AEPD (Spain) - EXP202203580
Latest revision as of 14:38, 26 November 2024
| AEPD - EXP202203580 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(a) GDPR, Article 44 GDPR, Article 45 GDPR, Article 46(2)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 18.02.2022 |
| Decided: | 03.10.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Mapfre España Compañia de Seguros y Reaseguros SA |
| National Case Number/Name: | EXP202203580 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | fb |
The DPA reprimanded an insurance company after it placed cookies without the data subject's consent and unlawfully transferred data to the USA through the use of Google Analytics in violation of Chapter V of the GDPR.
English Summary
Facts
The controller, an insurance company, has a website that uses cookies. The data subject noticed that, even though the website had a cookie banner, the cookies were placed even before the user interacted with the cookie banner.
Moreover, the cookies at hand were connected with the Google Analytics service. According to the data subject, this entailed an unlawful data transfer to the USA.
Therefore, the data subject filed a complaint with the Spanish DPA.
The controller acknowledged that it was using Google Analytics on its website, but argued that the relevant cookie is placed only after the data subject's consent.
Moreover, the controller pointed out that it is now using the so-called "Google Analytics 4", which uses an IP-address "anonymiser".
Holding
First, the DPA noted that the controller acknowledged using the Google Analytics tool. Therefore, the controller processed several categories of the data subject's personal data, including unique user identifiers, the IP address and other data associated with the browser.
The DPA shared the data subject's view, holding that the controller should not have installed the cookies before the data subject's consent. Since no legal basis for this processing was present, the DPA found a violation of Article 5(1)(a) GDPR.
Second, the DPA pointed out that, even though the data transfer to the USA (i.e. to Google LLC) was carried out by Google Ireland (appointed as processor pursuant to Article 28 GDPR), the controller remains responsible and liable under Chapter V GDPR (see EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, para. 19).
As for this point, the DPA considered it irrelevant that the controller did not decide where personal data is stored by Google LLC, since the data processing agreement also mentioned the US as a place where the servers could be located.
Third, the DPA held that the fact that Google LLC now adheres to the "EU-US Data Privacy Framework" is not relevant, since the complaint refers to processing activities that took place before this legal regime entered into force. Therefore, reference must be made to the previous legal framework, under which no valid adequacy decision under Article 45 GDPR was in force (see C-311/18, Schrems II).
Fourth, as for the controller's migration to Google Analytics 4, the DPA pointed out that the controller provided no evidence that the IP addresses are anonymised in the EU and, thus, there is a possibility that they had been transferred to the US. Additionally, the DPA noted that the collection of IP addresses in itself constitutes a processing of personal data.
Fifth, the DPA noted that the standard contractual clauses (SCCs) governing the relationship between the controller and the processor did not take into account the principles stated by the CJEU in case C-311/18, Schrems II. In particular, the DPA referred to the fact that, in this judgment, the CJEU held that SCCs cannot constitute an appropriate safeguard with respect to the exercise of powers by third countries' public authorities, given the contractual nature of these clauses (see para. 126).
Therefore, the DPA held that the controller could not transfer data to the US, since neither an adequacy decision nor appropriate safeguards under Article 46 GDPR were in place, and found a violation of Article 44 GDPR.
On these grounds, the DPA issued a reprimand to the controller.
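The two technical points the decision turns on, analytics cookies being present before any interaction with the banner and the controller's reliance on the `aip=1` IP-masking parameter of the Universal Analytics hit, are the kind of thing a compliance audit reproduces from a fresh browser session. The Python script below is an added example and is not part of the decision or of this page; the cookie names (`_ga`, `_gid`, `_gac`, `_gcl`) and the `aip` parameter come from the decision text, the Set-Cookie headers and hit URLs are constructed sample input, and grouping those cookies as non-essential is this example's own classification, not the Agency's.

```python
"""Pre-consent cookie audit and Universal Analytics IP-masking check.

Added example (not from the decision or the GDPRhub page). It reproduces, offline,
the type of verification the Agency describes: load the page in a fresh browser
profile, keep every Set-Cookie header received before touching the banner, and
report which non-essential cookies are already present.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

# Cookie names quoted in the decision. Treating them as non-essential
# (analytics/advertising) is this example's own classification.
NON_ESSENTIAL_PREFIXES = ("_ga", "_gid", "_gac", "_gcl")

# Constructed sample: Set-Cookie headers as a first, pre-consent page load might
# return them. No real site was queried; all values are made up.
PRE_CONSENT_SET_COOKIE = [
    "JSESSIONID=0123abcd; Path=/; HttpOnly; Secure",
    "cookie_banner_seen=0; Path=/; Max-Age=3600",
    "_ga=GA1.2.1234567890.1700000000; Path=/; Domain=.example.org; Max-Age=63072000",
    "_gid=GA1.2.987654321.1700000000; Path=/; Domain=.example.org; Max-Age=86400",
]


def parse_set_cookie_names(set_cookie_headers):
    """Return the cookie names carried by a list of Set-Cookie header values."""
    names = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Path=/; ..." into one Morsel
        names.extend(jar.keys())
    return names


def cookies_set_before_consent(set_cookie_headers):
    """Names of non-essential cookies present before any consent action.

    An empty list is the compliant outcome; any _ga/_gid/_gac/_gcl cookie here
    is the situation the complainant reported ("loaded before they can be
    managed, without taking any action").
    """
    return sorted(
        {n for n in parse_set_cookie_names(set_cookie_headers)
         if n.startswith(NON_ESSENTIAL_PREFIXES)}
    )


def ga_hit_has_ip_masking(hit_url):
    """True if a Universal Analytics Measurement Protocol hit carries aip=1.

    This only shows that the flag was sent with the hit; it says nothing about
    where the masking is performed, which is the evidence gap the Agency
    pointed at for the Google Analytics 4 migration.
    """
    params = parse_qs(urlparse(hit_url).query)
    return params.get("aip", [""])[0] == "1"


def audit(set_cookie_headers, hit_urls):
    """Combine both checks into one finding dict suitable for a report."""
    return {
        "non_essential_before_consent": cookies_set_before_consent(set_cookie_headers),
        "hits_without_ip_masking": [u for u in hit_urls if not ga_hit_has_ip_masking(u)],
    }


if __name__ == "__main__":
    # Constructed sample hits (placeholder property id): one with aip=1, one without.
    sample_hits = [
        "https://www.google-analytics.com/collect?v=1&tid=UA-XXXXXX-1&cid=555&t=pageview&aip=1",
        "https://www.google-analytics.com/collect?v=1&tid=UA-XXXXXX-1&cid=555&t=pageview",
    ]
    print(audit(PRE_CONSENT_SET_COOKIE, sample_hits))
```

In a real audit the header list comes from the response log of an instrumented browser with a clean profile, and the hit URLs from its network capture; the point of separating the two checks is that a site can pass the first (no analytics cookies before consent) and still leave the second question open, exactly as the Holding distinguishes the consent issue from the transfer issue.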
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/35 File No.: EXP202203580 (PA/00053/2023)

RESOLUTION OF WARNING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) on February 18, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. with NIF A28141935 (hereinafter, MAPFRE). The reasons on which the claim is based are the following:

Claim against MAPFRE in relation to the use of cookies on its website. The complainant claims that cookies are loaded "before they can be managed, without taking any action" and that, in relation to the use of Google Analytics, international transfers to the USA are taking place.

Along with the complaint, the following are provided:
- Images from the MAPFRE website of the “Cookie Notice” from the website ***URL.1.
- Printout of the Chrome browser – Settings – Security and Privacy.

On March 18, 2022, the following evidence collected by this Agency was incorporated into the file:
- Printout of a series of screens of the Privacy Policy and Data Processing of the website ***URL.2, which contains the following Google Analytics cookies: _ga, _gid.
- Performing a test of installed cookies after accepting, the installation of the aforementioned Google Analytics cookies was verified.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to the respondent party, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/35

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was recorded on May 4, 2022, as recorded in the acknowledgment of receipt in the file. On June 6, 2022, this Agency received a written response indicating that:

“1. Decision adopted regarding the claim

As a result of the internal reviews carried out, it has been decided to strengthen the verification and review process prior to uploading the privacy and cookie policies to production. As well as continuing the process of implementing the cookie governance model, focusing on periodic scanning to force the correct classification of cookies so that they are reflected in the correct categories, both in the configurer and in the cookie policy.

2. Causes that have motivated the incident that has originated the claim.

The transfer of the claim indicates the date of entry into the Agency on February 18, 2022, and consists of three different types of events:

1. The claimant states that cookies would be installed on the website ***URL.3, before being able to manage them.

In this regard, note that on the date of February 2022 the cookie policy on Mapfre.es, as can be seen in the attachment as Evidence 1, reflects an incorrect distribution of cookies within the categories. This is a consequence of the characteristics of the tool used to classify and manage cookies, and the review processes of these through periodic scans. Therefore, it is possible that these may appear incorrectly assigned to a category in the cookie configurator, or those that are obsolete may not have been deleted, and as a result of their synchronization with the cookie policy through a script, they appear assigned as such. Please note that this does not mean that the installation is carried out.
In this sense, MAPFRE ESPAÑA is immersed in a "cookie governance" project, as explained in section 3, with the aim of improving the management of cookies, as evidenced by the following change history:

At the date of these allegations, MAPFRE has been able to verify after analyzing the cookies deployed, no cookie is installed unless the user accepts the chosen selection. The cookies are retained until the user performs the action of saving configuration. The cookies that are installed in the event of rejecting all of them, as shown below, are those that are strictly necessary.

Regarding the management of cookies carried out by MAPFRE, please note that:

First, in relation to how we provide information to users about the use of cookies and the purposes of data processing, MAPFRE follows the provisions of the guide “Guide on the use of cookies July 2020” (the Guide). The management of cookies and the need to adapt it to both the LSSI and the data protection regulations is something that has always been present at MAPFRE. For this reason, throughout this time, various actions have been undertaken to ensure compliance with the different regulations, as well as the criteria that have emerged over time. In the interest of transparency and usability of the web environment, MAPFRE complies with the duty of information at two levels of detail. A first level in the cookie banner and the preference configurator and a second level through the privacy policy and the cookie policy.

First level of information through the cookie banner and the user preference configurator.

First, in the pop-up (cookie banner) that appears to a user the first time they access the website, including the definition and description of the generic function of the cookies on www.mapfre.es:

“MAPFRE ESPAÑA S.A. uses its own and third-party cookies to perform statistical analyses, authenticate the user session, show you useful content and improve and personalize certain services by analyzing your browsing habits. You can configure these cookies, which may limit the browsing and services on the website. If you accept cookies, you are consenting to the use of cookies on this website. You can accept all cookies by clicking the "Accept" button, or configure or reject their use by clicking on Cookie Settings. If you want more information, you can consult our Privacy Policy and Cookies Policy.”

Second, by clicking on the active link of the cookie banner "Cookie Settings" the cookie configuration tool is displayed where the cookie categories are reported.
- Strictly necessary cookies: These cookies are used for the website to work and for you to navigate to secure areas. We cannot deactivate them, but if you still want to change them, you can modify them through your browser settings. By configuring them, it is very likely that the website will not work, since they are necessary cookies.
- Analytical cookies: These are used to collect statistics on user activity. Among other things, the number of users visiting the website, the number of pages visited, as well as the activity of users on the website and their frequency of use are analysed. The information collected is always anonymous so that a link cannot be established between it and the physical person to whom it refers.
- Functional cookies: These cookies allow us to improve functionality, such as videos and online chats. They may be set by us or by external providers whose services are integrated into our pages. If you do not allow these cookies, some or all of these features may not work correctly. An example would be multimedia player cookies, which are used to store technical data in order to play video or audio content. In addition, thanks to them the content is tailored to your use. They allow information to be remembered to personalise your experience.
- Marketing cookies: These cookies allow the personalization and adaptation of the advertising communications that are displayed, according to your preferences. In addition, they allow you to personalize some of the general options of the website, thanks to the navigation data. They are also used to integrate social networks in our site and to allow the user to share content of interest on social networks.

Thirdly, the configurator includes links that display more specific information, so that the user can consult in each category of cookies which are first-party and which are third-party. Third-party cookies are identified by their name or by the brand with which they are identified to the public.

Second level of information: Through the cookie policy, which through a configurator script synchronizes the classification of the cookies in the configurator with the reported categories and through the privacy policy included in the configurator pop-up. Likewise, this is always available in the footer of the website. In the cookie policy, you are informed of how to avoid the use of third-party cookies once accepted by the user. Information is provided on the tools provided by the browser and third parties and if you subsequently wish to delete them, you must do so from your own browser or the system enabled by third parties for this purpose. The privacy policy informs you of those treatments related to the purposes of cookie management and their legal basis.

Second, in relation to how we provide the user with the mechanisms to reject or withdraw consent for their use. Before the cookies are installed in their browser, the user has all the necessary information in layers to make the decision of which ones to select or reject. Therefore, being aware of the consequences of accepting or denying the installation of the cookies stated, they can decide what action to take. Likewise, at any time they can withdraw the consent given by accessing the link of the cookie configuration located in the footer of the website. The action that the user must perform is a clear affirmative action so that consent is considered validly granted. These requirements for obtaining consent are technically materialized in the following way:

At a first level, the user can accept all cookies by clicking the "Accept" button, or configure or reject their use by clicking on Cookie settings.

At a second level, within the cookie settings you can:
- Accept or reject all
- Accept by cookie category by moving the cursor and saving preferences

Until the user does not perform any of the above actions, all those that are not strictly necessary will remain deactivated and those that you have selected will be installed in your browser as you browse the web through the domain and subdomains depending on the requested service.

2. The complainant states that, on the privacy page, the contact method for exercising rights would be limited to a postal address, without providing an email address.

As a result of the update of privacy policies, the privacy policy included in this Evidence 2 was available for months. The last change made to the text was on 03/26/2021. The evidence of the evolution of changes:

The latest available version ***URL.2 includes the email, which corrects the error under the following literal: The above rights may be exercised directly by the data owner or through a legal or voluntary representative, through written communication addressed to the Corporate Office of Privacy and Data Protection at Carretera de Pozuelo, 52, 28222 Majadahonda, Madrid or by writing to ***URL.1. It is attached as a document.
Evidence 3

The error was available for a short time until the review of this in March. Add that not only is the email at ***URL.2 available to the interested party as a means of electronic contact, but also:
- DPD mailbox included at the beginning of the policy.
- As well as other channels such as those available in the Customer Area.

3. The complainant states that personal data would be transferred to the United States through the services of Google Analytics and Google Adds.

In this section we consider it important to point out again that within the project governance of cookie management, when performing periodic scans, it is possible that cookies that are not strictly necessary are classified in a category that does not correspond to them, but this does not imply that they are being installed. Therefore, those Google analytics and Google ads cookies are only installed with consent once the user, after reading the privacy policy and the cookie policy, makes the decision to accept them.

Accordingly, only those cookies that have been consented to are sent to Google Analytics after an anonymization process, where the IP anonymization function applies IP masking so that Google Analytics uses only part of a collected IP address, instead of the full address. The anonymization method is performed on the "aip" variable which, if it has the value "1" in the call, means that anonymization is active. It is documented here: https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters?hl=es#aip

On the other hand, regarding the migration actions to Google Analytics 4 identified in 2021, a plan was drawn up at the corporate level so that in 2022 the migration that all MAPFRE Group entities are carrying out can be completed. Attached in evidence 4 is the action plan presented in May 2021 with the actions to be carried out to improve analytics and migration to Google analytics 4.

One of the accelerators of the implementation and improvement plan comes from the change in the technological platform for the creation and generation of commercial sites, as is the case with mapfre.es. All portals generated for all entities come out with a standard version of Google Analytics 4, giving the different entities the opportunity to customize and improve said version based on their needs. This is the case of mapfre.es, whose migration date is set for April 7, 2022, being one of the last portals to migrate due to its extension.

For those cookies that are part of the migration to version 4 of Google Analytics, it is not necessary to anonymize the IPs, since they are not recorded or stored. In this version, IP addresses are used at the time of collection to determine location information (country, city, latitude and longitude of the city) and are then discarded before the data is recorded in the data centers or servers.

Regarding Google ads, when using the tags provided by Google Analytics, as these are anonymized, they are under the same protection. The _gac and _gcl cookies store campaign information to provide Google Ads with a more reliable way to measure customer interactions with your company. Analytics records campaign information in the _gac and _gcl cookies when a user opens a page on your website through a URL that uses Google Ads automatic tagging.

2. The measures adopted to adapt your “Privacy Policy”.

The validation of the controls included in the AEPD's guide to compliance with the duty of information and the Report on Privacy Policies on the Internet Adaptation to the GDPR has been reinforced within the review process for uploading the privacy policy.

MAPFRE has a firm commitment to the protection of personal data. In order to meet the requirements established by the European Data Protection Regulation, in July 2016 a Corporate Working Group was established to adapt MAPFRE, early and with a transversal and proactive approach, to the new demands. This Corporate Working Group, among other lines, defined the different projects and lines of activity that must be developed to adapt to the new Regulation, considering among others:
- Catalogue of Privacy Texts: Identification, review and, where appropriate, codification, of the texts that must be modified or developed in order to adapt to the updated European Data Protection Regulation (clauses, privacy policies, messages, etc.) ensuring that they are homogeneous and that they serve as models in the MAPFRE group
- Duty to Provide Information: Analyze the requirements regarding the Information to provide to interested parties, as well as the mechanisms that will be used to guarantee the duty to provide information. Review the texts and clauses that inform interested parties regarding the treatment, so that they comply with the information required and follow the criteria of the regulation: concise, transparent, intelligible and easy-to-access information, with clear and simple language.
- Consent management: Ensure that consent management is carried out for treatments based on the new requirements.

In this regard, the Working Group prepared and approved the first versions of the following linked documents:
- July 2017 - February 2018, both the privacy policy and the cookie policy.

With the entry into force in May 2018, this Working Group remained active, becoming the Corporate Privacy and Data Protection Committee. This Committee meets every six months to monitor the various legislative pronouncements/new developments, without prejudice to the possibility of convening extraordinary sessions to deal with any specific relevant aspect.

MAPFRE has a regulatory observatory and analyses the many pronouncements by regulators in the countries in which it is present, with the aim of guaranteeing that, from the design stage, all processes comply at all times with the privacy and data protection regulations that are applicable. In this regard, linked to Cookie Management, specific Working Groups were established to analyze and define the criteria and lines of action to be undertaken:
- November 2019. Since the publication of the AEPD Cookies Guide, work has been carried out on the analysis, from which the lines of adaptation have been established. Evidence is shown of the presentation held in January where the analysis carried out was reported and the actions necessary to adapt to what is established in the guide were identified.
- July 2020. Since the publication of the Guide on the use of Cookies by the AEPD, work has been carried out on the analysis, from which the lines of adaptation have been established before October 31, 2020, a transitional period of three months to implement the necessary changes in accordance with the criteria introduced regarding user consent for the use of cookies.

In order to monitor compliance with the implemented texts, apart from the periodic reviews, it is important to indicate that different audits of compliance with the RGPD are carried out, where the topic of privacy and cookie policies is specifically reviewed.

3. The measures adopted to adapt the use of cookies.

Mapfre, due to the technological particularity of its web resources, has decided to create a Cookie Governance Model that is made up of three lines of work:

Cookie governance model, integrating various areas of the company (Privacy, digital business, web development)

It is based on a structured work dynamic that allows to minimize as much as possible the possible errors or problems derived from the use of OneTrust. The good practices that help detect when it is necessary to make changes in the OneTrust configuration are established:
1. Before any new site or development in the web portals: migrations, implementation of new analytical tools, changes in an application...
2. Periodic reviews to prevent implementation errors.
3. Incident detection: errors in web loads

After exporting the scan result, the cookies found and the categorizations assigned by OneTrust will be reviewed. Sometimes these categories must be changed or assigned manually since the tool is not able to understand who or what creates the cookies. In these cases, a categorization proposal and description document is created that must be approved by legal. Prioritize by domains and subdomains, creation of domains

Evidence 5

Outsourcing of the cookie management service. The decision has been made to seek support in the implementation of the cookie management governance model through an external supervised service with the objective of having proactive and continuous monitoring.

Evidence 6

Migration to G4: Implementation project. As a result of the global corporate action plan, migration to Google Analytics 4 has begun at MAPFRE SPAIN, as planned in 2021. In addition to improvements in web analytics functionalities, the basis of Google Analytics 4 is privacy. When collecting data, Google Analytics 4 does not record or store IP addresses. The IP addresses it collects from EU users are removed before registering them on EU domains and servers. The lines to be executed for the migration include:
- Adaptation to the new GA4 taxonomy of all Mapfre ES assets
- In coordination with IT, include datalayer in all possible assets
- GA adjustments (DataStreams, Subproperties...)
- Adaptation of reports to GA4 according to priority”

THIRD: On May 19, 2022, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing.
FOURTH: On May 28, 2024, the Director of the Spanish Data Protection Agency agreed to initiate a warning procedure against the respondent party, for the alleged violation of Article 44 of the GDPR, classified in Article 83.5 of the GDPR. FIFTH: The notification of the aforementioned initiation agreement, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on May 29, 2024, as stated in the acknowledgment of receipt that is in the file. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/35 SIXTH: On May 30, 2024, MAPFRE submitted a document through which it requested an extension of the deadline to submit allegations. SEVENTH: On May 31, 2024, the body in charge of the procedure agreed to the requested extension of the deadline up to a maximum of five days, in accordance with the provisions of article 32.1 of the LPACAP. The aforementioned agreement was notified to MAPFRE on May 31, 2024, as stated in the acknowledgment of receipt in the file. EIGHTH: On June 19, 2024, a written statement of allegations was received from the respondent party, which, in summary, includes the following considerations: - MAPFRE claims to have corrected what was stated by the complainant in the complaint regarding the fact that on the website ***URL.3 “cookies are loaded before they can be managed, without taking any action” - In the contract in force during the period of the claim, Google Ireland Limited is the entity that provides the Google Analytics services. - The cookies that had been consented to were sent to Google by applying an anonymization process on the user's IP address. - Since September 2023, Google LLC has adhered to the EU-US Data Privacy Framework. UU. - As of June 6, 2022, MAPFRE was immersed in the process of migrating to Google Analytics 4. 
- According to MAPFRE, a Corporate Privacy and Data Protection Committee has been created. This is a specific, operational committee for management and control in the area of privacy and data protection, supporting the DPO in the development of its functions. - That, pursuant to the provisions of article 67.2 of the LOPDyGDD in connection with article 122.4 of the LOPD Development Regulation (RLOPD), approved by Royal Decree 1720/2007, of December 21, in force in everything that does not contradict, oppose or is incompatible with the provisions of the RGPD and the LOPDGDD, the previous actions carried out by that Agency within the framework of this warning procedure must be understood to have expired. In view of all the actions taken, the following facts are considered proven by the Spanish Data Protection Agency in the present procedure: PROVEN FACTS FIRST: On March 18, 2022, in connection with the analysis of the claim filed by the complainant against MAPFRE, this Agency found that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/35 the Privacy and Data Processing Policy of the ***URL.2 website includes the following Google Analytics cookies: _ga, _gid (page 19 of the file). On that same date, the following action is carried out: Acceptance of the cookies of the ***URL.1 website through the Chrome browser. In the image incorporated into the file it is verified that the _ga, _gid cookies have been installed (page 44 of the file). 
SECOND: On June 6, 2022, in the response to the transfer of the claim, MAPFRE acknowledges that it has introduced the code of the Google Analytics tool on its website: “…so those Google Analytics and Google Ads cookies are only installed with consent once the user, after reading the privacy policy and the cookie policy, makes the decision to accept them.” THIRD: On September 2, 2020, the plenary session of the European Data Protection Committee decided to create a working group (hereinafter, working group TF101) to ensure a coherent approach between European data authorities, regarding the management of the 101 NOYB complaints regarding the use of Google Analytics and possible data transfers to the US, in the context of the CJEU Schrems II ruling. FOURTH: In the document dated April 9, 2021, sent by GOOGLE LLC to the Austrian data protection authority, which shares it with the rest of the authorities through the TF101 working group NOYB claims in the context of the CJEU Schrems II ruling, the following information and statements are included (from its unofficial translation from English): (…). FIFTH: In the model Contract for adhesion to GOOGLE services (page 145 and following of the file), entitled “Google Ads Data Processing Terms” (https://privacy.google.com/businesses/processorterms/), in its version of September 21, 2022, it was stated that (unofficial translation): “Google Ads Data Processing Terms Google and the counterparty that accepts these Conditions (the “Client”), have entered into a contract for the provision of the Data Processor Services (as amended from time to time, the “Contract”) These Google Ads Data Processing Terms, (the “Data Processing Terms”) are entered into by Google and the Client and supplement the Contract. 
[…]

If you accept these Data Processing Terms on behalf of the Customer, you warrant that: (a) you have full legal authority to make these Data Processing Terms binding on the Customer; (b) you have read and understand these Data Processing Terms; and (c) you accept them on behalf of the Customer. If you do not have the legal authority to make these Data Processing Terms binding on the Customer, do not accept them.

Introduction

These Data Processing Terms reflect the agreement between the parties regarding the terms governing the processing of certain data in relation to European Data Protection Legislation and certain Non-European Data Protection Legislation.

Definitions and Interpretation

[…]

“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other entity that directly or indirectly controls Google LLC, is controlled by Google LLC or is subject to the same control as Google LLC.

“Google” means the Google Entity that is a party to the Agreement.

“European Data Protection Law” means, as applicable, (a) the GDPR and/or (b) the Swiss FDPA.

[…]

“SCCs” means the Customer Standard Contractual Clauses and/or the Standard Contractual Clauses (EU Processor to Processor, Google Exporter), as applicable.

[…]

“SCCs (Processor to Processor, Google Exporter)” means the terms included in ***URL.4.

[…]

“Subprocessors” means third parties authorized under these Data Processing Terms to have logical access to and process Customer Personal Data for the purposes of providing part of the Processor Services and any related technical assistance.

[…]

5. Data Processing

5.1 Roles and Compliance; Authorization.

5.1.1 Responsibilities of the Data Processor and the Data Controller. The parties acknowledge and agree as follows:

(a) Appendix 1 describes the subject matter and details of the processing of Customer Personal Data.
(b) Google is a data processor of Customer Personal Data;

(c) Customer is a data controller or processor, as applicable, of Customer Personal Data; and

(d) Each party will comply with its obligations under Applicable Data Protection Laws with respect to the processing of Customer Personal Data.

[…]

5.2 Customer Instructions. By entering into these Data Processing Terms, Customer directs Google to process Customer Personal Data solely in accordance with applicable law: (a) to provide the Processor Services and any related support; (b) as more fully specified through Customer's use of the Processor Services (including the configuration and other features of the Processor Services) and any related support; (c) as documented by the Agreement (including these Data Processing Terms); and (d) as more fully documented in other instructions provided in writing by Customer and acknowledged by Google as constituting instructions for the purposes of these Data Processing Terms (collectively, the “Instructions”).

5.3 Google's Compliance with Instructions. Google will comply with the Instructions unless prohibited by Applicable Laws or other processing is required by Applicable Laws.

[…]

10. Data Transfers

10.1 Data Storage and Processing Facilities. Subject to this Section 10 (Data Transfers), Google may process Customer Personal Data in any country in which Google or any of its Subprocessors maintain facilities.

10.2 Restricted European Transfers. The parties acknowledge that European Data Protection Laws do not require SCCs or an Alternative Transfer Solution to process Customer Personal Data in or transfer Customer Personal Data to an Adequate Country.
If Customer Personal Data is transferred to any other country and such transfers are subject to European Data Protection Laws (“Restricted European Transfers”), then:

(a) If Google adopts an Alternative Transfer Solution for any Restricted European Transfer, Google will inform Customer of the relevant solution and ensure that such Restricted European Transfers are carried out in accordance with such solution; and/or

(b) If Google has not adopted, or has informed Customer that it will no longer adopt, any Alternative Transfer Solution for any Restricted European Transfer, then:

(i) If Google’s address is located in an Adequate Country: (A) the SCCs (Processor to Processor, Google Exporter) apply with respect to all Restricted European Transfers from Google to Subprocessors; and (B) in addition, if Customer's address is not located in an Adequate Country, the SCCs from Data Processor to Data Controller will apply with respect to Restricted European Transfers between Google and Customer, regardless of whether Customer is a controller and/or a processor; or

(ii) If Google's address is not located in an Adequate Country, the SCCs from Data Controller to Data Processor and/or the SCCs (Processor to Data Processor) will apply, depending on whether Customer is a data controller and/or a processor, with respect to Restricted European Transfers between Customer and Google.

10.3 Additional Measures and Information. Google will provide Customer with relevant information regarding Restricted European Transfers, including information about additional measures to protect Customer Personal Data as described in Section 7.5.1 (Security Documentation Reviews), Appendix 2 (Security Measures) and other materials relating to the nature of the Processor Services and the processing of Customer Personal Data (e.g., help center articles).

10.4 Termination.
If Customer concludes, based on its intended or current use of the Processor Services, that the Alternative Transfer Solution and/or SCCs, as applicable, do not provide adequate protection for Customer Personal Data, Customer may immediately terminate the Agreement for convenience by giving written notice to Google.

10.5 Data Center Information. Information about Google's data center locations is available at ***URL.5.

11. Subprocessors

11.1 Consent to engage a Subprocessor. Customer specifically authorizes the engagement of the entities listed, as of the Effective Date of the Terms, at the URL specified in Section 11.2 (Subprocessor Information). In addition, and without prejudice to Section 11.4 (Opportunity to Opt Out of Subprocessor Changes), Customer generally authorizes the engagement of any other third party as a Subprocessor (“New Subprocessors”).

[…]” (emphasis added).

SIXTH: In the description of Google Analytics, located at the URLs ***URL.5, it was stated, among other information, that the cookies _ga and _gid were used to distinguish users and that the parameter “sr” referred to the screen resolution (page 136 and following of the file).

SEVENTH: According to the answer to question 4 (ii) of the document dated April 9, 2021 from GOOGLE LLC in the file, the owner of a website who has implemented the Google Analytics code on that website can choose between multiple retention periods, ranging from 2 months to 50 months from the moment the data was collected.
EIGHTH: According to the document dated September 27, 2024, in the file, as of January 18, 2021, the URL ***URL.6 stated (unofficial translation, original in English):

“[…] Requests from US government agencies in cases involving national security

In investigations related to national security, the US government may use a National Security Letter (NSL) or one of the warrants granted under the Foreign Intelligence Surveillance Act (FISA) to compel Google to provide user information. An NSL does not require a court order and can only be used to compel us to provide limited subscriber information. FISA warrants and authorizations can be used to compel electronic surveillance and disclosure of stored data, including content on services such as Gmail, Drive, and Photos. […]”

NINTH: According to the document dated September 27, 2024, in the file, as of January 26, 2022, the URL ***URL.7 stated (unofficial translation, original in English):

“[…] Basic concepts about personally identifiable information in Google contracts and policies

Many contracts, terms of service, and policies for Google advertising and measurement products refer to “personally identifiable information” (PII). This is a different categorization of data than what the General Data Protection Regulation (GDPR) considers “personal data.” Please note that even if Google does not identify certain data as personally identifiable information, it may be possible that the GDPR does so, or that such data may be considered personal information under the California Consumer Privacy Act (CCPA), and may be subject to those laws.

[…]

Google considers “personally identifiable information” to be information that can be used on its own to precisely identify, locate, or contact an individual directly.
This includes, but is not limited to:

• Email addresses
• Mailing addresses
• Phone numbers
• Precise locations (for example, GPS coordinates, except as noted below)
• Full names (first and last names) or usernames

[…]

Among other things, Google does not consider the following data to be personally identifiable information:

• Pseudonymous cookie IDs
• Pseudonymous advertising IDs
• IP addresses
• Other pseudonymous end-user identifiers

For example, if an IP address is submitted with an ad request (which is the case for almost all ad requests, as a result of Internet protocols), that submission will not violate any prohibition against submitting personally identifiable information to Google. Please note that even if Google does not identify certain data as personally identifiable information, it may still be considered personal data or personal information under the GDPR, CCPA, or other privacy laws. […]”

TENTH: According to the document dated September 27, 2024, which is included in the file, at the URL ***URL.8 Google has been publishing since 2009 the number of requests for information on users in the US related to FISA (Foreign Intelligence Surveillance Act) and NSLs (National Security Letters).

FUNDAMENTALS OF LAW

I
Competence and procedure

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures.”

Considering the nature of the facts that have given rise to the actions and the concurrent circumstances, the present warning procedure is followed in accordance with the provisions of article 64.3 of the LOPDGDD.

II
Preliminary questions

Article 4.2 of the GDPR defines “processing” as: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Article 4.7 of the GDPR defines the “controller” as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

In this case, in accordance with the provisions of Article 4.1 and 4.2 of the GDPR, personal data processing is being carried out, since MAPFRE collects and processes, through the Google Analytics service, among others, the following personal data of natural persons: unique user identifiers (_ga and _gid), the IP address, as well as other data associated with the browser and the navigation itself, among other processing.
MAPFRE carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR.

Article 44 of the GDPR establishes the general principle of transfers of personal data to third countries.

III
Response to the allegations

The following is a response to the allegations presented by the responding entity, in the order in which they are formulated in its writing:

“1. Regarding the possible installation of analytical cookies.”

MAPFRE claims to have corrected the situation described by the complainant in the complaint, namely that on the website ***URL.3 “cookies are loaded before they can be managed, without taking any action”, by reinforcing the implementation process of the cookie governance model, focusing on periodic scanning to force the correct classification of cookies so that they are reflected in the correct categories, both in the configuration tool and in the cookie policy.

In response to this allegation, it should be noted that the issue raised by MAPFRE does not undermine its responsibility regarding the facts that led to the initiation of the present procedure. The management of the installation of cookies is independent of the fact that there is no cause that legitimizes the international transfer of data. If MAPFRE intended to legitimize the international transfer of data by obtaining the consent of the complainant, it should have obtained said consent separately from the consent obtained for the installation of cookies. In addition, it was required to inform the complainant of the risks that data transfers to the US posed to their personal data.

For all the reasons stated above, this claim is rejected.

“2. Regarding possible international data transfers.”

“First.- Situation of MAPFRE ESPAÑA prior to the EU-US Data Privacy Framework”

“1.- Contract with Google Ireland Limited”

In the contract in force during the period of the claim, Google Ireland Limited is the entity that provides the Google Analytics services.

In response to this claim, it should be noted that MAPFRE's liability for the commission of the infringement that motivates this procedure arises insofar as the international transfer of data violates the rights of the complainant and of the users who visit the MAPFRE website, by not guaranteeing a level of protection equivalent to that established in the GDPR, and the effectiveness of the obligations established by the GDPR must be guaranteed.

In this regard, Recital 81 of the GDPR clarifies that the data processor must offer sufficient guarantees regarding specialized knowledge, reliability and resources, with a view to the application of technical and organizational measures that meet the requirements of the Regulation, including the security of the processing.

On September 27, 2021, GOOGLE substantially modified the “Google Ads Data Processing Terms”, as can be seen on the website ***URL.9. In section 10.3 of these Terms the Customer who contracts the service assumes the so-called “Restricted Transfers”:

“10.3 Restricted Transfers. If the processing of Customer Personal Data involves any type of transfer other than a Permitted Transfer and such transfers are subject to European Data Protection Laws (“Restricted Transfers”), then:

(a) If Google announces that it has adopted an Alternative Transfer Solution for any Restricted Transfer, then it will ensure that such Restricted Transfers are made in accordance with such Alternative Transfer Solution.
(b) If Google has not adopted an Alternative Transfer Solution for any Restricted Transfer, then:

(i) If Google's address is located in an Adequate Country: (…)

(ii) If Google's address is not located in an Adequate Country: (A) the SCCs (EU Data Controller to Data Processor) and/or the SCCs (EU Data Processor to Data Processor) apply, depending on whether Customer is a data controller and/or processor, with respect to Restricted Transfers between Customer and Google that are subject to the EU GDPR and/or the Swiss FDPA. (…)”

The SCCs applicable to the present case are the “SCCs (Google Ads and Measurement: Standard Contractual Clauses (Module 3: Processor to Processor))”, which can be consulted on the following website: ***URL.10; the status of exporter is attributed to GOOGLE IRELAND, as MAPFRE refers to in its allegations.

However, MAPFRE, when introducing the code of the Google Analytics tool on its website ***URL.3 on the basis of a corporate decision, was aware that the personal data is transferred to Google LLC, based in the United States, either directly by MAPFRE or by Google Ireland.

Although it is true that MAPFRE does not decide where personal data is stored by Google LLC, from the moment it contracts the services of the Google Analytics tool it is understood that it agrees with point 10 of the “Google Ads Data Processing Terms”, so the data controller has agreed that Google may store and process the customer's personal data (i.e., personal data of the complaining party and of any user who visits the website in question) in any country in which Google or any of its subprocessors maintain facilities, including the USA, as declared by Google LLC itself in the document dated April 9, 2021. Thus, Google LLC adheres to these provisions and, on behalf of MAPFRE, carries out the processing of the personal data necessary for the correct provision of the service.
Consequently, regardless of the fact that the current SCCs (Google Ads and Measurement: Standard Contractual Clauses (Module 3: Processor to Processor)) consider Google Ireland as the data exporter, MAPFRE, as the data controller, assumes, together with the other conditions of the contract for Google LLC services, the agreements regarding data processing and the SCCs that allow data to be transferred to Google LLC, based in the United States. Therefore, MAPFRE is responsible for the international transfer of data that occurs as a result of the service provided by Google LLC.

This criterion is shared by the European Data Protection Board (EDPB), which, in compliance with the objective of guaranteeing the consistent application of the General Data Protection Regulation (as attributed to it by Article 70 of the RGPD), adopted the “Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR”, paragraph 19 of which states the following (official text in English, emphasis added):

“It is also important to note that Article 44 of the GDPR clearly provides that a transfer may not only be carried out by the controller, but also by the processor. Therefore, there will be a situation of transfer when a processor (either under Article 3, paragraph 1, or under Article 3, paragraph 2, for a particular processing, as explained above) sends data to another processor or even to a controller in a third country on instructions from its controller.
In such cases, the processor acts as a data exporter on behalf of the controller and must ensure that the provisions of Chapter V for the transfer in question are complied with in accordance with the instructions of the controller, including the use of an appropriate transfer tool. Given that the transfer is a processing activity carried out on behalf of the controller, the controller is also responsible and could be liable under Chapter V, and must also ensure that the processor provides sufficient guarantees under Article 28.”

In conclusion, MAPFRE may be considered the data controller in the sense of Article 4.7 of the GDPR, since it is the party that manages the website «www.mapfre.es», determining the means and purposes of the collection and processing of the data obtained as a result of the integration of Google Analytics on its website, so that it is responsible for ensuring that the processing complies with the requirements of the GDPR, and must guarantee the protection of the rights of the interested party in international data transfers, in accordance with the provisions of Article 44 and following of the GDPR.

For all the reasons set forth above, this claim is rejected.

“2.- Anonymization of the IP when sending it to Google Universal Analytics”

The cookies that had been consented to were sent to Google by applying an anonymization process to the user's IP address.

In response to this allegation, it should be noted that MAPFRE has not in any way proven that the IPs are anonymized within the territory of the European Union.
There is no technical proof nor any evidence to support the claim that the anonymization of the IP is carried out within the territory of the European Union, as MAPFRE itself states: “…it should be carried out immediately after its collection by Google Ireland” (emphasis added). Therefore, any IP address can be transmitted to the United States and shortened only in a second step, after its export. There, from a technical point of view, it is possible to access the full IP address before its anonymization. Furthermore, it should be noted that the measure is optional and not applicable to all transfers.

In addition to the IP, as developed in Legal Basis IV of this resolution, in its point 2, “On the classification of the data subject to processing as personal data”, MAPFRE carries out international transfers of other personal data through Google Analytics.

For all the reasons stated above, this claim is rejected.

“Second.- Situation of MAPFRE ESPAÑA as of the date of the response to the warning.”

“1.- Google's adherence to the EU-US Data Privacy Framework since September 2023.”

Since September 2023, Google LLC has adhered to the EU-US Data Privacy Framework.

In response to the claim about the new US legal framework and Google LLC's adherence to the “EU-US Data Privacy Framework”, for the purposes of determining responsibility for the commission of the infringement, the current legal framework is not applicable, but rather the legal regime in force on the date of the facts that are the subject of the claim, in particular as established by the CJEU in the judgment in case C-311/18 (Schrems II), which declared invalid Commission Implementing Decision (EU) 2016/1250, of 12 July 2016, on the adequacy of the protection conferred by the EU-US Privacy Shield.

For all the reasons set out above, this claim is rejected.
“2.- Migration to Google Analytics 4 (GA4)”

MAPFRE was immersed in the process of migrating to Google Analytics 4, in which IP addresses are no longer recorded and stored.

In response to this claim, it should be noted that the collection of the IP address itself constitutes processing of personal data of the interested parties, regardless of its subsequent anonymization. As an example, in Google Analytics 4, according to Google’s “Privacy and Data in the EU” (***URL.11), “…IP address data is used only to obtain geolocation data and is immediately discarded,” so the information that the IP address can provide is used before its anonymization. In addition, the “Google Ads Data Processing Terms” are maintained, according to which the data controller agrees with Google that it may store and process the customer's personal data in any country in which Google or any of its subprocessors maintain facilities. When this information is collected, it is transmitted to the Google Analytics servers. And, according to the Google LLC document dated April 9, 2021, in the last paragraph of the answer to question 8, Google states that all data collected through Google Analytics is hosted in the United States.

For all the reasons set forth above, this claim is rejected.

“Third.- MAPFRE ESPAÑA has a Cookie and Regulatory Compliance Governance.”

According to MAPFRE, a Corporate Privacy and Data Protection Committee has been created. This is a specific committee, of an operational nature, for management and control in the area of privacy and data protection, supporting the DPO in the development of its functions.
In addition, pursuant to the provisions of article 67.2 of the LOPDGDD in connection with article 122.4 of the Regulation for the development of the LOPD (RLOPD), approved by Royal Decree 1720/2007, of December 21, in force in everything that does not contradict, oppose or prove incompatible with the provisions of the RGPD and the LOPDGDD, the previous actions carried out by this Agency within the framework of this warning procedure must be understood to have expired.

- MAPFRE has created a Corporate Committee for Privacy and Data Protection.

However, this Committee, which has existed since 2016, has not taken into account, with regard to the processing in question, the doctrine established by the CJEU in Case C-311/18 (Schrems II), which declared invalid Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection conferred by the EU-US Privacy Shield.

According to GOOGLE LLC's response of 9 April 2021, as a provider of electronic communications services within the meaning of paragraph (b) of point 4 of Section 1881 of Title 50 of the United States Code, it is subject to oversight by US intelligence services pursuant to Section 1881(a) of Title 50 of the United States Code (“FISA 702”), and therefore the international transfers of data to Google Analytics servers infringed the regulatory framework in force according to the judgment of the CJEU in Case C-311/18.

With regard to the standard contractual clauses on which Google bases its international transfer of data to the US, the CJEU considered that the contractual nature of these clauses meant that they could not be binding on authorities in third countries.
In particular, the CJEU stated that: “...Therefore, although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates” (C-311/18, paragraph 126, emphasis added).

- Expiration of the preliminary investigation proceedings.

With regard to the expiry of the preliminary investigation proceedings, in response to this allegation, it should be noted that, in this case, after the claim was admitted for processing, no preliminary investigation proceedings have been carried out, so that the twelve-month period for the duration of these proceedings, which Article 67.2 of the LOPDGDD established as a time limit according to the wording of said article in force at the time when the claim was admitted for processing, is not applicable. The period established in Article 67.2 of the LOPDGDD is the maximum period within which the initiation agreement must be issued, and only in the event that it was agreed to open preliminary investigation proceedings; this time limit cannot be applied, as MAPFRE claims, where such proceedings have not been agreed. After the claim has been admitted for processing, and it is not considered necessary to carry out preliminary investigation proceedings, the only time limit that must be applied is the three-year limitation period provided for in article 72.1.l) of the LOPDGDD for the case of very serious infringements, as stated in the initiation agreement.
Given the absence of an adequacy decision for the USA (after CJEU C-311/18) between 16 July 2020 and 10 July 2023, the facts referred to in the claim continued until at least the latter date, which would be the start of the limitation period, so that, on the date of commencement of the present procedure, the infringement had not expired.

For all the reasons set out above, this claim is rejected.

IV
Transfers of personal data to third countries

Article 44 “Transfers of personal data to third countries or international organisations” of the GDPR provides: “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

Chapter V of the Regulation provides for various instruments to ensure a level of protection substantially equivalent to that guaranteed in the European Union, in accordance with Article 44 of the Regulation:

- adequacy decisions (Article 45);
- appropriate safeguards (Article 46).

In the absence of an equivalent level of protection, it establishes derogations for specific situations (Article 49).

1. On data processing and responsibility for processing.
In the document dated April 9, 2021 sent by Google LLC to the Austrian data protection authority, which it shared with the other authorities in the framework of the TF101 working group, it is indicated that Google Analytics works by including a block of JavaScript code in the pages of a website. When a user visits a web page, this JavaScript code refers to a JavaScript file that has been previously downloaded to the user's device, which then executes the tracking operation for Google Analytics. The tracking operation collects data about the requested page through various means and sends this information to the Analytics server via a set of parameters attached to a request for a single-pixel GIF image sent to the google-analytics.com domain. The data is then further processed and ends up in the reports of the website owner, in this case MAPFRE.

The data that Google Analytics collects for the benefit of the website owner comes from the following sources:

i. The user's HTTP request. An HTTP request contains details about the browser and computer making the request, such as the hostname, browser type, referrer, and language.

ii. Browser and system information.

iii. First-party cookies.

Website administrators who integrate the Google Analytics service may send instructions to Google for the processing of data collected through Google Analytics. The website administrator may apply different settings, for example regarding the data retention period. The Google Analytics function also allows website administrators to monitor and maintain the stability of their website, for example by keeping them informed of certain events such as a spike in audience or the fact that there is no traffic at all. Google Analytics also allows website administrators to measure and optimize the effectiveness of advertising campaigns conducted using other Google tools.
Therefore, Google Analytics collects the user's HTTP request, which contains information about the user's browser and operating system, the referrer, and the language. In addition, Google Analytics stores and reads cookies in the user's browser to evaluate the user's session and other information about the request.

With regard to these data transfers, the agreement for the Google Analytics feature (“Google Analytics Terms of Service”) incorporates an appendix entitled “Google Ads Data Processing Terms” (in previous versions referred to as the “Google Ads Data Processing Terms”). This appendix contains standard contractual clauses governing the transfer of personal data to the United States of America under the Google Analytics service. In addition, Google has implemented additional legal, organizational and technical measures to regulate data transfers under the Google Analytics service. In accordance with point 10 of the “Google Ads Data Processing Terms”, the controller has agreed that Google may store and process personal data of the customer (in this case, personal data of the complaining party) in any country in which Google or any of its subprocessors maintain facilities.

When this information is collected, it is transmitted to the Google Analytics servers. Referring to the document sent by Google LLC dated April 9, 2021, in the last paragraph of the answer to question 8, Google states that all data collected through Google Analytics is hosted in the United States. Therefore, the data collected on the website "www.mapfre.es" through Google Analytics is transferred to the United States. Such data transmission requires a legal basis in accordance with Article 44 et seq. of the GDPR.
All these elements show that, by deciding to implement the Google Analytics function on its website, MAPFRE, which operates the website “www.mapfre.es”, determined the means and purposes of the collection and processing of the data obtained following the integration of Google Analytics on its website and must be considered the data controller within the meaning of Article 4.7 of the GDPR.

2. Regarding the classification of the data subject to processing as personal data

It can be stated that the data collected in accordance with the Google Analytics function and transferred to the United States of America constitute personal data. Article 4.1 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘the data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

It should be noted that online identifiers such as IP addresses or information stored in cookies can commonly be used to identify a user, especially when combined with other similar types of information. This is illustrated by Recital 30 of the GDPR, according to which the assignment of online identifiers such as IP addresses and cookie identifiers to natural persons or their devices may "leave traces which, in particular when combined with unique identifiers and other information received by servers, can be used to create profiles of natural persons and to identify them."
In the particular case where the controller claims not to have the ability to identify the user by using (alone or in combination with other data points) such identifiers, it would be expected that it would disclose the specific means deployed to ensure the anonymity of the identifiers collected. Without such details, they cannot be considered anonymous.

It is therefore necessary to examine to what extent the implementation of Google Analytics on a website enables the website operator and Google to make it possible for a data subject (a visitor to the website in question) to be identified. When a user visits the website www.mapfre.es, the following data (via JavaScript code) is transmitted from the complainant's browser to the servers of Google LLC (answer to question 2 of the Google document of 9 April 2021):
- _ga and _gid cookies (first-party cookies);
- URL of the web page visited (dl parameter) and title of the web page visited (dt parameter);
- IP address;
- sr (screen resolution), among other parameters;
- data on the browser and operating system;
- unique identifier that identifies the website operator.

It should be noted that the CJEU has already declared that IP addresses are personal data (see Case C-597/19, point 102 and C-582/14, point 49). The IP address does not lose its nature as personal data simply because the means of identification reside in third parties. In addition, the case in question is very different, since the IP address can be combined with other elements, as described below.

With regard to unique identifiers, when a user visits the website www.mapfre.es, its cookie policy recognizes the use of Google Analytics, which involves sending the values of the cookies "_ga" and "_gid" to Google LLC, as recorded in the reference of Google Analytics cookies. According to the description of Google Analytics located at the URLs ***URL.12 and ***URL.13, the _ga and _gid cookies are used to distinguish users and the “sr” parameter refers to the screen resolution.

Visitor identifiers are unique identifiers intended to differentiate individuals (where such differentiation was not previously possible), and make individuals identifiable. These identifiers may also be combined with other information, such as the address of the website visited, metadata relating to the browser and operating system, time and data relating to the website visit, and the IP address. This combination of information further differentiates individuals. For this reason, when several elements are combined, they may allow visitors to the website “***URL.3”, on which Google Analytics is implemented, to be identified individually. It is not necessary to know the name or (physical) address of the visitor, since, according to Recital 26 of the GDPR, such singling out of individuals is sufficient to make the visitor identifiable.

If it were decided otherwise, the scope of the right to data protection, guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union, would be undermined, as it would allow companies to specifically target individuals with personal information (for example, when they visit a specific website) while denying them any right to protection against such targeting. Such a restrictive opinion, which would undermine the level of protection of individuals, is also not in line with the case law of the Court of Justice of the European Union (hereinafter CJEU), which has repeatedly ruled that the scope of the GDPR must be understood very broadly (see, for example, judgment C-439/19, paragraph 61).
Although Google LLC claims that it has “no intention” to use online identifiers to identify the complaining party (or other persons), as stated in the last paragraph of the answer to question 13 of the document of April 9, 2021, and that in fact it “does not do this”, it should be noted that Article 4, paragraph 1, of the GDPR does not require an entity to have a specific intention to identify a person. According to the clear wording of Article 4, paragraph 1, of the GDPR, the definition of “personal data” is met as soon as an entity can (has the possibility to) identify the person. Even under a more restrictive interpretation of Article 4, paragraph 1, of the GDPR, which in any case would be contrary to the case law of the CJEU, the definition of “personal data” would be understood to apply to the data at issue.

In the event that any visitor to the website ***URL.3 has logged into a Google account at the time of his visit, as can be seen in the Google LLC declaration of April 9, 2021, the implementation of Google Analytics on a website allows Google to receive the information that a specific user of the Google account has visited that website. In the context of the use of Google Analytics, and depending on some settings in the Google user account settings (see answer to question 9 of the Google document of April 9, 2021), it allows Google to receive information that a user connected to a Google account has visited a particular website. Personal data related to this account is therefore collected.

For all these reasons, the data in question must be considered to be personal data within the meaning of Article 4.1 of the GDPR.
3. Regarding the failure to comply with the obligation to regulate transfers of personal data outside the European Union

In the present case, it must be verified whether the export of personal data to the United States of America took place, as indicated by the complainant, in the terms established in Article 44 of the GDPR, and, if it did take place, whether the export was carried out with an adequate level of protection in accordance with an adequacy decision of Article 45 of the GDPR, or, failing that, whether any of the guarantees of Article 46 of the GDPR were adopted.

Adequacy decisions

In its judgment in Case C-311/18 ("Schrems II") of 16 July 2020, the CJEU invalidated Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection offered by the "EU-US Privacy Shield" (“Privacy Shield”), without maintaining its effects on the date of the facts subject to the complaint. In the absence of an adequacy decision applicable to the present case, the data transfer in question cannot be based on the provisions of Article 45.3 of the GDPR.

Appropriate safeguards: Standard data protection clauses

Article 46, “Transfers with appropriate safeguards”, of the GDPR, establishes in its section 1 that “In the absence of a decision pursuant to Article 45, section 3, the controller or the processor may only transfer personal data to a third country or international organisation if it has offered appropriate guarantees and on condition that the data subjects have enforceable rights and effective legal remedies.”
Article 46(2) of the GDPR provides that “Appropriate safeguards pursuant to paragraph 1 may be provided, without requiring any express authorisation from a supervisory authority, by: (…) (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2). (…)”.

Google's standard contractual clauses for the transfer of personal data to the United States, updated on September 27, 2021, are entitled "Google Ads & Measurement: Standard Contractual Clauses (Module 3: Processor-to-Processor)”, which could be translated as: “Google Ads data processing terms: Model Contractual Clauses, Standard Contractual Clauses Processor-to-Processor” (hereinafter, SCC). These clauses comply with those published by the European Commission in Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors.

In this context, it should be noted that the standard contractual clauses are a transfer instrument within the meaning of Chapter V of the Regulation and were not challenged as such by the CJEU in its judgment of 16 July 2020 (C-311/18). However, the CJEU considered that the contractual nature of these clauses meant that they could not be binding on authorities in third countries. In particular, the CJEU stated that: “...Therefore, while there are situations in which, based on the laws and practices in force in the third country in question, the recipient of such a transfer is in a position to ensure the necessary data protection solely on the basis of standard contractual data protection clauses, there are other situations in which the content of such standard clauses may not constitute a sufficient means to ensure, in practice, the effective protection of personal data transferred to the third country in question.
This is the case, in particular, where the legislation of that third country allows its public authorities to interfere with the rights of data subjects to whom such data relate" (C-311/18, point 126, emphasis added).

There is no need to carry out a further analysis of the legal situation in the United States, as the CJEU has already provided for this in its judgment referred to above. Indeed, the CJEU considered that regulatory surveillance programmes such as Section 702 of FISA and E.O. 12333 in conjunction with PPD-28 do not satisfy the minimum requirements set by Union law with regard to the principle of proportionality, so that surveillance programmes based on these provisions cannot be considered as limited to what is strictly necessary (C-311/18, point 184). Furthermore, the CJEU considered that the legal framework in question did not confer on data subjects rights enforceable against the US authorities before the courts, from which it follows that these persons do not have the right to effective judicial protection (C-311/18, paragraph 192).

The CJEU's analysis is relevant in the present case, since Google LLC (as the importer of the data to the US) must be classified as a provider of electronic communications services within the meaning of paragraph (b) of point 4 of section 1881 of title 50 of the United States Code and is therefore subject to surveillance by the US intelligence services in accordance with paragraph (a) of section 1881 of title 50 of the United States Code ('FISA 702'). Therefore, Google LLC is required to provide personal data to the US government when requested pursuant to section 1881(a) of Title 50 of the United States Code (FISA 702). As can be seen in the Google Transparency Report, Google LLC is regularly subject to such access requests by the US intelligence services. The report can be consulted at: ***URL.14.
The CJEU stated, on the one hand, that the EU-US adequacy decision The Court of Justice of the EU concluded that the standard contractual clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR are intended only to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, regardless of the level of protection guaranteed in each third country. To the extent that these standard data protection clauses cannot, given their nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required by Union law, they may require, depending on the prevailing position in a given third country, the adoption of additional measures by the controller to ensure compliance with that level of protection" (C-311/18, point 133).

General observations on additional measures

In its Recommendations 01/2020, of 18 June 2021 (which can be consulted on the website ***URL.15, although the transcriptions included in this document refer to their translation into Spanish), the European Data Protection Board (EDPB) has clarified that, when the assessment of the legislation or practices in force in the third country may affect the effectiveness of the appropriate safeguards of the transfer instruments relied upon by the exporter, in the context of its specific transfer, as is the case here following the CJEU assessment, the exporter must suspend the transfer or apply appropriate complementary measures. The EDPB notes in this regard that “Any complementary measure can only be considered effective within the meaning of the CJEU judgment “Schrems II” to the extent that it addresses the specific deficiencies identified in its assessment of the legal situation in the third country.
If it cannot ultimately ensure an essentially equivalent level of protection, it should not transfer the personal data.” (see Recommendations 01/2020, point 75).

Measures to complement standard data protection clauses can be classified into three categories: contractual, technical or organisational (see Recommendations 01/2020, point 74).

With regard to contractual measures, the EDPB noted that: “In some situations, these measures may complement and reinforce the guarantees that the transfer instrument and the relevant third-country law may provide, where, taking into account the circumstances of the transfer, they do not fulfil all the conditions necessary to ensure a level of protection essentially equivalent to that guaranteed in the Union. Given the nature of contractual measures, which generally cannot bind the authorities of that third country when they do not form part of the contract, they should be combined with other technical and organisational measures to provide the required level of data protection (...)”. (see Recommendations 01/2020, point 99, emphasis added).

As regards organisational measures, the EDPB stressed that: “… Selecting and implementing one or more of these measures will not necessarily and systematically ensure that their transfer complies with the essential equivalence standard required by Union law. Depending on the specific circumstances of the transfer and the assessment made on the law of the third country, organisational measures will be needed to complement contractual or technical measures in order to ensure a level of protection of personal data essentially equivalent to that guaranteed in the Union" (see Recommendations 01/2020, point 128, emphasis added).
As regards technical measures, the EDPB noted that "…Such measures will be particularly necessary where the law of that country imposes obligations on data importers that are contrary to the guarantees of Article 46 of the GDPR and may, in particular, affect the contractual guarantee of an essentially equivalent level of protection against access by public authorities of that third country to such data" (see Recommendations 01/2020, point 77). It added that "The measures listed below are intended to ensure that access by the authorities of that third country to the transferred data does not affect the effectiveness of the appropriate safeguards contained in the transfer instruments of Article 46 of the GDPR. These measures apply even if the access by public authorities is in accordance with the law of the country of the importer, where such access goes beyond what is necessary and proportionate in a democratic society. These measures are intended to prevent a potential breach of access by preventing authorities from identifying data subjects, inferring information about them, individualizing them in another context or associating the transferred data with other data sets they may hold and which may contain, among other data, online identifiers provided by devices, applications, tools and protocols used by data subjects in other contexts." (see Recommendations 01/2020, point 79, emphasis added).

Complementary measures implemented by Google LLC

Google LLC, as a recipient of data from users of its Google Analytics services, has adopted contractual, organizational and technical measures to complement the SCCs. In the document dated 9 April 2021 sent by Google LLC to the Austrian data protection authority, which the latter shared with the other authorities within the framework of the TF101 Working Group, Google LLC described the measures taken in detail.
Taking into account the considerations of the CJEU and the EDPB, it must now be verified whether the additional measures taken by Google LLC were effective, which means that they address the specific issue of the access possibilities of the US intelligence services.

As regards the “legal and organisational measures” taken, it should be noted that neither the notification of users, even if such notification is admissible, nor the publication of a transparency report or a “public policy on the handling of government requests” in fact prevent or reduce the access possibilities of the US intelligence services. Furthermore, it is not clear how Google LLC's "careful review of each request" for its admissibility is effective as a complementary measure, given that, according to the CJEU, admissible (legal) requests from US intelligence services are not in line with the requirements of European Data Protection legislation.

With regard to the "technical measures" adopted, it should be noted that it has not been clarified how the measures described, such as the protection of communications between Google services, the protection of data in transit between data centers, the protection of communications between users and websites, or "on-site security", in fact prevent or reduce the possibilities of access by US intelligence services on the basis of the US legal framework. As regards encryption technologies, such as in the case of “data at rest” in data centres, as specifically mentioned by Google LLC as a technical measure, it should be noted that Google LLC, as data importer, is obliged to grant access to or hand over imported personal data in its holding, including the cryptographic keys necessary to make the data intelligible (see Recommendations 01/2020, point 81).
In other words: as long as Google LLC has the possibility to access the data of natural persons in clear text, such a technical measure cannot be considered effective in the present case.

Insofar as Google LLC notes that “to the extent that the Google Analytics data for measurement purposes transferred by website owners is personal data, it should be considered pseudonymous”, it should be noted that universally unique identifiers (UUIDs) do not fall under the definition of Article 4.5 of the GDPR. While pseudonymisation may be a privacy-enhancing technique, unique identifiers are, as already described above, specifically intended to single out users, not to act as a safeguard. Apart from this, it has also been described above why the combination of unique identifiers with other elements (such as browser or device data and IP address) and the possibility of linking such information to a Google account in any case make a person identifiable.

Insofar as Google LLC refers to an "optional technical measure" by means of an IP anonymisation function, it should be noted, first of all, that such a measure is, as its name suggests, optional and not applicable to all transfers. Furthermore, it is not clear from Google's response whether this anonymisation takes place before the transfer or whether the full IP address is transmitted to the United States and only shortened after this transfer to the United States. From a technical point of view, therefore, there is potential access to the entire full IP address before it is shortened.

The additional measures adopted, as presented by Google, are therefore not effective insofar as none of them address the specific issues in the present case, which means that none of them prevents the access possibilities of the American intelligence services or renders such access ineffective.
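As an added example (this is not code from the decision, from Google or from MAPFRE), the following Python auditor takes one page-view beacon of the kind described in sections 1 and 2 above, inventories the data elements it exports (the dl, dt and sr parameters, the _ga and _gid cookie values, browser data and the visitor's IP address), marks which of them are online identifiers in the sense of Recital 30, and makes the IP-shortening point concrete: because the address is carried by the connection itself, the importer holds it in full on arrival, and shortening applied on its own servers happens after the transfer. The parameter name `tid` for the operator identifier, the masking rule (/24 for IPv4, /48 for IPv6) and every sample value are assumptions or constructed data, not taken from the decision.

```python
"""Inventory of what a Google Analytics page-view beacon exports.

Added example, not code from the decision, Google or MAPFRE. It models the
beacon the decision describes (an image request to the google-analytics.com
domain carrying parameters such as dl, dt and sr) together with the first-party
_ga/_gid cookie values the tracking script reads. The parameter name `tid`
and the IP masking rule are assumptions; all sample values are constructed.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from ipaddress import ip_address, ip_interface
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Beacon parameters named in the decision, plus `tid` (assumed name for the
# "unique identifier that identifies the website operator").
QUERY_FIELDS = {
    "dl": "page URL",
    "dt": "page title",
    "sr": "screen resolution",
    "tid": "website operator identifier",
}
VISITOR_COOKIES = ("_ga", "_gid")  # first-party cookies named as visitor identifiers


@dataclass
class Hit:
    """One beacon as seen on the wire, plus the first-party cookie string the
    tracking script could read and the address the connection arrived from."""
    host: str
    target: str              # path and query of the beacon request
    first_party_cookies: str
    user_agent: str
    client_ip: str


@dataclass
class Inventory:
    fields: dict              # label -> value leaving the visitor's browser
    online_identifiers: list  # items Recital 30 treats as online identifiers
    ip_on_arrival: str        # what the importer sees before any masking
    ip_masked: str            # what masking applied afterwards would keep


def is_beacon(hit: Hit) -> bool:
    """True for requests to the collect endpoint on the google-analytics.com domain."""
    host = hit.host.lower()
    on_domain = host == "google-analytics.com" or host.endswith(".google-analytics.com")
    return on_domain and urlsplit(hit.target).path == "/collect"


def mask_ip(ip_text: str) -> str:
    """Zero the host part of an address. Keeping a /24 (IPv4) or /48 (IPv6)
    prefix is an assumption about the masking scheme, not taken from the decision."""
    ip = ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ip_interface(f"{ip}/{prefix}").network.network_address)


def audit_hit(hit: Hit) -> Optional[Inventory]:
    """Return the inventory of data a beacon exports, or None for other requests."""
    if not is_beacon(hit):
        return None
    fields, identifiers = {}, []
    query = parse_qs(urlsplit(hit.target).query)
    for name, label in QUERY_FIELDS.items():
        if name in query:
            fields[label] = query[name][0]
    jar = SimpleCookie()
    jar.load(hit.first_party_cookies)
    for name in VISITOR_COOKIES:
        if name in jar:
            fields[f"visitor identifier ({name})"] = jar[name].value
            identifiers.append(name)
    fields["browser and OS (User-Agent)"] = hit.user_agent
    # The address is carried by the connection itself, so the importer holds it
    # in full on arrival whatever masking its servers apply afterwards.
    fields["IP address"] = hit.client_ip
    identifiers.append("ip")
    return Inventory(fields, identifiers, hit.client_ip, mask_ip(hit.client_ip))


def masked_before_transfer(hit: Hit) -> bool:
    """True only if the address that arrived was already in masked form, i.e.
    shortened on the exporter's side (e.g. by a relay the exporter controls,
    an assumed setup) rather than by the importer after the transfer."""
    return hit.client_ip == mask_ip(hit.client_ip)


# Constructed sample, not captured traffic.
SAMPLE_HIT = Hit(
    host="www.google-analytics.com",
    target="/collect?tid=UA-PLACEHOLDER-1&dl=https%3A%2F%2Fwww.example.es%2Fseguros"
           "&dt=Seguros&sr=1920x1080",
    first_party_cookies="_ga=GA1.2.1234567890.1700000000; _gid=GA1.2.987654321.1700000000",
    user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0",
    client_ip="203.0.113.45",
)

if __name__ == "__main__":
    inventory = audit_hit(SAMPLE_HIT)
    for label, value in inventory.fields.items():
        print(f"{label:32} {value}")
    print("online identifiers:", inventory.online_identifiers)
    print("IP on arrival:", inventory.ip_on_arrival, "after masking:", inventory.ip_masked)
    print("masked before transfer:", masked_before_transfer(SAMPLE_HIT))
```

Run stand-alone, the script lists each element the sample beacon carries and shows that the address seen on arrival (203.0.113.45) is the full one, with 203.0.113.0 being what a later masking step would retain; `masked_before_transfer` returns False for it, which is the situation the decision describes. A non-beacon request to the site's own host yields None, so the auditor can be run over a mixed list of requests without false entries.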
The exceptions provided for in Chapter V of the Regulation

Article 49, “Exceptions for specific situations”, of the GDPR states: "1. In the absence of an adequacy decision pursuant to Article 45, paragraph 3, or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or set of transfers of personal data to a third country or international organisation shall only take place if one of the following conditions is met: a) the data subject has explicitly given his or her consent to the proposed transfer, after having been informed of the possible risks for him or her of such transfers due to the absence of an adequacy decision and appropriate guarantees; b) the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject; (…)”

The European Data Protection Board (EDPB), in fulfilment of the objective of ensuring the consistent application of the General Data Protection Regulation assigned to it by Article 70 of the GDPR, issued Guidelines 2/2018 on the exceptions provided for in Article 49 of Regulation 2016/679.
Regarding the interpretation of point (a) of Article 49(1) of the GDPR (section 2.1 of Guidelines 2/2018), the EDPB points out that consent must be specific and informed about the possible risks, establishing the following: “this provision obliges interested parties to also be informed of the specific risks arising from the fact that their data will be transferred to a country that does not offer an adequate level of protection and that adequate guarantees for the protection of data are not provided.”

In the present case, the consent of users for the storage of cookies during their visit to the website cannot be considered equivalent to having explicitly consented to the international transfer of data, as required by Article 49.1.a) of the GDPR; this consent must be obtained in a specific manner and, in order to be valid, MAPFRE should have previously informed the interested parties of the risks involved in data transfers to the USA, in the absence of an adequacy decision and adequate guarantees in the sense of Article 49, paragraph 1 of the Regulation.

With regard to the possible existence of a contractual relationship, this case is not found to apply, taking into account that Recital 111 of the GDPR requires that the international transfer of data based on explicit consent must be “occasional and necessary in relation to a contract”, while in this case the transfers occur continuously and systematically and their need is not justified.

Current legal framework

On July 10, 2023, the Commission approved Implementing Decision (EU) 2023/1795 on the adequacy of the level of protection of personal data in the EU-US Data Privacy Framework pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, so that international transfers made after that decision may be covered by the aforementioned Decision.
On the website https://www.dataprivacyframework.gov/s/ it can be seen that Google LLC has certified its adherence to the principles of the Data Privacy Framework until September 13, 2024, due to the need to renew said certification annually. Therefore, international data transfers to Google LLC in the US are currently covered by the EU-US Data Privacy Framework.

However, it must be concluded that, on the date on which the facts subject to the complaint occurred, MAPFRE cannot invoke any of the tools provided for in Chapter V of the GDPR to justify international transfers of personal data of visitors to its website, in particular unique identifiers, IP addresses, browser data and metadata, to Google LLC in the United States, the doctrine established by the Court of Justice of the European Union in the Schrems II judgment, which invalidated the EU-US Privacy Shield decision, being fully applicable.

Consequently, in accordance with the evidence available in this warning procedure resolution, it is considered that the known facts constitute an infringement, attributable to MAPFRE, for violation of article 44, “General principle of transfers”, of the GDPR, which states that transfers of personal data that are subject to processing or will be processed after their transfer to a third country or international organization will only be carried out if, subject to the other provisions of the GDPR, the controller and the processor comply with the conditions established in this chapter, including those relating to subsequent transfers of personal data from the third country or international organization to another third country or another international organization.
V Classification and qualification of the infringement of article 44 of the GDPR

The infringement of article 44 of the GDPR involves the commission of the infringements classified in article 83.5 of the GDPR which, under the heading “General conditions for the imposition of administrative fines”, provides: “Infringements of the following provisions shall be punishable, in accordance with section 2, by administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher: (…) c) the transfer of personal data to a recipient in a third country or an international organization pursuant to articles 44 to 49; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”.

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates: “1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations: (…) l) The international transfer of personal data to a recipient located in a third country or to an international organization, when the guarantees, requirements or exceptions established in Articles 44 to 49 of Regulation (EU) 2016/679 are not met. (…)”

VI Warning

Article 64 of the LOPDGDD, which regulates the “Form of initiation of the procedure and duration”, in its third section provides that: “3.
When appropriate, taking into account the nature of the facts and taking into account the criteria established in article 83.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the Spanish Data Protection Agency, after hearing the controller or processor, may issue a warning and order the controller or processor to adopt corrective measures aimed at ending the potential breach of data protection legislation in a certain manner and within the specified period. The procedure will have a maximum duration of six months from the date of the start agreement. After this period, the procedure will expire and, consequently, the proceedings will be closed. In this case, the provisions of the second and third paragraphs of section 2 of this article shall apply.”

In accordance with the evidence available at the time of the procedural resolution, the balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, for the infringement committed by violating the provisions of article 44 of the GDPR, a warning must be issued to MAPFRE.

Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO ISSUE A WARNING to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A., with NIF A28141935, for an infringement of Article 44 of the GDPR, classified in Article 83.5 of the GDPR.

SECOND: TO NOTIFY this resolution to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.

Against this resolution, which ends the administrative process in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses its intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a written document addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. It must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the provisional suspension.

1403-16012024
Mar España Martí
Director of the Spanish Data Protection Agency