AEPD (Spain) - EXP202203580: Difference between revisions

From GDPRhub
Latest revision as of 14:38, 26 November 2024

AEPD - EXP202203580

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR; Article 44 GDPR; Article 45 GDPR; Article 46(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 18.02.2022
Decided: 03.10.2024
Published:
Fine: n/a
Parties: Mapfre España Compañia de Seguros y Reaseguros SA
National Case Number/Name: EXP202203580
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES), https://www.aepd.es/documento/pa-00053-2023.pdf
Initial Contributor: fb

The DPA reprimanded an insurance company after it placed cookies without the data subject's consent and unlawfully transferred data to the USA through the use of Google Analytics in violation of Chapter V of the GDPR.

English Summary

Facts

The controller, an insurance company, has a website that uses cookies. The data subject noticed that, even though the website had a cookie banner, the cookies were placed even before the user interacted with the cookie banner.

Moreover, the cookies at hand were connected with the Google Analytics service. According to the data subject, this entailed an unlawful data transfer to the USA.

Therefore, the data subject filed a complaint with the Spanish DPA.

The controller acknowledged that it was using Google Analytics on its website, but argued that the relevant cookie is placed only after the data subject's consent.

Moreover, the controller pointed out that it is now using the so-called "Google Analytics 4", which uses an IP-address "anonymiser".

Holding

First, the DPA noted that the controller acknowledged using the Google Analytics tool. It followed that the controller processed several categories of the data subject's personal data, including unique user identifiers, the IP address and other data associated with the browser.

The DPA shared the data subject's view, holding that the controller should not have placed the cookies before obtaining the data subject's consent. Since no legal basis for this processing was present, the DPA found a violation of Article 5(1)(a) GDPR.

Second, the DPA pointed out that, even though the transfer to the USA (i.e. to Google LLC) was carried out by Google Ireland (appointed as processor pursuant to Article 28 GDPR), the controller remains responsible and liable under Chapter V GDPR (see EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, para. 19, https://www.edpb.europa.eu/system/files/2023-02/edpb_guidelines_05-2021_interplay_between_the_application_of_art3-chapter_v_of_the_gdpr_v2_en_0.pdf).

On this point, the DPA considered it irrelevant that the controller did not decide where Google LLC stores the personal data, since the data processing agreement itself listed the US as a possible server location.

Third, the DPA held that the fact that Google LLC now adheres to the EU-US Data Privacy Framework is irrelevant, since the complaint concerns processing that took place before that framework entered into force. The applicable framework was therefore the previous one, under which no valid adequacy decision under Article 45 GDPR was in force (see C-311/18, Schrems II).

Fourth, as to the controller's migration to Google Analytics 4, the DPA pointed out that the controller provided no evidence that IP addresses are anonymised within the EU, so they may well have been transferred to the US. The DPA also noted that the collection of IP addresses is in itself a processing of personal data.

Fifth, the DPA noted that the standard contractual clauses (SCCs) governing the relationship between the controller and the processor did not take into account the principles laid down by the CJEU in C-311/18, Schrems II. In particular, the CJEU held in that judgment that, given their contractual nature, SCCs cannot constitute an appropriate safeguard against the exercise of powers by third countries' public authorities (see para. 126).

The DPA therefore held that the controller could not transfer data to the US, since neither an adequacy decision nor appropriate safeguards under Article 46 GDPR were in place, and found a violation of Article 44 GDPR.

On these grounds, the DPA issued a reprimand to the controller.
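The two factual questions in this case, whether non-essential cookies were present before any interaction with the banner and whether the analytics hits carried the IP-masking flag (the `aip=1` parameter the controller relied on), can be checked offline from a browser capture. The script below is an added example and is not part of the decision or of this page. The capture it works on is constructed; the phase names, the strictly-necessary allow-list and the analytics host list are assumptions to adapt for the site under test. GA4 hits are flagged separately because they carry no client-side masking flag: whether and where the IP address is discarded happens on Google's side, which is why the DPA's point about evidence of where anonymisation takes place matters.

```python
"""Offline audit of a captured page load: which cookies were present before the
visitor touched the consent banner, and whether Universal Analytics hits carried
the IP-masking flag (aip=1). Added example; the capture is constructed and the
phase names, allow-list and host list are assumptions for the site under test."""
from urllib.parse import parse_qs, urlsplit

# Cookies the site may set without consent (assumption for the example).
STRICTLY_NECESSARY = {"session_id", "cookie_prefs"}
# Hosts treated as analytics endpoints (assumption; extend for the site under test).
ANALYTICS_HOSTS = {"www.google-analytics.com", "region1.google-analytics.com"}

# Constructed capture: per phase, the site's cookie jar (name=value) and the
# outgoing request URLs, as a tester would export them from browser devtools.
CAPTURE = {
    "pre_consent": {  # page loaded, banner shown, no click yet
        "cookies": ["session_id=7f3a9c",
                    "_ga=GA1.2.1234567890.1645000000",
                    "_gid=GA1.2.987654321.1645000000"],
        "requests": ["https://www.google-analytics.com/collect?v=1&tid=UA-000000-1"
                     "&cid=1234567890.1645000000&t=pageview&dp=%2F"],
    },
    "post_consent": {  # analytics accepted in the banner
        "cookies": ["session_id=7f3a9c", "cookie_prefs=analytics%3A1",
                    "_ga=GA1.2.1234567890.1645000000",
                    "_gid=GA1.2.987654321.1645000000"],
        "requests": ["https://www.google-analytics.com/collect?v=1&tid=UA-000000-1"
                     "&cid=1234567890.1645000000&t=pageview&dp=%2Fseguros&aip=1",
                     "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX"
                     "&cid=1234567890.1645000000&en=page_view"],
    },
}


def cookie_name(pair):
    return pair.split("=", 1)[0]


def non_essential_cookies(names, allow=STRICTLY_NECESSARY):
    """Cookie names that are not on the strictly-necessary allow-list."""
    return sorted(set(names) - allow)


def ga_client_id(ga_value):
    """Client identifier inside a _ga cookie (GA1.<depth>.<rand>.<ts>): the
    persistent 'unique user identifier' the decision refers to."""
    parts = ga_value.split(".")
    if len(parts) != 4 or parts[0] != "GA1":
        return None
    return f"{parts[2]}.{parts[3]}"


def analytics_hit_version(url):
    """'UA' for a Universal Analytics hit, 'GA4' for a GA4 hit, else None."""
    u = urlsplit(url)
    if u.hostname not in ANALYTICS_HOSTS:
        return None
    version = parse_qs(u.query).get("v", [""])[0]
    if u.path == "/collect" and version == "1":
        return "UA"
    if u.path.endswith("/g/collect") and version == "2":
        return "GA4"
    return None


def ip_masking_requested(url):
    """True only for a UA hit carrying aip=1. A GA4 hit has no client-side
    flag; the capture alone cannot show whether or where the IP is discarded."""
    if analytics_hit_version(url) != "UA":
        return False
    return parse_qs(urlsplit(url).query).get("aip", ["0"])[0] == "1"


def audit(capture):
    """Return the list of findings (empty means nothing to report)."""
    findings = []
    pre = capture["pre_consent"]
    leaked = non_essential_cookies(cookie_name(c) for c in pre["cookies"])
    if leaked:
        findings.append("cookies set before consent: " + ", ".join(leaked))
    for c in pre["cookies"]:
        if cookie_name(c) == "_ga":
            findings.append("client id exposed before consent: "
                            + str(ga_client_id(c.split("=", 1)[1])))
    if any(analytics_hit_version(u) for u in pre["requests"]):
        findings.append("analytics hit(s) sent before consent")
    for phase, data in capture.items():
        for u in data["requests"]:
            v = analytics_hit_version(u)
            if v == "UA" and not ip_masking_requested(u):
                findings.append(f"[{phase}] UA hit without aip=1")
            elif v == "GA4":
                findings.append(f"[{phase}] GA4 hit: IP handling not verifiable client-side")
    return findings


if __name__ == "__main__":
    for line in audit(CAPTURE):
        print(line)
```

Run against a real site, the pre-consent snapshot is taken after the first page load with no click on the banner, and the post-consent snapshot after the visitor's choice is saved; any analytics cookie or hit in the first snapshot is the finding the complainant raised here, and a UA hit without `aip=1` contradicts a claim that IP masking is active.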

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202203580 (PA/00053/2023)

RESOLUTION OF WARNING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) on February 18, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. with NIF A28141935 (hereinafter, MAPFRE). The reasons on which the claim is based are the following:

Claim against MAPFRE in relation to the use of cookies on its website. The complainant claims that cookies are loaded "before they can be managed, without taking any action" and that, in relation to the use of Google Analytics, international transfers to the USA are taking place.

Along with the complaint, the following are provided:

- Images from the MAPFRE website of the “Cookie Notice” from the website ***URL.1.
- Printout of the Chrome browser – Settings – Security and Privacy.

On March 18, 2022, the following evidence collected by this Agency was incorporated into the file:

- Printout of a series of screens of the Privacy Policy and Data Processing of the website ***URL.2, which contains the following Google Analytics cookies: _ga, _gid.
- Performing a test of installed cookies after accepting, the installation of the aforementioned Google Analytics cookies was verified.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to the respondent party, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/35

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was recorded on May 4, 2022, as stated in the acknowledgment of receipt in the file.

On June 6, 2022, this Agency received a written response indicating that:

“1. Decision adopted regarding the claim

As a result of the internal reviews carried out, it has been decided to strengthen the verification and review process prior to uploading the privacy and cookie policies to production, as well as to continue the process of implementing the cookie governance model, focusing on periodic scanning to force the correct classification of cookies so that they are reflected in the correct categories, both in the configurator and in the cookie policy.

2. Causes that have motivated the incident that has originated the claim.

The transfer of the claim indicates the date of entry into the Agency on February 18, 2022, and consists of three different types of events:

1. The claimant states that cookies would be installed on the website ***URL.3, before being able to manage them.

In this regard, note that on the date of February 2022 the cookie policy on Mapfre.es, as can be seen in the attachment as Evidence 1, reflects an incorrect distribution of cookies within the categories.

This is a consequence of the characteristics of the tool used to classify and manage cookies, and the review processes of these through periodic scans. Therefore, it is possible that these may appear incorrectly assigned to a category in the cookie configurator, or those that are obsolete may not have been deleted, and as a result of their synchronization with the cookie policy through a script, they appear assigned as such. Please note that this does not mean that the installation is carried out.

In this sense, MAPFRE ESPAÑA is immersed in a "cookie governance" project, as explained in section 3, with the aim of improving the management of cookies, as evidenced by the following change history:

At the date of these allegations, MAPFRE has been able to verify, after analyzing the cookies deployed, that no cookie is installed unless the user accepts the chosen selection. The cookies are retained until the user performs the action of saving configuration.

The cookies that are installed in the event of rejecting all of them, as shown below, are those that are strictly necessary.

Regarding the management of cookies carried out by MAPFRE, please note that:


First, in relation to how we provide information to users about the use of cookies and the purposes of data processing, MAPFRE follows the provisions of the guide “Guide on the use of cookies July 2020” (the Guide). The management of cookies and the need to adapt it to both the LSSI and the data protection regulations is something that has always been present at MAPFRE. For this reason, throughout this time, various actions have been undertaken to ensure compliance with the different regulations, as well as the criteria that have emerged over time.

In the interest of transparency and usability of the web environment, MAPFRE complies with the duty of information at two levels of detail. A first level in the cookie banner and the preference configurator and a second level through the privacy policy and the cookie policy.

First level of information through the cookie banner and the user preference configurator.

First, in the pop-up (cookie banner) that appears to a user the first time they access the website, including the definition and description of the generic function of the cookies on www.mapfre.es:

“MAPFRE ESPAÑA S.A. uses its own and third-party cookies to perform statistical analyses, authenticate the user session, show you useful content and improve and personalize certain services by analyzing your browsing habits. You can configure these cookies, which may limit the browsing and services on the website. If you accept cookies, you are consenting to the use of cookies on this website. You can accept all cookies by clicking the "Accept" button, or configure or reject their use by clicking on Cookie Settings. If you want more information, you can consult our Privacy Policy and Cookies Policy.”

Second, by clicking on the active link of the cookie banner "Cookie Settings" the cookie configuration tool is displayed where the cookie categories are reported.

- Strictly necessary cookies: These cookies are used for the website to work and for you to navigate to secure areas. We cannot deactivate them, but if you still want to change them, you can modify them through your browser settings. By configuring them, it is very likely that the website will not work, since they are necessary cookies.

- Analytical cookies: These are used to collect statistics on user activity. Among other things, the number of users visiting the website, the number of pages visited, as well as the activity of users on the website and their frequency of use are analysed. The information collected is always anonymous so that a link cannot be established between it and the physical person to whom it refers.

- Functional cookies: These cookies allow us to improve functionality, such as videos and online chats. They may be set by us or by external providers whose services are integrated into our pages. If you do not allow these cookies, some or all of these features may not work correctly. An example would be multimedia player cookies, which are used to store technical data in order to play video or audio content. In addition, thanks to them the content is tailored to your use. They allow information to be remembered to personalise your experience.

- Marketing cookies: These cookies allow the personalization and adaptation of the advertising communications that are displayed, according to your preferences. In addition, they allow you to personalize some of the general options of the website, thanks to the navigation data. They are also used to integrate social networks in our site and to allow the user to share content of interest on social networks.

Thirdly, the configurator includes links that display more specific information, so that the user can consult in each category of cookies which are first-party and which are third-party. Third-party cookies are identified by their name or by the brand with which they are identified to the public.

Second level of information:

Through the cookie policy, which through a configurator script synchronizes the classification of the cookies in the configurator with the reported categories, and through the privacy policy included in the configurator pop-up. Likewise, this is always available in the footer of the website.

In the cookie policy, you are informed of how to avoid the use of third-party cookies once accepted by the user. Information is provided on the tools provided by the browser and third parties and if you subsequently wish to delete them, you must do so from your own browser or the system enabled by third parties for this purpose. The privacy policy informs you of those treatments related to the purposes of cookie management and their legal basis.

Second, in relation to how we provide the user with the mechanisms to reject or withdraw consent for their use. Before the cookies are installed in their browser, the user has all the necessary information in layers to make the decision of which ones to select or reject. Therefore, being aware of the consequences of accepting or denying the installation of the cookies stated, they can decide what action to take. Likewise, at any time they can withdraw the consent given by accessing the link of the cookie configuration located in the footer of the website. The action that the user must perform is a clear affirmative action so that consent is considered validly granted.

These requirements for obtaining consent are technically materialized in the following way:

At a first level, the user can accept all cookies by clicking the "Accept" button, or configure or reject their use by clicking on Cookie settings.

At a second level, within the cookie settings you can:
- Accept or reject all
- Accept by cookie category by moving the cursor and saving preferences

Until the user performs any of the above actions, all those that are not strictly necessary will remain deactivated, and those that you have selected will be installed in your browser as you browse the web through the domain and subdomains depending on the requested service.

2. The complainant states that, on the privacy page, the contact method for exercising rights would be limited to a postal address, without providing an email address.

As a result of the update of privacy policies, the privacy policy included in this Evidence 2 was available for months.

The last change made to the text was on 03/26/2021. The evidence of the evolution of changes:

The latest available version ***URL.2 includes the email, which corrects the error under the following literal:

The above rights may be exercised directly by the data owner or through a legal or voluntary representative, through written communication addressed to the Corporate Office of Privacy and Data Protection at Carretera de Pozuelo, 52, 28222 Majadahonda, Madrid or by writing to ***URL.1. It is attached as a document. Evidence 3

The error was available for a short time until the review of this in March.

Add that not only is the email at ***URL.2 available to the interested party as a means of electronic contact, but also:
- DPD mailbox included at the beginning of the policy.
- As well as other channels such as those available in the Customer Area.

3. The complainant states that personal data would be transferred to the United States through the services of Google Analytics and Google Ads.

In this section we consider it important to point out again that within the project governance of cookie management, when performing periodic scans, it is possible that cookies that are not strictly necessary are classified in a category that does not correspond to them, but this does not imply that they are being installed. Therefore, those Google Analytics and Google Ads cookies are only installed with consent once the user, after reading the privacy policy and the cookie policy, makes the decision to accept them.

Accordingly, only those cookies that have been consented to are sent to Google Analytics after an anonymization process, where the IP anonymization function applies IP masking so that Google Analytics uses only part of a collected IP address, instead of the full address.

The anonymization method is performed on the "aip" variable which, if it has the value "1" in the call, means that anonymization is active. It is documented here:

https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters?hl=es#aip

On the other hand, regarding the migration actions to Google Analytics 4 identified in 2021, a plan was drawn up at the corporate level so that in 2022 the migration that all MAPFRE Group entities are carrying out can be completed. Attached in Evidence 4 is the action plan presented in May 2021 with the actions to be carried out to improve analytics and migration to Google Analytics 4.

One of the accelerators of the implementation and improvement plan comes from the change in the technological platform for the creation and generation of commercial sites, as is the case with mapfre.es. All portals generated for all entities come out with a standard version of Google Analytics 4, giving the different entities the opportunity to customize and improve said version based on their needs. This is the case of mapfre.es, whose migration date is set for April 7, 2022, being one of the last portals to migrate due to its extension.

For those cookies that are part of the migration to version 4 of Google Analytics, it is not necessary to anonymize the IPs, since they are not recorded or stored. In this version, IP addresses are used at the time of collection to determine location information (country, city, latitude and longitude of the city) and are then discarded before the data is recorded in the data centers or servers.

Regarding Google Ads, when using the tags provided by Google Analytics, as these are anonymized, they are under the same protection. The _gac and _gcl cookies store campaign information to provide Google Ads with a more reliable way to measure customer interactions with your company. Analytics records campaign information in the _gac and _gcl cookies when a user opens a page on your website through a URL that uses Google Ads automatic tagging.

2. The measures adopted to adapt your “Privacy Policy”.

The validation of the controls included in the AEPD's guide to compliance with the duty of information and the Report on Privacy Policies on the Internet: Adaptation to the GDPR has been reinforced within the review process for uploading the privacy policy.

MAPFRE has a firm commitment to the protection of personal data.

In order to meet the requirements established by the European Data Protection Regulation, in July 2016 a Corporate Working Group was established to adapt MAPFRE, early and with a transversal and proactive approach, to the new demands. This Corporate Working Group, among other lines, defined the different projects and lines of activity that must be developed to adapt to the new Regulation, considering among others:

- Catalogue of Privacy Texts: Identification, review and, where appropriate, codification, of the texts that must be modified or developed in order to adapt to the updated European Data Protection Regulation (clauses, privacy policies, messages, etc.) ensuring that they are homogeneous and that they serve as models in the MAPFRE group.
- Duty to Provide Information: Analyze the requirements regarding the Information to provide to interested parties, as well as the mechanisms that will be used to guarantee the duty to provide information. Review the texts and clauses that inform interested parties regarding the treatment, so that they comply with the information required and follow the criteria of the regulation: concise, transparent, intelligible and easy-to-access information, with clear and simple language.
- Consent management: Ensure that consent management is carried out for treatments based on the new requirements.

In this regard, the Working Group prepared and approved the first versions of the following linked documents:
- July 2017
- February 2018, both the privacy policy and the cookie policy.

With the entry into force in May 2018, this Working Group remained active, becoming the Corporate Privacy and Data Protection Committee. This Committee meets every six months to monitor the various legislative pronouncements/new developments, without prejudice to the possibility of convening extraordinary sessions to deal with any specific relevant aspect. MAPFRE has a regulatory observatory and analyses the many pronouncements by regulators in the countries in which it is present, with the aim of guaranteeing that, from the design stage, all processes comply at all times with the privacy and data protection regulations that are applicable.

In this regard, linked to Cookie Management, specific Working Groups were established to analyze and define the criteria and lines of action to be undertaken:

- November 2019. Since the publication of the AEPD Cookies Guide, work has been carried out on the analysis, from which the lines of adaptation have been established. Evidence is shown of the presentation held in January where the analysis carried out was reported and the actions necessary to adapt to what is established in the guide were identified.

- July 2020. Since the publication of the Guide on the use of Cookies by the AEPD, work has been carried out on the analysis, from which the lines of adaptation have been established before October 31, 2020, a transitional period of three months to implement the necessary changes in accordance with the criteria introduced regarding user consent for the use of cookies. In order to monitor compliance with the implemented texts, apart from the periodic reviews, it is important to indicate that different audits of compliance with the RGPD are carried out, where the topic of privacy and cookie policies is specifically reviewed.

3. The measures adopted to adapt the use of cookies. Mapfre, due to the technological particularity of its web resources, has decided to create a Cookie Governance Model that is made up of three lines of work:

- Cookie governance model, integrating various areas of the company (Privacy, digital business, web development).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/35

It is based on a structured work dynamic that allows to minimize as much as possible the
possible errors or problems derived from the use of OneTrust. The

good practices that help detect when it is necessary to make changes in the
OneTrust configuration are established

1. Before any new site or development in the web portals: migrations, implementation of new analytical tools, changes in an application...
2. Periodic reviews to prevent implementation errors.
3. Incident detection: errors in web loads.

After exporting the scan result, the cookies found and the categorizations assigned by OneTrust will be reviewed. Sometimes these categories must be changed or assigned manually since the tool is not able to understand who or what creates the cookies. In these cases, a categorization proposal and description document is created that must be approved by legal. Prioritize by domains and subdomains, creation of domains (Evidence 5).

- Outsourcing of the cookie management service. The decision has been made to seek support in the implementation of the cookie management governance model through an external supervised service with the objective of having proactive and continuous monitoring (Evidence 6).

- Migration to GA4: Implementation project. As a result of the global corporate action plan, migration to Google Analytics 4 has begun at MAPFRE SPAIN, as planned in 2021.

In addition to improvements in web analytics functionalities, the basis of Google Analytics 4 is privacy. When collecting data, Google Analytics 4 does not record or store IP addresses. The IP addresses it collects from EU users are removed before registering them on EU domains and servers. The lines to be executed for the migration include:

- Adaptation to the new GA4 taxonomy of all Mapfre ES assets
- In coordination with IT, include datalayer in all possible assets
- GA adjustments (DataStreams, Subproperties...)
- Adaptation of reports to GA4 according to priority”

THIRD: On May 19, 2022, in accordance with article 65 of the
LOPDGDD, the claim submitted by the complaining party was admitted for processing.

FOURTH: On May 28, 2024, the Director of the Spanish Data Protection Agency agreed to initiate a warning procedure against the respondent party, for the alleged violation of Article 44 of the GDPR, classified in Article
83.5 of the GDPR.

FIFTH: The notification of the aforementioned initiation agreement, which was carried out in accordance with
the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was
received on May 29, 2024, as stated in the acknowledgment of receipt that is
in the file.


SIXTH: On May 30, 2024, MAPFRE submitted a document through which
it requested an extension of the deadline to submit allegations.

SEVENTH: On May 31, 2024, the body in charge of the procedure
agreed to the requested extension of the deadline up to a maximum of five days, in accordance
with the provisions of article 32.1 of the LPACAP.

The aforementioned agreement was notified to MAPFRE on May 31, 2024, as stated
in the acknowledgment of receipt in the file.

EIGHTH: On June 19, 2024, a written statement of allegations was received from the respondent party, which, in summary, includes the following considerations:

- MAPFRE claims to have corrected what was stated by the complainant in the complaint regarding the fact that on the website ***URL.3 “cookies are loaded before they can be managed, without taking any action”.

- In the contract in force during the period of the claim, Google Ireland Limited is the
entity that provides the Google Analytics services.

- The cookies that had been consented to were sent to Google by applying an
anonymization process on the user's IP address.

- Since September 2023, Google LLC has adhered to the EU-US Data Privacy Framework.

- As of June 6, 2022, MAPFRE was immersed in the process of
migrating to Google Analytics 4.

- According to MAPFRE, a Corporate Privacy and Data Protection Committee has been created. This is a specific, operational committee for management and control in the area of privacy and data protection, supporting the DPO in the development of its functions.

- That, pursuant to the provisions of article 67.2 of the LOPDGDD in connection with article 122.4 of the LOPD Development Regulation (RLOPD), approved by Royal Decree 1720/2007, of December 21, in force in everything that does not contradict, oppose or is incompatible with the provisions of the RGPD and the LOPDGDD, the previous actions carried out by that Agency within the framework of this warning procedure must be understood to have expired.

In view of all the actions taken, the following facts are considered proven by the Spanish Data Protection Agency
in the present procedure:

PROVEN FACTS

FIRST: On March 18, 2022, in connection with the analysis of the claim filed by the complainant against MAPFRE, this Agency found that the Privacy and Data Processing Policy of the ***URL.2 website includes the following Google Analytics cookies: _ga, _gid (page 19 of the file).

On that same date, the following action is carried out: Acceptance of the cookies of the
***URL.1 website through the Chrome browser. In the image incorporated into the file
it is verified that the _ga, _gid cookies have been installed (page 44 of the file).

SECOND: On June 6, 2022, in the response to the transfer of the claim, MAPFRE acknowledges that it has introduced the code of the Google Analytics tool on its website: “…so those Google Analytics and Google Ads cookies are only installed with consent once the user, after reading the privacy policy and the cookie policy, makes the decision to accept them.”

THIRD: On September 2, 2020, the plenary session of the European Data Protection Board decided to create a working group (hereinafter, working group TF101) to ensure a coherent approach between European data protection authorities regarding the management of the 101 NOYB complaints on the use of Google Analytics and possible data transfers to the US, in the context of the CJEU Schrems II ruling.

FOURTH: In the document dated April 9, 2021, sent by GOOGLE LLC to the Austrian data protection authority, which shared it with the rest of the authorities through the TF101 working group on the NOYB claims in the context of the CJEU Schrems II ruling, the following information and statements are included (from its unofficial translation from English):

(…).

FIFTH: In the model Contract for adhesion to GOOGLE services (page 145 and following of the file), entitled “Google Ads Data Processing Terms” (https://privacy.google.com/businesses/processorterms/), in its version of

September 21, 2022, it was stated that (unofficial translation):

“Google Ads Data Processing Terms

Google and the counterparty that accepts these Conditions (the “Client”), have entered into a contract for the provision of the Data Processor Services (as amended from time to time, the “Contract”).

These Google Ads Data Processing Terms (the “Data Processing Terms”) are entered into by Google and the Client and supplement the Contract.

[…]


If you accept these Data Processing Terms on behalf of the Client, you
warrant that a) you have full legal authority to make these Data Processing Terms binding on the
Client, b) you have read and understand these Data Processing Terms, and c) you accept them on behalf of the Client. If you do not have the legal
authority to make these Data Processing Terms binding on the Client, do not accept them.

Introduction

These Data Processing Terms reflect the agreement between the parties
regarding the terms governing the processing of certain data in relation to
European Data Protection Legislation and certain Non-European Data Protection Legislation.

Definitions and Interpretation

[…]
“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other entity that directly or indirectly controls Google LLC, is controlled by Google LLC or is subject to the same control as Google LLC.

“Google” means the Google Entity that is a party to the Agreement.

“European Data Protection Law” means, as applicable, a) the GDPR and/or b) the Swiss FDPA.

[…]

“SCCs” means the Customer Standard Contractual Clauses and/or the Standard Contractual Clauses (EU Processor to Processor, Google Exporter), as applicable.
[…]

“SCCs (Processor to Processor, Google Exporter)” means the terms included in ***URL.4.
[…]

“Subprocessors” means third parties authorized under these Data Processing Terms to have logical access to and process Customer Personal Data for the purposes of providing part of the Processor Services and any related technical assistance.

[…]

5. Data Processing

5.1 Roles and Compliance; Authorization.

5.1.1 Responsibilities of the Data Processor and the Data Controller.
The parties acknowledge and agree as follows:

(a) Appendix 1 describes the subject matter and details of the processing of Customer Personal Data.

(b) Google is a data processor of Customer’s personal data;
(c) Customer is a data controller or processor, as applicable, of Customer’s Personal Data; and
(d) Each party will comply with its obligations under Applicable Data Protection Laws with respect to the processing of Customer’s Personal Data.

[…]

5.2. Customer Instructions. By entering into these Data Processing Terms, Customer directs Google to process Customer Personal Data solely in accordance with applicable law: a) to provide the Processor Services and any related support, b) as more fully specified through Customer's use of the Processor Services (including the configuration and other features of the Processor Services) and any related support, c) as documented by the Agreement (including these Data Processing Terms), and d) as more fully documented in other instructions provided in writing by Customer and acknowledged by Google as constituting instructions for the purposes of these Data Processing Terms (collectively, the "Instructions").

5.3 Google's Compliance with Instructions. Google will comply with the
Instructions unless prohibited by Applicable Laws or other processing is
required by Applicable Laws.

[…]

10. Data Transfers

10.1 Data Storage and Processing Facilities. Subject to
this Section 10 (Data Transfers), Google may process Customer Personal Data in any country in which Google or any of its
Subprocessors maintain facilities.

10.2 Restricted European Transfers. The parties acknowledge that European Data Protection Laws do not require SCCs or an Alternative Transfer Solution to process Customer Personal Data in or transfer Customer Personal Data to an Adequate Country. If Customer Personal Data is transferred to any other country and such transfers are subject to European Data Protection Laws (“Restricted European Transfers”), then:

(a) If Google adopts an Alternative Transfer Solution for any Restricted European Transfer, Google will inform Customer of the relevant solution and ensure that such Restricted European Transfers are carried out in accordance with such Solution; and/or

(b) If Google has not adopted or informed Customer that it will no longer adopt any Alternative Transfer Solution for any Restricted European Transfer, then:

(i) If Google’s address is located in an Adequate Country:

(A) The SCCs (Processor to Processor, Google Exporter) will apply with respect to all Restricted European Transfers from Google to Subprocessors; and

(B) In addition, if Customer's address is not located in an Adequate Country, the
SCCs from Data Processor to Data Controller will
apply with respect to Restricted European Transfers between Google and Customer,
regardless of whether Customer is a controller and/or a processor, or

(ii) If Google's address is not located in an Adequate Country, the
SCCs from Data Controller to Data Processor and/or the
SCCs (Processor to Data Processor) will apply, depending on whether Customer is a
data controller and/or a processor, with respect to Restricted European Transfers between Customer and Google.

10.3 Additional Measures and Information. Google will provide Customer with relevant information regarding Restricted European Transfers, including information about additional measures to protect Customer Personal Data as described in Section 7.5.1 (Security Documentation Reviews), Appendix 2 (Security Measures) and other materials relating to the nature of the Processor Services and the processing of Customer Personal Data (e.g., help center articles).

10.4 Termination. If Customer concludes, based on its intended or current use of the Processor Services, that the Alternative Transfer Solution and/or SCCs, as applicable, do not provide adequate protection for Customer Personal Data, Customer may immediately terminate the Agreement for convenience by giving written notice to Google.

10.5 Data Center Information. Information about Google's data center locations is available at ***URL.5.

11. Subprocessors.

11.1 Consent to engage a Subprocessor. Customer specifically authorizes the engagement of the entities listed, as of the Effective Date of the Terms, at the URL specified in Section 11.2 (Subprocessor Information). In addition, and without prejudice to Section 11.4
(Opportunity to Opt Out of Subprocessor Changes), Customer generally authorizes the engagement of any other third party as a
Subprocessor (“New Subprocessors”).


[…]” (emphasis added).

SIXTH: In the description of Google Analytics, located at the URLs ***URL.5, it was stated, among other information, that the cookies _ga and _gid were used to distinguish users and that the parameter “sr” referred to the screen resolution (page 136 and following of the file).

SEVENTH: According to the answer to question 4 (ii) of the document dated April 9, 2021 from GOOGLE LLC in the file, the owner of the website who has implemented the Google Analytics code on said website can choose between multiple retention periods ranging from 2 months to 50 months from the moment the data was collected.

EIGHTH: According to the document dated September 27, 2024, in the file, as of January 18, 2021, at URL ***URL.6 it was stated (unofficial translation, original in English):

“[…]

Requests from US government agencies in cases involving
national security

In investigations related to national security, the US government may use a National Security Letter (NSL) or one of the warrants granted under the Foreign Intelligence Surveillance Act (FISA) to compel Google to provide user information.

An NSL does not require a court order and can only be used to compel us to
provide limited subscriber information.

FISA warrants and authorizations can be used to compel electronic
surveillance and disclosure of stored data, including content on services
such as Gmail, Drive, and Photos.”

[…]” (unofficial translation, original in English)

NINTH: According to the document dated September 27, 2024, in the file, as of January 26, 2022, the URL ***URL.7 stated (unofficial translation, original in English):

“[…]

Basic concepts about personally identifiable information in Google contracts and policies.

Many contracts, terms of service, and policies for Google advertising and measurement products refer to “personally identifiable information” (PII). This is a different categorization of data than what the General Data Protection Regulation (GDPR) considers “personal data.”

Please note that even if Google does not identify certain data as personally identifiable information, it may be possible that the GDPR does so or that such data may be considered personal information under the California Consumer Privacy Act (CCPA) and may be subject to those laws.

[…]
Google considers "personally identifiable information" to be information that can be used on its own to precisely identify, locate, or contact an individual directly. This includes, but is not limited to:
• Email addresses
• Mailing addresses
• Phone numbers
• Precise locations (for example, GPS coordinates, except as noted below)
• Full names (first and last names) or usernames.
[…]

Among other things, Google does not consider the following data to be personally identifiable information:
• Pseudonymous cookie IDs
• Pseudonymous advertising IDs
• IP addresses
• Other pseudonymous end-user identifiers

For example, if an IP address is submitted with an ad request (which is the case for almost all ad requests, as a result of Internet protocols), that submission will not violate any prohibition against submitting personally identifiable information to Google.

Please note that even if Google does not identify certain data as personally identifiable information, it may still be considered personal data or personal information under the GDPR, CCPA, or other privacy laws.
[…]”

TENTH: According to the document dated September 27, 2024, which is included in the file, at the URL ***URL.8 Google has been publishing since 2009 the number of requests for information on users in the US related to FISA (Foreign Intelligence Surveillance Act) and the NSL (National Security Letters).

FUNDAMENTALS OF LAW

I

Competence and procedure

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."

Considering the nature of the facts that have given rise to the actions and the concurrent circumstances, the present warning procedure is followed in accordance with the provisions of article 64.3 of the LOPDGDD.

II
Preliminary questions

Article 4.2) of the GDPR defines “processing” as:

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Article 4.7) of the GDPR defines the “controller” or
“data controller” as:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; if the purposes and means of processing are determined by Union or Member State law, the data controller or the specific criteria for its appointment may be established by Union or Member State law.”

In this case, in accordance with the provisions of Article 4.1 and 4.2 of the GDPR, personal data processing is being carried out, since MAPFRE collects and processes, through the Google Analytics service, among others, the following personal data of natural persons: unique user identifiers (_ga and _gid), the IP address, as well as other data associated with the browser and the navigation itself, among other processing.

MAPFRE carries out this activity in its capacity as data controller, given that it
is the one who determines the purposes and means of such activity, pursuant to Article 4.7 of the
GDPR.


Article 44 of the GDPR establishes the general principle of
transfers of personal data to third countries.

III
Response to the allegations

The following is a response to the allegations presented by the responding entity, in the order in which they are formulated in its writing:

“1. Regarding the possible installation of analytical cookies.”

MAPFRE claims to have corrected the statement made by the complainant in the complaint regarding the fact that on the website ***URL.3 “cookies are loaded before they can be managed, without taking any action”, reinforcing the implementation process of the cookie governance model, focusing on periodic scanning to force the correct classification of cookies so that they are reflected in the correct categories, both in the configuration tool and in the cookie policy.

In response to this allegation, it should be noted that the issue raised by MAPFRE
does not undermine its responsibility regarding the facts that led to the initiation of
the present procedure. The management of the installation of cookies is independent
of the fact that there is no cause that legitimizes the international transfer of data. If
MAPFRE intended to legitimize the international transfer of data by obtaining the consent of the complainant, it should have obtained said consent in a manner specific and separate from the consent obtained for the installation of cookies.
In addition, it was required to report on the risks that data transfers to the US posed to the complainant's personal data.

For all the reasons stated above, this claim is rejected.

“2. Regarding possible international data transfers.”

“First.- Situation of MAPFRE ESPAÑA prior to the EU-US Data Privacy Framework”

“1.- Contract with Google Ireland Limited”

In the contract in force during the period of the claim, Google Ireland Limited is the entity that provides the Google Analytics services.

In response to this claim, it should be noted that MAPFRE's liability for the commission of the infringement that motivates this procedure is attributable to the extent that the international transfer of data violates the rights of the complainant and of the users who visit the MAPFRE website, by not guaranteeing a level of protection equivalent to that established in the GDPR, and the effectiveness of the obligations established by this regulation must be guaranteed.


In this regard, Recital 81 of the GDPR clarifies that the data processor must offer sufficient guarantees regarding specialized knowledge, reliability and resources, with a view to the application of technical and organizational measures that meet the requirements of the Regulation, including the security of the processing.

On September 27, 2021, GOOGLE substantially modified the
“Conditions for the processing of Google Ads data.”, as can be seen
on the website ***URL.9.

In section 10.3 of these “Conditions” the Client who contracts the service assumes
the so-called “Restricted Transfers”:

“10.3 Restricted Transfers. If the processing of Customer Personal Data involves any type of transfer other than a Permitted Transfer and such transfers are subject to European Data Protection Laws (“Restricted Transfers”), then:

(a) If Google announces that it has adopted an Alternative Transfer Solution for
any Restricted Transfer, then it will ensure that such
Restricted Transfers are made in accordance with such Alternative Transfer Solution.

(b) If Google has not adopted an Alternative Transfer Solution for
any Restricted Transfer, then

(i) If Google's address is located in an Adequate Country:

(…)

(ii) If Google's address is not located in an Adequate Country:

(A) The SCCs (EU Data Controller to Data Processor) and/or the SCCs (EU Data Processor to Data Processor) apply, depending on whether Customer is a data controller and/or processor, with respect to Restricted Transfers between Customer and Google that are subject to the EU GDPR and/or the Swiss FDPA. (…)”

The SCCs applicable to the present case are the “SCCs (Google Ads and Measurement: Standard Contractual Clauses (Module 3: Processor to Processor)”, which can be consulted on the following website: ***URL.10; the status of exporter is attributed to GOOGLE IRELAND, as MAPFRE refers to in its allegations.

However, MAPFRE, when introducing the code of the Google Analytics tool on its website ***URL.3 based on a corporate decision, was aware that the personal data is transferred to Google LLC, based in the United States, either directly by MAPFRE or by Google Ireland.


Although it is true that MAPFRE does not decide where personal data is stored by Google LLC, from the moment it contracts the services of the Google Analytics tool it is understood to agree with point 10 of the "Google Ads Data Processing Terms", so the data controller has agreed that Google may store and process the client's personal data (i.e., personal data of the complaining party and of any user who visits the website in question) in any country in which Google or any of its subcontractors for data processing maintain facilities, including the USA, as declared by Google LLC itself in the document dated April 9, 2021. Thus, the actions of Google LLC adhere to these provisions and, on behalf of MAPFRE, carry out the processing of the personal data necessary for the correct provision of the service.

Consequently, regardless of the fact that the current SCCs (Google Ads and Measurement: Standard Contractual Clauses (Module 3: Processor to Processor) consider Google Ireland as the data exporter, MAPFRE, as the data controller, assumes, together with the other conditions of the contract for Google LLC services, the agreements regarding data processing and the SCCs that allow data to be transferred to Google LLC, based in the United States. Therefore, MAPFRE is responsible for the international transfer of data that occurs as a result of the service provided by Google LLC.

This criterion is shared by the European Data Protection Board (EDPB), which, in compliance with the objective of guaranteeing the consistent application of the General Data Protection Regulation (as attributed to it by Article 70 of the RGPD), adopted the following guidelines: “Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR”, paragraph 19 of which states the following (official text in English with emphasis added):

“It is also important to note that Article 44 of the GDPR clearly provides that a transfer may not only be carried out by the controller, but also by the processor. Therefore, there will be a situation of transfer when a processor (either under Article 3, paragraph 1, or under Article 3, paragraph 2, for a particular processing, as explained above) sends data to another processor or even to a controller in a third country on instructions from its controller. In such cases, the processor acts as a data exporter on behalf of the controller and must ensure that the provisions of Chapter V for the transfer in question are complied with in accordance with the instructions of the controller, including the use of an appropriate transfer tool. Given that the transfer is a processing activity carried out on behalf of the controller, the controller is also responsible and could be liable under Chapter V, and must also ensure that the processor provides sufficient guarantees under Article 28.”

In conclusion, MAPFRE may be considered the data controller in the sense of Article 4.7 of the GDPR, since it is the party that manages the website «www.mapfre.es», determining the means and purposes of the collection and processing of the data obtained as a result of the integration of Google Analytics on its website, so that it is responsible for ensuring that the processing complies with the requirements of the GDPR, and must guarantee the protection of the rights of the interested party in international data transfers, in accordance with the provisions of Article 44 and following of the GDPR.

For all the reasons set forth above, this claim is rejected.

“2.- Anonymization of the IP when sending it to Google Universal Analytics”

The cookies that had been consented to were sent to Google by applying an anonymization process
on the user's IP address.

In response to this allegation, it should be noted that MAPFRE has not in any way proven that the IPs are anonymized within the territory of the European Union. There is no technical proof nor is there any evidence to support the claim that the anonymization of the IP is carried out within the territory of the European Union, as MAPFRE itself refers to: “…it should be carried out immediately after its collection by Google Ireland” (emphasis added).

Therefore, any IP address can be transmitted to the United States and shortened only
in a second step after its export. There, from a technical point of view,
it is possible to access the full IP address before its anonymization.

Furthermore, it should be noted that the measure is optional and not applicable to all
transfers.
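The point made above, that an IP address shortened only in a "second step" after export has already crossed the border in full, can be demonstrated with a small simulation. This is an added example, not code from the decision, MAPFRE or Google; the masking rule (last IPv4 octet or last 80 bits of IPv6 zeroed) and the `ThirdCountryCollector` model are assumptions, and the analytics hit is constructed from the identifiers the decision names (_ga, _gid, the "sr" screen-resolution parameter and the IP address).

```python
"""Simulate the two orderings of IP truncation relative to export.

Assumptions (not from the decision): the masking rule below mirrors the
commonly documented analytics "anonymizeIp" behaviour; the collector class
stands in for the analytics endpoint located in a third country.
"""
import ipaddress
from dataclasses import dataclass, field


def anonymize_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address or the last 80 bits of IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


@dataclass
class ThirdCountryCollector:
    """Models the analytics endpoint outside the EU.

    `received` records every hit exactly as it arrived, i.e. what was
    technically accessible at the recipient before any processing of its own.
    """
    received: list = field(default_factory=list)

    def ingest(self, hit: dict) -> dict:
        self.received.append(dict(hit))
        stored = dict(hit)
        stored["ip"] = anonymize_ip(hit["ip"])  # truncation as a "second step"
        return stored


def send_export_then_truncate(hit: dict, collector: ThirdCountryCollector) -> dict:
    """Full hit leaves the EU; shortening happens only at the recipient."""
    return collector.ingest(hit)


def send_truncate_then_export(hit: dict, collector: ThirdCountryCollector) -> dict:
    """Shortening is applied on the EU side before anything is exported."""
    eu_side = dict(hit)
    eu_side["ip"] = anonymize_ip(hit["ip"])
    return collector.ingest(eu_side)


def full_ip_exposed(collector: ThirdCountryCollector, original_ip: str) -> bool:
    """True if the recipient ever saw the unshortened address."""
    return any(h["ip"] == original_ip for h in collector.received)


def exported_identifiers(collector: ThirdCountryCollector) -> set:
    """Fields other than the IP that crossed the border regardless of masking."""
    keys = set()
    for h in collector.received:
        keys.update(k for k in h if k != "ip")
    return keys


# Constructed sample hit; values are illustrative only.
SAMPLE_HIT = {
    "_ga": "GA1.2.123456789.1647600000",
    "_gid": "GA1.2.987654321.1647600000",
    "sr": "1920x1080",
    "ip": "203.0.113.77",
}


def compare_orderings(hit: dict = SAMPLE_HIT) -> dict:
    """Run both flows and report whether the full IP reached the recipient."""
    late = ThirdCountryCollector()
    send_export_then_truncate(hit, late)
    early = ThirdCountryCollector()
    send_truncate_then_export(hit, early)
    return {
        "export_then_truncate_exposes_ip": full_ip_exposed(late, hit["ip"]),
        "truncate_then_export_exposes_ip": full_ip_exposed(early, hit["ip"]),
        "identifiers_exported_either_way": exported_identifiers(early),
    }


if __name__ == "__main__":
    print(compare_orderings())
```

The result also shows that masking the IP does nothing about the _ga and _gid identifiers and the browser parameters, which still leave the EU in either ordering.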

In addition to the IP, as developed in Legal Basis IV of this resolution, in its point 2, “On the classification of the data subject to processing as personal data”, MAPFRE carries out international transfers of other personal data through Google Analytics.

For all the reasons stated above, this claim is rejected.

“Second. - Situation of MAPFRE ESPAÑA as of the date of the response to the
warning.”

“1.- Google's adherence to the EU-US Data Privacy Framework since September 2023.”

Since September 2023, Google LLC has adhered to the EU-US Data
Privacy Framework.

In response to the claim about the new US legal framework and Google LLC's adherence to the “EU-US Data Privacy Framework”, for the purposes of determining responsibility for the commission of the infringement, the current legal framework is not applicable, but rather the legal regime in force on the date of the facts that are the subject of the claim, in particular as established by the CJEU in the judgment in case C-311/18 (Schrems II), which declared invalid the Commission Implementing Decision (EU) 2016/1250, of 12 July 2016, on the adequacy of the protection conferred by the EU-US Privacy Shield.

For all the reasons set out above, this claim is rejected.

“2.- Migration to Google Analytics 4 (GA4)”

MAPFRE was immersed in the process of migrating to Google Analytics 4, in
which IP addresses are no longer recorded and stored.

In response to this claim, it should be noted that the collection of the IP address itself constitutes processing of personal data of the interested parties, regardless of their subsequent anonymization. As an example, in Google Analytics 4, according to Google’s “Privacy and Data in the EU” (***URL.11), “…IP address data is used only to obtain geolocation data and is immediately discarded,” so information that the IP address may provide before anonymization is used.

In addition, the “Google Ads Data Processing Terms” are maintained, according to which the data controller agrees with Google that it may store and process the client's personal data in any country in which Google or any of its subcontractors maintain facilities. When this information is collected, it is transmitted to the Google Analytics servers. And, according to the Google LLC document dated April 9, 2021, in the last paragraph of the answer to question 8, Google states that all data collected through Google Analytics is hosted in the United States.

For all the reasons set forth above, this claim is rejected.

“Third.- MAPFRE ESPAÑA has a Cookie and Regulatory Compliance Governance.”

According to MAPFRE, a Corporate Privacy and Data Protection Committee has been created. This is a specific committee, of an operational nature, for management and control
in the area of privacy and data protection, supporting the DPO in the development
of its functions. In addition, pursuant to the provisions of article 67.2 of the
LOPDGDD in connection with article 122.4 of the Regulation for the development of the
LOPD (RLOPD), approved by Royal Decree 1720/2007, of December 21, in force
in everything that does not contradict, oppose or prove incompatible with the provisions
of the RGPD and the LOPDGDD, the previous actions carried out by this
Agency within the framework of this warning procedure must be understood
to have expired.

- MAPFRE has created a Corporate Committee for Privacy and Data Protection.

However, this Committee, which has existed since 2016, has not taken into account, with regard to the processing in question, the doctrine established by the CJEU in Case C-311/18 (Schrems II), which declared invalid Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection conferred by the EU-US Privacy Shield. According to GOOGLE LLC's response of 9 April 2021, as a provider of electronic communications services within the meaning of paragraph (b) of point 4 of section 1881 of Title 50 of the United States Code, it is subject to oversight by US intelligence services pursuant to section 1881(a) of Title 50 of the United States Code ("FISA 702"), and therefore the international transfers of data to Google Analytics servers infringed the regulatory framework in force according to the judgment of the CJEU in Case C-311/18.

With regard to the standard contractual clauses on which Google bases its international transfer of data to the US, the CJEU considered that the contractual nature of these clauses meant that they could not be binding on authorities in third countries. In particular, the CJEU stated that: “...Therefore, while there are situations in which, based on the laws and practices in force in the third country in question, the recipient of such a transfer is able to ensure the necessary protection of the data solely on the basis of standard contractual clauses on data protection, there are other situations in which the content of such standard clauses may not constitute a sufficient means to ensure, in practice, the effective protection of the personal data transferred to the third country in question. This is the case, in particular, when the legislation of that third country allows its public authorities to interfere with the rights of the data subjects to whom the data refer" (C-311/18, point 126, underlined).

- Expiration of the preliminary investigation proceedings.

With regard to the expiry of the preliminary investigation proceedings, in response to this allegation, it should be noted that, in this case, after the claim was admitted for processing, no preliminary investigation proceedings were carried out, so that the twelve-month period for the duration of such proceedings, which Article 67.2 of the LOPDGDD established as a time limit according to the wording of that article in force when the claim was admitted for processing, is not applicable. The period established in Article 67.2 of the LOPDGDD is the maximum period within which the initiation agreement must be issued only where it has been agreed to open preliminary investigation proceedings, and that time limit cannot be applied, as MAPFRE seeks, where no such proceedings were agreed.

After the claim has been admitted for processing, and it is not considered necessary to carry out preliminary investigation proceedings, the only time limit that must be applied is the three-year limitation period provided for in article 72.1.l) of the LOPDGDD for very serious infringements, as stated in the initiation agreement. Given the absence of an adequacy decision with the USA (after CJEU C-311/18) between 16 July 2020 and 10 July 2023, the facts referred to in the claim continued until at least the latter date, which would be the start of the limitation period, so that, on the date of commencement of the present procedure, the infringement was not time-barred.

For all the reasons set out above, this claim is rejected.

IV
Transfers of personal data to third countries

Article 44 “Transfers of personal data to third countries or international organisations” of the GDPR provides:

“A transfer of personal data which is being processed or is to be processed following transfer to a third country or international organisation shall take place only if, subject to the other provisions of this Regulation, the controller and the processor comply with the conditions set out in this
Chapter, including those relating to onward transfers of personal data from the third country or international organisation to another third country or international organisation. All provisions of this Chapter shall apply in order to
ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

Chapter V of the Regulation provides for various instruments to ensure a level of
protection substantially equivalent to that guaranteed in the European Union, in accordance with Article 44 of the Regulation:

- adequacy decisions (Article 45);

- appropriate safeguards (Article 46).

In the absence of an equivalent level of protection, it establishes exceptions for specific situations (Article 49).

1. On data processing and responsibility for processing.

In the document dated April 9, 2021 sent by Google LLC to the Austrian data protection authority, which it shared with the other authorities in the framework of the TF101 working group, it is indicated that Google Analytics works by including a block of JavaScript code in the pages of a website. When a user visits a web page, this JavaScript code refers to JavaScript code that has been previously downloaded to the user's device, which then executes the tracking operation for Google Analytics. The tracking operation collects data about the requested page through various means and sends this information to the Analytics server as a set of parameters attached to a request for a single-pixel GIF image sent to the google-analytics.com domain. The data is then further processed and ends up in the reports of the website owner, in this case MAPFRE. The data that Google Analytics collects for the benefit of the website owner comes from the following sources:

i. The user's HTTP request.

An HTTP request contains details about the browser and computer making the request, such as the hostname, browser type, referer, and language.

ii. Browser and system information.

iii. First-party cookies.

Website administrators who integrate the Google Analytics service may send instructions to Google for the processing of data collected through Google Analytics. The website administrator may apply different settings, for example, regarding the data retention period. The Google Analytics function also allows website administrators to monitor and maintain the stability of their website, for example by keeping them informed of certain events such as a spike in audience or the fact that there is no traffic at all. Google Analytics also allows website administrators to measure and optimize the effectiveness of advertising campaigns conducted using other Google tools.

Therefore, Google Analytics collects the user's HTTP request, which contains information about the user's browser and operating system, the referrer, and the language. In addition, Google Analytics stores and reads cookies in the user's browser to evaluate the user's session and other information about the request.

With regard to these data transfers, the agreement for the Google Analytics feature (“Google Analytics Terms of Service”) incorporates an appendix entitled “Google Ads Data Processing Terms” (in previous versions referred to as the “Google Ads Data Processing Terms”). This appendix contains standard contractual clauses governing the transfer of personal data to the United States of America under the Google Analytics service.

In addition, Google has implemented additional legal, organizational and technical measures to regulate data transfers under the Google Analytics service.

In accordance with point 10 of the “Google Ads Data Processing Terms”, the controller has agreed that Google may store and
process personal data of the customer (in this case, personal data of the complaining party) in any country in which Google or any of its subprocessors maintain facilities. When this information is collected,
it is transmitted to the Google Analytics servers.

Referring to the document sent by Google LLC dated April 9, 2021, in the last paragraph of the answer to question 8, Google states that all data collected through Google Analytics is hosted in the United States. Therefore, the data collected on the website "www.mapfre.es" through Google Analytics is transferred to the United States. Such data transmission requires a legal basis in accordance with Article 44 et seq. of the GDPR.

All these elements show that, by deciding to implement the Google Analytics function on its website, MAPFRE, which operates the website “www.mapfre.es”, determined the means and purposes of the collection and processing of the data obtained following the integration of Google Analytics on its website and must be considered the data controller within the meaning of Article 4.7 of the GDPR.

2. Regarding the classification of the data subject to processing as personal data

It can be stated that the data collected through the Google Analytics function and transferred to the United States of America constitute personal data.

Article 4.1 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

It should be noted that online identifiers such as IP addresses or information stored in cookies can commonly be used to identify a user, especially when combined with other similar types of information.
This is illustrated by Recital 30 of the GDPR, according to which the assignment of online identifiers such as IP addresses, cookie identifiers to natural persons or their devices may "leave traces which, in particular when combined with unique identifiers and other information received by servers, can be used to create profiles of natural persons and to identify them." In the
particular case where the controller claims not to have the ability to
identify the user by using (alone or in combination with other data points)
such identifiers, it would be expected that it would disclose the specific means deployed
to ensure the anonymity of the identifiers collected. Without such details, they cannot
be considered anonymous.

It is therefore necessary to examine to what extent the implementation of Google Analytics on a website enables the website operator and Google to identify a data subject (a visitor to the website in question).

When a user visits the website www.mapfre.es, the following data (via JavaScript code) is transmitted from the complainant's browser to the servers of Google LLC (answer to question 2 of the Google document of 9 April 2021):

- _ga and _gid cookies (first-party cookies);
- URL of the web page visited (dl parameter) and title of the web page visited (dt parameter);
- IP address;
- sr (screen resolution), among other parameters;
- data on the browser and operating system;
- unique identifier that identifies the website operator.
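The data flow the decision describes (a JavaScript snippet that sends page parameters and first-party cookies in a request for a single-pixel GIF to google-analytics.com) can be inspected directly from a captured request. The following Python script is an added example written for this summary; it is not part of the AEPD decision and not Google's code. The request URL, cookie header, IP address and user agent are constructed sample values; the parameters dl, dt and sr are those named in the decision, while v, tid, cid, t and ul are taken from the documented Universal Analytics Measurement Protocol and are assumed here rather than cited by the decision. The script parses the hit, tags each element with the category the decision reasons with (unique identifier, IP address, browser and system data, page visited, website-operator identifier) and shows that two hits carrying the same _ga cookie come from the same browser, which is the singling-out property the decision relies on.

```python
"""Audit helper: what does a Google Analytics pageview hit carry? (added example)"""
from urllib.parse import urlsplit, parse_qsl
from http.cookies import SimpleCookie

# Constructed sample hit: the GIF request a browser sends when a page with
# Universal Analytics installed is loaded. All values are made up.
SAMPLE_URL = (
    "https://www.google-analytics.com/collect?v=1&tid=UA-000000-0"
    "&cid=1234567890.1700000000&t=pageview"
    "&dl=https%3A%2F%2Fwww.example.test%2Fseguros%2Fhogar"
    "&dt=Seguros%20de%20hogar&sr=1920x1080&ul=es-es"
)
SAMPLE_COOKIE = "_ga=GA1.2.1234567890.1700000000; _gid=GA1.2.987654321.1700090000"
SAMPLE_CLIENT_IP = "203.0.113.47"  # constructed, documentation range (TEST-NET-3)
SAMPLE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"

# Categories used in the decision's reasoning on Art. 4(1) GDPR / Recital 30.
UNIQUE_IDENTIFIERS = {"cid", "_ga", "_gid"}      # single out a browser
OPERATOR_IDENTIFIER = {"tid"}                    # identifies the website operator
PAGE_VISITED = {"dl", "dt"}                      # URL and title of the page
BROWSER_SYSTEM = {"sr", "ul", "user_agent"}      # screen, language, UA string


def parse_beacon(url, cookie_header, client_ip, user_agent):
    """Return every data element the hit transfers to the Analytics endpoint.

    The IP address and user agent are not query parameters: the receiving
    server observes them from the TCP connection and the HTTP headers.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    record = {"host": parts.hostname, "client_ip": client_ip, "user_agent": user_agent}
    for key in ("tid", "cid", "dl", "dt", "sr", "ul"):
        if key in params:
            record[key] = params[key]
    for name in ("_ga", "_gid"):
        if name in cookies:
            record[name] = cookies[name].value
    return record


def client_id_from_ga(ga_value):
    """'_ga=GA1.2.<random>.<timestamp>': the client id is the last two fields."""
    fields = ga_value.split(".")
    return ".".join(fields[-2:])


def classify(record):
    """Map each transferred element to the category the decision reasons with."""
    labels = {}
    for key in record:
        if key in UNIQUE_IDENTIFIERS:
            labels[key] = "unique identifier"
        elif key == "client_ip":
            labels[key] = "IP address"
        elif key in OPERATOR_IDENTIFIER:
            labels[key] = "website operator identifier"
        elif key in PAGE_VISITED:
            labels[key] = "page visited"
        elif key in BROWSER_SYSTEM:
            labels[key] = "browser/operating-system data"
        else:
            labels[key] = "other"
    return labels


def is_personal_data(record):
    """An IP address, or a unique identifier that can be combined with the other
    elements, makes the visitor identifiable: personal data under Art. 4(1)."""
    return "client_ip" in record or bool(UNIQUE_IDENTIFIERS & set(record))


def same_visitor(rec_a, rec_b):
    """Hits that carry the same _ga client id come from the same browser, which is
    what lets visits to different pages (or on different days) be linked."""
    return client_id_from_ga(rec_a["_ga"]) == client_id_from_ga(rec_b["_ga"])


if __name__ == "__main__":
    hit = parse_beacon(SAMPLE_URL, SAMPLE_COOKIE, SAMPLE_CLIENT_IP, SAMPLE_UA)
    for key, label in classify(hit).items():
        print(f"{key:11} {label:30} {hit[key]}")
    print("personal data:", is_personal_data(hit))
```

Run against a real capture, the same parser can be fed the request URL and Cookie header of any hit to google-analytics.com taken from the browser's developer tools, which is how a controller can verify for itself which elements leave the visitor's browser.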

It should be noted that the CJEU has already declared that IP addresses are personal data (see Case C-597/19, point 102, and Case C-582/14, point 49). The IP address does not lose its nature as personal data simply because the means of identification reside with third parties. In addition, the present case is very different, since the IP address can be combined with other elements, as described below.

With regard to unique identifiers, when a user visits the website www.mapfre.es, its cookie policy acknowledges the use of Google Analytics, which involves sending the values of the cookies "_ga" and "_gid" to Google LLC, as recorded in the Google Analytics cookie reference.

According to the description of Google Analytics located at the URLs ***URL.12 and ***URL.13, the _ga and _gid cookies are used to distinguish users and the “sr” parameter refers to the screen resolution.

Visitor identifiers are unique identifiers intended to differentiate individuals (where such differentiation was not previously possible), and they make individuals identifiable. These identifiers may also be combined with other information, such as the address of the website visited, metadata relating to the browser and operating system, time and data relating to the website visit, and the IP address. This combination of information further differentiates individuals.

For this reason, when several elements are combined, they may allow
visitors to the website of “***URL.3”, on which Google Analytics is
implemented, to be identified individually. It is not necessary to know the name or
(physical) address of the visitor, since, according to Recital 26 of the GDPR, such
qualification of individuals is sufficient to make the visitor identifiable.

If it were decided otherwise, the scope of the right to data protection, guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union, would be undermined, as it would allow companies to specifically target individuals with personal information (for example, when they visit a specific website) while denying them any right to protection against such targeting. Such a restrictive interpretation, which would undermine the level of protection of individuals, is also not in line with the case law of the Court of Justice of the European Union (hereinafter CJEU), which has repeatedly ruled that the scope of the GDPR must be understood very broadly (see, for example, judgment C-439/19, paragraph 61).

Insofar as Google LLC claims that it has “no intention” of using online identifiers to identify the complaining party (or other persons), as stated in the last paragraph of the answer to question 13 of the document of April 9, 2021, and that in fact it “does not do this”, it should be noted that Article 4, paragraph 1, of the GDPR does not require an entity to have a specific intention to identify a person. According to the clear wording of Article 4, paragraph 1, of the GDPR, the definition of “personal data” is satisfied when an entity is able (has the possibility) to do so.

Even under a more restrictive interpretation of Article 4, paragraph 1, of the GDPR, which in any case would be contrary to the case law of the CJEU, the definition of “personal data” would be understood to apply to the data in question. In the event that a visitor to the website ***URL.3 was logged into a Google account at the time of the visit, as can be seen in the Google LLC declaration of April 9, 2021, the implementation of Google Analytics on a website allows Google to receive the information that a specific user of the Google account has visited that website.

In the context of the use of Google Analytics, and depending on certain settings of the Google user account (see answer to question 9 of the Google document of April 9, 2021), Google Analytics allows Google to receive information that a user logged into a Google account has visited a particular website.

Personal data related to this account is therefore collected. For all these reasons, the data in question must be considered to be personal data within the meaning of Article 4.1 of the GDPR.

3.- Regarding the failure to comply with the obligation to regulate transfers of personal data outside the European Union

In the present case, it must be verified whether the export of personal data to the United States of America took place, as indicated by the complainant, in the terms established in Article 44 of the GDPR and, if it did take place, whether the export was carried out with an adequate level of protection in accordance with an adequacy decision under Article 45 of the GDPR or, failing that, whether any of the safeguards of Article 46 of the GDPR were adopted.

- Adequacy decisions

In its judgment in Case C-311/18 ("Schrems II") of 16 July 2020, the CJEU invalidated Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the "EU-US Privacy Shield" (“Privacy Shield”), without maintaining its effects on the date of the facts subject to the complaint.

In the absence of an adequacy decision applicable to the present case, the data transfer in question cannot be based on the provisions of Article 45.3 of the GDPR.

- Appropriate safeguards: Standard data protection clauses

Article 46, “Transfers with appropriate safeguards”, of the GDPR establishes in its paragraph 1 that “In the absence of a decision pursuant to Article 45, paragraph 3, the controller or the processor may only transfer personal data to a third country or international organisation if it has offered appropriate guarantees and on condition that the data subjects have enforceable rights and effective legal remedies.”

Article 46(2) of the GDPR provides that “Appropriate safeguards pursuant to paragraph 1 may be provided, without requiring any express authorisation from a supervisory authority, by: (…) (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2). (…)”.

Google's standard contractual clauses for the transfer of personal data to the United States, updated on September 27, 2021, are entitled "Google Ads & Measurement: Standard Contractual Clauses (Module 3: Processor-to-Processor)”, which could be translated as “Google Ads data processing terms: Model Contractual Clauses, Standard Contractual Clauses Processor-to-Processor” (hereinafter, SCC). These clauses comply with those published by the European Commission in Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors.

In this context, it should be noted that the standard contractual clauses are a transfer instrument within the meaning of Chapter V of the Regulation and were not challenged as such by the CJEU in its judgment of 16 July 2020 (C-311/18). However, the CJEU considered that the contractual nature of these clauses meant that they could not be binding on authorities in third countries. In particular, the CJEU stated that: “...Therefore, while there are situations in which, based on the laws and practices in force in the third country in question, the recipient of such a transfer is in a position to ensure the necessary data protection solely on the basis of standard contractual data protection clauses, there are other situations in which the content of such standard clauses may not constitute a sufficient means to ensure, in practice, the effective protection of personal data transferred to the third country in question. This is the case, in particular, where the legislation of that third country allows its public authorities to interfere with the rights of data subjects to whom such data relate” (C-311/18, point 126, emphasis added).

There is no need to carry out a further analysis of the legal situation in the United States, as the CJEU has already done so in the judgment referred to above. Indeed, the CJEU considered that surveillance programmes based on Section 702 of FISA and E.O. 12333 in conjunction with PPD-28 do not satisfy the minimum requirements set by Union law with regard to the principle of proportionality, so that surveillance programmes based on these provisions cannot be considered as limited to what is strictly necessary (C-311/18, point 184). Furthermore, the CJEU considered that the legal framework in question did not confer on data subjects rights enforceable against the US authorities, from which it follows that those persons do not have the right to effective judicial protection (C-311/18, paragraph 192).

The CJEU's analysis is relevant in the present case, since Google LLC (as
the importer of the data to the US) must be classified as a provider of electronic
communications services within the meaning of paragraph (b) of point 4 of
section 1881 of title 50 of the United States Code and is therefore subject to
surveillance by the US intelligence services in accordance with paragraph
(a) of section 1881 of title 50 of the United States Code ('FISA
702'). Therefore, Google LLC is required to provide personal data to the
US government when requested pursuant to section 1881(a) of Title 50 of the United States Code (FISA 702).


As can be seen in the Google Transparency Report, Google LLC is regularly subject
to such access requests by the US intelligence services. The report can be consulted at:
***URL.14.

The CJEU concluded that the standard contractual clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR “are intended only to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, regardless of the level of protection guaranteed in each third country. To the extent that these standard data protection clauses cannot, given their nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required by Union law, they may require, depending on the prevailing position in a given third country, the adoption of additional measures by the controller to ensure compliance with that level of protection” (C-311/18, point 133).

- General observations on additional measures

In its Recommendations 01/2020 of 18 June 2021 (which can be consulted on the website ***URL.15, although the transcriptions included in this document refer to their translation into Spanish), the European Data Protection Board (EDPB) has clarified that, where the assessment of the legislation or practices in force in the third country shows that they may affect the effectiveness of the appropriate safeguards of the transfer instrument relied upon by the exporter, in the context of its specific transfer, as is the case here following the CJEU assessment, the exporter must suspend the transfer or apply appropriate complementary measures. The EDPB notes in this regard that “Any complementary measure can only be considered effective within the meaning of the CJEU judgment “Schrems II” to the extent that it addresses the specific deficiencies identified in its assessment of the legal situation in the third country. If it cannot ultimately ensure an essentially equivalent level of protection, it should not transfer the personal data.” (see Recommendations 01/2020, point 75).

Measures to complement standard data protection clauses can be
classified into three categories: contractual, technical or organisational (see
Recommendations 01/2020, point 74).

With regard to contractual measures, the EDPB noted that: “In some situations, these measures may complement and reinforce the guarantees that the transfer instrument and the relevant third-country law may provide, where, taking into account the circumstances of the transfer, they do not fulfil all the conditions necessary to ensure a level of protection essentially equivalent to that guaranteed in the Union. Given the nature of contractual measures, which generally cannot bind the authorities of that third country when they do not form part of the contract, they should be combined with other technical and organisational measures to provide the required level of data protection (...)”. (see Recommendations 01/2020, point 99, emphasis added).

As regards organisational measures, the EDPB stressed that: “…Selecting and implementing one or more of these measures will not necessarily and systematically ensure that their transfer complies with the essential equivalence standard required by Union law. Depending on the specific circumstances of the transfer and the assessment made on the law of the third country, organisational measures will be needed to complement contractual or technical measures in order to ensure a level of protection of personal data essentially equivalent to that guaranteed in the Union” (see Recommendations 01/2020, point 128, emphasis added).

As regards technical measures, the EDPB noted that “…Such measures will be particularly necessary where the law of that country imposes obligations on data importers that are contrary to the guarantees of Article 46 of the GDPR and may, in particular, affect the contractual guarantee of an essentially equivalent level of protection against access by public authorities of that third country to such data” (see Recommendations 01/2020, point 77).

It added that “The measures listed below are intended to ensure that access by public authorities of third countries to the transferred data does not affect the effectiveness of the appropriate safeguards contained in the transfer instruments of Article 46 of the GDPR. These measures apply even if the access by public authorities is in accordance with the law of the country of the importer, where such access goes beyond what is necessary and proportionate in a democratic society. These measures are intended to prevent potentially infringing access by preventing the authorities from identifying data subjects, inferring information about them, individualizing them in another context or associating the transferred data with other data sets they may hold and which may contain, among other data, online identifiers provided by devices, applications, tools and protocols used by data subjects in other contexts.” (see Recommendations 01/2020, point 79, emphasis added).

- Complementary measures implemented by Google LLC

Google LLC, as a recipient of data from users of its Google Analytics services, has adopted contractual, organizational and technical measures to complement the SCCs. In the document dated 9 April 2021 sent by Google LLC to the Austrian data protection authority, which the latter shared with the other authorities within the framework of the TF101 Working Group, Google LLC described the measures taken in detail.

Taking into account the considerations of the CJEU and the EDPB, it must now be verified whether the additional measures taken by Google LLC were effective, which means that they address the specific issue of the access possibilities of the US intelligence services.

As regards the “legal and organisational measures” taken, it should be noted that neither the notification of users, even if such notification is admissible, nor the publication of a transparency report or a “public policy on the handling of government requests” in fact prevent or reduce the access possibilities of the US intelligence services. Furthermore, it is not clear how Google LLC's "careful review of each request" for its admissibility is effective as a complementary measure, given that, according to the CJEU, admissible (legal) requests from US intelligence services are not in line with the requirements of European data protection legislation.

With regard to the "technical measures" adopted, it should be noted that it has not been
clarified how the measures described, such as the protection of communications
between Google services, the protection of data in transit between data centers, the protection of communications
between users and websites, or "on-site security", in fact prevent or reduce the possibilities of access by US intelligence
services on the basis of the US legal framework.

As regards encryption technologies, such as in the case of “data at rest” in data centres, as specifically mentioned by Google LLC as a technical measure, it should be noted that Google LLC, as data importer, is obliged to grant access to or hand over imported personal data in its holding, including the cryptographic keys necessary to make the data intelligible (see Recommendations 01/2020, point 81). In other words: as long as Google LLC has the possibility to access the data of natural persons in clear text, such a technical measure cannot be considered effective in the present case.

Insofar as Google LLC notes that “to the extent that the Google Analytics data for measurement purposes transferred by website owners is personal data, it should be considered pseudonymous”, it should be noted that universally unique identifiers (UUIDs) do not fall under the definition of Article 4.5 of the GDPR. While pseudonymisation may be a privacy-enhancing technique, unique identifiers are, as already described above, specifically intended to single out users, not to act as a safeguard. Apart from this, it has also been described above why the combination of unique identifiers with other elements (such as browser or device data and IP address) and the possibility of linking such information to a Google account in any case make a person identifiable.

Insofar as Google LLC refers to an "optional technical measure" by means of an IP anonymisation function, it should be noted, first of all, that such a measure is, as its name suggests, optional and not applicable to all transfers. Furthermore, it is not clear from Google's response whether this anonymisation takes place before the transfer or whether the full IP address is transmitted to the United States and only shortened after this transfer to the United States. From a technical point of view, therefore, there is potential access to the full IP address before it is shortened.
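The point made above, that an IP-shortening step carried out by the importer runs only after the address has already reached its servers, can be made concrete by modelling where the step runs. The following Python model is an added example for this summary, not part of the decision and not Google's code. Its assumptions: the shortening rule (zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address) follows Google's published description of its IP anonymization feature and is not stated in the decision, which only says "shortened"; the "aip" request parameter is the Universal Analytics Measurement Protocol switch for that feature and is likewise not cited by the decision; the addresses are constructed documentation-range values. The model contrasts the importer-side step with an exporter-side alternative, a relay under the controller's own control that forwards the hit from its own address, so the visitor's address never reaches the importer. That alternative is an illustration added here of a measure applied before transfer, not something the decision assesses.

```python
"""Where does IP shortening happen? Importer-side vs exporter-side (added model)."""
import ipaddress

VISITOR_IP = "203.0.113.47"                               # constructed, TEST-NET-3
VISITOR_IP6 = "2001:db8:1234:5678:9abc:def0:1234:5678"    # constructed, doc prefix
RELAY_IP = "198.51.100.10"   # constructed: relay in the EU under the controller's control


def shorten_ip(ip_str):
    """Zero the host part: last octet (IPv4) or last 80 bits (IPv6).

    Assumption: mirrors Google's published description of IP anonymization;
    the decision itself only says the address is 'shortened'.
    """
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


class ImporterEndpoint:
    """Model of the data importer's collection server.

    Whatever the server later does with the address, the source IP of the
    connection is visible to it at the moment the hit arrives, and that is the
    moment the transfer to the third country has already taken place.
    """

    def __init__(self):
        self.observed_source_ips = []   # addresses seen on arriving connections
        self.stored = []                # records kept after any shortening

    def receive(self, source_ip, params):
        self.observed_source_ips.append(source_ip)
        # 'aip' is the Measurement Protocol's optional switch (assumption, see lead-in):
        # without it nothing is shortened; with it, shortening happens here, after receipt.
        ip_to_store = shorten_ip(source_ip) if params.get("aip") == "1" else source_ip
        record = {"ip": ip_to_store, "cid": params["cid"], "dl": params["dl"]}
        self.stored.append(record)
        return record


def send_direct(endpoint, visitor_ip, params):
    """Browser talks to the importer directly: the visitor's address is the
    source of the connection, and the 'aip' flag only changes what is stored."""
    return endpoint.receive(visitor_ip, params)


def send_via_exporter_relay(endpoint, visitor_ip, params):
    """Exporter-side alternative: the browser sends the hit to a relay run by the
    controller, which forwards it from its own address. The importer never sees
    visitor_ip; the unique identifier (cid) is still transferred unchanged."""
    del visitor_ip  # consumed by the relay, never placed on the outbound connection
    return endpoint.receive(RELAY_IP, dict(params))


if __name__ == "__main__":
    hit = {"cid": "1234567890.1700000000", "dl": "https://www.example.test/"}
    direct = ImporterEndpoint()
    send_direct(direct, VISITOR_IP, hit)
    send_direct(direct, VISITOR_IP, {**hit, "aip": "1"})
    print("importer saw:", direct.observed_source_ips, "stored:", direct.stored)
    relayed = ImporterEndpoint()
    send_via_exporter_relay(relayed, VISITOR_IP, {**hit, "aip": "1"})
    print("importer saw:", relayed.observed_source_ips, "stored:", relayed.stored)
```

The two runs show the distinction the decision draws: in the direct case the importer observes the full address whether or not shortening is enabled, so the shortening is not a measure applied before transfer; in the relay case the address is withheld before the hit leaves the exporter's control, while the cid, the element the decision treats as the singling-out identifier, still crosses the border.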

The additional measures adopted, as presented by Google, are therefore not effective insofar as none of them addresses the specific issues in the present case, which means that none of them prevents the access possibilities of the American intelligence services or renders such access ineffective.

- The exceptions provided for in Chapter V of the Regulation

Article 49, “Exceptions for specific situations”, of the GDPR states:

"1. In the absence of an adequacy decision pursuant to Article 45, paragraph 3, or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or set of transfers of personal data to a third country or international organisation shall only take place if one of the following conditions is met:

a) the data subject has explicitly given his or her consent to the proposed transfer, after having been informed of the possible risks for him or her of such transfers due to the absence of an adequacy decision and appropriate guarantees;

b) the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject;
(…)”

The European Data Protection Board (EDPB), in pursuit of the objective of ensuring the consistent application of the General Data Protection Regulation assigned to it by Article 70 of the GDPR, issued Guidelines 2/2018 on the exceptions provided for in Article 49 of Regulation 2016/679. Regarding the interpretation of assumption a) of Article 49 of the GDPR (section 2.1 of Guidelines 2/2018), the EDPB points out that consent must be specific and informed about the possible risks, establishing the following: “this provision obliges interested parties to also be informed of the specific risks arising from the fact that their data will be transferred to a country that does not offer an adequate level of protection and that adequate guarantees for the protection of data are not provided.”

In the present case, the consent of users for the storage of cookies during their visit to the website cannot be considered equivalent to having explicitly consented to the international transfer of data, as required by Article 49.1.a) of the GDPR; this consent must be obtained in a specific manner and, in order to be valid, MAPFRE should have previously informed the interested parties of the risks involved in data transfers to the USA, in the absence of an adequacy decision and adequate guarantees in the sense of Article 49, paragraph 1 of the Regulation.


With regard to the possible existence of a contractual relationship, this ground is not found to apply, taking into account that Recital 111 of the GDPR requires that the international transfer of data based on explicit consent must be "occasional and necessary in relation to a contract", whereas in this case the transfers occur continuously and systematically and their necessity is not justified.

Current legal framework

On July 10, 2023, the Commission approved Implementing Decision (EU) 2023/1795 on the adequacy of the level of protection of personal data in the EU-US Data Privacy Framework pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, so that international transfers made after that decision may be covered by the aforementioned Decision.

On the website https://www.dataprivacyframework.gov/s/ it can be seen that Google LLC has certified its adherence to the principles of the Data Privacy Framework until September 13, 2024, since said certification must be renewed annually. Therefore, international data transfers to Google LLC in the US are currently covered by the EU-US Data Privacy Framework.

However, it must be concluded that, on the date on which the facts subject to the complaint occurred, MAPFRE could not invoke any of the tools provided for in Chapter V of the GDPR to justify international transfers of personal data of visitors to its website, in particular unique identifiers, IP addresses, browser data and metadata, to Google LLC in the United States, since the doctrine established by the Court of Justice of the European Union in the Schrems II judgment, which invalidated the EU-US Privacy Shield decision, was fully applicable.

Consequently, in accordance with the evidence available in this warning procedure resolution, it is considered that the known facts constitute an infringement, attributable to MAPFRE, for violation of Article 44, "General principle of transfers", of the GDPR, which states that transfers of personal data that are subject to processing or will be processed after their transfer to a third country or international organisation shall only be carried out if, subject to the other provisions of the GDPR, the controller and the processor comply with the conditions established in that chapter, including those relating to onward transfers of personal data from the third country or international organisation to another third country or another international organisation.

V
Classification and qualification of the infringement of article 44 of the GDPR


The infringement of Article 44 of the GDPR involves the commission of the infringements classified in Article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions shall be punishable, in accordance with section 2, by administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher:

(…)
c) the transfer of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(…)"

In this regard, the LOPDGDD, in its Article 71 "Infringements", establishes that "The acts and conduct referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements".

For the purposes of the limitation period, Article 72 "Infringements considered very serious" of the LOPDGDD indicates:

"1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:

(…)
l) The international transfer of personal data to a recipient located in a third country or to an international organisation, when the guarantees, requirements or exceptions established in Articles 44 to 49 of Regulation (EU) 2016/679 are not met. (…)"

VI
Warning

Article 64 of the LOPDGDD, which regulates the "Form of initiation of the procedure and duration", in its third section provides that:

"3. When appropriate, taking into account the nature of the facts and taking into account the criteria established in Article 83.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the Spanish Data Protection Agency, after hearing the controller or processor, may issue a warning and order the controller or processor to adopt corrective measures aimed at ending the potential breach of data protection legislation in a certain manner and within the specified period.

The procedure will have a maximum duration of six months from the date of the start agreement. After this period, the procedure will expire and, consequently, the proceedings will be closed.

In this case, the provisions of the second and third paragraphs of section 2 of this article shall apply."

In accordance with the evidence available at the time of the procedural resolution, and weighing the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, a warning must be issued to MAPFRE for the infringement committed by violating the provisions of Article 44 of the GDPR. Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO ISSUE A WARNING to MAPFRE ESPAÑA COMPAÑÍA DE
SEGUROS Y REASEGUROS, S.A., with NIF A28141935, for an infringement of
Article 44 of the GDPR, classified in Article 83.5 of the GDPR.

SECOND: TO NOTIFY this resolution to MAPFRE ESPAÑA COMPAÑÍA DE
SEGUROS Y REASEGUROS, S.A.

Against this resolution, which ends the administrative process in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution, or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in Article 46.1 of the referred Law.

Finally, it is noted that, in accordance with the provisions of Article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses an intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a written document addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also provide the Agency with the documentation that proves the effective filing of the administrative appeal.

If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the provisional suspension.

1403-16012024
Mar España Martí

Director of the Spanish Data Protection Agency
