRST: As stated in its response of 12/10/2020 to a request from this Agency, in an email exchanged between EDREAMS and GOOGLE on September 24, GOOGLE declared that it had implemented the following additional safeguards to ensure the protection of Google Analytics data:
i. Google Analytics ensures the secure transmission of its JavaScript libraries and measurement data via HTTP Strict Transport Security (HSTS). ***URL.5
ii. IP anonymization. GOOGLE offered the possibility of anonymizing IPs. If this option is activated, IPs are deleted immediately after collection and are never stored on disk. This measure was implemented by eDreams. ***URL.6
iii. Google has obtained ISO 27001 certification in relation to Google Analytics.
iv. According to GOOGLE, it has a team that carefully reviews each request for user data it receives from government authorities. Transparency report at ***URL.7 and its policies at ***URL.8.
v. Encryption to protect personal data against interception in transit.

TWENTY-SECOND: As stated in its response of 12/10/2020 to a request from this Agency, the legal basis for the international transfer of data was the Privacy Shield until its annulment, and the standard contractual clauses adopted by the Commission since August 2020, together with the appropriate supplementary measures provided by GOOGLE. The standard contractual clauses are located at ***URL.9.

TWENTY-THIRD: As stated in its response of 12/10/2020 to a request from this Agency, in the event that any U.S. security agency wished to obtain access to the data collected by EDREAMS in the Google Analytics tool, it could not, first of all, do so directly without sending a request to Google, since said data is encrypted. Likewise, Google has internal processes to challenge any request from the U.S. administration that it considers disproportionate or incompatible with European data protection regulations or with the Standard Contractual Clauses. But in the hypothetical case that the corresponding U.S. agency ended up accessing the data, it would not be able to know which specific person is behind the data collected in the tool through identifiers, since the personal data that would allow direct identification are protected by EDREAMS and stored only within the European Economic Area.
TWENTY-FOURTH: As stated in its response of 12/10/2020 to a request from this Agency, "EO 12333 (...) organizes and assigns functions and responsibilities to the United States intelligence community and articulates high-level principles that all intelligence activities must comply with. The specific intelligence activities carried out under EO 12333 are subject to more specific implementing procedures (which may be classified) that include safeguards and protections appropriate for that type of intelligence activity. EO 12333 mainly governs intelligence activities that are carried out outside the United States. It is understood that EO 12333 allows the United States to conduct electronic surveillance outside the United States in compliance with United States legal requirements; it does not authorize electronic surveillance within the United States, nor does it impose requirements on service providers inside or outside the United States. Section 702 of the FISA Amendments Act, which also requires the United States Government to minimize the use and dissemination of data, has two components: Section 702 "Upstream" authorizes United States authorities to collect data that travels through the Internet "backbone" infrastructure controlled by United States electronic communications service providers (for example, telecommunications providers in the United States). To the extent that the data of any user or client crosses networks subject to Upstream Section 702 collection, that data is encrypted in transit as described previously. Section 702 "Downstream" authorizes United States authorities to obtain specific data directly from electronic communications service providers. To the extent Google LLC may be subject to specific requests related to Google customer data under Section 702 Downstream, we carefully review every request we receive under FISA in accordance with the guidelines described below to ensure that it complies with all applicable legal requirements and Google policies."
(Footnote 1: United States Executive Order 12333, hereinafter EO 12333.)

TWENTY-FIFTH: As stated in its response of 12/10/2020 to a request from this Agency, Google declares that if any government requested access to personal data stored in Google systems in the course of an investigation, a dedicated team of Google lawyers and specially trained staff would carefully review the request to verify that it is legal, proportionate and complies with Google policies. Google states that its infrastructure is not designed to give, and does not give, the United States government or any other government "back door" access to customer data or to the servers that store customer data. In addition, Google states that it uses strong technical measures (such as encryption) to protect against interception in transit, including surveillance attempts by government authorities around the world. Google declares that Google Analytics uses HTTP Strict Transport Security (HSTS) by default, which tells browsers that support HTTP over SSL (HTTPS) to use that encryption protocol for all communications between end users, websites and Google Analytics servers. Google states that it protects service-to-service communications at the application layer through a system of mutual authentication and encryption (ALTS). Google states that after the handshake protocol between the client and the server completes, and the client and server have negotiated the cryptographic secrets required to encrypt and authenticate network traffic, ALTS secures RPC (Remote Procedure Call) traffic by enforcing integrity, with optional encryption, using the negotiated shared secrets.
Google supports multiple protocols to ensure integrity, for example, AES-GMAC (Advanced Encryption Standard) with 128-bit keys. Whenever traffic leaves a physical border controlled by or on behalf of Google, for example, in transit through of WAN (Wide Area Network) between data centers, all protocols are automatically update to provide encryption as well as security guarantees. integrity. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/29 Google states that it encrypts Google Analytics data that is stored at rest in your data centers using the advanced encryption standard. Each center of data is protected with six layers of physical security designed to prevent Unauthorized access. "At rest" encryption in this section means the encryption used to protect user data that is stored on a disk (including hard drives solid-state drive) or backup media. All user data is encrypt at the storage level, typically using the encryption standard advanced (AES256). Data is typically encrypted at multiple levels in the stack. Google production storage in data centers, including at the level of hardware, with no action required by Google customers. Google states that it uses common cryptographic libraries that incorporate the Google FIPS 140-2 validated module, to implement encryption in a way consistent across all products. Consistent use of common libraries means that only a small team of cryptographers need to implement and maintain this code closely controlled and reviewed. Google states that it builds dedicated servers for its data centers and maintains an industry-leading security team to ensure that Google data is among the most secure in the world. The centers of Google production data is protected by multiple layers of security to prevent any unauthorized access to data. Google declares that it limits access to personal data for advertising and analysis of Google to Google people who need them to do their jobs. 
Google states that customers who use Google Analytics can activate IP anonymization to tell Google to anonymize all IP addresses immediately after they are collected. If activated, the full IP address is never written to disk, since all anonymization occurs in memory almost instantly after the request is received. Google declares that, to the extent that the Google Analytics measurement data transferred by customers are personal data, they would have to be considered pseudonymous. The Google Analytics Terms of Service require that no data that Google could use or recognize as personally identifiable information (PII) be transferred to Google. Google has obtained ISO 27001 certification and will allow customers, or a third-party auditor designated by a customer, to perform audits (including inspections) to verify compliance with Google's obligations.

TWENTY-SIXTH: As of February 3, 2021, the privacy policy of EDREAMS at the link ***URL.1 stated that:

“[…] V. Marketing activities. We use your information for marketing purposes, including, among others: […]

II. Information we collect automatically when you use our services.

a. Information about your device (for example, your IP address, browser type, Internet service provider, geographic location, technical information about the device, the time and duration of the request and of the visit, and the method used to send your request to the server). When you visit our websites or our app, we automatically collect certain information from your device. Please note that we may associate this information with your account.

b. Other technical information, for example how your device has interacted with our website or our app (for example, the pages you have accessed, the links you have clicked, etc.) or other means.
[…] If you register on our website with a social network account, link the account that you use on our website with your social network account, or use any other of our social media features, we may access information about you through such social media provider, in accordance with that provider's policies. The information may include your name, email address, profile photo, gender, friends list and any other information that you authorize us to receive. Some of this information may be collected through cookies or similar tracking technology. The processing of information collected through cookies is based on different legal grounds (for example, it may be necessary to provide our services based on your consent). To get more information, consult our Cookies Policy.

[…] III. International data transfers. Our servers are located in the European Union. However, to facilitate our global operations (carried out by external service providers), the transmission of personal data to the recipients described above may include international transfers of personal data to countries whose data protection regulations are not as complete as those of the countries within the European Union. In these situations, as required, we make contractual arrangements to ensure that your personal data continue to be protected in accordance with European standards.
[…]”

TWENTY-SEVENTH: As of February 3, 2021, the url ***URL.10 stated the following (unofficial translation, in English in the original):

“Google Ads Data Processing Terms: Model Contract Clauses

Standard Contractual Clauses (Processors). For the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Name of the data exporting organisation: the entity identified as the “Customer” in the Data Processing Terms (the data exporter), and name of the data importing organisation: Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA (the data importer) […]

Clause 4. Obligations of the data exporter. The data exporter agrees and warrants: (a) that the processing, including the transfer itself, of the personal data has been and will be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State; (b) that it has instructed, and throughout the duration of the personal data processing services will instruct, the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses; (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract; (d) that, after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation; […]

Clause 5. Obligations of the data importer. The data importer agrees and warrants: (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot comply for any reason, it agrees to inform the data exporter promptly of its inability to comply, in which case the data exporter may suspend the transfer of data and/or terminate the contract; (b) that it has no reason to believe that the applicable law prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in that legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the data exporter of the change as soon as it becomes aware of it, in which case the data exporter may suspend the transfer of data and/or terminate the contract; (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred; (d) that it will promptly notify the data exporter of: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under […]

[…] Clause 8. Cooperation with supervisory authorities. 1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law. 2.
The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

[…] Appendix 2 to the Standard Contractual Clauses. This Appendix forms part of the Clauses. Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(c) and 5(c) (or attached document/legislation): The data importer currently complies with the Security Measures set out in Appendix 2 of the Data Processing Terms at ***URL.11.

[…]”

TWENTY-EIGHTH: As of February 3, 2021, the url ***URL.12 contained:

“Google Ads Data Processing Terms. Google and the counterparty that accepts these Terms (the "Customer") have entered into an agreement for the provision of the Processor Services (as amended from time to time, the "Agreement"). These Google Ads Data Processing Terms (the "Data Processing Terms") are entered into by Google and the Customer and supplement the Agreement.

[…] Introduction. These Data Processing Terms reflect the parties' agreement on the terms governing the processing of certain personal data in connection with European data protection legislation and certain non-European data protection legislation.

Definitions and interpretation […] "European or National Laws": as applicable: (a) the laws of the EU or its Member States (if the EU GDPR applies to the processing of Customer Personal Data); and/or (b) the law of the United Kingdom or a part of the United Kingdom (if the UK GDPR applies to the processing of Customer Personal Data). […] "Google": the Google Entity that is a party to the Agreement.
"Google Affiliate Subprocessors" has the meaning given in Section 11.1 (Consent to Subprocessor Engagement). "Google Entity": Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other Affiliate of Google LLC.

[…] 5. Data processing. 5.1 Roles and regulatory compliance; authorization.

5.1.1 Processor and controller responsibilities. The parties acknowledge and agree that: (a) Appendix 1 describes the subject matter and details of the processing of Customer Personal Data; (b) Google is a processor of Customer Personal Data under European data protection legislation; (c) the Customer is a controller or processor, as applicable, of Customer Personal Data under European data protection legislation; and (d) each party will comply with its obligations under European data protection legislation with respect to the processing of Customer Personal Data.

[…] 5.2 Customer's instructions. By entering into these Data Processing Terms, the Customer instructs Google to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified through the Customer's use of the Processor Services (including the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the Agreement, including these Data Processing Terms; and (d) as documented in any other written instructions given by the Customer and acknowledged by Google as constituting instructions for the purposes of these Data Processing Terms.

5.3 Google's compliance with instructions.
Google will comply with the instructions described in Section 5.2 (Customer's Instructions) (including with regard to data transfers) unless European or National Laws to which Google is subject require other processing of Customer Personal Data by Google, in which case Google will inform the Customer (unless any of those laws prohibit Google from doing so on important grounds of public interest).

[…] 10. Data transfers. 10.1 Data storage and processing facilities. The Customer agrees that Google may, subject to Section 10.2 (Data Transfers), store and process Customer Personal Data in any country in which Google or any of its Subprocessors maintains facilities.

10.2 Data Transfers. If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data from the EEA, Switzerland or the United Kingdom to any third country that is not subject to an adequacy decision under European data protection legislation: (a) the Customer (as data exporter) will be deemed to have entered into the Standard Contractual Clauses with Google LLC (as data importer); (b) the transfers will be subject to the Standard Contractual Clauses; and (c) Google will ensure that Google LLC complies with its obligations under those Standard Contractual Clauses in respect of those transfers.

[…] 11. Subprocessors. 11.1 Consent to Subprocessor engagement. The Customer specifically authorizes the engagement of Google's affiliates as Subprocessors ("Google Affiliate Subprocessors"). In addition, the Customer generally authorizes the engagement of other third parties as Subprocessors ("Third Party Subprocessors").
If the Standard Contractual Clauses apply under Section 10.2 (Data Transfers), the above authorizations constitute the Customer's prior written consent to the subcontracting by Google LLC of the processing of Customer Personal Data. […]”

TWENTY-NINTH: As of February 3, 2021, the url ***URL.8 contained:

“[…] Requests from US government agencies in cases involving national security. In investigations related to national security, the U.S. government may use a National Security Letter (NSL) or one of the authorizations granted under the Foreign Intelligence Surveillance Act (FISA) to compel Google to provide user information. An NSL does not require judicial authorization and can only be used to compel us to provide limited subscriber information. FISA orders and authorizations can be used to compel electronic surveillance and the disclosure of stored data, including the content of services like Gmail, Drive and Photos.” […]” (unofficial translation, in English in the original)

THIRTIETH: As of February 3, 2021, the url ***URL.13 contained:

“[…] Basic concepts about personally identifiable information in Google contracts and policies. Many Google contracts, terms of service, and advertising and measurement product policies refer to "personally identifiable information" (PII). This is a categorization of data different from what the General Data Protection Regulation (GDPR) considers "personal data". Please note that although Google does not identify certain data as personally identifiable information, the GDPR may do so, or that data may be considered personal information under the California Consumer Privacy Act (CCPA), and it may be subject to those laws.
[…] Google considers "personally identifiable information" to be information that can be used on its own to accurately identify or locate a person, or to contact her directly. Among other information, it includes the following:
• Email addresses
• Postal mailing addresses
• Telephone numbers
• Precise locations (for example, GPS coordinates, except as mentioned below)
• Full names (first and last names) or usernames.

[…] Among others, Google does not consider the following data to be personally identifiable information:
• Pseudonymous cookie IDs
• Pseudonymous advertising IDs
• IP addresses
• Other pseudonymous end-user identifiers

For example, if an IP address is sent with an ad request (something that happens with almost all ad requests as a result of Internet protocols), that sending will not violate any prohibition related to sending personally identifiable information to Google. Please note that although Google does not identify certain data as personally identifiable information, the GDPR, CCPA or other privacy laws may consider them personal data or personal information. […]”

THIRTY-FIRST: As of February 1, 2021, after visiting the website ***URL.1 while logged into a Google test account, the visit made to that website was reflected in the “Web & App Activity” section.

THIRTY-SECOND: On February 17, 2021, after deleting cookies, it is confirmed that:

1. After logging in to a Google account, cookies such as NID, LSID, SID, __Secure-3PSID and __Secure-3PAPISID are installed in the browser; all of them are more than 30 alphanumeric characters long, with upper and lower case letters, and have an expiration period of 6 months to several years. Cookies such as _ga and _gid do not appear to be installed.

2.
While logged into the Google account and after visiting ***URL.1, rejecting all of its cookies and performing a navigation corresponding to a search for a rental car from Madrid-Airport to Málaga-Airport with rental start date 02/25/2021 and end date 02/28/2021, it is verified that the cookies _ga and _gid, among others, are installed. It is also verified that there is an HTTP GET request to the domain google-analytics.com whose URL parameters include, among others, data such as:
a. the _ga cookie, inside the cid parameter, and the _gid cookie;
b. the URL visited (***URL.14) and, among other data, the operation carried out within it, encoded as: “pickupDateTime”: “2021-02-25”, “returnDateTime”: “2021-02-28”, “pickupName”: “%3DMadrid%2520-%2520Airport”, “returnName”: “%3DM%25C3%25A1laga%2520-%2520Airport”;
c. the “sr” parameter.

3. The HTTP GET headers also contain data such as “user-agent” and “accept-language”.

THIRTY-THIRD: On March 4, 2021, it is verified that, after logging in to a Google account, followed by a logout and then by a navigation on ***URL.1 corresponding to a flight plus hotel search from March 19 to March 21, selecting Madrid as origin and Málaga as destination:

1. There is an HTTP POST request to the google-analytics.com domain which sends as payload, among other data: “***URL.1”; “sr=1920x1080”; the “cid” parameter, which matches the value of the _ga cookie; the _gid parameter, which matches the value of the _gid cookie; and the departure and return dates, as well as the departure and arrival cities.

2. The HTTP POST headers also contain data such as “user-agent” and “accept-language”.

THIRTY-FOURTH: On June 23, 2021, it is verified that, after logging in to a Google account and then browsing the website ***URL.1:

1.
There is an HTTP GET request to the domain adservice.google.com which sends as parameter u1 the same value as the content of the _ga cookie, as well as the “user-agent” and “accept-language” parameters. This same HTTP GET request also sends the NID cookie.

It is verified, on different dates, that the domain google-analytics.com, as well as several IP addresses corresponding to that domain, are assigned to GOOGLE LLC.

THIRTY-FIFTH: As stated in its letter of May 12, 2021, the total number of users in the period from April 1, 2020 to March 31, 2021 of the website ***URL.1, as well as of other versions of the page aimed at other countries, is, for example, 1,623,842 visits in the German market, 13,344,019 visits in the Spanish market and 12,682,624 visits in the French market. The total number of users in the period described is 72,648,400 visits.

THIRTY-SIXTH: As stated in its letter of May 12, 2021, the version that EDREAMS used was Google Analytics 360, since July 2012.

THIRTY-SEVENTH: As stated in its letter of May 28, 2021, the EDREAMS establishments in which personal data are processed in the context of the present complaint are Germany, Spain, France, Italy and the United Kingdom.

THIRTY-EIGHTH: As stated in its letter of May 28, 2021, (…).

THIRTY-NINTH: On October 27, 2021, it is confirmed that in the plenary session of the European Data Protection Board of September 2, 2020, it was decided to create a working group to ensure a coherent approach among the European data protection authorities in handling the 101 NOYB complaints, which deal with similar issues (the complainant visited a website of a controller while logged in to their Google or Facebook account, linked to their email address, and the controller had embedded code from Google or Facebook services, which transferred their personal data to the United States without a legal basis for doing so).
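As an added example (not code from the decision, from Google or from eDreams), the following Python script audits a Google Analytics "collect" hit in the way facts THIRTY-SECOND and THIRTY-THIRD describe: it checks whether the cid and _gid parameters equal the _ga and _gid cookies, lists the device attributes sent, and recovers the search details embedded in the visited URL. The property id, client ids, cookies, headers and example.invalid page URL are all constructed placeholders.

```python
"""Audit of a Google Analytics (Universal Analytics) "collect" hit: which
identifiers and page content leave the browser for google-analytics.com,
and whether cid / _gid equal the _ga / _gid cookies. Added example; the hit,
cookies and headers are constructed placeholders, not case-file data."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed page URL of a car-rental search, encoded as a browser sends it
# ("=Madrid - Airport" becomes "%3DMadrid%20-%20Airport"; once GA encodes the
# whole URL again into the dl parameter, "%20" becomes "%2520", which is the
# "%2520-%2520Airport" form seen in the inspection).
PAGE_URL = "https://www.example.invalid/cars/search?" + urlencode(
    {
        "pickupName": "=Madrid - Airport",
        "returnName": "=Málaga - Airport",
        "pickupDateTime": "2021-02-25",
        "returnDateTime": "2021-02-28",
    },
    quote_via=quote,
)

# Constructed GA hit as it would appear in a HAR export or proxy log.
# tid is a placeholder property id; cid and _gid are invented client ids.
SAMPLE_HIT = "https://www.google-analytics.com/collect?" + urlencode(
    {
        "v": "1",
        "tid": "UA-00000000-1",
        "cid": "1234567890.1612345678",
        "_gid": "987654321.1612345679",
        "sr": "1920x1080",
        "dl": PAGE_URL,
        "t": "pageview",
    },
    quote_via=quote,
)

# Constructed cookie jar and request headers of the same browser session.
SAMPLE_COOKIES = {
    "_ga": "GA1.2.1234567890.1612345678",
    "_gid": "GA1.2.987654321.1612345679",
}
SAMPLE_HEADERS = {
    "user-agent": "Mozilla/5.0 (constructed example)",
    "accept-language": "es-ES,es;q=0.9",
}


def client_id_from_cookie(cookie_value: str) -> str:
    """_ga and _gid cookies look like GA1.<depth>.<random>.<timestamp>; the
    last two dot-separated fields are the client id GA sends as cid / _gid."""
    parts = cookie_value.split(".")
    if len(parts) < 2:
        return ""
    return ".".join(parts[-2:])


def first_values(query: str) -> dict:
    """Flatten a query string to {name: first value}, percent-decoded once."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def audit_hit(hit_url: str, cookies: dict, headers: dict) -> dict:
    """Report what a single GA hit discloses to the receiving domain."""
    hit = urlsplit(hit_url)
    params = first_values(hit.query)
    page_url = params.get("dl", "")
    # The visited URL is itself a URL: decode its own query a second time to
    # recover the search details (dates, pickup/return places) embedded in it.
    page_params = first_values(urlsplit(page_url).query)
    ga_cid = client_id_from_cookie(cookies.get("_ga", ""))
    gid_cid = client_id_from_cookie(cookies.get("_gid", ""))
    return {
        "destination": hit.hostname,
        "cid": params.get("cid"),
        "cid_matches_ga_cookie": bool(ga_cid) and params.get("cid") == ga_cid,
        "gid_matches_gid_cookie": bool(gid_cid) and params.get("_gid") == gid_cid,
        "screen_resolution": params.get("sr"),
        "page_url": page_url,
        "page_params": page_params,
        "headers_sent": {h: headers[h] for h in ("user-agent", "accept-language")
                         if h in headers},
    }


def disclosure_summary(findings: dict) -> list:
    """Human-readable list of the data categories the hit transmits."""
    notes = []
    if findings["cid_matches_ga_cookie"]:
        notes.append("persistent client id (cid equals the _ga cookie)")
    if findings["gid_matches_gid_cookie"]:
        notes.append("short-lived client id (_gid equals the _gid cookie)")
    if findings["screen_resolution"] or findings["headers_sent"]:
        notes.append("device/browser attributes (sr, user-agent, accept-language)")
    if findings["page_params"]:
        notes.append("visited URL with search details: "
                     + ", ".join(sorted(findings["page_params"])))
    return notes


if __name__ == "__main__":
    for line in disclosure_summary(audit_hit(SAMPLE_HIT, SAMPLE_COOKIES, SAMPLE_HEADERS)):
        print("-", line)
```

Run against a real HAR export, the same functions show a site owner exactly which identifiers and page content each hit hands to the analytics provider.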
FORTIETH: According to the proceeding of October 27, 2021, GOOGLE LLC sent to the Austrian data protection authority a document dated April 9, 2021, which it shared with the other authorities through the working group for NOYB's 101 complaints in the context of the CJEU Schrems II ruling (“101 taskforce”, hereinafter task force TF101). The document in question includes the following information and statements (unofficial translation, in English in the original): (…).

FORTY-FIRST: As of November 2, 2021, the website ***URL.1 is also available for the following EEA countries: Czech Republic, France, Italy, Romania, Germany, Greece, Holland, Poland, Hungary, Portugal.

FORTY-SECOND: As of November 2, 2021, the url ***URL.15 reflects the existence of FISA (Foreign Intelligence Surveillance Act) requests and NSLs (National Security Letters) addressed to GOOGLE regarding user information.

FORTY-THIRD: On March 24 and 25, 2022, the description of Google Analytics at the URLs ***URL.16 and ***URL.17 included, among other information, that the _ga and _gid cookies were used to distinguish users and that the “sr” parameter referred to the screen resolution. Also, by executing tracert commands towards multiple IP addresses assigned to GOOGLE LLC in relation to the domain google-analytics.com, the RTT times are too low for those destination IPs to be geographically located in the United States.

THIRD: On August 30, 2023, the appellant filed an appeal for reconsideration before this Agency, basing it, essentially, on having been left defenseless, with infringement of the right of defense and an unjustified denial of a trial period. Furthermore, it considers that the sanctioning resolution is incongruent and lacks the necessary motivation, and that the sanction imposed has illegal effects and impossible content.
Finally, it alleges the lack of purpose of the sanctioning procedure and the absence of the subjective element and of guilt.

FOUNDATIONS OF LAW

I. Competence

The Director of the Spanish Data Protection Agency is competent to resolve this appeal, in accordance with the provisions of article 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP) and article 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD).

II. Response to the allegations presented in the appeal for reconsideration

In relation to the allegations made by the appellant in the appeal for reconsideration, we proceed to respond to them in the order set forth by EDREAMS:

“FIRST.- Defenselessness. Violation of the right of defense. Unjustified denial of the trial period.”

According to EDREAMS, this Agency has left EDREAMS defenseless by unjustifiably delaying access to the file, by unjustifiably limiting the extension of the deadlines for the presentation of allegations and, even more so, by this AEPD not agreeing to open the trial period expressly requested by EDREAMS on several occasions.

Next, we proceed to give due response to these arguments. With respect to the rejection of the request for evidence formulated by EDREAMS, its approach ignores the provisions of point 10 of the “Google Ads Data Processing Terms”, according to which the controller has agreed that Google may store and process the customer's personal data (in this case, data of the complaining party) in any country in which Google or any of its subprocessors maintains facilities. When this information is collected, it is transmitted to Google Analytics servers.
Specifically, in the document in the file sent by Google LLC dated April 9, 2021, in the last paragraph of the answer to question 8, Google declares that all data collected through Google Analytics is hosted in the U.S. Therefore, the data collected on the website «***URL.1» through Google Analytics are transferred to the United States. With the international transfer of personal data to the United States documentarily accredited, it was not necessary to carry out technical proof of a fact that has been recognized by Google, namely that, ultimately, all the data processed by Google Analytics are hosted in the USA. In accordance with the provisions of article 77.3 of the LPACAP, “the instructor of the procedure may only reject the evidence proposed by the interested parties when it is manifestly inappropriate or unnecessary, through a reasoned resolution”; thus there is no absolute right to the taking of evidence, as EDREAMS claims, but rather evidence can be rejected with reasons, as was done in the resolution, in the terms that have been reproduced again in this paragraph.

Regarding what EDREAMS calls the “unjustified delay in access to the file”, the form of delivery of the file was motivated by the technical impossibility of making it available to EDREAMS through the electronic headquarters, due to the size of the document; therefore it was decided to send the copy of the file on electronic media by courier. It was the will of this Agency that EDREAMS had access to the copy of the file as soon as possible, to which end the personnel in charge of the shipment confirmed by telephone, with the EDREAMS personnel who at that time were included in this Agency's database, the address to which it had to be sent, and the shipment was sent on December 12, 2022.
Despite the aforementioned verification, as stated in the receipt issued by the courier company on file, on December 13, 2022, when there were still 6 business days left until the end of the period to submit allegations, the courier could not deliver the shipment for the following reason: “Unknown recipient at the delivery address.” After this first delivery attempt, EDREAMS was contacted again to confirm the address. Therefore, the delay in delivering the copy of the file is due to the fact that EDREAMS had not notified this Agency of its change of address. On December 15, 2022, EDREAMS personnel appeared before this Agency, when there were four business days left until the last day for submission of allegations. The EDREAMS representative was provided with a copy of the file in person; the copy could not be provided two days earlier, when they appeared before this Agency without proving that representation. Without a doubt, this circumstance was also a cause of the delay in the delivery of the copy of the proceedings. In any case, since December 15, 2022, the day on which the copy of the file was received, EDREAMS has had a fairly long period of time to review the documents in the file; proof of this, as an example, is the expert report attached to its allegations (attached document no. 3), which addresses in 134 pages technical issues of some of the documents on file.

Finally, regarding what EDREAMS calls the “unjustified limitation” of the extension of the deadline to present allegations to the proposed resolution, article 32.1 of the LPACAP provides that “The Administration, unless otherwise provided, may grant... an extension of the established deadlines...”, so it is not obliged to do so. In the present case, the deadline for allegations to the initiation agreement was extended by five business days, the maximum period allowed by article 32.1 of the LPACAP, taking into account that the initial period was ten business days, and, within the period for allegations to the proposed resolution, two additional business days were granted, so it has been guaranteed that EDREAMS had a more than sufficient term to make allegations. For all the above reasons, this allegation is rejected.

“SECOND.- Lack of motivation of the Sanctioning Resolution.”

In this section EDREAMS reiterates the lack of proof of the facts constituting the infringement, since this Agency has not been able to technically demonstrate that international data transfers to the USA occur. EDREAMS considers that the privacy settings with which it uses the Google Analytics service prevent international data transfers. Likewise, according to EDREAMS, the appealed resolution imposes a future prohibition of processing without having carried out a risk analysis of what the risk is like today. Lastly, other arguments already raised in the previous sections are repeated, such as the absence of proof in the procedure and the privacy configuration of Google Analytics in use by EDREAMS, which have already been the subject of a response.
In response to this allegation, first of all, it must be clarified, in relation to the assessment made by the Inspector in the previous investigation actions (page 5373 of the file) to which EDREAMS alludes in its appeal for reconsideration, that, regardless of whether this Agency has been able to technically demonstrate that international data transfers to the US occur, these have been documented, as has been reasoned in the response to EDREAMS' allegation in the preceding section, which refers to point 10 of the “Google Ads Data Processing Terms”, according to which the controller has agreed that Google may store and process customer personal data in any country in which Google or any of its subprocessors maintains facilities, and to the document in the file sent by Google LLC dated April 9, 2021, in the last paragraph of the answer to question 8, where Google states that all data collected through Google Analytics is hosted in the United States.

It was already justified in the appealed resolution that the configuration of Google Analytics used by EDREAMS on its website, without Google Signals enabled, did not prevent the processing of personal data. In the document dated April 9, 2021 that GOOGLE LLC sent to the Austrian data protection authority, in which GOOGLE LLC answers a series of questions asked by the Austrian authority in connection with a complaint substantially similar to this procedure, and to which EDREAMS has had access since it is incorporated into the proceedings, point number 9 (page 5234 of the file) states the following (unofficial translation):

“In this complaint, the complaining party was logged into his Google account when visiting the specific website of the site owner.
Does the implementation of Google services (including Google Analytics) allow Google to receive the information that a specific Google account user has visited a specific website? If yes, please describe how and what information about the user's Google account is collected.

No, the implementation of Google Analytics as such does not allow Google to receive the information that a specific Google user has visited a specific website. Implementing Google Analytics on a website allows Google to receive the information that a certain Google user has visited a specific website only if the following additional conditions are met: (1) the user has activated Web & App Activity in their Google account and, in addition, has visited the website; (2) the user has chosen to include the activity of companies that use Google services; (3) the user has activated ad personalization; and (4) the user logs in to their Google account in the same browser while visiting the website. If Google Signals (see our answer to question 6(ii)) is activated on that website, Google will then be able to associate the user's visit to that website with the Web & App Activity of the user's Google account.”

As can be seen, again from Google's own response, it is not necessary to have Google Signals activated for Google to receive information from a Google user if the four transcribed conditions are met, Google Signals being an optional function whose deactivation does not prevent Google from receiving the information that a certain Google account user has visited a specific website. In answer 6(ii), Google says: “Google Signals is an optional feature of Google Analytics that, when enabled, adds supplemental reports that are based on data from Google users who have activated ad personalization on their account."
On the other hand, EDREAMS states regarding the collection of IP addresses: “The IP addresses would be anonymized at the time of collection and such anonymization, as confirmed by Google, takes place within the European region for users browsing from the EEA. Consequently, the data that could potentially be transferred to the USA is not personal data, but has undergone a solid and irreversible anonymization process.” Neither Google nor EDREAMS have accredited in any way that the IPs are anonymized within the territory of the European Union. We can take as good the statements made by Google that IPs are anonymized within the territory of the EU, just as we have previously reproduced how they treat cookies and their use to distinguish users, but they could be subject to processing once collected. As an example, in Google Analytics, according to Google's “Privacy and Data in the EU” document (available at https://support.google.com/analytics/answer/12017362?hl=es&ref_topic=2919631), “…IP address data is used only to obtain geolocation data and is immediately discarded”, so the information that the IP may provide before anonymization is used. EDREAMS uses as proof that IPs are always anonymized in the territory of the European Union an email from a Google employee, so there is no technical evidence to prove it. Consequently, in accordance with what is developed more extensively in Legal Basis IV of the appealed resolution, especially in point 2, “On the classification of the data subject to processing as personal data”, EDREAMS carries out international transfers of personal data through Google Analytics. Finally, as expressed by EDREAMS, the appealed resolution has not taken into account the risk analysis of what the risk is like today.
However, the modification of the data protection regulatory framework that has taken place in the USA, which occurred after the events in question, cannot be applied to this procedure. On the date on which the events that are the object of the claim occurred, the grounds of the CJEU ruling in case C-311/18 (Schrems II) applied, which declared invalid Commission Implementing Decision (EU) 2016/1250 of July 12, 2016 on the adequacy of the protection conferred by the EU-US Privacy Shield. Paragraphs 184 and 185 of this ruling establish: “Therefore, it is evident that neither section 702 of the FISA nor E.O. 12333, interpreted in relation to PPD-28, satisfy the minimum requirements established by Union law with respect to the principle of proportionality, so that it cannot be considered that surveillance programs based on these provisions are limited to what is strictly necessary. In these circumstances, the limitations on the protection of personal data that derive from the domestic regulations of the United States relating to access and use, by US authorities, of data transferred from the Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not regulated in accordance with requirements substantially equivalent to those required, in Union law, by Article 52(1), second sentence, of the Charter.” Google LLC (as importer of the data to the USA) should be qualified as an electronic communications service provider within the meaning of paragraph (b) of point 4 of section 1881 of title 50 of the United States Code and, therefore, is subject to surveillance by the US intelligence services in accordance with section (a) of section 1881 of title 50 of the United States Code ("FISA 702").
Therefore, Google LLC has the obligation to provide personal data to the United States government when requested pursuant to section (a) of section 1881 of title 50 of the United States Code (FISA 702). As can be seen in Google's Transparency Report, Google LLC is regularly subject to access requests from United States intelligence services. The report can be consulted at: https://transparencyreport.google.com/user-data/us-national-security?hl=en Consequently, the international data transfers carried out by EDREAMS through the Google Analytics tool at the time of the claim did not comply with the provisions of article 44 of the GDPR, which the application of the new “EU-US Data Privacy Framework” adequacy decision cannot remedy. For all the above reasons, this allegation is rejected. “THIRD.- Inconsistency of the Sanctioning Resolution. Sanction with illegal effects and of impossible content.” EDREAMS argues that it is incongruous that the appealed resolution does not analyze the new US legal framework and the European Commission's Adequacy Decision because it is not automatic nor does it apply to this procedure, but at the same time, precisely in the sanction that is imposed, reference is made to the current moment and to adaptation to the applicable regulations, which necessarily include the new US legal framework and the Adequacy Decision. According to EDREAMS, the sanction generates disproportionate and unfair harm, and is illegal because it would prohibit future processing that is lawful. Finally, EDREAMS considers that the sanction imposed has an impossible content since it would force EDREAMS to impose and modulate a service that is not its own but that of a third party (Google), and therefore does not fall within its sphere of control.
In response to the allegation about the new US legal framework and the new “EU-US Data Privacy Framework” Adequacy Decision, just as this Agency maintained in the appealed resolution and again justified in the preceding allegation, for the purposes of determining responsibility for the commission of the infraction, it is not the current legal framework that applies, but rather the legal regime in force on the date of the facts constituting the infringement, in particular as established by the CJEU in the judgment in case C-311/18 (Schrems II), which declared invalid Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection conferred by the EU-US Privacy Shield. Since Google LLC is required to provide personal data to the United States Government when requested pursuant to section (a) of section 1881 of title 50 of the United States Code (FISA 702), as can be seen in its Transparency Report (https://transparencyreport.google.com/user-data/us-national-security?hl=en), the doctrine established by the CJEU in the aforementioned ruling is fully applicable. Furthermore, in order to ensure that international data transfers to the US comply with the GDPR, the Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, on the adequate level of protection of personal data under the “EU-US Data Privacy Framework”, establishes in its Annex I, “Principles of the EU-US Data Privacy Framework issued by the United States Department of Commerce”, the following (unofficial translation): "2. In order to rely on the EU-US Data Privacy Framework for transfers of personal data from the EU, an organization must self-certify its adherence to the Principles to the Department (or its designee).
Although the decisions of organizations to thus enter the EU-US Data Privacy Framework are completely voluntary, effective compliance is mandatory: organizations that self-certify before the Department and publicly declare their commitment to adhere to the Principles must fully comply with the Principles… 3. …The benefits of the EU-US Data Privacy Framework are assured from the date the Department places the organization on the Data Privacy Framework List.” However, at the time the resolution was issued, Google had not self-certified its adherence to the Principles of the EU-US Data Privacy Framework, so international data transfers could not be considered to be carried out with sufficient guarantees and under the protection of the new Adequacy Decision. The appealed resolution cannot be considered “illegal” when what it orders is precisely compliance with current regulations, that is, adapting the data processing activity of the Google Analytics service in accordance with the provisions of articles 44 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, in particular by ceasing the international transfer of data until it is proven that the Google Analytics service complies with the aforementioned provisions of the Regulation. Compliance with this mandate was not proven before the resolution in the sanctioning procedure was issued; the adaptation carried out subsequently does not determine the invalidity of that resolution, on the contrary, it means that the imposed measure has been complied with. On the other hand, the mandate included in the appealed resolution does not have an impossible content. Let us remember that, regardless of whether the current Standard Contractual Clauses (Google Ads and Measurement: Standard Contractual Clauses (Module 3: Processor to Processor)) consider Google Ireland as data exporter,
EDREAMS, as data controller, assumes, together with the other conditions of contracting the services of Google LLC, the agreements relating to data processing and the Standard Contractual Clauses that allow the data to be transferred to Google LLC, based in the United States. Specifically, EDREAMS assumes point 10 of the “Google Ads Data Processing Terms”, whereby the data controller has agreed that Google may store and process customer personal data (i.e. personal data of the complaining party and of any user who visits the website in question) in any country in which Google or any of its “subprocessors” maintain data processing facilities, including the USA, as declared by Google LLC itself in the document dated April 9, 2021. Consequently, having contracted the services of GOOGLE and assumed its contracting conditions, EDREAMS, as data controller, is the one that must take the necessary measures so that the data of those who visit its website are processed in accordance with the GDPR. For all the above reasons, this allegation is rejected. “FOURTH.- Lack of purpose of the sanctioning procedure.” In this allegation EDREAMS summarizes what has already been argued in the preceding allegations: application of the new EU-US Data Privacy Framework Adequacy Decision, and that there are no international data transfers to the US because they cannot be technically proven and because of the privacy settings of Google Analytics selected by EDREAMS (IP anonymization and deactivation of Google Signals).
A novel argument is included: the European Data Protection Board has confirmed “that all the guarantees provided by the US government regulations apply to all data transfers to the United States, regardless of the transfer mechanism used” and, failing that, “even if the EU-US Data Privacy Framework were not applicable, the European Commission and the EDPB have clearly confirmed that the Adequacy Decision is fully applicable to all transfers to the US.” In response to this argument, it is worth highlighting that the adoption by the Commission of the EU-US Data Privacy Framework Adequacy Decision only confirms that the international data transfers carried out by EDREAMS prior to its approval represented a violation of the rights and freedoms of European citizens in terms of data protection, through the indiscriminate access to their personal data by the US intelligence services, since the aforementioned Adequacy Decision was justified on the basis of the new guarantees regarding data protection established by the U.S. These guarantees include the limitation of access by US intelligence services to data of EU citizens to what is necessary and proportionate, and the establishment of a Data Protection Appeal Court, to which EU citizens will have access. Well, none of these guarantees existed on the date of the events to which the appealed resolution refers, when EDREAMS, through its website, and because it operates in other Member States of the Union, transferred personal data of citizens of the European Union to the USA in violation of the regulatory framework in force according to the ruling of the CJEU in case C-311/18 (Schrems II), which declared invalid Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection conferred by the EU-US Privacy Shield.
In this ruling, the Court considered that the requirements of US domestic law, and in particular certain programs that allowed the public authorities of the United States to access personal data transferred from the EU to the US for national security purposes, imposed limitations on the protection of personal data that were not circumscribed in a way that offered guarantees substantially equivalent to those required by Union law, and that this legislation did not provide data subjects with any means of judicial recourse against the United States authorities. However, EDREAMS maintains in its appeal for reconsideration the non-existence of the infringement, and that its international data transfers to the US have complied at all times with the legal system, even prior to the new Adequacy Decision, through which the Commission concludes the existence of guarantees in the US that ensure a level of protection equivalent to that of the EU for European citizens, and considers that the questions elucidated by the CJEU in the Schrems II ruling have been answered. This reasoning, by which EDREAMS defends the validity of its actions regardless of the applicable legal framework, is completely incongruous. Furthermore, it is worth remembering that, among other arguments, EDREAMS has defended ideas such as that the data sent was not personal data, and has even questioned whether the data is sent to the USA, when this has been recognized by Google itself. Consequently, the validity of the appealed resolution is maintained, as is the need for the mandate established in it of “adapting the data processing activity of the Google Analytics service in accordance with the provisions of articles 44 et seq.
of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, in particular by the cessation of international data transfers until it is proven that the Google Analytics service complies with the aforementioned provisions of the Regulation.” The fact that there are nowadays new circumstances that allow processing previously contrary to the GDPR to now comply with it does not prevent attributing to EDREAMS the responsibility for the commission of the infraction, nor does it invalidate the order imposed, without prejudice to the fact that, having recognized the facts and legal grounds of the sanctioning resolution, and in accordance with the measures adopted, it is possible to consider that EDREAMS has complied with the measure imposed in the appealed resolution. Furthermore, EDREAMS has not justified that it has signed with Google, as data processor, the standard contractual clauses adapted to Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries, which, together with the guarantees contemplated in the EU-US Data Privacy Framework, would allow the international transfer of data to the USA to be considered in accordance with data protection regulations. For all the above reasons, this allegation is rejected. “FIFTH.- Lack of subjective element and guilt.” As EDREAMS already maintained in its Briefs of Allegations, the requirement of guilt of the subject who carries out the illicit conduct is necessary for the imposition of an administrative sanction. In response to this allegation, as already stated in the response to the Fourth allegation of the appeal for reconsideration, EDREAMS assumes point 10 of the “Google Ads Data Processing Terms”, whereby the data controller has agreed that Google may store and process customer personal data (i.e.
personal data of the complaining party and of any user who visits the website in question) in any country in which Google or any of its “subprocessors” maintain data processing facilities, including the US, regardless of whether the Standard Contractual Clauses have been modified with respect to those in force at the time of the events subject to the claim, attributing the status of exporter to Google Ireland. Thus, the actions of Google LLC adhere to what is stipulated and, therefore, Google LLC acts on behalf of EDREAMS, carrying out the processing of personal data necessary for the correct provision of the service, which determines the administrative responsibility of the data controller. For all the above reasons, this allegation is rejected. III Conclusion Consequently, in the present appeal for reconsideration, the appellant has not provided new facts or legal arguments that allow reconsideration of the validity of the contested resolution. Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DISMISS the appeal for reconsideration filed by VACACIONES EDREAMS, S.L. against the resolution of this Spanish Data Protection Agency issued on July 26, 2023, in file EXP202306257. SECOND: NOTIFY this resolution to VACACIONES EDREAMS, S.L. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP), interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months counting from the day following notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned LPACAP. It must also transfer to the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency did not have knowledge of the filing of the contentious-administrative appeal within the period of two months from the day following the notification of this resolution, the precautionary suspension would be considered to have ended. 180-111122 Mar España Martí Director of the Spanish Data Protection Agency