AEPD (Spain) - PS/00140/2020: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by the same user not shown)
Line 72: Line 72:
In 2018, the AEPD (Spain) received a complaint which raised doubts about whether Google LLC (controller) was handling requests to remove content in a legally correct manner. The complaint asserted that Google LLC, which is based in Mountain View California USA, was unlawfully sending copies of removal requests by users to a third party (the “Lumen Project”). This triggered a broader investigation of the AEPD into the way how Google handles removal requests and the right to erasure under [[Article 17 GDPR]]. In its investigation the AEPD found that Google provides a webpage named “Removing Content From Google”<ref>https://support.google.com/legal/troubleshooter/1114905?hl=en - as providing an overview of all the options of the system would push the boundaries of this summary, the reader is invited to take a look at the removal system theirself. </ref> where a user can request the removal of content from the various Google services (33 at the time of writing). In the first step, the user had to select the particular Google service it wanted data to be removed from. In the second step, the user had to choose between predefined grounds for the request. Among these predefined grounds (which specific grounds are listed depends on the selected service in step one) are e.g. defamation, copyright infringement, harassment and personal information. The AEPD took special notice of some of these predefined grounds: e.g. when having selected “Google Search”, a user had, among others, the following three options of predefined grounds: “Remove personal information from Google under product policies”, “Legal personal information issue: request removal of my personal information from Google’s search results”, “Other legal issue: report content for a legal reason not already listed”. The AEPD further established in its investigation that, only if the user selected the right predefined grounds, he or she was provided with the link to the web form “EU Privacy Removal”<ref>https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf&visit_id=637896063609021876-1705887571&hl=en&rd=1.</ref>. This was the only form which Google treated as a request to erasure under [[Article 17 GDPR]]. Furthermore, Google did not provide a link to this form in its privacy policy<ref>https://policies.google.com/privacy?hl=en&fg=1.</ref> but rather linked to the web page “Removing Content From Google”.
In 2018, the AEPD (Spain) received a complaint which raised doubts about whether Google LLC (controller) was handling requests to remove content in a legally correct manner. The complaint asserted that Google LLC, which is based in Mountain View California USA, was unlawfully sending copies of removal requests by users to a third party (the “Lumen Project”). This triggered a broader investigation of the AEPD into the way how Google handles removal requests and the right to erasure under [[Article 17 GDPR]]. In its investigation the AEPD found that Google provides a webpage named “Removing Content From Google”<ref>https://support.google.com/legal/troubleshooter/1114905?hl=en - as providing an overview of all the options of the system would push the boundaries of this summary, the reader is invited to take a look at the removal system theirself. </ref> where a user can request the removal of content from the various Google services (33 at the time of writing). In the first step, the user had to select the particular Google service it wanted data to be removed from. In the second step, the user had to choose between predefined grounds for the request. Among these predefined grounds (which specific grounds are listed depends on the selected service in step one) are e.g. defamation, copyright infringement, harassment and personal information. The AEPD took special notice of some of these predefined grounds: e.g. when having selected “Google Search”, a user had, among others, the following three options of predefined grounds: “Remove personal information from Google under product policies”, “Legal personal information issue: request removal of my personal information from Google’s search results”, “Other legal issue: report content for a legal reason not already listed”. The AEPD further established in its investigation that, only if the user selected the right predefined grounds, he or she was provided with the link to the web form “EU Privacy Removal”<ref>https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf&visit_id=637896063609021876-1705887571&hl=en&rd=1.</ref>. This was the only form which Google treated as a request to erasure under [[Article 17 GDPR]]. Furthermore, Google did not provide a link to this form in its privacy policy<ref>https://policies.google.com/privacy?hl=en&fg=1.</ref> but rather linked to the web page “Removing Content From Google”.


By looking at this system, the AEPD also found – as the complaint asserted – that Google was sending removal requests, except the ones made under [[the Article 17 GDPR]], to the “Lumen Project”. The Lumen Project is a project of the Berkman Klein Center for Internet & Society of the Harvard University which is collecting removal requests from different providers in a publicly accessible database. A typical entry in the database contains a summary of the request and a link to the original content. Before the user submitted a request for removal on the page “Removing Content From Google” he or she was informed by a banner that a copy of the request may be sent to the Lumen project for publication and that Lumen will redact the personal information.<ref>example page of such a banner: https://support.google.com/legal/troubleshooter/1114905#ts=9814647%2C1115655%2C9814950%2C1282899.</ref> However, the AEPD found that the automated redaction process implemented by the Lumen Project often did not work, leaving personal data included in the requests unredacted in the database.
By looking at this system, the AEPD also found – as the complaint asserted – that Google was sending removal requests, except the ones made under [[Article 17 GDPR]], to the “Lumen Project”. The Lumen Project is a project of the Berkman Klein Center for Internet & Society of the Harvard University which is collecting removal requests from different providers in a publicly accessible database. A typical entry in the database contains a summary of the request and a link to the original content. Before the user submitted a request for removal on the page “Removing Content From Google” he or she was informed by a banner that a copy of the request may be sent to the Lumen project for publication and that Lumen will redact the personal information.<ref>example page of such a banner: https://support.google.com/legal/troubleshooter/1114905#ts=9814647%2C1115655%2C9814950%2C1282899.</ref> However, the AEPD found that the automated redaction process implemented by the Lumen Project often did not work, leaving personal data included in the requests unredacted in the database.


At the start of the proceedings, the AEPD forwarded the complaint to the DPC (Ireland). After one year, the DPC decided that it did not consider itself competent to handle the complaint since Google LLC and not Google Ireland Ltd was the controller of the processing in question.
At the start of the proceedings, the AEPD forwarded the complaint to the DPC (Ireland). After one year, the DPC decided that it did not consider itself competent to handle the complaint since Google LLC and not Google Ireland Ltd was the controller of the processing in question.
Line 94: Line 94:
The decision gives rise to examine some legal points more closely:
The decision gives rise to examine some legal points more closely:


1) Denying Google to invoke [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] because it did not inform the users of the legitimate interests pursued seems incorrect from a systematic viewpoint. This may merely be seen as a violation of the obligation to inform the users under [[Article 13 GDPR#1d|Article 13(1)(d) GDPR]] but may not deprive a controller to invoke [[Article 6 GDPR1f|Article 6(1)(f) GDPR]].
1) Denying Google to invoke [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] because it did not inform the users of the legitimate interests pursued seems incorrect from a systematic viewpoint. This may merely be seen as a violation of the obligation to inform the users under [[Article 13 GDPR#1d|Article 13(1)(d) GDPR]] but may not deprive a controller to invoke [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].


2) The approach of the AEPD to determine the controllership solely on the basis of the privacy policy is legally at least questionable if not wrong. [[Article 4 GDPR#7|Article 4(7) GDPR]] stipulates that "controller means the natural or legal person (...) which, alone or jointly with others, determines the purposes and means of the processing of personal data". In my opinion, [[Article 4 GDPR#7|Article 4(7) GDPR]] insinuates that controllership is being determined on a factual basis and may not just be determined by the privacy policy of the leading company of a group of companies. This would allow an arbitrary determination of the fundamental notion of controllership irrespective of the facts of the individual case. Which company of a group of companies is the controller must, in my opinion, rather be determined a) in relation to the particular processing activity in question and b) on the basis of the individual circumstances of the case.  
2) The approach of the AEPD to determine the controllership solely on the basis of the privacy policy is legally at least questionable if not wrong. [[Article 4 GDPR#7|Article 4(7) GDPR]] stipulates that "controller means the natural or legal person (...) which, alone or jointly with others, determines the purposes and means of the processing of personal data". In my opinion, [[Article 4 GDPR#7|Article 4(7) GDPR]] insinuates that controllership is being determined on a factual basis and may not just be determined by the privacy policy of the leading company of a group of companies. This would allow an arbitrary determination of the fundamental notion of controllership irrespective of the facts of the individual case. Which company of a group of companies is the controller must, in my opinion, rather be determined a) in relation to the particular processing activity in question and b) on the basis of the individual circumstances of the case.  

Latest revision as of 07:08, 9 June 2022

AEPD - PS/00140/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 17 GDPR
Article 58(2)(d) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started: 15.10.2018
Decided:
Published: 18.05.2022
Fine: 10000000 EUR
Parties: Google LLC
National Case Number/Name: PS/00140/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Heiko Hanusch

The Spanish DPA issued a fine of €10,000,000 against Google LLC for unlawfully transferring personal data to a third party and for impeding the exercise of the right to erasure.

English Summary

Facts

In 2018, the AEPD (Spain) received a complaint which raised doubts about whether Google LLC (controller) was handling requests to remove content in a legally correct manner. The complaint asserted that Google LLC, which is based in Mountain View California USA, was unlawfully sending copies of removal requests by users to a third party (the “Lumen Project”). This triggered a broader investigation of the AEPD into the way how Google handles removal requests and the right to erasure under Article 17 GDPR. In its investigation the AEPD found that Google provides a webpage named “Removing Content From Google”[1] where a user can request the removal of content from the various Google services (33 at the time of writing). In the first step, the user had to select the particular Google service it wanted data to be removed from. In the second step, the user had to choose between predefined grounds for the request. Among these predefined grounds (which specific grounds are listed depends on the selected service in step one) are e.g. defamation, copyright infringement, harassment and personal information. The AEPD took special notice of some of these predefined grounds: e.g. when having selected “Google Search”, a user had, among others, the following three options of predefined grounds: “Remove personal information from Google under product policies”, “Legal personal information issue: request removal of my personal information from Google’s search results”, “Other legal issue: report content for a legal reason not already listed”. The AEPD further established in its investigation that, only if the user selected the right predefined grounds, he or she was provided with the link to the web form “EU Privacy Removal”[2]. This was the only form which Google treated as a request to erasure under Article 17 GDPR. Furthermore, Google did not provide a link to this form in its privacy policy[3] but rather linked to the web page “Removing Content From Google”.

By looking at this system, the AEPD also found – as the complaint asserted – that Google was sending removal requests, except the ones made under Article 17 GDPR, to the “Lumen Project”. The Lumen Project is a project of the Berkman Klein Center for Internet & Society of the Harvard University which is collecting removal requests from different providers in a publicly accessible database. A typical entry in the database contains a summary of the request and a link to the original content. Before the user submitted a request for removal on the page “Removing Content From Google” he or she was informed by a banner that a copy of the request may be sent to the Lumen project for publication and that Lumen will redact the personal information.[4] However, the AEPD found that the automated redaction process implemented by the Lumen Project often did not work, leaving personal data included in the requests unredacted in the database.

At the start of the proceedings, the AEPD forwarded the complaint to the DPC (Ireland). After one year, the DPC decided that it did not consider itself competent to handle the complaint since Google LLC and not Google Ireland Ltd was the controller of the processing in question.

Google LLC notably argued in the proceedings that the AEPD violated the consistency mechanism because it forwarded the case to the DPC only at the beginning of the proceedings – where only a violation of Article 6 GDPR was alleged – but not after having broadened the investigation to include a violation of Article 17 GDPR. Furthermore, it argued that the transfer of the requests to the Lumen Project were lawful under Article 6(1)(f) GDPR since the Lumen Project pursues educational, research and transparency purposes with the database.

Holding

The AEPD found that Google LLC violated Articles 6 and 17 GDPR and, therefore, fined Google LLC €5,000,000 for each violation (€10,000,000 in total) and ordered it to bring its processing into compliance with the GPDR according to Article 58(2)(d) GDPR.

First, the AEPD established that the GDPR was applicable under Article 3(1) GPDR or, if not, at least Article 3(2)(a) GDPR would apply. Regarding Article 3(1) GDPR, the AEPD determined that the subsidiaries of the controller maintained in various member states can be considered establishments within the meaning of GDPR as clarified by Recital 22. Moreover, by referring to the judgement of the CJEU C-131/12 (GOOGLE SPAIN), the DPA concluded that the processing in question took place “in the context of the activities of an establishment” because the purposes of the European establishments is to promote and sell the Google services in the respective member states. It is not necessary that the processing is carried out by the establishment itself but it is sufficient that the processing and the establishment located in the EU are inextricably linked.

Second, the AEPD rejected the argument of the controller that it had violated the consistency mechanism by emphasizing that the proceedings were directed against Google LLC and not Google Ireland Ltd and, consequently, the consistency mechanism did not apply. It further underpinned its position by referring to the Privacy Policy of Google. It found that before Google introduced Google Ireland as a controller in its privacy policy by change of 22th January 2019, Google LLC was the responsible entity for Google services in Europe. Moreover, the AEPD reasoned, even after this date Google LLC remained the controller in Europe at least for the services of “Google Search” and “Google Maps” as stated in its privacy policy. It also highlighted that “Google Search” and “Google Maps” seem to be listed as examples in the privacy policy, implying that there may be other products or services than the two expressly mentioned for which GOOGLE LLC is the responsible entity.

Third, the AEPD found that there was no legal basis under Article 6 GDPR for the transfer of the removal requests to the Lumen project. It held that the submission of a removal request could not be construed as consent under Article 6(1)(a) GDPR since the banner showed by Google lacked essential information, such as the purpose of the transfer to the Lumen Project, and, therefore, users could not make a sufficiently informed decision. Furthermore, it reasoned that the user could not even make a decision not to consent, since there was no option to submit the removal request without having it send to the Lumen Project. The AEPD also held that the requirements of Article 6(1)(f) GDPR were not met because it was not necessary for the purposes stated by Google that the Lumen Project receives the personal data contained in the removal requests. It found that Google should have anonymized the data before transferring it to the Lumen project. Moreover, the AEPD even reasoned that Google had no legitimate interest for the transfer in the first place because it did not disclose the legitimate interests pursued to the data subjects, which deprived them of the possibility to contest Google’s assessment.

Fourth, the AEPD held that Google LLC violated Article 17 GDPR by hindering data subjects from exercising their right to erasure due to the complexity of its removal system. The DPA especially criticized that there was no option in the removal procedure which was clearly labeled as “erasure according to Article 17 GDPR” and that the Privacy Policy did not include a direct link to the correct request form but only a link to the page “Removing Content From Google”.

Fifth, when determining the amount of the fine, the DPA especially considered as aggravating factors that the Lumen Project resides in a non-member state, that the data subjects had no opportunity to object to the transfer, that the infringement lasted over a long period, since it started even before the GDPR came into effect, and that the database of the Lumen Project was publicly accessible. The DPA further rejected Google's notion to consider the absence of benefits from the unlawful processing as a mitigating factor.

Comment

The decision gives rise to examine some legal points more closely:

1) Denying Google to invoke Article 6(1)(f) GDPR because it did not inform the users of the legitimate interests pursued seems incorrect from a systematic viewpoint. This may merely be seen as a violation of the obligation to inform the users under Article 13(1)(d) GDPR but may not deprive a controller to invoke Article 6(1)(f) GDPR.

2) The approach of the AEPD to determine the controllership solely on the basis of the privacy policy is legally at least questionable if not wrong. Article 4(7) GDPR stipulates that "controller means the natural or legal person (...) which, alone or jointly with others, determines the purposes and means of the processing of personal data". In my opinion, Article 4(7) GDPR insinuates that controllership is being determined on a factual basis and may not just be determined by the privacy policy of the leading company of a group of companies. This would allow an arbitrary determination of the fundamental notion of controllership irrespective of the facts of the individual case. Which company of a group of companies is the controller must, in my opinion, rather be determined a) in relation to the particular processing activity in question and b) on the basis of the individual circumstances of the case.

3) The decision gives also rise to another question. The AEPD based the applicability of the GDPR on Article 3(1) GDPR, stating that Google LLC maintains subsidiaries in various member states which can be considered establishments within the meaning of the GDPR. However, after the DPC denied its competence as lead supervisory authority, the AEPD never raised the question of its own competence according to Articles 55 and 56 GDPR. According to Article 56(1) GDPR "the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor (...)". Therefore, the AEPD, in my opinion, since it stated on the applicability of the GDPR that Google LLC has establishments in various member states, should have asked the question whether there is and who is the lead supervisory authority in this case. Also the DPC apparently did not consider whether Google Ireland Ltd may be the main establishment of Google LLC according to Article 4(16) GDPR but rather denied competence on the grounds that Google Ireland Ltd was not the controller but Google LLC. However, the lead supervisory authority is not directly determined by the controllership according to Article 56(1) GDPR but by the notion of main and single establishment. The question of controllership is a preliminary question which must be answered before the main question of "who is the lead supervisory authority" is being answered. Controllership, therefore, determines the lead supervisory authority only indirectly. If the AEPD had come to the conclusion that actually the DPC would have been competent because it considered Google Ireland to be the main establishment of Google LLC, the interesting question of what happens if no DPA finds itself competent would have arisen. Is the denial of competence by the actual lead supervisory authority binding for the supervisory authority concerned or must this conflict be resolved according to Article 65(1)(b) GDPR (analogously)?

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                      1/137










     File No.: PS/00140/2020



                 RESOLUTION OF PUNISHMENT PROCEDURE



Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                     BACKGROUND



FIRST: A.A.A. (hereinafter, the complainant) dated September 13 and 29,
2018 and October 15, 2018, filed two complaints with the Spanish Agency

Data Protection. The complaints are directed against GOOGLE LLC (hereinafter,
GOOGLE LLC, the claimed entity or the claimed entity) for the communication of data
to the “Lumen Project” (hereinafter, “Lumen Project”, “Organization
Lumen” or “Lumen”), to the “lumendatabase.org” website. The reasons on which he bases the

complaints are as follows:



Complaint of September 13, 2018:

“[…] Any Internet user can find on Google or in their
products/tools (Google +, YouTube, Google Drive, Blogspot Blogs, etc.),
circumstances such as the following:


. Personal data (which is not only in the search engine, but in its products such as the blogs of
Google, Google +, etc.).
. Defamation (publishing, in addition, personal data).
. Illicit content declared in a court order.
. Trademark or copyright infringement.
. Issues related to AutoComplete or Related Search.
. Other legal incidents.


[…] Google has made specific communication channels available to those affected (on
line, and distributed by different subjects), so that they can transfer to Google
complaints (identifying the conflicting site or URL, your name and surname, email, document
identification, etc.), and a decision can be made in this regard. The so-called "forms of
contact” are the following:


https://support.google.com/legal/contact/lr_dmca?product=news&uraw=&hl=es [Form
Google 1]

https://support.google.com/legal/troubleshooter/1114905?
rd=2#ts=1115655%2C1282900%2C1115974 [Google Form 2]


https://support.google.com/legal/troubleshooter/1114905#ts=1115645 [Google Form 3]

https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C1115662 [Form
Google 4]


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/137









https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7565832 [Form
Google 5]


https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C1115673 [Form
Google 6]

https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C6387768
 [Google Form 7]


https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7308762 [Form
Google 8]

https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C1115676 [Form
Google 9]


https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C1115686 [Form
Google 10]

https://support.google.com/legal/contact/lr_dmca?product=news&uraw=&hl=es [Form
Google 11]


https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7494925 [Form
Google 12]

https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7529574 [Form
Google 13]


https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7282135 [Form
Google 14]

https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7367058 [Form
Google 15]


https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C7546357 [Form
Google 16]

https://support.google.com/legal/troubleshooter/1114905#ts=1115658%2C9053853 [Form
Google 17]


https://support.google.com/legal/troubleshooter/1114905#ts=1115648 [Google Form 18]

https://support.google.com/legal/troubleshooter/1114905#ts=1115652 [Google Form 19]

https://support.google.com/legal/troubleshooter/1114905#ts=1115681 [Google Form 20]


https://support.google.com/legal/troubleshooter/1114905#ts=1349036 [Google Form 21]

https://support.google.com/legal/troubleshooter/1114905#ts=1115681%2C7689505 [Form
Google 22]


https://support.google.com/legal/troubleshooter/1114905#ts=1115655%2C1282900 [Form
Google 23]

[…] The problem with the previous “contact forms” is simple: Google imposes on the

user who uses them the transfer of their personal data and their claim to a
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/137









organization called Lumendatabase.org. Google announces what is exposed in the “forms” of
the following way:

     “Please note that we may send a copy of each notification
     that we receive to the Lumendatabase project (https://www.lumendatabase.org) to

     its publication and annotation. Lumendatabase will remove personal contact information
     of the sender (i.e., the telephone number, the email address and the
     home).
     To consult an example of this type of publication, access the
     page https://www.lumendatabase.org/notices/5838.
     We may also send the original notification to the alleged infringer or the owner of the

     rights if we have reason to suspect the validity of your claim.
     We may also post similar information from your notification on our
     transparency report. For more information about this report, please
     click here".

[…] According to the criteria of the GTA29, Google cannot communicate the censorship to the

web pages affected by it, nor inform the users of their browser about the censorship.

With the above reasoning, it makes no sense for Google to reserve the power to
communicate personal data to Lumendatabase.org. Communications from Google to
Lumendatabase.org reveal who has requested the exercise of censorship (of any kind) in
Internet, your previous specific personal situation, and your personal data, being completely

communication unnecessary.

[…] In light of the GDPR, there is no justification for Google to transmit to
Lumendatabase.org personal data.

It is quite possible that Google will argue that, if there is no personal data in the
Lumendatabase.org posts (for Lumendatabase.org having anonymized them prior to

publicize them), there is no infringement, but the truth is that the infringement occurs from the same
moment in which a transfer of personal data is made, before these are
anonymize On the other hand, they are not always anonymised by Lumendatabse.org. In some
assumptions the publications that are made in Lumendatabase.org have not eliminated the
name and surname of the applicants and in other cases do not eliminate the URLs object of
claims, so anyone who accesses Lumendatabase.org can know

the identity of the applicants.

The transfer system devised by Google does not respond to the principles of the RGPD: the
risks of processing unnecessarily, and cannot be based on legitimate interest (the
form does not allow opposition, and it is unquestionable that it does not pass a minimum weighting).
Neither can transfers be based on the user's consent, since -in the case of

notice the assignment, whose consent is not requested separately and as a box
intended for this purpose - is forced to provide it, if you want to complete the form (if you do not want
complete it due to the mention of Lumendatabase we would be facing one more infraction,
consisting of hindering the exercise of rights).

It is not legal that:


. An affected party is obliged to consent to the aforementioned assignment when using the form.
. Google LLC. transmit personal data to an organization absolutely unrelated to
the decision adopted on the claim of the interested party. The assignment is unnecessary, and
harmful, especially in those cases in which intimate or private situations are revealed that
they have deserved the censorship of Google. What real legitimating base exists? None.

. All the indicated principles of the RGPD are transgressed.

28001 – Madrid 6 sedeagpd.gob.es, 4/137








. A user is unable to use the Google form for fear of assignment
carried out, which hinders the exercise of their rights.


[…] Cases that affect Spain, published in Lumendatabase.org since August 2018.

(…) [Link Lumendatabase 1]
(…) [Link Lumendatabase 2]
(…) [Link Lumendatabase 3]
(…) [Link Lumendatabase 4]
(…) [Link Lumendatabase 5]

(…) [Link Lumendatabase 6]
(…) [Link Lumendatabase 7]

[...]”.

Complaint of September 28, 2018.


It refers to four new cases “affecting Spain, published in
Lumendatabase.org since August 2018.”


Regarding the first case, it indicates that the person is identified with their name and surnames,
understanding therefore that the data is not always anonymized for publication in
lumendatabase.org. Review the following links:

(…) [Link Lumendatabase 8]
(…) [Link Lumendatabase 9]

(…) [Link Lumendatabase 10]
(…) [Link Lumendatabase 11]
(…) [Link Lumendatabase 12]

In relation to the following three cases, he points out that in the publication of
“lumendatabase.org” the word “Redacted” appears in the petitioner and highlights that if

GOOGLE LLC would have provided this data for anonymization and if it were personal
would have violated data protection regulations. The links corresponding to
These cases are the following:

(…) [Link Lumendatabase 13]

(…) [Link Lumendatabase 14]
(…) [Link Lumendatabase 15]”.

Provides screenshots corresponding to links 8 to 14. The description of
these screenshots is as follows:


. Link Lumendatabase 8

     . Header: Addressed to GOOGLE LLC by a Spanish user anonymous by

     defamation grounds.

     . Claim: (...).

     . Link:(…).



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 5/137








. Links Lumendatabase 9 to 12


This is the same assumption as the previous link, but in these links 9 to 12,
in the paragraph showing part of the claim filed with GOOGLE LLC, the
name appears as follows: “B.B.B.” (link 9), “B.B.B.” (link 10), “B.B.B.”
(links 11) and “B.B.B.” (link 12).


The link address shows “B.B.B.” (link 9), “B.B.B.” (links 10 and 11) or
“B.B.B.” (link 12).

. Link Lumendatabase 13


    . Header: Addressed to GOOGLE LLC by a Spanish user anonymous by
    defamation grounds.

    . Claim: (...).


    . Link: (…) .

. Link Lumendatabase 14

    . Header: Addressed to GOOGLE LLC by a Spanish user anonymous by

    defamation grounds.

    . Claim: (...).

    . Link: (…).



Complaint of October 15, 2018.

“A person sent Google LLC a Judgment, which has been forwarded by Google to

Lumendatabase.org in September 2018 for publication along with your name and
surnames, without the communication to Lumendatabase being protected by the principles
of the GDPR”.

The links to which this complaint refers are the following:


(…) [Link Lumendatabase 16]
(…) [Link Lumendatabase 17]

Provide a screenshot corresponding to these links, with the details

following:

. Link Lumendatabase 16:

       . Header: Addressed to GOOGLE LLC by C.C.C. on ***DATE.1 as

       as a result of a court ruling.

       . Claim: (...).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 6/137









       . Link: (…)


       . Documents: Icon that would point to an attached document in .pdf format
       which would mean support for content removal.

. Lumendatabase 17 link: the provided screenshot corresponds to a
fragment of the first page of the (...) presumably accessible through the
previous link.


It also provides a complete copy of this Judgment, in which the names and
surnames of all the people involved in the process (judge who dictates it, party
plaintiff (C.C.C.), defendant, their representatives, Public Prosecutor and (...)
(D.D.D.), as well as all the circumstances of the process, which is motivated by a

article published in a blog (the URL that leads to said article is indicated).
The ruling condemns the defendant to suppress the content of the article published in his
Blog.


SECOND: Prior to admission for processing, these complaints will be

transferred to GOOGLE LLC, in accordance with the provisions of article 9.4 of the
Royal Decree-Law 5/2018, of July 27, on urgent measures for the adaptation of the
Spanish law to the regulations of the European Union regarding the protection of
data.


On 12/28/2018, this Agency received a written answer to the
referred to in the previous paragraph, in which it states the following:

“[…] That, through this document, Google provides the information and documentation
requested in the Transfer of Claim and Request for Information and, specifically:


1. Copy of the communications, of the adopted decision that has been sent to the
claimant regarding the transfer of this claim, and proof that the
claimant has received communication of that decision.

The communication sent

by Google on December 28, 2018 in connection with the claims filed
by… (name and surname of the complainant), as well as proof of sending by burofax.

2. Report on the causes that have motivated the incidence that has originated the
claim.


Google does not know the relationship between the claimant and the two web pages to
which are referenced in your claims. The claimant has not provided
no explanation in this regard and no information has been provided to us about
whether the claimant has proven to the AEPD to have any relationship or capacity to

represent the interested party in question.

3. Report on the measures adopted to prevent incidents from occurring
Similar.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 7/137









Despite the lack of clarity of the claims and the fact that no
the allegedly affected data subject, Google LLC has contacted the organization

Lumendatabase, and, after that, has warned that the two URLs mentioned in the
claims (see 2 above) are no longer accessible, as can be seen from the
prints provided as DOCUMENT #3.

[…] That it is appropriate to reject the claims presented by… (name and
surnames of the complainant), by virtue of the provisions of article 9.3 of the Royal

Decree-Law 5/2018, of July 27, on urgent measures for the adaptation of the
Spanish law to the regulations of the European Union regarding the protection of
data, or article 65.3 of the current Organic Law 3/2018, of December 5, of
Protection of Personal Data and Guarantee of Digital Rights in view of
that, regardless of the fact that at this time it is not possible for us to know what the

relationship between the complainant and the referenced web pages
in your claims, the web pages are no longer accessible, so we understand
that additional corrective action would not even be necessary for
lack of object […]”

The links referred to in GOOGLE LLC's reply brief are those

contained in the complaint of 10/15/2018 (“Lumendatabase links 16 and 17”).


THIRD: On dates 02, 03, 05, 07 and 09/01/2019, the complainant presents new
complaints to the Spanish Agency for Data Protection about new cases

that they would incur in the same infraction denounced in the First Background.

Complaint of January 2, 2019:

“I note that searching for the name of C.C.C. in Google, it appears linked, at the bottom of

search results, a specific content removal notice.

When looking for the name of his father, now deceased, D.D.D., another specific notice of
removal of content, which hyperlinks to lumendatabase.org, where we can
find a content removal request and a statement, in which
declares the violation of the right to honor of both. […]”


Attach two screenshots of the search, dated January 2, 2019 and
in the “Google Search Engine”, of the terms “C.C.C.” and “D.D.D.”, in which a
footnote indicating that several results have been deleted and a highlighted
hyperlink to “LumenDatabase.org” [Google Search 1 and 2].


Also, attach a screenshot corresponding to the URL (...) [Link
Lumendatabase 18]

Description of the impression provided:


       . Header: Addressed to GOOGLE LLC by C.C.C., on ***DATE.2,
       as a result of a court ruling.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 8/137








       . Claim: “(…)” .

       . Links:

                     (…)
                     (…)

       . Documents: Possibility of downloading a document in .pdf format

Resubmits the aforementioned judgment issued by the (...). This sentence corresponds

with the content of Link Lumendatabase 17 referred to above.

Complaint of January 3, 2019:

Complaint that through the URL (...) [Link Lumendatabase 19], you can access

information provided by GOOGLE LLC that identifies censorship applicants.
Attach a copy of the information available at said internet address and the
document accessible through it. In the information header there is
which corresponds to a request addressed to GOOGLE LLC by (...), prior to the
validity of the RGPD.


Complaint of January 5, 2019:

Complaint referred to the URL (...) [Link Lumendatabase 20], in which it appears
published the name of a person and offers the possibility of downloading from two
documents in .pdf format. It is verified that the information available in this

link corresponds to a request addressed to GOOGLE LLC by the person cited, in
date *** DATE.3, prior to the entry into force of the RGPD.

Complaint of January 7, 2019:


Complaint referred to the URL (...) [Link Lumendatabase 21], in which it appears
published the name of a person. In the header of the information it is stated that
corresponds to a request addressed to GOOGLE LLC by (...), prior to the validity of the
GDPR.

Complaint of January 9, 2019:


“I inform and denounce before the AEPD facts related to the following link:

(…) [Link Lumendatabase 22]


In the aforementioned link, a judicial notification is being published (in an annexed form) in the
that the name of the (...) is included: E.E.E.. Apparently, GOOGLE LLC has
sent to lumendatabase.org the judicial document without any anonymization”.

Description of the impression provided:


       . Header: Addressed to GOOGLE LLC by F.F.F., on 01/03/2019, as
       as a result of a court ruling.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 9/137








       . Claim: (...).

       . Links: (…)


       . Documents: Possibility of downloading a document in .pdf format

A copy of the (...) is attached to the complaint. However, it is not proven that the
document was obtained through the publication in “lumendatabase.org”.



FOURTH: On February 1, 2019, the Spanish Data Protection Agency gave
transfer of the complaints described in the previous points to Data Protection
Commission of Ireland (hereinafter DPC Ireland) so that said control authority
Assess whether it holds the status of main control authority based on article 56

of the RGPD, since the entity GOOGLE IRELAND LTD. is located in that country,
the establishment of the person in charge who decides, for Europe, the ends and the means in
the processing of personal data.

In a first communication, dated April 10, 2019, DPC Ireland communicates
that it is not considered competent in this case because the complaints are

filed prior to DPC Ireland becoming the enforcement authority
main control for matters related to the protection of personal data, in
the territorial scope of the RGPD, in which GOOGLE is involved.

Subsequently, on August 20, 2019, DPC Ireland addressed a communication to this

Agency requesting transfer to the complainant of a series of issues
related to the complaints filed. Thus, it asks the complainant to confirm
if you have contacted GOOGLE in relation to the complaint and provide a copy of the
correspondence maintained that it considers pertinent. In the same way, he asks
confirm your consent for the purposes of a possible transfer of the complaint by

from DPC Ireland to GOOGLE. In another order of things, DPC Ireland expresses its
reservations in relation to the status of interested party of the complainant

On November 4, 2019, this Agency received a written response from the
complainant, in which he defends his status as affected and interested; what is the
entity claimed which must prove to the control authority the reasons for

those that force users who use their forms to accept the transfer of data
personal information to “lumendatabase.org”, on which it has provided evidence, including
to nationals of other countries; and that the seriousness of this fact is not diminished by
the modifications made by “lumendatabase.org” to anonymize the
publications. With his writing, the complainant provides the communication that was

sent by GOOGLE on 12/28/2018, on the occasion of the transfer process and a
screenshot with a series of statistical indicators on publications
which, according to the whistleblower, “lumendatabase.org” has published since May 2019
until the date of 04/11/2019.


The Spanish Agency for Data Protection agreed to the provisional file of the
file on January 16, 2020.

By communication of January 22, 2020, DPC Ireland rejects the competition

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 10/137








in the processing of complaints when considering that the data controller does not
would be GOOGLE IRELAND LTD., but rather GOOGLE LLC, since the treatment
consists of the communication, to a US database, of data

related to content removal requests handled by GOOGLE LLC.

FIFTH: On December 1, 2020, the complainant files a new brief before
Spanish Agency for Data Protection, in which it refers to its complaints
and to the file agreed by the AEPD in January 2020, for the referral of his complaint to
the Irish Data Protection Authority, noting that therein only

his complaint of 09/13/2018 is mentioned; that the Irish Authority communicated to him, in
date 04/30/2020, that the competent authority is the AEPD.

On the other hand, it informs “the existence of the following publications in
Lumendatabase.org, in order to be incorporated into the PROCEDURE that is

still in the AEPD

Court Postings in Lumendatabase, Initially Referred to Google LLC,
from 27.11.2029:

(…) [Link Lumen 23]


(…) [Link Lumen 24]

(…) [Link Lumen 25


(…) [Link Lumen 26]

(…) [Link Lumen 27]

It is highly significant that all these petitions are still published today.

Google is responsible for notifying Lumen of their withdrawal.

(…) [ Link Lumen 28]

VIII.- It should be noted that when searching Google for the name and surnames, between quotation marks, of
“C.C.C.”, and "D.D.D." appears at the bottom of the search engine a link that shows the censorship in

Google. Have both been warned by Google that this would take place?
practice, what is differentiated data processing? have they consented
clearly? Has it been verified by the AEPD and has it been investigated?

IX.- In the following link personal data referring to C.C.C. and G.G.G.

(Has the latter consented to this data processing???). (…) [Link Lumen 29]”.


SIXTH: By the Subdirectorate General for Data Inspection,
screen prints of the links that appear in the complaints reviewed, to

verify that they correspond to those provided by the complainant, as well as to
make a description of what appears in them in those cases in which they do not
capture or impression would have been provided in the complaints filed.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 11/137









googleforms

a) Google Forms 1 and 11: this is the form enabled by GOOGLE LLC to

report suspected copyright infringement. The textual references to
“lumendatabase.org” in this form are the following:

Regardless of whether Google may be liable for such infringement under the
country-specific legislation or United States law, our response may include

the removal of any material against which a claim has been made for incurring
in an infringing activity, the disabling of access to said material or the cancellation of
subscriber accounts. If we remove material or disable access to it in response to
this type of notification, we will contact the owner or administrator of the
content or website in question so that you can file a counter notification.
Also, in accordance with our policy, we document all notifications of suspected
violations we receive, including sending a copy of the notice to one or

various third parties, or its publication. You can see an example of this type of publication in the
page https://www.lumendatabase.org/notices/2069”.

“Please note that a copy of each legal notice we receive is sent to a third party,
that you could publish it and annotate it (without your personal information). So the content of this
form will be forwarded to Lumen (http://www.lumendatabase.org) so that it can be published.
To see an example of this type of publication, access the page

http://www.lumendatabase.org/dmca512/notice.cgi?NoticeID=861. In the case of products
such as Google Web Search, a link to the posted notice will appear in the search results.
Google search instead of removed content.”

This form includes mandatory fields for the applicant to

provide the following information: country of residence, applicant's full name,
copyright holder's full name, email address
of contact, protected work, where can I see an authorized example of the work?
Allegedly infringing URL and signature.


b) Google Forms 2, 4, 5, 7, 9, 17, 21 and 23: these are entry pages for the
request for removal of content in which various products of the
company and where the applicant would choose which of said products his

content removal request. Includes the following text:

“How to remove content from Google

This page will allow you to access the right place to report the content you want

withdraw from Google services in accordance with applicable laws. Provide us
complete information so that we can investigate your query.
If you have non-legal issues related to the "Terms of Service" or
with the Google Product Policies, go to http://support.google.com.
You must send a notification for each Google service in which the content appears.


What Google product does your request refer to?
( ) Google search
( ) Blogger/Blogspot
( ) Google Maps and related products
( ) Google Play: Apps
( ) Youtube
( ) Google images

( ) A Google ad
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 12/137








( ) Drive and Documents
( ) Google Photos and Picasa Web Albums

( ) Google Shopping
( ) See more products”.

When clicking on the “See more products” option, a new list is displayed:


“Select an option from the following list.
( ) Google+
( ) Google AMP Cache
( ) Google Arts & Culture
( ) Google Assistant
( ) Chrome Web Store/Extension Gallery
( ) Google Classroom
( ) Cloud Firestore

( ) Google Cloud Platform
( ) DataStudio
( ) Google domains
( ) Feedburner
( ) Firebase
( ) Gmail
( ) Google URL Shortener (goo.gl)
( ) Google Groups

( ) Google Help Communities
( ) Google Lens
( ) Navlekha
( ) Google news
( ) Google Play Books and Google Books
( ) Poly
( ) Google Sites (Google's web page and wiki creation tool)
( ) Stadia.


c) Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20 and 22. These are the
entry pages to the content removal forms relating to different
GOOGLE LLC products:


     Google Form 3: Blogger/Blogspot product.
     Google Form 6: Chrome Web Store product/extension gallery.
     Google Form 8: Google Classroom product.

     Google Form 10: Google Groups product.
     Google product form 12: Google Help Communities.
     Google Form 13: Poly product.
     Google Form 14: Feedburner product.
     Google Form 15: Data Studio product.

     Google Form 16: Cloud Firestore product.
     Google Form 19: Google Photos and Picasa Web Album product.
     Google Form 20: Drive and Documents product.
     Google Form 22: page similar to number 20, differing in that it is already

     is selected the option "Personal information: the information includes
     my personal data” as a reason to request the removal of content.

All of them include the same information outlined in section b) above (“As

remove content from Google…”).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 13/137










Textual references to “lumendatabase.org” in these forms are the
following:


“Please note that we may send a copy of each notification
legal documents that we receive to the Lumen project (https://www.lumendatabase.org) for publication
and annotation. Lumen will remove the sender's personal contact information (i.e., the
phone number, email address and home address).

To consult an example of this type of publication, go to the page

https://www.lumendatabase.org/notices/5838”.

And added:


“In addition, we may publish similar information from your notification on our website.
transparency report. For more information on this report, click here.”

The following options are offered:


     . Google Forms 3

     “How can we help you?
     ( ) I would like to report malware, phishing,
     disclosure of private data or other similar incidents.

     ( ) I want to report a blog that impersonates my identity.
     ( ) I want to report the disclosure of private nude images or information
     ( ) I want to report bullying and harassing content.
     ( ) Intellectual property issue: report copyright infringement,
     circumvention etc.
     ( ) Other legal problem: report content for another legal reason not included in the list”.


     . Google Form 6

     “How can we help you?
     ( ) Copyright Infringement: My copyrighted work is being

     using illegally without authorization
     ( ) Counter Notice: An appeal intended to restore content that was removed due to a
     copyright infringement claim
     ( ) Brand: my brand is being used in a way that may cause confusion
     ( ) Court order: a court ruling has determined that a specific content is
     illegal
     ( ) Circumvention: a tool circumvents technological measures for the protection of rights

     From author
     ( ) Material with images of child sexual abuse: visual representation of practices
     explicit sex with minors.

     Google Forms 8, 12, 13, 14 (except the first option, in the last 3 cases),

     15 (except for the first option and the one related to “Legal problem”) and 16 (except for the first
     option and those related to “Avoidance” and “Legal problem”)

     “How can we help you?
     ( ) I have a question about the Classroom program policies

     ( ) Copyright Infringement: My copyrighted work is being

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 14/137









     using illegally without authorization
     ( ) Counter Notice: An appeal intended to restore content that was removed due to a
     copyright infringement claim
     ( ) Circumvention: a tool circumvents technological measures for the protection of rights
     From author

     ( ) Court order: a court ruling has determined that a specific content is
     illegal
     ( ) Legal problem: legal problem that does not appear on the list
     ( ) Material with images of child sexual abuse: visual representation of practices
     explicit sex with minors.


     Google forms 10, 19 (except the first option)

     “How can we help you?
     ( ) Report violent or hateful content, disclosure of personal data, or

     the promotion of goods and services
     ( ) Copyright Infringement: My copyrighted work is being
     using illegally without authorization
     ( ) Counter Notice: An appeal intended to restore content that was removed due to a
     copyright infringement claim
     ( ) Personal information: the content includes my personal data

     ( ) Court order: a court ruling has determined that a specific content is
     illegal
     ( ) Legal problem: legal problem that does not appear on the list
     ( ) Material with images of child sexual abuse: visual representation of practices
     explicit sex with minors.


     Google Form 20

     “How can we help you?
     ( ) I want to report a case of identity theft, spam, malicious software or

     Other misuse of a Google Docs or Google Drive file
     ( ) Copyright Infringement: My copyrighted work is being
     using illegally without authorization
     ( ) Counter Notice: An appeal intended to restore content that was removed due to a
     copyright infringement claim
     ( ) Circumvention: a tool circumvents technological measures for the protection of rights
     From author

     ( ) Personal information: the content includes my personal data
     ( ) Other legal problem: report content for other legal reasons not included in the list”.

d) Google Form 18: corresponds to the entry page to the forms of

removal of content related to the product “Google Images”, which does not contain
references to “lumendatabase.org”. The information provided is the following:

“How to remove content from Google… (the same information outlined in section b)

previous)".

“Even if Google removes a web page or image from our search results, it doesn't
we may remove content from websites that host it. The page may continue
existing on the website, meaning it can be found via the site's URL
web, in social networks where it has been shared or in other search engines. We recommend
to contact the owner of the website to ask him to remove the content in

question.

28001 – Madrid 6 sedeagpd.gob.es, 15/137








Visit “this page” for more information on how to contact the

owner of a w.b site”

The following options are offered on this page:

“How can we help you?
( ) I want to report malware, phishing, or similar issues.

( ) Content that I requested to be removed continues to appear in search results,
even though the webmaster has already removed it.
( ) Right to be forgotten: request to withdraw information in accordance with European legislation
in terms of data protection
( ) Defamation: the content defames me or my company or organization
( ) Intellectual property issue: report copyright infringement, circumvention,
etc.
( ) Other legal problem: report content for another legal reason not included in the list”.



Lumendatabase Links

. Link Lumendatabase 1


       . Heading: Removal request for defamation. Directed at GOOGLE
       LLC on ***DATE.4 by an anonymous Spanish user.


       . Claim: (...).

       . Link: (…)


. Link Lumendatabase 2

       . Heading: Removal request for defamation. Directed at GOOGLE
       LLC on ***DATE.5 by an anonymous Spanish user.


       . Claim: (...).

       . Link: (…)


. Link Lumendatabase 3

       . Heading: Removal request for defamation. Directed at GOOGLE
       LLC on ***DATE.6 by an anonymous Spanish user.


       . Claim: “(…)” .

       . Link: (…)


. Link Lumendatabase 4

       . Heading: Removal request for defamation. Directed at GOOGLE
       LLC by an anonymous Spanish user.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 16/137








       . Claim: “(…)”.


       . Link:
         (…)
         (…)
         (…)
         (…)

         (…)

. Link Lumendatabase 5

       . Heading: Removal request for defamation. Directed at GOOGLE

       LLC on ***DATE.7 by an anonymous Spanish user.

       . Claim: “(…) ”.

       . Link: (…)


. Link Lumendatabase 6

       . Heading: Removal request for defamation. Directed at GOOGLE
       LLC on ***DATE.8 by an anonymous Spanish user.


       . Claim: “(…)”.

       . Link: (…)
. Link Lumendatabase 7


This impression corresponds to the search engine of “lumendatabase.org” composed
through a series of simple and advanced search boxes. The search box
simple appears filled with the term "Google", supposedly used by the
complainant to carry out the searches that he presents as evidence before this

Agency.

. Link Lumendatabase 8

It is verified that the information of this link substantially coincides with the capture

screenshot attached to the letter of complaint dated September 28, 2018 (See
Facts First), presenting the following differences:

       . The date of the request is stated, this being ***DATE.9.
       . The address of the link that was the subject of the removal request has been removed

       any reference to the personal name, subsisting this in the summary of the
       content request.

. Link Lumendatabase 9 to 12


It is verified that the information of this link substantially coincides with the capture
screenshot attached to the letter of complaint dated September 28, 2018 (See
Facts First), presenting the following differences:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 17/137









       . The date of the request is stated, this being ***DATE.9.

       . In the link address, only “(…)” is indicated.

. Link Lumendatabase 13

It is verified that the information of this link substantially coincides with the capture

screenshot attached to the letter of complaint dated September 28, 2018 (See
Facts First), presenting the following differences:

       . The date of the request is stated, this being ***DATE.10.
       . The link address has been simplified.


. Link Lumendatabase 14

It is verified that the information of this link substantially coincides with the capture
screenshot attached to the letter of complaint dated September 28, 2018 (See

Facts First), presenting the following differences:

       . The date of the request is stated, this being ***DATE.11.
       . The link address has been simplified.


. Link Lumendatabase 15

       . Heading: Withdrawal requirement due to application of local regulations.
       Addressed to GOOGLE LLC on ***DATE.10 by an anonymous Spanish user.


       . Link: (…).

. Link Lumendatabase 16

The page presents a 404 error, which is consistent with what was stated by GOOGLE

SPAIN S.L. in his letter of December 28, 2018

. Link Lumendatabase 17

This link does not allow the download of the document, which is consistent with what

manifested by GOOGLE SPAIN S.L. in his letter of December 28, 2018.

. Link Lumendatabase 18

It is verified that the information of this link substantially coincides with the

printing of the web page attached to the complaint letter of January 2, 2019
(See facts First), presenting the following differences:

       . Only the link (...) remains.


. Link Lumendatabase 19

It is verified that the information on this link corresponds to a request addressed to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 18/137








GOOGLE LLC prior to the entry into force of the RGPD. Also, it is verified that
the possibility of downloading the judicial document has disappeared.


. Link Lumendatabase 20

It is verified that the information on this link corresponds to a request addressed to
GOOGLE LLC prior to the entry into force of the RGPD. Also, it is verified that

the possibility of downloading documents has been limited to one.

. Link Lumendatabase 21

It is verified that the information on this link corresponds to a request addressed to

GOOGLE LLC on date ***DATE.12, prior to the entry into force of the RGPD.

. Link Lumendatabase 22

It is verified that the information of this link substantially coincides with the

printing of the web page attached to the complaint letter of January 9, 2019
(See Acts First).

. Link Lumendatabase 23


Link Description: This is a page that provides search results
content removal requirements. Joins the performances the first
of the pages, which reviews requests from December 2019, January and February 2020,
addressed to GOOGLE LLC based on court decisions.


. Link Lumendatabase 24

Description of the link: Page that offers the search results of
content removal requirements addressed to GOOGLE LLC based on
judicial resolutions, in Spanish.


. Link Lumendatabase 25

Link description:


       . Heading: Removal request for defamation. Directed at GOOGLE
       LLC on ***DATE.13 by an anonymous Spanish user.

       . Claim: “(…)”.


       . Link:     (…)
                     (…)
                     (…)
                     (…)


. Link Lumendatabase 26

Link description:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 19/137









       . Heading: Withdrawal request as a result of a failure

       judicial. Addressed to GOOGLE LLC on ***DATE.14 by H.H.H.

       . Explanation:"(…)"

       . Link:      (…)

                      (…)

. Link Lumendatabase 27

Link Description: Refers to a content removal requested by a

Italy user.

. Link Lumendatabase 28

Description of the link: Page that offers the search results of

publications on the Lumen website based on the terms “EU-Right to
Oblivion” and “Google”. Corresponds to requests from 2014, 2015 and 2016.

. Link Lumendatabase 29


This is the same link as number 18 already sent in the complaint filed on
January 2, 2019.


Below the links indicated in the publications reviewed with the numbers 1, 2,

3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 18, 19, 20, 21, 22, 25, 26 and 29 shows the
phrase “Click here to request access and see full URLs” (whose translation would be “Pinche
here to request access see full URL”) in hyperlink format.

Google searches


1. The terms “C.C.C.” are introduced. in the "Google Search", resulting in
removed reference to “lumendatabase.org”.

2. The terms “D.D.D.” are introduced. in the "Google Search", verifying that

makes specific reference to deleted results and directs, for more information, to a
hyperlink from “lumendatabase.org”.


SEVENTH: On 06/09/2021, the Director of the Spanish Protection Agency

of Data agreed to initiate sanctioning proceedings against the entity GOOGLE LLC, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged infringement of article 17 of the RGPD in ideal competition with
an infringement of article 6.1 of the RGPD, which are typified in article 83.5 of the

same norm.

In the opening agreement it was determined that the sanctions that could correspond,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 20/137








attended the existing evidence at the time of opening and without prejudice to what
resulting from the investigation, would be 5,000,000.00 euros for the relative infringement

to article 17 of the RGPD and 5,000,000.00 euros for the infringement related to article
6.1 of the GDPR. However, considering that both offenses concur in
ideal bankruptcy regime, the total resulting from the sanction to be imposed would amount to
5,000,000.00 euros.


In the same agreement to open the procedure, it was warned that the infractions
imputed, if confirmed, may lead to the imposition of measures, in accordance
with the provisions of the aforementioned article 58.2 d) of the RGPD.

EIGHTH: Notification of the aforementioned initial agreement and extension of the term granted for

formulate allegations, the claimed entity, having received a copy of the
proceedings, filed a brief dated 07/21/2021, requesting:

"one. The nullity of the Sanctioning Procedure for infraction of regulatory norms of the
sanctioning procedure of a fundamental and essential nature that causes the defenselessness of
Google.
2. Subsidiarily to the foregoing, the non-existence of alleged violations of articles
6.1 and 17 of the RGPD, and the file of the proceedings.

3. In the alternative to the foregoing, and in the unlikely event that Google is deemed
responsible for the infringement of articles 6.1 and/or 17 RGPD, the imposition of the amount of the
corresponding sanction in its minimum degree.

Prior to presenting the allegations on which said request is based,
GOOGLE LLC indicates that it does not discuss the application of the RGPD to the activities of

treatment in question, while disagreeing with the Agency's analysis of
the alternative assumptions (and not cumulative) provided for in articles 3.1 and 3.2.(a)
GDPR. You understand that article 3.2.(a) RGPD does not apply, since it has
with various establishments in countries of the European Union, in addition to Spain.


(...).

(…)

This occurs in a complex legal and regulatory context, which requires an evaluation

careful consideration and weighing of all the rights at stake in the operation of a
successful content moderation program, especially the freedom of
expression and information, the right to data protection, the protection of honor,
privacy and other personality rights, intellectual property rights,
freedom of the arts and sciences, the protection of consumers and the principles

of transparency and responsibility. Among other requirements, it draws the attention of the
Agency on the legal frameworks derived from Regulation (EU) 2019/1150 of the
European Parliament and of the Council, of June 20, 2019, on the promotion of
fairness and transparency for professional users of information services
online intermediation (the “P2B Regulation”) and the European Commission Proposal

Regulation on a Single Market for Digital Services (Digital Services
Act, “DSA”). Both normative instruments impose high standards of
transparency and accountability on the way in which service providers
intermediary services moderate the content, including the requirement to publish
all content removal decisions in an access database

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 21/137








public, as it would “contribute to mitigating possible abuses” (see art. 15.4 of the DSA and
Recital 26 of the P2B Regulation).


It is in this context that the relationship of GOOGLE LLC with
“lumendatabase.org” (“Lumen”). Specific:

“Lumen” is a project of the Berkman Klein Center for Internet & Society at the
Harvard University, whose main objective is to study the “cease and termination letters”
desistimiento” (cease and desist letters) relating to online content. lumen collects

and analyzes requests to remove materials from the web with the aim of educating the
public, facilitate research on the different types of complaints and
Takedown requests being sent to publishers and service providers
of the Internet, and to provide as much transparency as possible about the "ecology" of such
communications, in terms of who is sending them and why, and for what purpose. Although

one principle “Lumen” focused on requests submitted voluntarily by
companies under the United States Digital Millennium Copyright Act
(United States' Digital Millennium Copyright Act, “DMCA”), now also
includes claims relating to other issues, including trademarks, defamation,
court decisions, etc.


In the above context, GOOGLE LLC, along with other major players in the
digital society (See: https://lumendatabase.org/pages/about for more information
in this regard), contributes to the "Lumen Project" for purposes of transparency and
accountability, as well as to prevent abuse and fraud and shares with Lumen
content removal requests in relation to intellectual property rights

(DMCA), circumvention/avoidance, counterfeiting, non-confidential court decisions,
libel and takedown notices based on local law.

The positive contribution of the "Lumen Project" to society is evident. For example,
it was thanks to Lumen that a very recent fraudulent use of the

content removal tools by a Spanish entity (which came
to the point of pretending to be the European Commission) and cites the links: (...).

(...):

a) (…).

b) (...).
c) (...).

The aforementioned entity bases its request on the following considerations:


1. Violation of the LOPDGDD, which provides for a sanctioning procedure for a
maximum duration of 21 months, taking into account the duration of the actions
prior investigation (art. 67.2) and the penalty procedure itself (art.
64.2), because it keeps GOOGLE LLC under investigation for more than two
years, ignoring the expiration of previous investigation actions.


Furthermore, art. 65.5 LOPDGDD establishes that "The decision on the admission or
inadmissibility for processing, as well as the one that determines, in its case, the remission of the
claim to the main control authority that is deemed competent, must

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 22/137








notify the claimant within three months.

In this case, the first claim filed is from 09/13/2018, so you can

understood admitted on 12/13/2018, although the Agency did not issue any resolution in
this date. More than a year later, on 01/16/2020, the AEPD decided to file
provisionally the file and direct it to the data protection authority of
Ireland (Irish Data Protection Commission); and more than a year and a half later, the
06/23/2021, the Start Agreement was notified (the Agency has taken almost 3 years since
the first claim to initiate the Penalty Procedure).


In accordance with the foregoing, the previous investigative actions expired on
12/13/2019, so the information collected in the framework of said actions
previous investigations cannot be used in the Sanctioning Procedure, among
other things, because they are investigations that have expired and are no longer correct

from a factual point of view, they are not up to date. Using them would violate
provided in art. 95.3 of Law 39/2015, of October 1, on Procedure
Common Administrative Law of Public Administrations ("LPAC"), as well as the laws and
principles that regulate the sanctioning administrative procedure.

These facts, which hinder the right of defense of GOOGLE LLC, imply the

nullity of the Start Agreement and the Sanctioning Procedure, proceeding the file
of the performances.

2. There has been no violation of art. 6 GDPR: application of the base
legitimate interest


Clarifies that the legitimating basis on which it relies to share personal data
with Lumen is not the consent, but the legitimate interest, interpreted of
in accordance with Opinion 06/2014, on the concept of legitimate interest of the
data controller under article 7 of the Directive

95/46/EC, which is applicable to the case at hand. Consider GOOGLE LLC that
(A) there are multiple overriding legitimate interests in the data transfer with Lumen, and (B)
that said legitimate interests prevail over the rights and freedoms of the
interested.

A. There is a legitimate interest of both GOOGLE LLC and "Lumen" (in this case,

a third party), in the transfer of requests relating to the removal of content (which
may or may not include personal data, depending on the type of withdrawal request and
the solicitor):

a) The legitimate interest of "Lumen" consists of promoting education,

investigation and transparency, which, ultimately, fall within the interest of
society as a whole and find support in many different laws
(including the Spanish Constitution itself (arts. 27 and 44.2 of the Spanish Constitution,
related to education and research, respectively) and Organic Laws (Law
Organic Law 2/2006, of May 3, on Education; LOPDGDD; Organic Law 1/1982, of 5

of May, on civil protection of the right to honor, to personal and family privacy
and in his own image, etc.), and even in the Opinion of Legitimate Interest, which
establishes that:
“The nature of the interest may vary. Some interests may be compelling and

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 23/137








beneficial to society in general, such as the interest of the press in
publish information about government corruption or interest in carrying out
scientific research (subject to adequate safeguards)”.


b) GOOGLE LLC also has a clear legitimate interest in sharing with
“Lumen” content removal requests. Specifically, these assignments
constitute an important mechanism for the Google group to ensure that
their content removal practices are transparent and accountable, and are not
related to the exercise of data protection rights, but with other

rights (for example, intellectual property rights, right to honor, trademarks,
etc.). "Lumen" provides transparency and serves to account for the
content moderation processes implemented by the Google group (which is not
a public entity or authority), to demonstrate the existence of procedures for
withdrawal reagents, to encourage a clear understanding of the types of content in

line that are the subject of withdrawal requests, the fairness between similar matters in
different countries and regions, as well as to mitigate the risk of misuse or
fraudulent use of content removal tools. In addition to the community
of researchers, the general public and public authorities benefit from
this transparency.


The importance of these transparency objectives is reflected in the framework itself
applicable legal system (such as the P2B Regulation), and even in legal provisions that
are yet to come (such as the DSA).

These legitimate interests are also recognized in the Opinion of Legitimate Interest,

which establishes the following examples of legitimate interests: “the exercise of the right
of freedom of expression or information, including situations in which it is exercised
said right in the media”, “the prevention of fraud, the use
misuse of services or money laundering”, “treatment for historical purposes,
scientific or statistical” and the “publication of data for purposes of transparency and

responsibility".

The AEPD itself also recognizes in the Start Agreement that complying with the
transparency standards may constitute a legitimate interest.

B. These legitimate interests are not outweighed by the interests or rights and

freedoms of the interested parties.

In the opinion of GOOGLE LLC, the affirmation of the AEPD in the Initiation Agreement -without
any evidentiary support- that the communication from GOOGLE LLC to Lumen of
content removal requests “have a high impact on the interests and

rights of the interested party” lacks any support for the following reasons:

a) The interested parties who complete the “Google” content removal forms
are sufficiently informed about the communication of requests to
“Lumen”: Specifically, the interested parties are clearly informed about the

communication of your personal data to Lumen at the time you provide your
data to GOOGLE LLC, including by means of a prominent disclaimer posted
displayed in the “Google” legal troubleshooting tool (reproduces the
information on the possibility of sending a copy of the notifications to the Project

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 24/137








Lumen” and to publish them in the “Google Transparency Report”, already outlined in
the Sixth Antecedent).


b) GOOGLE LLC limits the personal data that is shared with “Lumen” and “Lumen”
proceeds to anonymize the requests that GOOGLE LLC shares.

(...).

(...).


Finally, it is the practice of "Lumen" to anonymize certain personal data of the
requests prior to publication, including shared request categories
by GOOGLE LLC in the case analyzed in the Startup Agreement (these are,
those related to defamation, non-confidential judicial decisions and those

related to local regulations other than data protection), in order to
Minimize the personal data included in the publications. The protocol of
Anonymization of Lumen is clearly available to the public on its page
website (https://www.lumendatabase.org/pages/lumen-notice-basics).

On this issue, he provides a screenshot where you can see the

information regarding requests for defamation or for a court ruling
(This coincides with the information provided on the “lumendatabase.org” website, in the
document "Basic concepts of the Lumen notice information", which consists
outlined in Annex 4.


The foregoing does not prevent errors from being made on an occasional basis and that some
Lumen posts are not fully anonymized. In these cases, those affected
can go to both GOOGLE LLC (to notify Lumen of such errors)
as well as Lumen directly asking for the correction of the anonymization.

c) Access to full URLs and court decisions is limited to researchers from

good faith: "Lumen" operates gradual data access, so that access to URLs
completed forms and attached documents related to a publication (such as a
court decision) does not remain available to the general public and can only be
access them upon individual request by email. "Lumen" only gives
access to this information to bona fide researchers, which limits access to such

information and appropriately weighs the interests of the community of
investigators with those of the subjects who submit requests for withdrawal of
content to GOOGLE LLC.

d) The legitimate interest at stake is important and compelling: the communication of
content removal requests to “Lumen” for reasons of transparency and

research benefits the general public, which, according to the Opinion of the
Legitimate Interest is a key element to consider when performing the weighting test:
“In general, the fact that the data controller acts not only in his or her
own legitimate interest (for example, your company), but also in the interest of the
community at large can give more 'weight' to their interest. The more pressing

be it the public interest or the interest of the community at large, and the more
clearly the community and stakeholders recognize and expect the responsible
of the treatment can act and treat the data to pursue these interests, more

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 25/137








Such legitimate interest will have weight in the balance”.

i) (...):

i. (…)

ii. (…)
iii. (…)

3. Art. 17 GDPR: GOOGLE LLC respects the right to
individuals' right to be forgotten/deletion


A. (…).

Regarding requests for the Right to be Forgotten, the “Lumen” website
(https://www.lumendatabase.org/pages/lumen-notice-basics) expressly indicates that
GOOGLE LLC "does not share with Lumen, at this time, requests it receives

of EU citizens regarding the so-called “Right to be Forgotten (“RTBF”)(…)”
(Unofficial translation).

(…)

The essential element that determines the application of article 17 RGPD is the purpose

of the request and, consequently, the right invoked and exercised by the individual.
Furthermore, unintended and unexpected consequences would occur if all
requests that involve the withdrawal of personal data are treated in a
automatic as exercises of the right of suppression under the protection of art. 17 GDPR, with
independence of the legal regime in which the subject bases the withdrawal request
of content.


Content removal requests are assessed by performing legal analyzes and tests in
depending on the reason you are submitting your request. For example, requests for
deindexation for defamation reasons, in the absence of a judicial decision, are analyzed
according to the local legislation that regulates defamation and the legal framework of the Directive of
Electronic Commerce, and not on the basis of the RGPD, in such a way that they are taken into account

account the facts and, depending on local regulations, the opinions contained in that
content and other relevant factors (including legal doctrine). In the Spanish case, this
would involve analyzing, among others, article 7 of Organic Law 1/1982, of May 5,
of civil protection of the right to honor, to personal and family privacy and to one's own
image, or articles 205 and following of the Penal Code in relation to crimes
against honor; as well as Law 34/2002, of July 11, on services of the society of

information and electronic commerce.

B. The form for the exercise of the Right to be Forgotten made available by
GOOGLE LLC, accessible at the address
“https://www.google.com/webmasters/tools/legal-removal-request?

complaint_type=rtbf”, does not include any reference to the communication of information to
Lumen because such requests are not shared with Lumen. In this way, there is no
construe that the Right to be Forgotten Form hinders in any way the
rights of the interested parties under article 17 of the RGPD for an alleged imposition
of the communication of information to Lumen.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 26/137









The documentation and information included in the file of the Procedure
Sanctioning are inconsistent with that statement. none of the forms

mentioned by the complainant in his complaints (and later confirmed by the
Subdirectorate General for Inspection, the "Investigated Forms") refer to the
Right to be Forgotten Form. The Investigated Forms are intended to
submitting content removal requests for various legal reasons not
related to data protection (e.g. copyright infringements), and not
the Right to be Forgotten.


(…)

(…)


4. In relation to the graduation of sanctions, considers that they should be taken into account
account the following extenuating circumstances:

a) Any measure taken by the controller or processor to
alleviate the damages suffered by the interested parties (article 83.2.c RGPD):
GOOGLE LLC has contacted “Lumen” to let her know that she must

carry out additional anonymizations of some of your publications related to
requests for removal of content identified by the AEPD in the Basis of
Law II of the Home Agreement. From this, "Lumen" has carried out new
actions aimed either at anonymizing information or withdrawing publications (provides
screen printing corresponding to Links Lumendatabase 3, 5, 8, 9, 10,

11, 18, 22 and 26).

b) The benefits obtained as a result of committing the offense (art.
76.2.c LOPDGDD): the communication of information to "Lumen" is carried out with the
purposes of increasing transparency and accountability, educating the public and

facilitate research, all of which benefits society as a whole (being
these purposes also promoted throughout the RGPD). GOOGLE LLC does not obtain
any commercial benefit or income as a result of these communications.

5. Notwithstanding the foregoing allegations, GOOGLE LLC is in the
currently in the process of reviewing its practices in relation to the communication of

content removal requests to “Lumen”. GOOGLE LLC considers the protection
of personal data as an extremely relevant issue and takes careful
note of the comments made by the AEPD in the Start Agreement. GOOGLE
LLC reviews its practices on an ongoing basis to ensure that it reaches a correct
balance between transparency and data protection rights of users

individuals. GOOGLE LLC hopes to have the opportunity to present and comment on its
new practices with the AEPD soon.


NINTH: On 10/05/2021, this Agency received a letter of

supplemental allegations filed by GOOGLE LLC.

(...).


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 27/137








(...).


(...):

a) (…).


b) (...).

c) (...).


d) (...).

(…)


(…)

(…)


(...).

TENTH: On 12/30/2021, the instructor of the procedure agreed to open
a period of practice of evidence, considering reproduced for evidentiary purposes
the complaints filed and their documentation, the documents obtained and

generated during the phase of admission to processing of the complaints and the
checks carried out by the General Subdirectorate of Data Inspection for
verify that the links mentioned in the complaints and their content are
correspond to the screen prints provided by the complainant or to

access said content in cases in which it had not provided the capture of
corresponding screen; and for presenting the allegations made by GOOGLE
LLC and the documentation that accompanies them.


Likewise, it was agreed to include in the actions the information and/or documentation
Next:

“a) Financial information relating to the entity GOOGLE LLC, obtained from the websites
“es.investing.com” and “es.tradingview.com”.

b) Copy of the "forms" mentioned in the Background of the agreement to initiate the

reference sanctioning procedure, enabled by GOOGLE LLC so that the
Interested parties may request the removal of content, accessible through the addresses
that are also mentioned in said agreement (Google Forms 1 to 23).

c) Copy of the information accessible through the links to “lumendatabase.org” that are
mentioned in the Background of the agreement to initiate the sanctioning procedure of
reference (Lumendatabase Links 1 to 29).


d) Copy of the first page of search results in the Google search engine with the
terms "D.D.D."

e) Copy of the “Withdrawal under EU privacy law” form, accessible via
from the “google.com” website (“https://www.google.com/webmasters/tools/legal-removal-request?
complaint_type=rtbf&visit_id=637759350971490255-235171692&hl=es&rd=1”).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 28/137









f) Copy of the Privacy Policy accessible through the website "google.com" in its version

current, in force since 07/01/2021, and some versions of it in force as of
05/25/2018.

g) Copy of the information accessible through the URL cited by GOOGLE LLC in point
3.3 of your pleadings brief dated 07/21/2021
(“https://www.lumendatabase.org/pages/lumen-notice-basics”).

h) Information available on the “lumendatabase.org” website regarding the “Lumen Project”.


Said test practice was notified to GOOGLE LLC, warning it that the result
of the same could give rise to the realization of others and that against said act of
procedure there is no room for the filing of an administrative appeal, notwithstanding that the

The interested party may file the appropriate appeals against the resolution that
end of the procedure, by virtue of the provisions of article 112.1 of the LPACAP. For
On the other hand, it was warned about the right to know, at any time, the state of
the processing of the procedure and to formulate allegations, use the means of
defense admitted by the Legal System, and to provide documents in any

phase of the procedure prior to the hearing process.


A) Result of the test indicated with the letter a):


(…).

(...).



B. Result of the test indicated with the letter b):


It is verified that the content and structure of the verified forms coincide
with the detail outlined in the Sixth Antecedent.

On the other hand, the following observations are made:


a) “Google Forms 1 and 11”: form enabled by GOOGLE LLC to report
alleged copyright infringement.

Access the link "https://www.lumendatabase.org/notices/2069", which corresponds

to a notice of copyright infringement from a company located in the United States
United States, dated September 2003. Click on the link that leads to one of the
application support documents and access to a Lumen form that
allows you to request "full access to complaints" from the company in question before

Google, which has the following structure:

“To access this notice enter your email address and solve the captcha.
After you submit the form, we will send you an email with a one-time link.
use to notice.

Email address
(space to record email address)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 29/137









( ) Select to receive a notification when new documents are added.

notification (or when existing notification documents are updated).

Deliver (button)”.

This form includes a link to access the “instructions for filing a
DMCA notification for each product”, which leads to a document with

the label “American Copyright Act (DBCA)”.

b) “Google Forms 2, 4, 5, 7, 9, 17, 21 and 23”: entry pages for the application
removal of content in which various products of the company are listed and

where the applicant would choose which of said products his application for
content removal.

Regarding the list of products that is outlined in the Sixth Antecedent, it is
check that the product “Navlekha” disappears and “Google Workspace

Marketplace”.

1. You access the page to which the link to the product “Search for
Google” (“Google Form 24”), verifying that it does not include any reference

to the communication of information to Lumen. Options are provided on this page.
following:

“How can we help you?
( ) I want to report malware, phishing, or similar issues.
( ) Content that I requested to be removed continues to appear in search results,

even though the webmaster has already removed it.
( ) Remove personal information from Google in accordance with our product policies
(personally identifiable information, doxxing, explicit non-consensual images, etc.).
( ) Personal information: request that my personal information be removed from the results of
Google search.
( ) Intellectual property issue: report copyright infringement, circumvention,
etc.

( ) Other legal problem: report content for another legal reason not included in the .ista”

With the option “Personal information: request that my personal information be removed
from Google search results” takes you to a new page for
removal of content, in which GOOGLE LLC informs that "it is possible that the

search results include a notice to indicate that some
results"; and new options are offered to the interested party:

“Choose one of the following options:
( ) Remove personal information from Google in accordance with our product policies

(personally identifiable information, doxxing, non-consensual explicit images, etc.)
( ) Right to be forgotten: request to withdraw information in accordance with European legislation
in terms of data protection
( ) Defamation: the content defames me or my company or organization”.

Selecting one of these options allows you to create a request (“Click on

Create request to send a request to our team”).
The option “Right to be forgotten” leads to the form “Withdrawal under the law of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 30/137








EU privacy.

For the “Defamation” option, a data collection form is displayed with the
following information:

“Request removal of content for legal reasons
If you think you have found content that is illegal in your country, you can use this form

to submit a claim.
Please identify the exact URLs of the content in question and explain in detail why you believe
that content is illegal. We will evaluate your request taking into account our privacy policies.
removal of content, we will review it and take appropriate action."

“For Google Search claims, you must identify the URL of each web page
that contains allegedly infringing material. Check out this article if you need help
search the URLs”.


“To be as accurate as possible, please cite exactly the text of the URLs listed above
that you believe violates your rights. If the allegedly infringing content is a
image or video, please provide a detailed description of that content so that we can
locate it at the URL in question”.

“If the violation affects multiple Google products, you must submit a notification for each
affected product.


This form includes fields for the applicant to provide the following data: country
of residence, full name of the applicant, name of the company, name of the
company or organization whose legal rights it represents, email address
contact email, allegedly infringing URL and signature. It is also requested to

applicant to “Explain in detail why you believe that the content of the URLs
above is illegal and cite the specific legal provisions if possible.”

2. You access the page to which the link to the “Google Maps and Maps” product leads.

related products” (“Google Form 25”), verifying that it includes the
Next information:

“How to remove content from Google
This page will take you to the right place to report the content you want
withdraw from Google services in accordance with applicable laws. Provide us
complete information so that we can investigate your query.

If you have non-legal issues with the Terms of Service or Privacy Policies
Google products, visit http://support.google.com.
You must submit an individual notification for each Google service in which the
content" .

This page offers new “product” options (Local listings, Google

Maps, Street View and My Business website). By selecting the option “Files
local (including business listings, reviews, posts and photos)”, is displayed
an informative text that refers to the communication of data to the "Project
Lumen” (the same reference to “lumendatabase.org” that appears in the “Forms of

Google 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20 and 22”, reproduced in the Background
Sixth), as well as the publication of information in the transparency report of
“Google (“We may also publish similar information from your
notification in our transparency report. For more information on

this report, click here”).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 31/137










The following options are also displayed regarding the reason for the request:

“How can we help you?
( ) I want to change the incorrect information on my local file

( ) I want to know why the information on my local listing has changed
( ) Personal information: the content includes my personal data
( ) Intellectual property issue: reporting copyright infringement, circumvention,
etc.
( ) Court order: a court ruling has determined that a specific content is illegal
( ) Legal problem: legal problem that does not appear in the list
( ) Material with images of child sexual abuse: visual representation of sexual practices

explicit with minors”.

Selecting one of these options allows you to create a request (“Click on
Create request to send a request to our team”). for option

“Personal information: the content includes my personal data” a message is displayed.
data collection form with the following information:

“Form to request the withdrawal of personal information

For privacy reasons, you may have the right to request that certain
personal information related to you.
This form is used to request the withdrawal of certain content of the product from
Google you have selected. If you wish to request the removal of personal information from another
Google product, submit a request through the corresponding product form,
available on our “How to remove content from Google” page.
For example, if you want to request that certain Search results be removed from

Google for queries that include your name, please submit a request through the
corresponding Google Search form.
Upon receipt of a request, Google strikes a balance between the individual's right to privacy
affected and the right of the general public to have access to information, as well as the right
from other users to distribute it. For example, Google may refuse to remove certain
information about financial scams, professional negligence, criminal convictions, or
public behavior of government officials.


“I agree to the processing of the personal information I submit, as described below:
Google LLC or Google Ireland, for users in the European Economic Area or Switzerland,
will use the personal information you provide on this form (such as your email address)
email and all identity data) and personal information you submit in other
messages to process your request and comply with our legal obligations. google can
share information from your application with data protection authorities, but only if the

request to investigate or review a decision Google has made. This usually happens if
has contacted the national data protection authority in relation to
our decision. Once the content has been removed from our products,
We will inform the corresponding owners.
Please note that if you are signed in to your Google account, we may associate your
application to that account.

( ) Check the box to confirm.

This form includes fields for the applicant to provide their data related to country
of residence, full name and contact email address; So

such as the name and surname of the person it represents, URL of the content that
include the personal information you want removed, the personal information you
you want it to be withdrawn and the reasons for the withdrawal.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 32/137










3. You access the page that leads to the link to the “Google +” product (“Form
Google 26"), verifying that it includes the same information outlined in the case
above (“Google Maps”), including reference to the communication of data to Lumen and

to the “Google Transparency Report”. As for the options, they offer the
following:

“How can we help you?
( ) I want my profile removed from search results.
( ) I want to file a phishing claim.

( ) Other legal problem: report content for another legal reason not included in the list”.

Selecting one of these options allows you to create a request (“Click on
Create request to send a request to our team”).


For the option "I want my profile to be removed from the search results"
displays a link to the following information:

“Allow or prevent web search engines from crawling your Google+ profile

In Google+ settings you can allow or prevent web search engines
track your profile.
1. On your computer, open Google+.
2. Click Menu Settings.
3. Go to "Profile".
4. Activate or deactivate the option "Allow other users to find my profile in the
Search results".


“Do you use Google Currents at work or school?
The person in your organization who manages your Google Workspace account, called
"system administrator" will choose whether web browsers can crawl your profile page or
not. If you don't like the option you've chosen, you can change it."

4. You access the page to which the link to the “Google News” product leads

(“Google Form 27”), verifying that it includes the same information outlined
in section 2 above, except for the reference to the communication of data to the "Project
Lumen” and the “Google Transparency Report”.


The following options are offered on this page:

“How can we help you?
( ) Copyright Infringement: My copyrighted work is being used
illegally without authorization
( ) Counter Notice: An appeal intended to restore content that was removed due to a

copyright infringement claim
( ) Circumvention: a tool circumvents the technological measures for the protection of the rights of
Author
( ) Personal information: the content includes my personal data
( ) Court order: a court ruling has determined that a specific content is illegal
( ) Legal problem: legal problem that does not appear in the list
( ) Material with images of child sexual abuse: visual representation of sexual practices
explicit with minors”.


Selecting one of these options allows you to create a request (“Click on

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 33/137








Create request to send a request to our team”). for option
“Personal information: the content includes my personal data” a message is displayed.
data collection form with the same information that appears in section 2
above, corresponding to the application form available for this same option,
in the “Google Maps” product.


This form includes fields for the applicant to provide their data related to country
of residence, full name and contact email address; So
such as the name and surname of the person it represents, URL of the content that
include the personal information you want removed, the personal information you
you want it to be withdrawn and the reasons for the withdrawal.


c) Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20 and 22. These are the
entry pages to the content removal forms relating to different
GOOGLE LLC products, which are detailed in Precedent Six.


The link provided in these forms is accessed to be able to examine a
example post on “lumendatabase.org”
(https://www.lumendatabase.org/notices/5838). Corresponds to a withdrawal of
defamation content filed in April 2005 by a UK company
that is not identified. Nor is there any personal information of the client of the
requesting entity, and no URL or supporting documentation is included.


Click on the link included in this publication “to request access and see the URLs
complete" and access to the usual "Lumen" form, in which the
email address of the person who wishes to access the information, the
that later said entity sends an email with a link to the information of
single use.


These forms include a link to obtain information about the report of
transparency of GOOGLE LLC (“In addition, we may publish similar information
from your notification in our transparency report. to get more
information about this report, click here”).


On the other hand, in the content removal form corresponding to the product
“Drive and documents”, the option “Personal information: the content
includes my personal data”, which leads to the page where the
creation of the request (Google Form 22). For this option, a
data collection form with the same information contained in section 2
above, corresponding to the application form available for this same option,

in the “Google Maps” product.

This form includes fields for the applicant to provide their data related to country
of residence, full name and contact email address; So
such as the name and surname of the person it represents, URL of the content that

include the personal information you want removed, the personal information you
you want it to be withdrawn and the reasons for the withdrawal.

d) Google Form 18: entry page to content removal forms
related to the product “Google Images”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 34/137










You access the link "Visit this page", through which you access the information
provided on how to contact the webmaster of a website.

At the end of the document, it is indicated:

“If the webmaster has already made the changes you requested to a website listed on
search results, you can ask us to remove outdated information by
a “website removal request”.


By means of this link "web page removal request" you access a
Google Search outdated content removal tool. In the
It indicates the following:


“Guidelines
. This tool only works with pages or images that have already been modified or
removed from the web.
. To remove personal information or content with legal problems that is still present
on one page, "submit a legal request."
. See more information in “this document”.


New request"

Through the "document consultation" inserted in that information, it allows access to

a page with the label “Remove obsolete content tool”, which allows
“update Google search results of pages or images removed or
of pages with removed content.


Through the link “send a legal request”, also inserted in the information
reviewed, you access the page that includes the "Create application" button. This
page reports the following:


“Report content for legal reasons

We take inappropriate content very seriously
If you see content in a Google product that you think violates the law or your rights, contact
in contact with us. We will review the material and study the possibility of blocking it,
limit or withdraw access to such material. Behaviors such as impersonation of
identity (phishing) or the presence of violent or explicit content may lead to the

Violation of our “product policies” and lead to possible removal of products.
content of Google products. We recommend that you report the possible
content violation on the relevant product page before creating a request.

Create a request (button).

Protect your information

Our goal is to provide you with the most powerful security and privacy tools
of the world. Security and privacy are very important to us, so we
We strive to offer you maximum protection.
Read our "Privacy Policy" to learn how Google uses information and what can
do to protect yourself.
Our “Safety Center” can help you and your family stay safe at
Internet. Check it out for more information on the topic and how Google protects

users, their computers and the entire Web against cybercrime.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 35/137










Transparency is essential for us
Transparency is one of Google's core values.
In our desire to be transparent, we can send a copy of each legal notice that
Let's receive the "Lumen project" (link to the website "lumendatabase.org") for publication.
Lumen is an independent research project led by the Berkman Klein Center for

Internet & Society at Harvard Law School. The Lumen database contains
Millions of content removal requests that various companies have shared
volunteer, including Google. Its objective is to facilitate academic and sectoral research on
the availability of online content. Lumen will hide the personal contact information of the
sender, such as your phone number, email address, and mailing address.
You can see an example of a Lumen post “on this page”.
Likewise, we could publish similar information from your notice in our “Report

of transparency”, which provides data on the requests sent to us by both holders of
copyrights such as governments to get us to remove information from our products.

Copyright Information
In accordance with Google's policy, we must comply with notices of infringement of
copyright under the United States Copyright Protection Act.
author (DMCA). See more information about our copyright policies and all

the requirements that a notice must meet in the “Copyright Help Center”.


C. Result of the test indicated with the letter c):


The information published in the Lumendatabase Links 6, 7, 13, 15, 16, 17, 19, 27,
28 and 29 coincides with that outlined in the First and Sixth Background.


In all other cases, the following findings are made:

     . Link Lumendatabase 1


     In the indication of the link appears: "(...)".

     (…)


     Likewise, the link “Click here to request access and see full URLs” is accessed,
     which gives access to the “(…)” page. This page appears with the label “Request
     full access to defamation complaint against Google”, with the following text:


     “To access this notice, enter your email address and solve the problem.
     captcha After submitting the form, we will send you an email with a
     one-time link to notice.

     Email address
     (space to add email address)


     ( ) Select to receive a notification when new documents are added.
     notification (or when existing notification documents are updated).

     Deliver (Button)”.


     . Link Lumendatabase 2

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 36/137









    The published content coincides with that outlined in the previous Background.


    The link “Click here to request access and see full URLs” is accessed, which gives
    access to the “(…)” page, with the same structure as the one outlined in the Link
    Lumendatabase 1.


    . Link Lumendatabase 3

    In the text of the complaint, the data “(…)” and the URL “(…)” have been deleted.

    The link “Click here to request access and see full URLs” is accessed, which gives

    access to the “(…)” page, with the same structure as the one outlined in the Link
    Lumendatabase 1.

    . Link Lumendatabase 4


    Indicates the date of the request addressed to GOOGLE LLC ***DATE.12 and the
    links appear as follows:

    (…)
    (…)

    (…)
    (…)
    (…)

    (...).


    . Link Lumendatabase 5

    In the text of the claim, the data “I.I.I.” Y
    “*** COMPANY.1”.


    . Link Lumendatabase 8

    In the text of the claim, the data “B.B.B.” Y (…) ; and the
    link appears with the review “(…)”.


    . Links Lumendatabase 9 to 12

    In the text of the claim, the data “B.B.B.” (link 9),
    “B.B.B.” (link 10), “B.B.B.” (links 11) and “B.B.B.” (link 12).


    . Link Lumendatabase 13

    The published content coincides with that outlined in the previous Background.


    . Link Lumendatabase 14

    The link indicates “(…)”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 37/137









    . Link Lumendatabase 18


    In the header the data “C.C.C.” has been suppressed, and in the text of the
    claim, the information “(…)” has been suppressed.

    . Link Lumendatabase 19


    The information coincides with that outlined in the previous Background information (request
    prior to the entry into force of the GDPR).



    . Link Lumendatabase 20

    The published content coincides with that outlined in the previous Background
    (request prior to the validity of the RGPD).


    . Link Lumendatabase 21

    The published content coincides with that outlined in the previous Background
    (request prior to the validity of the RGPD).


    The blog “(…)” is accessed and it is verified that it has been eliminated.

    . Link Lumendatabase 22

    The applicant's name has been removed from the header.


    The blog “(…)” is accessed and it is verified that it has been eliminated.

    . Link Lumendatabase 23


    Page similar to the previous one, with requests addressed to GOOGLE LLC based on
    judicial resolutions.

    . Link Lumendatabase 24


    Page similar to the previous one, with requests addressed to GOOGLE LLC based on
    judicial resolutions.

    You access some of the links on the results page of
    the search corresponding to Spanish users, verifying the following:


       . (…) (Lumendatabase 30 link)

          . Header: Addressed to GOOGLE LLC by J.J.J., on 07/06/2020,
          as a result of a court ruling.


          . Claim: “(…)”.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 38/137








          . Link: (…)


          . Documents: Possibility of downloading two supporting documents in
          Pdf format.

       On the other hand, you access the link “Support documents. Support PDF.

       Click here to get…”, which gives access to the “(…)” page. This page, which
       appears with the label “Request Full Access to the Court Order Complaint
       to Google”, offers the option of requesting information related to this
       notification:


       “To access this notice, enter your email address and solve the problem.
       captcha After submitting the form, we will send you an email with a
       one-time link to notice.

       Email address
       (space to add email address)

       ( ) Select to receive a notification when new documents are added.
       notification (or when existing notification documents are updated).


       . (…) (Lumendatabase link 31)

          . Header: Addressed to GOOGLE LLC by K.K.K., on ***DATE.16,
          as a result of a court ruling.


          . Claim: “(…)”.

          . Link: (…)


       . (…) (Lumendatabase link 32)

          . Header: Addressed to GOOGLE LLC by L.L.L., on ***DATE.17,
          as a result of a court ruling.


          . Claim: “(…)”

          . Links: (…)


          . Documents: Possibility of downloading two supporting documents in
          Pdf format.

       . (…) (Lumendatabase link 33)


          . Header: Addressed to GOOGLE LLC by M.M.M., on ***DATE.18,
          as a result of a court ruling.

          . Links: (…) (…)


     . Link Lumendatabase 25


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 39/137








    Page not found

    . Link Lumendatabase 26


    The data “H.H.H.” has been removed from the header.


D) Result of the test indicated with the letter d):


The first page of search results in the
Google search engine with the terms “D.D.D.”. Check that at the bottom of the page
The following disclaimer is included: “Some results may have been removed
in accordance with European data protection law. More information".



E) Result of the test indicated with the letter e):

a) The “Google.com” website is accessed and a copy of the
“Withdrawal under EU privacy law” form
(“https://www.google.com/webmasters/tools/legal-removal-request?
complaint_type=rtbf&visit_id=637759350971490255-235171692&hl=es&rd=1”), which

It is reproduced in full in Annex 2.

b) Click on the link “How to remove content from Google” inserted in the form
above and it is verified that it gives access to the Google login page for the
request for removal of content in which various products of the

company, in which the applicant can choose which of said products his
content removal request (Google Forms 2, 4, 5, 7, 9, 17, 21 and 23).


F) Result of the test indicated with the letter f):


A copy of the Privacy Policy accessible through the
website “google.com” in its current version, valid from 07/01/2021, and a copy of
the versions of said Privacy Policy dated 05/25/2018, 01/22/2019 and
03/31/2020.


From the content of the update of the Privacy Policy dated 05/25/2018,
the sections that are outlined in Annex 1 stand out.

The update of 01/22/2019 includes the same sections as the previous one and
expressed in the same terms, except for the changes indicated in Annex 1 (it is

introduces a new section with the label “European requirements”).

In the same way, the update of 03/31/2020 has the same structure as the
above and is expressed in the same terms, with the changes indicated in
Annex 1, among which the incorporation of a new section regarding the
“Data Retention”.


The update of this Privacy Policy on 07/01/2021, which corresponds to the
version currently in force includes the same sections as the previous version
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 40/137








and are expressed in the same terms, with the changes indicated in Annex 1.

All versions of the Privacy Policy examined include the link
“request content to be removed”. This link is clicked and it is verified, in all the
cases, which gives access to the entry page to the content removal request in

which lists various products of the company, in which the applicant can
choose which of those products your content removal request relates to
(Google Forms 2, 4, 5, 7, 9, 17, 21 and 23).


G) Result of the test indicated with the letter g):


a) The internet address “https://www.lumendatabase.org/pages/lumen-
notice-basics” and the information contained therein is incorporated into the proceedings.
From the information contained in this document, which appears with the label "Concepts
basics of the information of the notice of Lumen”, the fragments that are

reproduced in Annex 4.

b) The Internet address is accessed
“https://support.google.com/websearch/troubleshooter/3111061#ts=2889054%2C2889
099”, included in the previous document, in the section “OTHER TYPES OF NOTICES”.
It leads to an informative document from “Google” about the withdrawal of information, the
which is also reproduced in Annex 4.



H) Result of the test indicated with the letter h):

a) The website “lumendatabase.org” is accessed, to the section called “About” and
the information available in said section is incorporated into the actions, which
It is reproduced in Annex 3.


b) The "Legal Notice" inserted in "lumendatabase.org" is accessed and incorporated into the
actions the information available in said section, which is reproduced in
Annex 3.

c) The website “lumendatabase.org” is accessed, to the section called

“Investigators”, and the information available in said report is incorporated into the proceedings.
section, which is reproduced in Annex 3.

ELEVENTH: On 01/31/2022, a resolution proposal was issued in the
following sense:


1. That the Director of the AEPD sanction the entity GOOGLE LLC, for a
infringement of article 6 of the RGPD, typified in article 83.5.a) and qualified as
very serious for prescription purposes in article 72.1.b) of the LOPDGDD, with a
fine amounting to 5,000,000 euros (five million euros).


2. That the Director of the AEPD sanction the entity GOOGLE LLC, for a
infringement of article 17 of the RGPD, typified in article 83.5.b) and qualified as
very serious for prescription purposes in article 72.1.k) of the LOPDGDD, with a
fine amounting to 5,000,000 euros (five million euros).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 41/137









3. That the Director of the AEPD impose the entity GOOGLE LLC, within the term
to be determined, the adoption of the necessary measures to adapt to the regulations

protection of personal data, treatment operations and procedures
exercise of the right object of the actions, with the scope expressed in the
Legal basis X of the proposed resolution.

TWELFTH: Notification of the proposed resolution, extension of the term
granted for the formulation of allegations and sent a copy of the proceedings

incorporated into the procedure, a letter was received from GOOGLE LLC requesting the
Next:

1. That the nullity of the procedure be declared null and void for not taking into account
consideration the rules of the cooperation mechanism, and break the rules

regulations of the sanctioning procedure of a fundamental nature and of the principle of
legitimate expectations (letter e) of article 47.1 of the LPACAP).
2. Subsidiarily to the foregoing, the annulment of the Procedure in the terms
contemplated in article 48 LPACAP, due to the existence of an action by the
Agency that involves an infraction of the legal system and that causes the
helplessness of the defendant.

3. Subsidiarily to the foregoing, the non-existence of the alleged infractions of the
art. 6.1 and 17 of the RGPD, and the file of the actions.
4. Subsidiarily to the foregoing, the imposition of the amount of the sanction
corresponding in its minimum degree and the limitation of the scope of the orders or
corrective measures only for data processing attributable to GOOGLE

LLC, granting a reasonable term to comply with them.

After declaring his previous writings and information reproduced, he formulates the
following considerations, on which you base your request:


1. The initial object of the procedure, referred to the "communication of data
related to requests or requests for removal of content made by
GOOGLE LLC. to the Lumendatabase project”, has been expanded by the AEPD in the
proposed resolution to treatments for which GOOGLE LLC is not responsible,
thereby violating the regulations.


GOOGLE LLC indicates that the Agency initiated the procedure with a defined object,
such as the analysis of the communication of data related to requests for
withdrawals of content to the "Lumen Project", and the fulfillment of the
article 17 of the RGPD in relation to these communications. About this issue,
GOOGLE LLC expressly declares the following:


“In effect… Google LLC, is the entity responsible for the processing of personal data
that has taken place in the context of communications of withdrawal requests to Lumen.
Precisely for this reason, the present procedure was correctly initiated against
Google LLC”.

It adds that, notwithstanding the foregoing, in the aforementioned proposal a new

alleged infringement of article 17 GDPR based on deficiencies (quod non)
found in the forms and procedures for the removal of content
accessible through Google products and services, which are offered to users
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 42/137








users located in the European Economic Area (“EEA”) and Switzerland (including
Blogger/Blogspot, Drive, Google Photos, Google Play, YouTube, etc.) by Google
Ireland Limited, so this entity is responsible for data processing

associated with the use of these services and the Irish Data Protection Commission
(or “IDPC”) the lead supervisory authority for any cross-border processing
related to such personal data.

Nor is GOOGLE LLC responsible for the procedures and forms for the
removal of content or personal data processed in this context.


By not considering whether the cooperation mechanism of Article 60 of the GDPR should
activated with the extension of the procedure, the AEPD has infringed the regulations
applicable, which irremediably entails the nullity of this procedure
in accordance with the provisions of article 47.1.e) of the LPACAP or, in any case, the

annulment of the procedure in the terms contemplated in article 48
LPACAP.

2. The facts show that the processing of claims, the
involvement of the IDPC and the investigation and verification actions carried out
by the Agency have been delayed for more than what is allowed in the applicable regulations,

not subject to the procedures provided for in said regulations.

The previous investigation actions have widely exceeded the term of 12
months established in article 67.2 of the LOPDGDD, since the IDPC rejected
its competence (understood, then, that the competence corresponded to the

AEPD) on 01/22/2020.

Faced with this, the provisional filing of the file declared by the
01/16/2020 in accordance with article 66.2 of the same Organic Law, which only
it can be extended until the moment in which the AEPD confirms its competence. In

At this point the provisional file is lifted and the file recovers everything
its vigour. In this case, it is appropriate to apply, by analogy, a criterion in line with what
establishes article 64.4 of the LOPDGDD, according to which the suspension of deadlines
of the procedures ends at the moment in which the control authority of the other State
Member proceeds to the "notification of the pronouncement to the Spanish Agency of
Data Protection".


Thus, although the Agency declared at the time the provisional file of the
procedure, said file must be understood as raised on 01/22/2020, once the
AEPD "recovered" its jurisdiction over the knowledge of claims. In
consequently, the provisional file of the procedure is ineffective to avoid the

expiration of actions. Likewise, the lack of declaration by the AEPD
of the formal lifting of the provisional file cannot have any effect at this
respect, since it is evident that the procedure continued.

In this situation, the previous investigative actions would have expired, therefore

that the information collected within the framework of the same could not be used in this
Procedure.

This circumstance was highlighted by this party in its arguments to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 43/137








Home Agreement. Given this, in the resolution proposal, the Agency states that
agreed to open the procedure without having developed prior actions of
investigation and, that being so, the expiration of some actions cannot be invoked

that have not taken place.

Although the Agency denies these previous actions, it is clear that it did lead to
carried out a series of actions aimed at "better determining the facts and
the circumstances that justify the processing of the procedure” and that can only be
qualify as investigations or verifications and that have been reflected in the

Original File (p. 194 et seq. and p. 275 et seq. of Annex 1), as well as in the
background indicated in the resolution proposal. The existence of these tasks
research is an incontestable fact.

The AEPD does not provide any explanation about how to qualify the work then

of research that he actually carried out prior to the initiation agreement, nor
nor the legal framework in which they would have been carried out. It is simply limited to
deny having carried out any investigation, which is clearly not consistent with the
reality.

In view of this, there are only two possibilities, leading both to the infringement of the

legal system by the AEPD:

a) That although the opening of proceedings prior to the failure to
there is an agreement by which its initiation was decided, such previous actions
should be understood as open in any case, given the research work that,

effectively, the Agency did carry out. If such were the case, said actions
previous reports would have exceeded the legally permitted period of time and should
understood expired for the reasons stated above.

b) That, since there is no formal agreement to initiate the preliminary actions, the

Agency would have carried out investigation, investigation and verification actions,
outside the legally established framework for prior actions, (i) exercising
powers and investing resources and human and material means, without legal protection or
a legally established legal framework (which in itself entails legal reproach) and
(ii) thus reprehensibly circumventing the time limit established by the
LOPDGDD for previous actions.


In relation to the possibility of carrying out investigation tasks without formal opening
of preliminary investigations, GOOGLE LLC indicates that it does not share the interpretation that the
Agency does with respect to article 67 of the LOPDGDD and the optional nature of
the same.


By virtue of this article, the Agency may or may not carry out prior actions of
investigation before adopting the initiation agreement, but in case of making any
investigation or verification, the legal channel provided for it must be those mentioned
preliminary investigative actions.


On the other hand, the 12-month period established for preliminary actions is due to
to the will of the legislator to ensure the efficiency of the work of the AEPD and protect
those administered against the excessive dilation of the procedures. Can not

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 44/137








accept that the AEPD can carry out actions aimed at the "best
determination of the facts and circumstances that justify the processing of the
procedure” indefinitely, without formally considering them “prior actions

investigation”, even more so when, as in our case, it is invoked
precisely to circumvent the time constraints imperatively imposed by the
Article 67.2 of the LOPDGDD.

Therefore, the Agency has violated the provisions of the LOPDGDD regarding the
sanctioning administrative procedure and its processing, invalidating the

initiation agreement and the procedure as established in the article. 47.1.e) of
the LPACAP for having totally and absolutely dispensed with the procedure legally
established.

3. Considers GOOGLE LLC that it has not violated article 6 of the RGPD, which proceeds

apply the legitimating basis of legitimate interest to data communications made
to Lumen.

The Agency rejects the application of legitimate interest and denies the possibility of resorting to
consent. Regarding this last alternative, he indicates that it has never been
defended by GOOGLE LLC, so it does not refer to it in its allegations,

although he warns that he disagrees with the reasoning contained in the proposal, although
offers no explanation for it.

The respondent understands that, according to Opinion 06/2014 on the concept of interest
legitimate interest of the data controller, (a) there are various interests

legitimate interests in the transfer of data with Lumen, and (b) said legitimate interests prevail
on the rights and freedoms of the interested parties; in line with what is indicated in the
arguments to the initial agreement, which is reproduced almost literally in this new writing
of arguments to the proposal.


Reiterates what was stated in the pleadings brief at the opening of the proceeding
about the legitimate interests of GOOGLE LLC, Lumen and society in general in the
transfer of information on requests regarding the removal of content, and points out,
in response to what is indicated in the resolution proposal, that such legitimate interests
they do not have a supervening character, but existed before the activities were carried out.
transfers to Lumen and met the necessary requirements to constitute the base

legitimizer of such assignments; and that it cannot be argued that said communication of
data defrauds the expectation of privacy of users, since these are
reported on the forms.

On the other hand, GOOGLE LLC clarifies that it is not true that it shares with Lumen the

e-mail address of the claimants, and that this could only happen in the
In the event that it is the claimant himself who includes his email address in the
free field of the form intended to motivate or explain your withdrawal request.

Finally, the respondent alleges that none of the circumstances indicated by the

Agency to question the application of this legal basis may deny their own interest
legitimate, that of Lumen or of society in general, nor can it be understood that
tilt the weighting test in favor of the rights and freedoms of
interested.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 45/137









4. The AEPD imputes to GOOGLE LLC an infringement of art. 17 of the GDPR, referring to
right of suppression, although from a very different perspective than the one analyzed in the

initial agreement, and reproaches the "non-attention and obstruction of the right of
deletion of personal data” based on the analysis of procedures and various
forms that the entities of the Google group make available to their users
to request the removal of illegal content or content that is contrary
to the terms of service or the content policies of each respective service or
Google product.


GOOGLE LLC is not the controller of the personal data processed
in the context of many of those forms and the associated withdrawal processes,
which entails the impossibility that the Agency can impute the infringement of the
article 17 of the RGPD regarding these treatments.


In addition, the AEPD does not provide any evidence of the existence of a single right of
deletion "unattended" or "hindered" by the claimed and bases the violation
in an opinion on the lack of simplicity and clarity of withdrawal forms
Contents. The aforementioned imputation is devoid of any evidence or objective criteria
and absolutely disconnected from the complaints that originated the procedure.


The AEPD ignores that GOOGLE LLC has more open channels for communication
with its users and those interested in exercising a right under the regulations of
data protection, being possible to contact the Data Protection Office of
Google through the channels enabled for this, generic forms are offered to

formulate any type of legal claim and, in the same way, the entity receives
regularly all kinds of postal mail related to removals of content or
with the exercise of rights.

The AEPD "speculates" that the lack of attention and obstruction exists because the

content removal forms are not clear, but this is not enough to
prove the infraction, which is situated before a case of effective exercise of a
right of suppression, which is infringed only when it is really frustrated, either by
prevent its exercise, either because the personal data was not deleted when appropriate.

But the commission of the offending type requires as a "condition sine qua non" the existence of

a right of suppression that, well it was tried to exercise and was not achieved by preventing
illicitly exercised, or was exercised and the data was not deleted when
proceeded.

The AEPD bears the burden of proving the real existence of this exercise of

right of deletion that did not come to fruition due to "not having been attended to or having
been hindered." However, the Agency proves no such thing.

Faced with this, although it is not required of anyone to prove their innocence, GOOGLE LLC
can provide numerous evidence that the right of suppression is met

correctly and in no case is it hindered.

(…)


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 46/137








On the other hand, the AEPD ignores the set of help pages and resources
specifically intended to inform and assist applicants for the right of

suppression before GOOGLE LLC. This is the case, among others, of the help page
"General description of the right to be forgotten" (provides the detail of this page), which
includes, according to said entity, very detailed information, in simple, clear and
concise on the law, as it has been recognized by the CJEU and is
applying and interpreting the courts and data protection authorities in

their decisions and guides.

It also makes video tutorials available to claimants to explain the
channels and procedures to exercise your right of deletion (“right to be forgotten”)
effectively (provides screen print available on Youtube).


Considers it unheard of that the AEPD understands that GOOGLE LLC hinders the exercise
of rights, when it invests so many resources and means to explain to claimants
How can you exercise it?


The AEPD also seems to have overlooked the fact that the Third Chamber of the Court
Supreme has had the opportunity to evaluate forms for the removal of content
offered by Google LLC in various sentences, and has done so in the following
terms:

“offers interested parties complete information on the exercise of their right, facilitates the

corresponding forms and provides precise instructions for completing them.

See, for all, Judgment no. 1917/2016, of July 21, 2016 (Recourse
no. 2866/2015), Judgment no. 3713/2016 of July 21, 2016 (Appeal no.
3279/2015) or Judgment no. 1912/2016 of July 21, 2016 (Appeal no.

1867/2015).

In view of the absence of evidence, in the opinion of the respondent, it turns out that the AEPD is
trying to reorient the purpose of article 17 RGPD and to create a new
construction on how the requests of the interested parties should be channeled. A

new interpretation that has no connection with the evidence collected by the
AEPD, its conclusions and the complaints filed. As on previous occasions,
it seems that the AEPD is using a sanctioning procedure inappropriately
to establish interpretive criteria (when said procedure is clearly
unsuitable for this) and, as the Agency is well aware, such behavior is not

allowed by law. This was established by the Contentious-Administrative Chamber of the
National High Court in its ruling of April 23, 2019 (appeal no. 88/2017),
precisely as a result of a resource of GOOGLE LLC:

“In short, the Chamber considers that the AEPD, in this case, has not proceeded to initiate a
sanctioning procedure, based on the denunciation of specific facts, and in which,
respecting the principles that govern such a procedure, has reached a resolution

sanctioning authority after making a reasonable assessment of the evidence, but, as she
itself comes to recognize, has made use of a sanctioning procedure, to establish a
interpretive criterion regarding the issues raised by the complainants – the disagreement
with the criteria already established by the AEPD itself in a press release- in accordance with
the guidelines of the Group of Data Protection Authorities of the European Union. (F.V,
page 41 of the resolution), a criterion that cannot be shared by the Chamber at all, according

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 47/137








with the previously exposed.”

There is also no complaint or complaint from any citizen about this in the file.
particular.


Thus, the conclusions of the motion for a resolution are manifestly contrary to the
principle of legitimate expectations contained in art. 3.1(e) of Law 40/2015, of 1
October, of the Legal Regime of the Public Sector, taking into account that the AEPD
has been linking and inviting citizens to use the set of forms of
removal of content, as can be seen on its website: Right of deletion ("at
oblivion"): internet search engines, Delete photos and videos from the internet, Guide for

citizen (page no. 23) or its recent Priority Channel (reviews the links that
lead to this information posted on the AEPD website).

GOOGLE LLC states that it is open to improving the procedures and
mechanisms enabled for the withdrawal of content and the exercise of rights to

under the data protection regulations, in accordance with the considerations that
transfer the AEPD, but does not consider that it is hindering its exercise.

What is stated in this allegation entails, according to the claim, the non-existence of the
infringement of article 17 of the RGPD, as well as the nullity of the start-up agreement and the
procedure in accordance with the provisions of art. 47.1(e) LPACAP and,

subsidiarily, the annulment of the same in the terms contemplated in art. 48
LPACAP.

5. In relation to the graduation of sanctions, GOOGLE LLC formulates
subsidiary the following allegations:


a) The AEPD has taken into consideration content removal forms
related to products and services provided by GOOGLE IRELAND LTD and
processing for which GOOGLE LLC is not responsible. Understand that since
have reduced the products and services under analysis, the sanctions must be
subject to an equally proportional reduction.


b) The mitigating circumstances specified below must be considered.
continuation:

. Article 83.2.c of the RGPD:
GOOGLE LLC has instructed Lumen to carry out additional anonymisations of
requests for removal of content identified by the AEPD, as stated in the

performances.

He rejects the assessment made by the Agency regarding these measures when
indicates that they do not modify the basic fact of the infraction so as not to take them into account
as mitigating factors. Mitigating circumstances, by definition, do not change the fact

that an infringement has occurred, but rather contribute to mitigating the
liability of the offender for the offense committed. If such measures are not
valid for these purposes, the respondent raises what the Agency considers to be
It would be a mitigating circumstance appropriate to the indicated precept.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 48/137








Nor can it be accepted that the accompanying measures (described in the
Complementary Allegations), aimed at reinforcing the protection of the rights of
stakeholders, should not be taken into consideration because they are insufficient, according to the

criterion of the AEPD, which seems to want to discourage the taking of measures by
those responsible before a procedure. He adds that the fact that they did not "reach
remedy the infraction” does not imply that they cannot be configured as mitigating
(especially, taking into account art. 83.2.k of the RGPD does not limit the type of
mitigating factors to resort to).


. Article 76.2.c of the LOPDGDD:
GOOGLE LLC does not derive any commercial benefit or income as a result of
communications to Lumen.
The Agency has indicated that the absence of benefits cannot be measured
exclusively in commercial or monetary terms and, furthermore, in the case of a

company that bases its activity on the processing of personal data, cannot
It can be said, without further qualification, that GOOLGE LLC makes no commercial profit. Yes
the Agency considers that the respondent entity has obtained benefits, whether
commercial or of any other type, you must prove it, not corresponding to GOOGLE
LLC demonstrate a negative fact (and constituting "evil evidence"), such as the
lack of benefits obtained in this aspect.


c) The object of the imputed infractions is reduced solely to the treatment of
data attributable to GOOGLE LLC in Spain, which implies a clear and direct impact
in the aggravating circumstances (which that entity rejects in its entirety) under the
articles 83.2(a), (g) and (k) of the RGPD indicated by the AEPD.


d) In accordance with the principle of legitimate expectations, it is manifestly incoherent that
the Agency itself has been linking and promoting the Withdrawal Forms for years
Google Content on your websites, guides and publications, if you really
considered that they were an obstacle or barrier to the exercise of rights. turns out how much

less shocking than it is up to now, and nothing less than at the headquarters of a
Proposal for a sanctioning Resolution, the first time this issue has been raised.
According to the defendant, the advertising carried out by the AEPD of the forms of
Google should be considered a mitigating circumstance under art. 83.2 (k) GDPR,
that directly mitigates the potential malicious or negligent behavior of Google
LLC (quod non).


e) It is also not possible to accept the recrimination that the AEPD makes about the lack of
statement by GOOGLE LLC, in its allegations to the initiation agreement,
about the graduation factors stated in said Startup agreement. GOOGLE
LLC totally rejects the aggravating circumstances indicated by the AEPD and its

lack of statement in this regard in the allegations to the initial agreement does not produce
no effect in this regard.

6. In relation to the measures that GOOGLE LLC must take to adjust its
action to the personal data protection regulations, reiterates that in the territory

Spanish can only be considered responsible for the treatment derived from the
communication of withdrawal requests to Lumen and in relation to certain data
present in the information indexed and displayed in the services of
“Google Search” and “Google Maps”. Any measure that the AEPD establishes

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 49/137








should be limited to those specific treatments.

In this regard, it warns that any type of measure that affects its processes

internal demands significant engineering resources and implies the need to undertake
various tasks of planning, coordination, management, error testing and supervision,
with the added difficulty that the claimed company is a foreign company that will have
to coordinate different teams at an international level. On this basis, it requests that
grant a sufficient term to guarantee a correct implementation of the
measures in question and that allow safeguarding the rights of the interested parties and

not jeopardize the quality and stability of the entity's systems.


Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:



                                PROVEN FACTS


1. GOOGLE LLC is a company with registered office in California (United States),

which has a subsidiary in Spain that acts under the legal form of a limited liability company.
limited liability, with the name GOOGLE SPAIN, S.L. and what has like
corporate purpose “Promote, promote and market online advertising services,
Through Internet".


GOOGLE LLC develops an activity of an economic nature whose purpose is
the offer of products and the provision of online services, which include,
among others, operating systems, applications for mobile devices, email
e-mail, social networks, maps, video, blogs, Cloud services and applications
specific for companies.


This entity offers its products and services to people residing in Spain,
are natural persons (such as “Search”, “Maps”, “Gmail”, “YouTube”, “Drive”,
"Blogger") or legal. In some cases, the use of the products or services is
offers to users who have previously registered as such (eg, Gmail), but
products and services are also offered (Search, Maps, Youtube, etc.) that can

be used without logging in as a registered user.

GOOGLE LLC has a subsidiary in Ireland, with the name GOOGLE
IRELAND LIMITED. This subsidiary, from 01/22/2019 (date of update of the
Privacy Policy that informs about the offer of products and services of

"Google" by this entity in the European Economic Area), acts as
responsible for the processing of personal data of the users of the services of
“Google” that are located in the European Economic Area, “unless indicated
otherwise in a service-specific privacy notice” (Privacy Policy).
Privacy).


 As of that date, “Google LLC is the data controller.
information indexed and displayed in services such as Google Search and Google
Maps” (Privacy Policy), regardless of the user’s location.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 50/137










2. The Privacy Policy of GOOGLE LLC is accessible on the website

"Google com". Since the date 05/25/2018, there are eight updates to this
Privacy Policy, four of which have been incorporated into the proceedings
(those dated 05/25/2018, 01/22/2019, 03/31/2020 and 07/01/2021, which corresponds to
currently valid version).

As indicated in this information, the Privacy Policy applies to all

services offered by GOOGLE LLC and its affiliates, except “for services that are
subject to independent privacy policies”.

The entire content of this Privacy Policy, in its different versions, is
declares reproduced in this act for evidentiary purposes. Some of this content is

incorporated into this act as Annex 1.


3. GOOGLE LLC has established a specific procedure so that interested parties
may request, "for privacy reasons", the withdrawal of results obtained in
searches with the name of the person as criteria and enabled a form
specifically called “Withdrawal under EU privacy law”. East

form is accessible through the “google.com” website, at the URL
“https://www.google.com/webmasters/tools/legal-removal-request?
complaint_type=rtbf&visit_id=637759350971490255-235171692&hl=es&rd=1”.

In this form, GOOGLE LLC declares itself responsible for data processing

personal data by providing results from “Google Search” and managing the
withdrawal requests submitted using this form.

It incorporates a link “How to remove content from Google” that leads to the page on which
that various "Google" products are listed, through which you can access the

content removal forms enabled for each of these products
(in the Sixth Antecedent the complete list of products and services is detailed
included in it). This page coincides with the one outlined as “Forms
Google 2, 4, 5, 7, 9, 17, 21 and 23”.

The full content of this form, which is incorporated into this act as Annex 2, is

declares reproduced for evidentiary purposes.


4. Through the website “google.com” you can access the page “How to withdraw
Google content”, which coincides with the one described as “Google Forms 2, 4, 5,

7, 9, 17, 21 and 23”.

This page gives entry to the forms enabled by GOOGLE LLC so that
Users can request the removal of content online for each of the
products that are listed in it (according to the information offered, "This page

will allow you to access the appropriate site to report the content you want to remove from
Google services in accordance with applicable laws”).

The Sixth Precedent details the complete list of products and services
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 51/137








included on this page.


Verifications have been carried out in the actions (they are detailed in the
Background Sixth and Tenth) in relation to the Blogger/Blogspot products,
Chrome Web Store/extension gallery, Google Classroom, Google Groups,
Google Help Communities, Poly, Feedburner, Data Studio, Cloud Firestore, Google
Images, Google Photos and Picasa Web Album, Drive and Documents, Search

Google, Google Maps and related products, Google + and Google News
(“Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 18, 19, 20, 22, 24, 25, 26 and 27,
respectively).

In general, when you click on a product on the page “How to remove content from

Google” you access a new page that allows you to create a request for withdrawal of
online content.

The application includes fields for the applicant to provide their data relating to the country of
residence, full name and contact email address; just like him

name and surname of the person you represent, URL of the content that includes
the personal information you want removed, the personal information you want
to withdraw and the reasons for the withdrawal.

“Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20 and 22” include the

following informative text:

“In addition, we may publish similar information from your notification on our website.
transparency report. For more information on this report, click here.”

The content of these forms, which is outlined in Background Information Sixth and

Tenth, it is declared reproduced for evidentiary purposes.


5. GOOGLE LLC has provided a specific form to report alleged
copyright infringements (“Google Forms 1 and 11”), accessible through the

website “Google.com”. This complaint may entail “the withdrawal of any
material against which a claim has been made for incurring a
infringing activity, the disabling of access to said material or the cancellation of
subscriber accounts.


These forms include the following informative text:

“Furthermore, according to our policy, we document all notifications of alleged
violations we receive, including sending a copy of the notice to one or
various third parties, or its publication”.

The content of these forms, which is outlined in Background Information Sixth and

Tenth, it is declared reproduced for evidentiary purposes.


6. The “Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20, 22, 25 and 26”
display the following informative text, which refers to the communication of

data to “Project Lumen” by GOOGLE LLC:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 52/137










“Please note that we may send a copy of each notification
legal documents that we receive to the Lumen project (https://www.lumendatabase.org) for publication
and annotation. Lumen will remove the sender's personal contact information (i.e., the
phone number, email address and home address).
To consult an example of this type of publication, go to the page

https://www.lumendatabase.org/notices/5838”.

Through the "Google Form 18", corresponding to the Google Images product,
accesses a tool for removal of “outdated content from Search Search”.

Google". This tool offers the option of submitting a “legal request” to
“remove personal information or content with legal problems that are still present
in a page". In relation to this request, the following is indicated:

Transparency is essential for us

Transparency is one of Google's core values.
In our desire to be transparent, we can send a copy of each legal notice that
let's welcome the "Lumen project" (link to lumendatabase.org website) for publication.
Lumen is an independent research project led by the Berkman Klein Center for
Internet & Society at Harvard Law School. The Lumen database contains
Millions of content removal requests that various companies have shared
volunteer, including Google. Its objective is to facilitate academic and sectoral research on
the availability of online content. Lumen will hide the personal contact information of the

sender, such as your phone number, email address, and mailing address.
You can see an example of a Lumen post “on this page”.

The "Google Forms 1 and 11", arranged to request removal of content in
line for copyright infringement, include the following references to

"Lumen Project":

“Furthermore, according to our policy, we document all notifications of alleged
violations we receive, including sending a copy of the notice to one or
various third parties, or its publication. You can see an example of this type of publication in the

page https://www.lumendatabase.org/notices/2069”.

“Please note that a copy of each legal notice we receive is sent to a third party,
that you could publish it and annotate it (without your personal information). So the content of this
form will be forwarded to Lumen (http://www.lumendatabase.org) so that it can be published.
To see an example of this type of publication, access the page
http://www.lumendatabase.org/dmca512/notice.cgi?NoticeID=861. In the case of products
such as Google Web Search, a link to the posted notice will appear in the search results.

Google search instead of removed content.”


7. GOOGLE LLC communicates to the "Lumen Project", created by the entity Berkman Klein

Center for Internet & Society at Harvard University, both based in
United States, requests for removal or deletion of online content that
manages, motivated by copyright infringement, defamation, court rulings,
trademarks, applications based on local law (legal problem).


The information included in the "Google Forms" shows other reasons for
that are selected by the interested parties, which may also lead to the sending of
notification of content removal to "Project Lumen".

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 53/137









This communication occurs in relation to requests for removal of content in
line that are formulated with respect to the products that are mentioned in the Facts

Tried 4 and 5.

GOOGLE LLC communicates to the "Lumen Project" all the information corresponding to
these requests, including the identification of the applicant and the affected party, if applicable, their
email address, the reasons alleged (the text of the claim)
and the claimed URL, as well as supporting documentation, if any.



8. The entity responsible for the "Lumen Project" publishes the withdrawal notices
online content that you receive from GOOGLE LLC on the website of its ownership,
lumendatabase.org.


The notice is published with the information that is transmitted to the "Lumen Project", although,
This entity informs on its website that it executes automatic processes to anonymize
some personal data (email addresses, telephone numbers or
National identification or Social Security numbers, names included within
a URL or in the text of the notice), in the manner indicated in the Proven Facts

following.

The publication of these notifications or notices has the following structure:

. Header: reason for the request, natural person or entity making the request,

date of the request, country of origin, entity to which the request is addressed and entity that
has sent the notice to the “Lumen Project”.
. Content Removal Request Summary – Includes a text box in which
the factual circumstances of the request and its motivation and the URL are reproduced
that gives access to the deleted content.

. Link to the support documentation in “pdf” format.

A link is included at the bottom of these posts, “Click here to request access and
see full URLs” (whose translation would be “Click here to request access see address
full URL”) leads to a page
(“https://lumendatabase.org/notices/.../request_access”) in which you can request the

“Lumen Project” access to the complete information of the corresponding notice of
content removal. Clicking on this link takes you to a page with the label
“Request full access to the complaint”, which includes a form that is requested
the email address of the person who wishes to access the information, to
which later the "Lumen Project" sends an email with a link to the

single-use information. The structure of this form is as follows:

Click on the link included in this publication “to request access and see the URLs
complete” and access a form available at “lumendatabase.org”, at

“To access this notice enter your email address and solve the captcha.

After you submit the form, we will send you an email with a one-time link.
use to notice.

Email address
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 54/137








(space to record email address)

( ) Select to receive a notification when new documents are added.
notification (or when existing notification documents are updated).

Deliver (button)”.



9. It is declared reproduced in this act, for evidentiary purposes, the information available
on the website "lumendatabae.org", in the sections "About", "Legal Notice" and
“Researchers”, and in the document called “Basic concepts of the

information of the notice of Lumen”, whose content is fully outlined in
Annexes 3 and 4.


10. The detail of various publications is included in the proceedings

made on the website "lumendatabase.org" corresponding to notifications of
removal of online content submitted by GOOGLE LLC, related to
requests addressed to this entity by Spanish users under the validity of the RGPD.

The content of these publications, which is outlined in the Background of

this act, is declared reproduced for evidentiary purposes.

Said content can be accessed publicly, without restrictions, through the
URLs that are mentioned in the Background of this act, outlined as "Link
Lumendatabase” and marked with the numbers 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 22, 25, 26, 29, 30, 31, 32 and 33.

The content deletion notifications accessible through the “Link
Lumentadabase” indicated with the numbers 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, and

25 were sent by GOOGLE LLC as notices regarding requests for reasons
defamation. On the reasons for the request, in relation to the “Links
Lumendatabase 3, 14 and 25”, consists of the following:

   . “Lumendatabase 3 Link”: Remitted as a request for libel purposes,

   but it refers to the removal of search results from the “Search Finder”.
   Google" "(…)".
   . “Lumendatabase 14 Link”: Remitted as a request for libel purposes,
   but it refers to the deletion of personal data (“Data about me is given,
   email address…").

   . “Lumendatabase 25 Link”: Submitted by GOOGLE LLC as a request for
   motives of defamation, but the text of the same refers to the elimination
   of search results of “Google Search” “(…)”.

The content deletion notifications accessible through the “Link

Lumentadabase” indicated with the numbers 16, 17, 18, 22, 26, 29, 30, 31, 32 and 33
were sent by GOOGLE LLC as notices regarding requests based on a
Judicial failure.

The content deletion notification accessible through the “Link

Lumentadabase 15” was sent by GOOGLE LLC as a notice regarding
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 55/137








withdrawal requests by application of local regulations.

The publications accessible through the "Lumentadabase Links" marked with

numbers 16, 18, 22, 26, 29, 30, 31, 32 and 33 include the data in the header
information of the applicants related to name and two surnames (except number 32,
that only mentions a first name and a last name).

The publications accessible through the "Lumentadabase Links" marked with
the numbers 3, 5, 8 to 12, 18, 25, 29 and 30 include in the text box that reproduces

the request for removal of content, detailing, in addition to the
factual circumstances that motivate said request, the identification of one or more
people (whether they are the interested parties to whom the removed content refers or other
affected or implicated in the events); postal addresses; review of some url
that includes the mention of a person's first and last name or a postal address;

the commercial name of an establishment; the reference of a statement (number,
date) and the name of the persons involved as parties in the process
(plaintiff and defendant); or the profession of an affected party:

“Lumentadabase 3 link”: postal address and URL with postal address.
“Lumentadabase 5 link”: name and two surnames of a person and name

merchant of an establishment.
“Links Lumentadabase 8 to 12”: name and two surnames of the affected party (8), name and
a surname of the same person (9 and 10), only a name of the same person (11 and 12).
“Link Lumentadabase 18 and 29”: reference of a judgment (number, date) and the
name of the people who intervene as parties in the process (plaintiff and

defendant).
“Base 25 Lumented Bond”. name and surname of a person and their profession.
“Lumentadabase 30 link”: name and surname of two people involved in
a court proceeding.


The publications accessible through the "Lumentadabase Links" marked with
the numbers 4, 8, 9 to 12, 13, 16, 18 and 32 include the URL that gives access to the content
eliminated, in which personal data appears integrated in the address of
Internet. These URLs appear in the post as follows:

“Lumentadabase 4 link”:

 "(...)".
"(...)".
"(...)".
"(...)".
"(...)".


“Lumentadabase 8 link”:
"(...)".

“Link Lumentadabase 9 to 12”: These links correspond to the same request for

removal of content from “Link Lumendatabase 8”. In these cases, the address of the
link shows “B.B.B.” (link 9), “B.B.B.” (links 10 and 11) or “B.B.B.” (link
12).


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 56/137








“Base 13 Lumented Link”:
"(...)".


“Base 16 Lumented Link”:
"(...)".

“Base 18 Lumented Link”:
"(...)".


“Base 32 Lumented Link”:
"(...)".

In relation to the "Link Lumentadabase 16", the complainant provided a capture of
screenshot of the “lumendatabase.org” website (“Lumendatabase 17 Link”), at

showing a fragment of the first page of the (...), accessible through the
“Link Lumendatabase 16”. It also provided a complete copy of this Judgment, in
which includes the names and surnames of all the people involved in the
process (judge who dictates it, plaintiff "C.C.C.", defendant, their
representatives, the Public Prosecutor and (...) “D.D.D.”, as well as all the circumstances of the
process, (…).


This sentence is also support of the publication indicated as “Link
Lumendatabase 18”.



The checks carried out in the test phase of the procedure have allowed
verify that the personal data and information accessible through the links
reviewed has changed in the following sense:

“Enlace Lumentadabase 3”: In the text of the claim, the address has been deleted

postcard and the URL that was mentioned.

“Link Lumentadabase 4”: Three URLs have been anonymized, while the
two others as follows:
"(...)".
"(...)".


“Link Lumentadabase 5”: In the text of the claim the data has been suppressed
of name and surnames and the commercial name of the establishment.

“Links Lumentadabase 8 to 12”: In the text of the claim and in the address of the

link personal data relating to name and surname have been deleted.

“Lumentadabase 13 Link”: The URL object of the content removal request
appears anonymous.


“Links Lumentadabase 18 and 29”: In the header the data of the
applicant; in the text of the complaint the name of the persons has been deleted
that intervene as parties in the process and the URLs have been suppressed.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 57/137








“Link Lumentadabase 22 and 26”: The name of the applicant has been removed from the

header.

“Lumentadabase links 16, 17 and 25”: The page is not accessible.



During the testing phase of the procedure, the following URLs were accessed,
mentioned in the "Link Lumentadabase" that are indicated, which correspond
to the respective internet addresses that were the subject of the withdrawal request.

online content. This access returned the following information:

“Lumentadabase 1 Link”:
Access to the blog available at the address "(...)", which contains the date
***DATE.19. It is verified that it corresponds to a blog created, as indicated, (...).

The heading indicates “(…)”.

“Lumentadabase 4 link”:
The internet address “(…)” is accessed and it is verified that it gives access to a

document dated ***DATE.20, with the label (...). (...).


11. In a search carried out by the complainant with the “Google Search Engine”, with the

name and surname of the applicant to whom the "Lumendatabase Links" correspond
16, 17 and 18” as query criteria, a page of results is obtained that
includes a footnote indicating that several results have been deleted and is highlighted
a hyperlink to “lumendatabase.org”:


“In response to a legal requirement sent to Google, we have removed 3 result(s) from this
page. If you wish, you can read more information about this requirement at
LumenDatabase.org”.

In a search carried out by the complainant with the "Google Search", with the

name and surname of the affected party to whom the “Lumendatabase 16 Links,
17 and 18” as the query criteria, a results page is obtained that includes
at the bottom two notes indicating that several results have been eliminated and a highlighted
hyperlink to “lumendatabase.org”:


“In response to a legal requirement sent to Google, we have removed 3 result(s) from this
page. If you wish, you can read more information about this requirement at
LumenDatabase.org”.

“In response to a legal requirement sent to Google, we have removed 1 result(s) from this
page. If you wish, you can read more information about this requirement at

LumenDatabase.org”.


12. For evidentiary purposes, the statements made by the

GOOGLE LLC in its brief of complementary allegations, dated 10/05/2021, the
which is declared reproduced for such purposes.

(...).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 58/137









(...):


. (...).

. (...).

. (...).


. (…)

. (...).

. (...).



                           FOUNDATIONS OF LAW

                                           I


By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of
Control and, as established in articles 47, 64.2 and 68.1 of the LOPDGDD, the
Director of the Spanish Data Protection Agency is competent to initiate
this procedure.


Article 63.2 of the LOPDGDD determines that: "The procedures processed by the
Spanish Agency for Data Protection will be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.



                                           II

Previously, it is considered opportune to analyze the exceptions alleged by
GOOGLE LLC, based on which requests the declaration of nullity of the

actions, due to infringement of rules regulating the sanctioning procedure
cause of defenselessness.

1. Considers that the AEPD has ignored the expiration of the previous actions of
investigation and has kept the claimed entity under investigation for more

of two years, despite the fact that the LOPDGDD provides for a sanctioning procedure of
a maximum duration of 21 months, taking into account the duration of twelve months of
the preliminary investigation actions (article 67.2) and the nine months of the
penalty procedure (article 64.2).


Warns that the previous actions expired on 12/13/2019, considering that the
first complaint is from 09/13/2018 and that art. 65.5 LOPDGDD establishes that the
admission or inadmissibility for processing, the claimant must be notified within a period of three
months.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 59/137









And it adds that the AEPD did not dictate any agreement on the admission for processing and it was not
until 01/16/2020 when he decided to provisionally archive the file and direct it

to the Irish Data Protection Commission. The
initiation agreement was notified on 06/23/2021, almost three years after the first
complaint.

Considering this expiration of the previous actions, it alleges that the information
collected during the same cannot be used in the procedure, in accordance

with the provisions of article 95.3 of the LPACAP.

In this regard, it should be noted that the facts revealed by GOOGLE
LLC to maintain this claim are incomplete and do not fully conform
to the antecedents that must be assessed to appreciate or not the nullity invoked.


In this case, eight complaints (8) were received between the dates 09/13/2018 and the
01/09/2019, and one more dated 12/01/2020.

The first complaints received were transferred, on 02/01/2019, to the authority of
Ireland Data Protection Act (Ireland DPC), in accordance with section 56 of the

RGPD, to assess whether or not it held the status of control authority
principal, as the entity GOOGLE IRELAND LTD. is located in that country, in
so much so that establishment of the person in charge who decides, for Europe, the aims and the
means in the processing of personal data.


In a first communication, dated 04/10/2019, DPC Ireland reported that no
considered competent to resolve this case. However, later,
following the mutual assistance mechanism regulated in article 61 of the RGPD,
requested the collaboration of this Agency to transfer the complainant
various issues related to the complaints made.


Once this procedure has been completed and the complainant's answers known, DPC Ireland
rejected the competence in the processing of complaints through communication of
01/22/2020, considering that GOOGLE LLC is the controller,
consisting of the communication of personal data related to requests for
removal of content managed by GOOGLE LLC, carried out by this entity

in the United States to an American database.

After this procedure, which determined the competence of this AEPD to resolve
the issues raised in those complaints, on 06/09/2021 it was agreed to
opening of this sanctioning procedure, without having carried out actions

prior investigation.

This being the case, the expiration of actions that have not had
place.


The decision to carry out these preliminary investigation actions is a
power of the AEPD, which may or may not agree to its initiation (article 67 of the
LOPDGDD). In this case, said actions were not agreed upon and, therefore, were not
did any research.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 60/137









No legal consequences can be attributed to the fact of not having agreed to the
opening of previous investigative actions, nor to the time elapsed

since the rejection of the complaints by DPC Ireland and the opening of the
procedure, since there is no rule that limits the time available to the
Administration to initiate this type of procedure, beyond the rule of the
prescription and the effects attributed to it.

On the other hand, it should be noted that the approach that GOOGLE LLC makes on

the maximum duration of the sanctioning procedure, which is set at 21 months, taking into account
takes into account the duration of twelve months of the previous investigation actions (article
67.2) and the nine months of the sanctioning procedure itself (article 64.2), no
adjust to Law. On the one hand, as has been indicated, there is no standard
applicable to the sanctioning procedure regarding the protection of personal data

that establishes a preclusive term to agree on its opening; and, on the other hand, the term
of expiration of the sanctioning procedure is established in nine months and
computed from the date on which its start is agreed, resulting inadmissible to add to
this computation, in order to measure the duration of the administrative file, no other
period, such as the time of the preliminary investigation actions, in case of
that its realization had been agreed.


The Spanish procedural rules (LPACAP), establish that the procedures of
sanctioning nature will always be initiated ex officio by agreement of the body
competent.


GOOGLE LLC responds to the above reasoning in its allegations to the
motion for a resolution, pointing out that the preliminary investigation actions
have dilated more than what is allowed in the norm, without being able to oppose the file
provisional file of the declared file due to the procedures followed before the DPC
Ireland, since this entity rejected the case on 01/22/2020. Right now

that provisional file must be understood as raised and the file recovers its “vigour”.

The consequence of this, according to GOOGLE LLC, is the expiration of the actions
previous, whose existence is an incontestable fact in the opinion of said entity, for
as the Agency, before the opening of the procedure, carried out a series of
actions aimed at the "better determination of the facts and circumstances

that justify the processing of the procedure” (article 67 of the LOPDGDD) that only
They can be classified as investigations, which are reflected in this act.

This supposes, in the opinion of the defendant, an infraction of the legal system by
part of the Agency, whether the preliminary proceedings are considered open by the

investigative work carried out, in which case these actions would be
expired; as for the exercise of these powers of investigation without having
formally agreed upon their initiation, circumventing the established time limit.

According to GOOGLE LLC, the only possibility to carry out investigative work is through

through these preliminary actions, whose duration is set at 12 months to protect
to those administered indefinite investigations and excessive dilations in the
procedures.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 61/137








However, as stated above, this Agency does not oppose the
aforementioned provisional file to justify the time elapsed until the opening of the
penalty procedure. As can be seen, in the preceding paragraphs

This Agency details the procedure followed in accordance with articles 56 and 61 of the
GDPR and it is clearly stated that DPC Ireland has rejected competition in the
processing of complaints dated 01/22/2020, to then add that no
no consequence can be attributed to the time elapsed until the opening of the
procedure, unless the prescription of the infractions had occurred.


This is so considering, as this Agency understands, that no
previous investigative actions prior to the opening of this
process.

Screenshots were only obtained of the links that appear in the

complaints, to verify that they correspond to what was stated by the complainant.
It should be clarified in this regard that in some cases the links that
motivate the complaint, but without accompanying its content. And this is done by
of the complainant knowing that access to information is public and the review of the
URL that leads to that information is sufficient for this Agency to be able to
verify the reasons or manifestations of the complaint.


It is the same thing that GOOGLE LLC does in its allegations to the proposed resolution
in relation to the infringement of article 17 of the RGPD that is analyzed in the
Foundation of Law VII. In these allegations he invokes the principle of trust
legitimate considering that the website of the AEPD inviting citizens to use

the set of online content withdrawal forms enabled by said
entity and includes links to access them. GOOGLE LLC details URLs
that lead to this information inserted in the website of this Agency (“aepd.es”),
but without providing the information offered. To respond to these allegations in
this Resolution, this Agency has accessed the information alleged by the claimed

and checked the links to the forms in question, and it cannot be said that this
verification is investigative in nature.

Therefore, no action was developed for the "better determination of the facts
and the circumstances that justify the processing of the procedure”, as GOOGLE says

LLC.

2. On the other hand, in its brief of arguments to the proposed resolution, GOOGLE
LLC questions the extension of the object of the procedure carried out in the
motion for a resolution, which has added a new alleged infringement of Article 17

of the GDPR.

In this regard, it argues that said infringement is based on forms and
procedures for the removal of content accessible through the products and
Google services offered by GOOGLE IRELAND LTD. Understand, therefore, that it is

this entity and not GOOGLE LLC, which is responsible for those procedures and forms
and the processing of personal data associated with the use of these services; and what is
the Irish Data Protection Commission (or “IDPC”) the main supervisory authority for
any cross-border processing related to such personal data.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 62/137








Therefore, it considers that this extension of the object of the procedure has been
carried out without resorting to the cooperation mechanism regulated in article 60 of the
RGPD, vitiating the present procedure as null or void.


This Agency does not share with GOOGLE LLC that to declare the infringement of the
article 17 it is necessary to go to the cooperation mechanism regulated in the
article 60 quoted.

This file analyzes exclusively the responsibility of GOOGLE LLC in

the issues raised, considering the complaints made and the documentation
reviewed in the file.

It follows that from the moment the GDPR became fully applicable, in
May 2018, and at the time the allegations are made, GOOGLE LLC was

responsible for data processing associated with the use of all products and
Google services, as well as all withdrawal procedures and forms
online content and the processing of personal data that its content entails.
utilization.

This situation continued until 01/22/2019, the date on which, as reported to

users in the Privacy Policy available on the website "google.com", the subsidiary
of GOOGLE LLC in Ireland, trading as GOOGLE IRELAND LTD, became
charge of providing some products and services of "Google" for the Space
European Economic and Swiss.


And not only that. It is accredited that GOOGLE LLC has been the responsible entity in
our territory for certain products and services throughout this period and
it still is today. According to the aforementioned Privacy Policy,
“Google LLC is the controller of the information indexed and displayed
in services such as Google Search and Google Maps”, regardless of the

user location. It can even be said, as expressed in the Privacy Policy
Privacy, that the products “Google Search” and “Google Maps” are mentioned
as an example, implying that there may be other products or services of the
that GOOGLE LLC is the responsible entity, other than the two mentioned
in the Privacy Policy.


This is the specific responsibility of GOOGLE LLC that is assessed in the
proceedings, in which nothing is resolved with respect to GOOGLE IRELAND LTD, of
so that the provisions of article 60 do not apply to this case
the GDPR.


Also in relation to this violation of the provisions of article 17 of the
RGPD, GOOGLE LLC, in addition to questioning what said entity qualifies as a
extension of the object of the procedure, indicates that this imputation is
disconnected from the complaints that have given rise to the procedure and that in the
itself, interpretive criteria are established improperly, contrary to what

declared by the National High Court in its judgment of 04/23/2019 (appeal no.
88/2017), issued by reason of an appeal from the claimed entity itself.

This Agency does not share the conclusion expressed by GOOGLE LLC. how can

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 63/137








verified in this act, the agreements that are adopted are based on what
expressed in the applicable regulations and in consolidated interpretations thereof.
In addition, the doctrine established in the cited judgment is applicable to events prior to the

RGPD, which establishes a new and different legal regime that must be taken into account
account in the procedure and that, unlike what was reported in the sentence, in the
This resolution makes reference to the specific complaints, makes a
assessment of the tests carried out around them, which are related
with specific and individualized behaviors in relation to certain people
physical, but also transcend these complaints.


On the other hand, this Agency understands that the decisions adopted in this
resolution are directly linked to the complaints outlined in the
Background, which refers to numerous cases of requests for withdrawal of
online content and the specific forms under analysis.


In any case, the intervention of this Agency is not restricted by complaints
formulated.

The RGPD has established its own and specific regime regarding the
Procedures before the control authorities in matters of data protection. In

Chapter VIII of the RGPD, which is entitled “Remedies, liability and sanctions”,
establishes the right to file a claim with a control authority if
a data processing is considered to infringe the Regulation (article 77) and the
right to effective judicial protection in case of violation of the rights established
in said Regulation (article 79).


The LOPDGDD has also reflected this distinction, so that the claim of
an individual can give rise to two types of procedures, one of them related to
infractions of the RGPD, in general, and another for violation of their rights
(article 63.1).


The LOPDGDD does not foresee any additional type of procedure in case of possible
violation of the data protection regulations, so that all the
functions and powers that the RGPD grants to the control authorities in the articles
57 and 58 RGPD will have to be exercised through said procedures in case of
possible violation of data protection regulations. There are no others.


Also taking into account article 64 LOPDGDD, when the procedure is
directs exclusively to the lack of attention to a request of the rights
articles 15 to 22 RGPD a claim will be necessary, but (art. 64.2 LOPDGDD)
[w]hen the purpose of the procedure is to determine the possible existence

of an infringement of the provisions of Regulation (EU) 2016/679 and of this law
organic, will be initiated by means of a start-up agreement adopted on its own initiative or as
consequence of claim. In other words, both the RGPD and the LOPDGDD consider
that a claim from an affected party may be the way or means of carrying out
knowledge of the control authority a possible infringement of the regulation of

data protection, but in no case restricts the action of the data protection authority.
control to the specific and concrete complaint of those affected. Control Authority
can act when the confluence of several claims of people
individuals affected, an action by the person responsible for

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 64/137








general character (that is, not only in the specific cases presented by the
claimants) which shows that these specific cases are the reflection of a pattern
or common policy applied to all those affected persons who are in the same

case those interested.

When an action that is considered incorrect derives from a general policy
adopted by the data controller, so that these are not cases
specific, but these cases are just the sample of a general policy
adopted that is considered in violation of the RGPD, the violation does not reside

exclusively in the cases examined but in the general action followed by the
responsible. It will be said general action that constitutes an infringement of the RGPD,
and not just the specific offenses based on it.

To do otherwise would be inconsistent with the purpose and will of the Community legislator,

expressly embodied in the RGPD, according to which the control authorities must
control and enforce the GDPR; and with the possibility that “breaches” of the
data protection regulations may transcend claims
individual formulated through which they are revealed.

In any case, no rule prevents the body that exercises the power

sanctioning, when it determines the opening of a sanctioning procedure,
always ex officio (article 63.1 law 39/2015, of October 1), determine its scope
according to the circumstances revealed, even if they do not fit
strictly to the statements and claims of the complainant. That is, the
agreement to initiate the sanctioning procedure is not constrained by the complaint

(the same happens with the claim in the scope of the RGPD) presented by the
particular. This is not the case in the case of procedures carried out at the request of the
interested, in which article 88.2 of the LPACAP requires that the resolution be
consistent with the requests made by him. Even in this case, it remains
except for the power of the Administration to initiate a new procedure ex officio.


This same article 88 of the LPACAP, referring to the content of the resolution, in its
Paragraph 1 establishes the obligation to decide all the issues raised by the
interested parties and those others that derive from the procedure, including questions
related not raised by the interested parties.


In the sanctioning procedure, even the facts that are
reveal during their instruction, which will be determined in the
resolution proposal, and may motivate the modification of the imputations
contained in the agreement to initiate the procedure or its legal qualification. In this
sense, when referring to the specialties of the resolution in the procedures

sanctioning, article 90 of the LPACAP establishes that "The resolution does not
may accept facts other than those determined in the course of the procedure,
regardless of their different legal assessment…”.

For all these reasons, the aforementioned claims of nullity must be rejected.



                                          III


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 65/137








The purpose of this proceeding is to analyze the presumed illegality of the
communication of personal data related to the removal of content in
line carried out by GOOGLE LLC, either at the request of the affected party or at the request

in some instance, to the "Lumen Project"; as well as a possible infringement of the right
of deletion of personal data regulated in article 17 of the RGPD.

To analyze these issues, the information provided by the
entity claimed from users, mainly the one provided in the
application forms enabled by said entity and in the "Privacy Policy of

Google". It also takes into account the personal data management system that
is made available to users and the mechanisms for the exercise of rights.
Rights recognized to interested parties in terms of data protection.

However, this act does not contain any pronouncement on the legality of

this information and the personal data management processes designed and
implemented by GOOGLE LLC, other than the one specifically analyzed in the
present procedure.

In the same way, although the information obtained from the “Links
Lumendatabase” incorporated into the actions, is not part of the object of the

procedure the analysis of the treatment of personal data that entails the
receipt and processing of online content removal notices that the
"Lumen Project" receives from the respondent, the publication of these notices that this
entity performs through its website "lumendatabase.org", nor the communication of data
that said entity performs to third parties, to whom it gives access to complete information

regarding these requests.

On the other hand, in relation to the publications made in “lumendatabase.org”
(“Lumendatabase Links”) of the documents provided by the complainant and the
verification of these links by the Subdirectorate General for Inspection of

Data, indications are obtained of an effective communication of data by
GOOGLE LLC to the "Lumen Project" under the validity of the RGPD in the cases
corresponding to requests for removal of content subsequent to the entry into
force of this Regulation, on 05/25/2018.

Therefore, requests prior to this date are excluded from the purpose of the procedure.

date. Also those that correspond to requests made by users of
other countries.

In accordance with the foregoing, the conclusions that could be derived from this
procedure will not imply any pronouncement regarding the aspects

previously discarded.

                                          IV

GOOGLE LLC is a company with registered office in California (United States) that

develops its activity as a provider of online products and services, which are
offered in the European Union territory.

This entity has a subsidiary in Ireland, under the name GOOGLE IRELAND

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 66/137








LTD, which, since 01/22/2019, is the provider of products and services of “Google”
for the European Economic Area and Switzerland. Thus, from that date, GOOGLE

IRELAND LTD acts as the controller of the personal data of the
users of “Google” services who are in the Economic Area
European, "unless otherwise indicated in a specific privacy notice of a
service” (Privacy Policy).


Until that date of January 2019, GOOGLE LLC was the entity in charge of this
provision of products and provision of services in its entirety. After that
date, it still is for certain products, such as "Google Search" and
“Google Maps” (according to the Privacy Policy, “Google LLC is the
responsible for processing the information indexed and displayed in services such as

Google Search and Google Maps”, regardless of the location of the
Username).

This proceeding is directed against GOOGLE LLC for considering this
company as responsible for the processing of data consisting of the transfer to a

third party (“Project Lumen”) of the data related to the withdrawal requests
content of its products and/or internet services.

In this case, as has been said, the processing of data subject to the procedure
consists of a communication of data related to requests or requirements

of content withdrawal that GOOGLE LLC makes to the “Lumen Project”.

Therefore, this proceeding is directed against GOOGLE LLC, as an entity
responsible for that communication of personal data to a third party (the position of
third party that is granted to the “Lumen Project” is carried out in accordance with the definition

reflected in article 4.10) of the RGPD: “third party: natural or legal person, authority
public, service or body other than the interested party, the data controller,
of the person in charge of the treatment and of the persons authorized to treat the data
under the direct authority of the person in charge or the person in charge”).


Thus, in the case of a company with headquarters in a third country, it is appropriate to analyze
the territorial scope of the GDPR.

Article 3 of the RGPD establishes the assumptions related to the territorial scope in which the
The Regulation itself and the European regulations are applicable to the processing of

personal information. Specifically, the article in question, based in turn on
Considering 22 to 25 of the same legal text, establishes:

"1. This Regulation applies to the processing of personal data in the context of the
activities of an establishment of the controller or processor in the Union,
regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of interested parties who are

are in the Union by a controller or processor not established in the Union,
when the treatment activities are related to:

a) the offer of goods or services to said interested parties in the Union, regardless of whether
they are required to pay, or


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 67/137








b) the control of their behavior, to the extent that it takes place in the Union.

3. This Regulation applies to the processing of personal data by a
responsible that is not established in the Union but in a place where the law of the
Member States is applicable under public international law.


These RGPD application criteria, in light of the transcribed article, are susceptible
grouped into two large groups: on the one hand, the one that refers to the place of
establishment of the person in charge (or person in charge, as the case may be) and on the other, the place of
location of the target audience of the activities of the person in charge (or person in charge, in his/her

case), even when it cannot be considered established in the European Union.
Finally, the article points out that it also falls within the scope of the RGPD those
cases in which, by virtue of the application of the rules of law
international public, it is considered that the law applicable to the place of establishment
responsible is that of a Member State.


With regard to this sanctioning procedure, and whenever
considers GOOGLE LLC. responsible for the processing of personal data, it is
necessary to examine whether the GDPR is applicable to the US entity and in
Under what criteria?


Beginning the examination with the first of the two great criteria, the one that makes
reference to the place of establishment of the person in charge, it is necessary that
two elements: the existence of an establishment in the territory of the European Union
and that the data processing is carried out in the “context of the activities of the

establishment of the person in charge or in charge”, regardless of whether the
treatment takes place in the European Union or not.

Regarding the first of the mentioned elements, Recital 22 offers us
an interpretation of what should be considered as an establishment:


“[…] An establishment implies the effective and real exercise of an activity through
stable modalities. The legal form of such modalities, whether it is a
branch or a subsidiary with legal personality, is not the determining factor in this regard”.

In this sense, we find that, regardless of the designation, for
part of the parent company, GOOGLE IRLELAND LTD. as a provider of

services within the scope of the European Economic Area and Switzerland, GOOGLE LLC. follow
maintaining subsidiaries in various member territories that can be considered
“stable” establishments for the purposes of the provisions of the RGPD. Thus, it is worth remembering
ruled by the Court of Justice of the European Union (hereinafter CJEU) in the

Judgment delivered on May 13, 2014 in case C-131/12 (GOOGLE SPAIN
SL and Google Inc. v. Spanish Data Protection Agency and N.N.N.) when
points out that “[…] it is not disputed that Google Spain is dedicated to the effective and real
of an activity through a stable facility in Spain. Furthermore, being
endowed with its own legal personality, is thus a subsidiary of Google Inc. in

Spanish territory, and, therefore, an "establishment", in the sense of article 4,
paragraph 1, letter a), of Directive 95/46. […]”, whose literal tenor was “[…] the
treatment is carried out within the framework of the activities of an establishment of the
controller in the territory of the Member State […]”.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 68/137








Regarding the second of the elements that come into play, the determining factor would not be

so much so that the data processing is carried out by the establishment itself
based in the European Union, but that the activities carried out by the latter
are inextricably linked to the data processing activities carried out
by the person in charge. On this point, the CJEU, in the same ruling cited in paragraph

above considered the following:

“[…] it is appropriate to consider that the processing of personal data carried out in order to
operation of a search engine such as Google Search, managed by a company
which has its registered office in a third State but which has an establishment in
a Member State, is carried out 'within the activities' of that establishment if
this is intended for the promotion and sale in said Member State of the spaces

search engine advertising, which serve to monetize the service offered by the
motor.

Indeed, in such circumstances, the activities of the operator of the search engine and those of its
establishment located in the Member State in question are inextricably linked,
given that the activities related to advertising spaces constitute the means for the
search engine in question is economically profitable and since this engine is, at
At the same time, the medium that allows the aforementioned activities to be carried out.


Furthermore, with regard to the application of the RGPD to the treatment
of data subject to this sanctioning procedure, it should be noted that, not
However, the concurrence of the territorial element under article 3.1 examined,

It can also be concluded that the processing of data subject to this procedure
would be collected under the umbrella of the aforementioned article 3.2.a), finding the
foundation to determine the concurrence of the mentioned precept, in the
Considering 23 of the same legal text:


"In order to ensure that natural persons are not deprived of the protection to which they
have the right under this Regulation, the processing of personal data of
interested parties who are in the Union by a person in charge or a person in charge not established
in the Union should be governed by this Regulation if the processing activities are
refer to the offer of goods or services to said interested parties, regardless of whether
half payment. To determine if said person in charge or person in charge offers goods or services to
stakeholders who are located in the Union, it must be determined whether it is clear that the

responsible or the person in charge plans to offer services to interested parties in one or more of the
Member States of the Union. Although the mere accessibility of the website of the person in charge or
manager or an intermediary in the Union, an email address or other
contact details, or the use of a language generally used in the third country where you reside
the person in charge of the treatment, is not enough to determine said intention, there are factors, such as the
use of a language or currency generally used in one or more Member States
with the possibility of ordering goods and services in that other language, or the mention of clients or
users residing in the Union, which may reveal that the data controller

plans to offer goods or services to those interested in the Uni.n”

Examining the factual assumption, its fit with the aforementioned article is observed.
3.2.a) of the RGPD and with the criteria of Considering 23, namely, existence of a

processing of personal data of interested parties located in the European Union
European; by a person in charge not established in the Union; and that is
related to the offer of goods and services to said interested parties in the Union:

. GOOGLE LLC, in the development of its activity as a service provider of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 69/137








Internet, offer products and services online in the territory of the European Union, the
which include, among others, operating systems, applications for devices

mobile, email, social networks, maps, video, blogs, Cloud services and
specific applications for companies. These products and services are offered to
persons residing in said territory, whether natural persons (such as "Search",
“Maps”, “Gmail”, “YouTube”, “Drive”, “Blogger”) or legal.


As indicated, until 01/22/2019, GOOGLE LLC was the entity in charge of
this provision of products and provision of services in its entirety. After that
date, it still is for certain products, such as "Google Search" and
Google Maps.


This activity makes the claimed entity responsible for data processing.
personal data involved in its development. As such, it manages the
requests made by users for the removal of content from the products and

services offered in the territory of the European Union, in accordance with the
applicable regulations, and is responsible for the data processing that motivates the
actions, consisting of communicating to a third entity the personal data
contained in those requests from interested parties found in the repeated
territory.


GOOGLE LLC, in its pleadings brief at the opening of the proceeding, indicates
that it does not dispute the application of the GDPR to the processing activities in question, if
either considers that the assumptions provided for in articles 3.1 and 3.2.a) of the RGPD are
alternatives and that the latter is not applicable, given that it has various

establishments in European Union countries, in addition to Spain.

This Agency does not share said consideration, on which GOOGLE LLC does not contribute
any argument.


                                            v

Article 5.1 of the RGPD lists the principles to which the
personal data processing:


“a) processed lawfully, loyally and transparently in relation to the interested party (“lawfulness, loyalty and
transparency");

b) collected for specific, explicit and legitimate purposes, and will not be processed further
in a manner incompatible with said purposes; according to article 89, paragraph 1, the
further processing of personal data for purposes of archiving in the public interest, purposes of
scientific and historical research or statistical purposes shall not be considered incompatible with the

initial purposes (“purpose limitation”);

c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are
processed (“data minimization”);

d) accurate and, if necessary, updated; All reasonable steps will be taken to
that personal data that is inaccurate with respect to
regarding the purposes for which they are processed (“accuracy”);

e) kept in a way that allows the identification of the interested parties for no more

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 70/137








time necessary for the purposes of the processing of personal data; the data
Personal data may be kept for longer periods as long as they are treated
exclusively for archival purposes in the public interest, scientific research purposes or
historical or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the
application of the appropriate technical and organizational measures imposed by this
Regulation in order to protect the rights and freedoms of the interested party (“limitation of the term of

conservation");

f) processed in such a way as to ensure adequate security of personal data,
including protection against unauthorized or unlawful processing and against loss,
accidental destruction or damage, through the application of technical and organizational measures
appropriate (“integrity and confidentiality”)”.

Recital 39 also affects these principles applicable to all treatment

of data.

                                            SAW

    - About the "Lumen Project"


Before analyzing the processing of personal data that involves the communication of
data that GOOGLE LLC makes to the "Lumen Project" and if said treatment violates the
RGPD, it is considered convenient to outline some considerations related to the "Project
Lumen”.


According to the information available on the website “lumendatabae.org”, in the sections
“About”, “Legal Notice” and “Investigators”, or in the document called
"Basic concepts of the information of the Lumen notice", whose contents consist
incorporated into this act in Annexes 3 and 4, "Lumen" is a project of the entity

Berkman Klein Center for Internet & Society at Harvard University, based in
the city of Cambridge (Massachusetts, United States), born in 2002,
whose main mission lies in the collection and availability, both of
investigators as well as interested persons, requests for removal of content
of web pages inside and outside the United States.


Its purpose would be to contribute to carrying out a study as ecological as possible of
the types of requests, their applicants and their recipients, enhancing transparency
about internet. Thus, it is said that its purpose, as a research project
independently, (i) the study of requests for withdrawal or elimination of content

online that are formulated to Internet publishers, search engines and providers
of services; (ii) facilitate the investigation of its different types; (iii) and provide the greatest
possible transparency about who sends them and why and with respect to what content
online; (iv) and educate the public.


Lumen's database grows by more than 40,000 listings per week, with
voluntary submissions provided by companies, such as “Google”, or by the
persons responsible for originally sending or receiving the notices. at the end of
As of 2021, the project hosts more than eighteen million ads, referencing nearly
four and a half billion URLs. In 2021, the project website was visited

more than nineteen million times by more than one million unique users of
virtually every country in the world.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 71/137










Regarding these requests for removal of content, on said website it is clarified that the basis
Lumen's data only includes the notices that are notified to you and only with the
information included in these notices; of all varieties, such as
applications filed under copyright, trademark

registered, defamation and privacy, national and international, and orders
judicial; and that, generally, the notices are presented by the "Lumen Project"
in the way they are shared with you.


From said information, the content that, in the opinion of the project, could
be sensitive or personal, as well as the contact information of the original applicant
of content removal. About the confidential content that may include the notice,
informs that “a person or company that sends a notice directly to the database
Lumen data may have chosen not to share with Lumen, or keep in

private, certain information in the notice”; that the Lumen staff makes an effort
to remove sensitive or personal information from the notice text, such as phone numbers
telephone, email addresses or other forms of identification number
(with Social Security or national identification numbers), mailing addresses, or

allegedly defamatory content (it is said: “Our writing processes
automatically seek to identify and eliminate” that information). Regarding the copies
of court orders, in particular, he points out that he generally shows them in the form
in which they have been shared with "Lumen" and "further makes a good faith effort to

do so in accordance with the applicable law of the jurisdiction from which the order arose.”

The “Lumen” database, which includes content withdrawal notices in
online, it can be consulted by the general public. In the document called
“Researchers”, inserted in the website “lumendatbase.org”, includes the information

Next:

“Who is Lumen for?
Lumen is designed for casual use by both curious lay Internet users
about an ad they may have come across, perhaps in the news, or out of interest
staff…as well as by journalists, NGOs, policymakers, academics, and other researchers

law firms conducting more in-depth and focused research or studying broader trends
extensive on the removal of online content…

If you or your organization are interested in conducting your own journalistic investigation,
academic, legal, or policy-focused, or if you have more ideas about how we can improve the
database and its interfaces, email us at team@lumendatabase.org.

see a notice

For non-investigators, Lumen currently offers access to a full notice by
email address every twenty-four (24) hours. Submit an email address
email through the request form will provide a single-use URL for that
particular notice that will display the full content of the notice. Access through this
URL will last for 24 hours. See here for more details.

How does it work?
Most users will find that the web interface will be sufficient to navigate and
discover within the database. However, for those who need to access

large amounts of data for your research, or for those interested in submitting
copies of takedown notices to Lumen, we offer our API. Read on to get

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 72/137








more information".

Removed content notices are posted on the website

“lumendatabase.org”, which includes a search tool.

They are also offered through the "Lumen Project" API, which is planned
“for those who need to access large amounts of data or create processes
automated” and requires obtaining an “API key” to consult the database.
It is also reported that “API queries to the database sent without a

token will be limited to the first 25 results and 5 requests per day”.

About the "Download of results in a massive way" it is indicated: "To better manage
its resources, Lumen limits the requests to its API, as well as the use of the interface of
web-based user. For those interested in less restricted access

to the database via the API, see "Getting an API key"…”.

Being this as it has been said, and being known by GOOGLE LLC, the
allegation that this entity raises when it states in its defense that the information
full is limited to "bona fide investigators."


The publication of these notifications or notices in “lumendatabase.org” has the
following structure:

. Header: reason for the request, natural person or entity making the request,
date of the request, country of origin, entity to which the request is addressed and entity that

has sent the notice to the organization.
. Content Removal Request Summary – Includes a text box in which
the factual circumstances of the request and its motivation and the URL are reproduced
that gives access to the deleted content.
. Link to the support documentation in “pdf” format.


A link is included at the bottom of these publications (“Click here to request access and
see full URLs”) that leads to a page
(“https://lumendatabase.org/notices/.../request_access”) in which you can request
the "Lumen Organization" access to the complete information of the corresponding
content removal notice. This page appears with the label “Request access

to the defamation complaint against Google” and includes the following text:

“To access this notice enter your email address and solve the captcha.
After you submit the form, we will send you an email with a one-time link.
use to notice.

Email address
(space to add email address)


( ) Select to receive a notification when new documents are added.
notification (or when existing notification documents are updated).

Deliver (Button).

This same form is also used to access the support documentation

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 73/137








of the notice in question.


In relation to "Google", the document "Basic concepts of the information of the
Lumen notice” available at “lumendatabase.org”, reports the following:


On the same website "lumendatabase.org" it is indicated that "Google" is the most popular sender.
of the “Lumen Project”, both for the total volume of advertisements and for the
number of possible types of notices that such entity has chosen to share with the
“Project Lumen” (DMCA, defamation, circumvention, court orders, ads based on

local legislation, etc.), which can be received by “Google” regarding your
various products (search, Blogger, Drive and Documents, Groups, search for
images, etc).

Regarding notices based on court orders received from “Google”, the “Project

Lumen” indicates that they are presented in the form in which they are received from “Google” and clarifies
that if this entity is prohibited from sharing the content of a court order that has
received, you must explicitly indicate it in the text of the notice. However, he adds that
“Project Lumen” makes an effort to remove foreign court orders

in accordance with any local law, including the names, addresses or aspects of
the URLs in question.

About the notices related to requests for defamation reasons it is said:


“As a matter of internal Google policies, Google does not share with Lumen the names
of the senders of defamation notices. Also, if the name of a Sender/Principal
appears in some form within one of the claimed URLs that are the subject of the notice, or
within any text within the prompt, that text will also be removed.
For example, an original URL of
https://www.blogger.com/JohnQPublicistheworst.com
would be shared by Google with Lumen as

https://www.blogger.com/[removed]is the worst.com
In addition, Google does not share with Lumen the text entered by a complainant in the
“To ensure specificity, please cite the exact text…”
field in the Google web form.
Text entered by a whistleblower in the
"Please explain in detail why you believe the content of the above URLs is illegal, citing
specific legal provisions whenever possible".
Google shares the web form field with Lumen and is displayed as part of the notice
in Lumen as is, subject solely to Lumen's automatic redaction processes.

Please note that if the subject of the alleged defamation is not the sender of the notice, the
that subject's name will not be automatically removed from the notice. Notify Lumen if the
name of the person allegedly defamed is still present in a notice.”

And on “Other types of notices” it is indicated:


“…at this time, Google does NOT share with Lumen the notices it receives from citizens
of the EU as part of the so-called "Right to be Forgotten ("RTBF") or notices sent through the
Google form to report sexually explicit images.

In this section “Other types of notices” of the document “Basic concepts of the
Lumen notice information”, includes an Internet address that leads to

an informative document on the withdrawal of information from “Google”, which is incorporated

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 74/137








in Annex 4.


    - Information shared by GOOGLE LLC with the "Lumen Project".


GOOGLE LLC communicates to “Project Lumen” (“send a copy”) requests for
withdrawal or elimination of online content of Spanish users that it manages. I know
deals with requests made regarding its products and services (the
mentioned in Proven Facts 4 and 5).

The requests sent to the "Lumen Project" are motivated by infringement of

copyright, defamation, court decisions, trademarks, applications based on the
local legislation (legal problem), although in the “Google Forms” they show
other reasons for them to be selected by the interested parties, who may also
be sent to the "Lumen Project", according to the information that is included in the own
forms.


Although GOOGLE LLC indicates in its allegations that it only shares these
requests related to intellectual property rights (DMCA),
Circumvention/Avoidance, Forgery, Judgments, Defamation and Notifications of
removal of content based on local regulations (which coincides with the
information provided on the website "lumendatabase.org"), and which does not refer in any case

requests for the exercise of rights recognized in the regulations for the protection of
personal data, there are circumstances that introduce doubts about the effectiveness of
this decision or that can generate confusion in users when pointing out the
reason for your requests.

An example of this is found in the “Lumendatabase Links 3, 14 and 25”, which

are outlined in Proven Fact 10, in which the request of the interested party
was related to the deletion of personal data or the withdrawal of
search results in the "Google Search", although all of them were sent
by GOOGLE LLC as notifications based on defamation grounds.

In other cases, such as the one corresponding to “Lumendatabase Links 16, 17 and 18”,

are referred to "Project Lumen" as notices based on a court ruling, but this
bug is related to the removal of content on a blog, which included
personal information.

The application forms themselves do not contribute to certainty about this
issue, as explained in the Legal Basis below. serve these

effects all the circumstances that are revealed in said Foundation. I know
Here are some examples of the doubts raised by these forms:

   . The "Google Forms 18 and 24", corresponding to "Google Images" and the
   "Google Search", they do not inform about the communication of data to "Lumen", but

   they do include among the reasons for the request defamation, violations of rights
   copyright or deletion of personal information.

   . Other “Google Forms”, such as those indicated with the numbers 3, 6, 10, 18
   (“Google Images” form for the removal of obsolete content), 19, 20,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 75/137








   22, 25 and 27, which do warn about sending the request to the "Lumen Project",
   They refer to the exercise of the right to delete personal data. Between the
   reasons shown for the use of these removal forms

   contents includes the "disclosure of private data", "disclosure of personal data
   personal” and “Personal information: the content includes my personal data”.

   . The form marked with number 25, corresponding to "Google Maps", is
   offers the option to change the user's "local record" for the following reasons:
   “I want to change the incorrect information on my local file”, “I want to know why

   the information in my local file has been changed”, “Personal information: the
   content includes my personal data”.

   . Search results from “Google Search” report links to
   content from other GOOGLE LLC products (Blogger/Blogspot, etc.). This does

   difficult to differentiate when a user requests the removal of information from the search engine
   or the specific product. In the first case, no copy is sent to the "Project
   Lumen”, according to the claimed, and in the second it would be sent, according to the information
   contained in the forms.

GOOGLE LLC communicates to the "Lumen Project" all the information corresponding to

these requests, including the identification of the applicant and the affected party, if applicable, their
email address, the reasons alleged (the text of the claim)
and the claimed URL, as well as supporting documentation, if any.

GOOGLE LLC has not denied this communication of personal data. has been limited to

state that none of the withdrawal requests that you transfer or notify to the
"Lumen Project" is related to the exercise of rights in terms of
personal data protection. However, this question, which will be analyzed in the
The following legal basis does not modify the fact that the communication of
personal data to a third party organization takes place, regardless of the

request for removal of online content that serves as a basis.

The Background contains the detail of the checks carried out in
“lumendatabase.org”, regarding posting of content takedown notices on
line originating from requests addressed to GOOGLE LLC by users
Spanish, subsequently notified by this entity to the Lumen organization.

Also, in Proven Fact 10 there is a summary of these details.

These checks have made it possible to verify that the deletion notifications
verified content were sent by GOOGLE LLC as notices regarding
to requests based on defamation, based on a court ruling or by application

of local regulations.

According to the state in which they were initially published, it is known that nine of them
included in the header the personal data of the applicants regarding the name and
two last names (except for one case, which only mentions a first name and a last name).


In eleven verified cases, the text box of the request, in which the
the reasons given by the applicant to justify the elimination, is reproduced
in the publication and details the factual circumstances that motivate said request, the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 76/137








identification of one or several persons (whether they are the interested parties referred to in the
content removed or others affected or involved in the events); postal addresses;
review of a URL that includes the mention of a person's first and last name

or a postal address; the commercial name of an establishment; the reference of a
Judgment (number, date) and the name of the persons intervening as parties
in the process (plaintiff and defendant); or the profession of an affected party:

And in ten notices, the URL that gives access to the removed content, which is also
included in the publication, contains personal data integrated in the address itself

from Internet. Two of these URLs were also verified, verifying that they made it possible to
access to personal information, with personal data of names and surnames of
several people.

In addition, one of the published notices allowed access to a Judgment in which

contain the names and surnames of all the people involved in the process,
as well as all the circumstances of the same.

Obviously, these postings of takedown notices on
“lumendatabase.org” show that GOOGLE LLC notified the respective requests
of Spanish users without deleting the personal data that have been referred.


(...).

(...). These are ineffective measures if we consider that data is included
personal data in other sections of the removal notice sent to the “Project

Lumen”, as occurs in the cases of the “Lumentadabase link” indicated with the
numbers 3, 4, 5, 8, 9 to 12 and 13, which include personal data in the text of the
claim or integrated into the Internet address itself that gives access to the content
removed.


In any case, the interest of these actions is aimed at the
communication of personal data that GOOGE LLC makes to the "Lumen Project" and does not
to the publication that this last entity makes in “lumendatabase.org”.

During the test phase, it was found that almost all personal data that
initially appeared in the publication of these withdrawal notices in

“lumendatabase.org” have been suppressed, both in the header of the notice, and in
the text of the claim and in the URLs. It should be understood that this deletion does not
affects the purposes intended by GOOGLE LLC and by the "Lumen Project" with the
actions they carry out.


On the other hand, the respondent entity has stated in its pleadings that
The legal framework applicable to this communication of personal data is
determined by Regulation (EU) 2019/1150 of the European Parliament and of the
Council, of June 20, 2019, on the promotion of equity and transparency
for professional users of online intermediation services, and the Proposal

of the European Commission of Regulation Relating to a Single Market for Services
Digital, which reflect the importance of transparency objectives on the way
in which intermediation service providers moderate the content,
including the requirement to post all content removal decisions on

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 77/137








a publicly accessible database. And he cites article 15.4 of the DSA and the
Recital 26 of the P2B Regulation.


This Agency does not share that position.

Regulation 2019/1150 applies “to online intermediation services and
online search engines that are provided or proposed to be used by users
professionals and users of corporate websites, respectively”; and regulates
aspects such as the decisions that these suppliers can adopt in order to

restrict, suspend or terminate the provision of its services to a user
professional; or the difference in treatment that these providers may give to some users
professionals in relation to others.

The same Regulation orders these suppliers to establish an internal system of

claims that should be made available to professional users and that
It will be based on the principles of transparency and equal treatment. It is in relation to these
claims that establishes the obligation of said service providers of
online intermediation of submitting information on the operation of the system
internal complaint handling system and make that data publicly available.


Nothing to do, therefore, with the matter at hand; and neither this regulation
contains no provision enabling the making available to the public
of personal data.

On the Proposal for a Regulation of the European Commission that is invoked by

GOOGLE LLC, just indicate that the same article that this entity cites indicates that the
data hosting service providers will publish in a database of
public access managed by the Commission decisions on removing elements of
specific information provided by recipients of the service, or disable the
access to them; and expressly provides that such information shall not contain

personal information.


    - Information offered by GOOGLE LLC to users about the communication
       of personal data to the “Lumen Project”


The only information offered by GOOGLE LLC to users about the communication
to the "Lumen Project" of the personal data that they may include in their requests for
removal of content from the entity's products consists of a notice inserted in
the application forms themselves (“Google Forms”).


The details of these notices and the forms in which they are inserted are outlined in the
Proven Fact 6. The information offered therein is limited to warning about the
possibility of “sending a copy of each of the legal notifications that
let us receive the Lumen project for its publication and annotation”, noting that “Lumen
will remove the personal contact information of the sender (i.e., the number of

phone number, e-mail address and home address).

Based on this information, GOOGLE LLC does not delete any information contained in
the requests it receives and admits that it is the "Lumen Project" who anonymizes the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 78/137








contact details of the applicant so that they are not published. It is also concluded
that the publication of the notification in "lumendatabase.org" will be made without suppressing the
identity of the applicant.


Of the forms checked, only in "Google Form 18",
corresponding to the product "Google Images", in the tool provided for
removal of “outdated content from Google Search”, in the option “remove
personal information or content with legal problems that is still present in
one page”, an informative text is included in which “transparency” is mentioned

as a reason for GOOGLE LLC to transfer the information to "Project Lumen" and
cites the entity responsible for this project and its objective (“facilitate research
academic and sectoral information on the availability of online content”).

On the other hand, the Privacy Policy of GOOGLE LLC, which is accessible

on the “google.com” website and applies to all services offered by this entity
and its affiliates (except “for services that are subject to privacy policies
independent”) does not mention this treatment of personal data of the
users, nor among the purposes for which said personal data will be processed
does not include the communication of personal data to the "Lumen Project", nor the purposes
manifested by GOOGLE LLC for which this communication of personal data

is carried out.

This Privacy Policy includes a specific section related to "information
staff” that said entity shares externally, noting that “No
we share your personal information with companies, organizations or individuals

unrelated to Google”, unless the interested party gives his consent or for reasons
legal (when Google believes, "in good faith", that it is necessary to disclose them to
comply with any requirement provided by applicable law or regulation or
to attend a legal process or a requirement of a competent authority;
comply with the applicable terms of service, including the investigation of possible

violations; detect, prevent, or otherwise remedy fraud or security problems
security or technical; o protect Google, users and the general public from
damage to your rights and property or your safety to the extent required or permitted by
the law).

Regarding the deletion of personal data, it is reported that there is the possibility

to remove specific products from "Google", including the information associated with the
product, or "Delete your Google Account entirely." Specifically, it
informs that it is possible to “request that content be removed” from certain services of
“Google” in accordance with applicable laws. This information includes a link that
gives access to the page in which various products of the company are listed so that

the user selects the product to which the content that he intends corresponds
delete (“Google Forms 2, 4, 5, 7, 9, 17, 21 and 23”), but not this time
The communication of these content removals to third parties is reported.



    - Legal basis of the treatment

Within the principles relating to the processing of personal data set forth in the
article 5.1 of the RGPD, deserves to bring up in the case at hand the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 79/137








related to "legality, loyalty and transparency" and "limitation of purpose".

And this happens since the "Google Forms" object of study have as
objective the collection of a series of data and documents in order to a purpose
clear, such as requesting the removal of content from a product or the complaint
of copyright infringements, but to which a different one is added (since neither

media nor is it essential for the management of the aforementioned removal of content) as is
is the communication of data to a third party, such as the "Lumen Project".

It will therefore be a priority to analyze whether a legitimating basis can be inferred

confer legality to the aforementioned communication of data by GOOGLE LLC to
"Lumen Project". In this regard, article 6.1 of the RGPD, establishes the assumptions
that allow the processing of personal data to be considered lawful.

“The treatment will only be lawful if at least one of the following conditions is met:


a) The interested party gave his consent for the processing of his personal data for one or
various specific purposes;

b) The treatment is necessary for the execution of a contract in which the interested party is a party
or for the application at the request of the latter of pre-contractual measures;

c) The treatment is necessary for the fulfillment of a legal obligation applicable to the
data controller;


d) The treatment is necessary to protect the vital interests of the interested party or another person
physical;

e) The treatment is necessary for the fulfillment of a mission carried out in the public interest
or in the exercise of public powers conferred on the data controller;

f) The treatment is necessary for the satisfaction of legitimate interests pursued by the

responsible for the treatment or by a third party, provided that said interests are not
prevail the interests or the fundamental rights and freedoms of the interested party that
require the protection of personal data, in particular when the interested party is a child.

The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by
public authorities in the exercise of their functions.


In relation to the above, in the case of data processing consisting of the
transfer of information related to the request for removal of content to the "Project
Lumen” by GOOGLE LLC, we would find that the legality of the
treatment should be based either on the existence of consent, or on the
existence of a legitimate interest, since a brief analysis of the rest of the assumptions

They make us see that they could not be applicable (due to the very nature of the facts and
of the parties involved).



legitimate interest

The entity claimed, in its pleadings at the opening of the procedure
and the motion for a resolution, turns to this legal basis to substantiate the

communication of personal data that concerns us, understanding that there are interests
legitimate, both their own and the "Lumen Project".
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 80/137









After highlighting the objectives sought by the "Lumen Project", already
mentioned (educating the public, facilitating research, providing transparency,

etc.), alleges that it contributes to this project for transparency and accountability purposes.
accounts, as well as to prevent abuse and fraud.

According to GOOGLE LLC, the legitimate interest of the "Lumen Project" consists precisely
in that, in promoting education, research and transparency, which, in
Ultimately, they fall within the interest of the whole society as a whole.


On legitimate self-interest, it also refers to the importance of these
data communications to ensure that your content removal practices
be transparent and accountable; adding that they serve to account for
the content moderation processes implemented, to demonstrate the

existence of reactive recall procedures, to foster an understanding
of the types of online content that are subject to takedown requests, the
fairness between similar matters in different countries and regions, as well as to mitigate
the risk of improper or fraudulent use of the content removal tools.
In addition to the benefit that this transparency represents for the community of
researchers, the general public and public authorities.


And it points out in this regard that Opinion 06/2014, on the concept of legitimate interest,
supports these legitimate interests, including “compelling and beneficial” interests
for society in general, such as… the interest in carrying out research
(subject to adequate guarantees"; and that the AEPD itself also recognizes

in the Home Agreement that meeting transparency standards can
constitute a legitimate interest.

An important aspect that is worth highlighting first of all has to do with the
information provided to users. As has been stated, this

information is contained in a text notice inserted in the forms themselves
content removal request and is limited to warning about the possibility of
send to “Project Lumen” a copy of the notifications, without any mention of the
legal basis that legitimizes the processing of personal data or the interests
legitimate rights indicated in the pleadings brief.


In the Privacy Policy of GOOGLE LLC, the only information on the basis
The legal basis for data processing generally refers to the provision
of a service, compliance with legal obligations, consent of the interested party
(“We request your authorization to treat your information for certain purposes and
you have the right to revoke your consent at any time”) and the exercise of

legitimate interests, own and third parties.

Among the "objectives" that are intended with the processing of personal data based on
legitimate interest, the Privacy Policy mentions in general the
following:


   . Detect, prevent, or otherwise remedy fraud, abuse, and security issues or
   technicians related to our services.
   . Protect Google, our users and the general public from harm to their rights and
   property or your safety to the extent required or permitted by law, including
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 81/137









   disclosure of information to government authorities.
   . Conduct research to improve our services to users and
   benefit the general public.

With this information, it cannot be understood that the user has been duly
informed about the legal basis that would justify the communication of your data

to the "Lumen Project", nor about the legitimate interests of themselves or of
invoked third parties, if legitimate interest is the legal basis.

On the contrary, taking into account the information that in the Privacy Policy is

offers about the personal information that is shared externally, outlined in
the previous section (“We do not share your personal information with companies,
organizations or individuals outside of Google”, unless the interested party provides
consent or for legal reasons), the more it seems that the conclusion that can be

obtain the user on the legal basis that protects the communication of data to a
external entity such as the "Lumen Project" is the provision of consent.


In relation to the legal basis of legitimate interest, article 6 cited establishes:

"one. The treatment will only be lawful if at least one of the following conditions is met:
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the
responsible for the treatment or by a third party, provided that said interests are not
prevail the interests or the fundamental rights and freedoms of the interested party that

require the protection of personal data, in particular when the interested party is a child...”.

Regarding the legitimate interest, the two cumulative requirements of its
statement: the existence of a legitimate interest pursued by the person responsible for the
treatment or the third party to whom the data is communicated and the non-prevalence of the

rights and freedoms of the interested party.

Recital 47 of the RGPD specifies the content and scope of this base
legitimizer of the treatment:


“(47) The legitimate interest of a controller, including that of a controller to whom
may communicate personal data, or of a third party, may constitute a legal basis
for treatment, provided that the interests or the rights and freedoms of the user do not prevail.
data subject, taking into account the reasonable expectations of data subjects based on their
relationship with the person in charge. Such legitimate interest could occur, for example, when there is a

relevant and appropriate relationship between the data subject and the controller, such as in situations where
which the interested party is a client or is at the service of the person in charge. In any case, the
existence of a legitimate interest would require careful assessment, even if a
The interested party can reasonably foresee, at the time and in the context of the collection of
personal data, which may be processed for this purpose. In particular, the interests and
the fundamental rights of the interested party could prevail over the interests of the
responsible for the treatment when proceeding to the treatment of personal data in
circumstances in which the data subject does not reasonably expect that a

further treatment. Since it is up to the legislator to establish by law the legal basis for
the processing of personal data by public authorities, this legal basis does not
should apply to processing carried out by public authorities in the exercise of their duties.
functions. The processing of personal data strictly necessary for the
prevention of fraud also constitutes a legitimate interest of the data controller.
that it is The processing of personal data for direct marketing purposes may
be considered carried out for legitimate interest”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 82/137









The interpretative criteria that are extracted from this Considering are, among others, (i)
that the legitimate interest of the person in charge prevails over the interests or rights and

fundamental freedoms of the owner of the data, in view of the expectations
reasonable that he has, based on the relationship he maintains with the person in charge
of the treatment; (ii) it will be essential to carry out a "meticulous evaluation" of
the rights and interests at stake, also in those cases in which the
interested party can reasonably foresee, at the time and in the context of the
data collection, which may be processed for this purpose; (iii) interest and

fundamental rights of the owner of the personal data could prevail against
the legitimate interests of the person in charge when the processing of the data is carried out
in such circumstances in which the data subject "does not reasonably expect"
carry out further processing of your personal data.


The entity complained against has not justified having carried out this prior analysis and there is evidence
that it has not duly informed the interested parties about this legitimate basis,
as has been said.

In the specific case that concerns us, it is pertinent to start from the basis that the
claimed does not offer sufficient information about the communication of data to the

"Project Lumen" in order to ascertain what legitimate interest would be at the base of the
aforementioned data communication.

Making an inference from the mention made in the forms of
content removal request to a transparency report and the mission of the

“Lumen Project”, it could be concluded that the legitimate interest
underlying could be to comply with certain standards of transparency. Once
course the above, however, it is necessary that the data controller
the data demonstrates that, once the weighting test is applied, your interest
real and current legitimate prevails over the interests or rights of individuals.


Taking into account the deficient information offered about the purpose and basis
legitimizing data communication, it is not possible to assess the weighting of
interests and conclude the prevalence of the legitimate interest of the person in charge or of third parties.

The interested party, for his part, due to the lack of information regarding the weighting test,

is deprived of his right to know the legal basis of the treatment alleged by the
responsible, and specifically, when referring to the legitimate interest, is deprived of his right
to know what are said legitimate interests alleged by the person in charge or of a
third that would justify the treatment.


In the same way, the interested party is deprived of his right to claim for what reasons
Said legitimate interest of the person in charge of the treatment could be counteracted by the
rights or interests of the interested party. Not having given the interested party an opportunity
to allege them against the person in charge, any weighing carried out by the person in charge
without taking into account the circumstances that the interested party could allege, to whom it was not

allowed to do so would be vitiated, as it is an act contrary to a mandatory norm.

It is not possible, therefore, to invoke this legal basis of legitimate interest on the occasion of a
administrative procedure, such as that of allegations at the opening of a procedure

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 83/137








sanctioning Accepting it would be the same as admitting a supervening legitimate interest, or
posteriori, in respect of which the requirements set forth in the

personal data protection regulations and about which the users are not informed.
interested.

Although the legitimate interest is not applicable, it is interesting to analyze the terms in which it must
carry out the weighting provided for in article 6.1.f) of the RGPD between the legitimate

interest of the person responsible for the data or a third party and the protection of personal data
interest of the interested party, that is, how said legitimate interest plays, if applicable.

The CJEU, in its ruling of 05/04/2017, C-13/16, Rigas Satskime, sections 28 to 34,
determined what are the requirements for a treatment to be lawful on

the basis of legitimate interest. The CJEU ruling of 07/29/2019, C-40/17, Fashion ID,
Echoing the sentence cited, it collects said requirements.

28. In this regard, article 7, letter f), of Directive 95/46 -(current article 6.1.f) of the RGPD)-
sets three cumulative requirements for the processing of personal data to be lawful:
first, that the data controller or the third party or third parties to whom they are communicated
the data pursues a legitimate interest; second, that the treatment is necessary for the
satisfaction of that legitimate interest and, third, that the rights and freedoms

fundamentals of the interested party in the protection of data.

This legal basis requires the existence of real interests, not speculative and that,
Also, they are legitimate. And not only does the existence of that legitimate interest mean that
those treatment operations can be carried out. It is also necessary that these
treatments are necessary to satisfy that interest and consider the repercussion

for the interested party, the level of intrusion on their privacy and the effects that may
negatively impact it.

Even if the data controller has said legitimate interest, this does not, in itself, mean

considered, that this legal basis can simply be invoked as a basis
of the treatment. The legitimacy of this interest is only a starting point, one of only
items to be weighed.

In this case, it is considered that the processing of personal data carried out by

GOOGLE LLC is not necessary or strictly necessary for the satisfaction of the
alleged legitimate interest (the cited judgment of 05/04/2017, C-13/16, Rigas Satskime,
in its section 30, it declares “Regarding the requirement that the treatment of
data is necessary, it should be remembered that the exceptions and restrictions at the beginning
protection of personal data must be established without exceeding the

limits of what is strictly necessary”).

This principle, according to which the treatment must be strictly necessary for the
satisfaction of legitimate interest, it must be interpreted in accordance with what
established in article 5.1.c) RGPD, which refers to the principle of

data minimization, noting that personal data will be “adequate,
relevant and limited to what is necessary in relation to the purposes for which they are
treaties”.

Thus, less invasive means of serving a patient should always be preferred.

same end. Necessity implies here that the treatment is essential for the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 84/137








satisfaction of said interest, so that, if said objective can be achieved
reasonable manner in another manner that is less impactful or less intrusive, the

Legitimate interest cannot be invoked.

The term “necessity” used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a
own and independent meaning in Community law. It's about a
“autonomous concept of Community Law” (STJUE of 12/16/2008, case C-

524/2006, section 52). On the other hand, the European Court of Human Rights
(ECHR) has also offered guidelines to interpret the concept of necessity. In
its Judgment of 03/25/1983 specified that, without prejudice to the treatment of
data of the claimants is "useful", "desirable" or "reasonable", as specified by the ECHR in
its Judgment of 3/25/1983, the term “necessary” does not have the flexibility that is

implicit in those expressions.

The more "negative" or "uncertain" the impact of treatment may be, the more
It is unlikely that the processing as a whole can be considered legitimate.


As can be seen, what was stated above is in line with the doctrine of
Constitutional Court on the proportionality trial that must be carried out on
a restrictive measure of a fundamental right. According to this doctrine, they should
three requirements must be verified: suitability (if the measure allows the objective
proposed); necessity (that there is no other more moderate measure); proportionality in

strict sense (more benefits or advantages than harm).

Furthermore, in the event that due weighting attributed a preference to the
legitimate interest of the person in charge or of the third party, it must be guaranteed that it is safe
the right of opposition to the treatment of article 21.1 of the RGPD by the

particular:

“The interested party shall have the right to oppose at any time, for reasons related to
your particular situation, that personal data that concerns you are subject to treatment
based on the provisions of article 6, paragraph 1, letters e) or f), including the preparation of
profiles on the basis of those provisions. The controller will stop processing
personal data, unless it proves compelling legitimate reasons for the treatment that
prevail over the interests, rights and freedoms of the intestacy, or for the
formulation, exercise or defense of claims”.


In short, it is understood that the communication of personal data to the "Project
Lumen” that the respondent entity performs is excessive, considering that there are other
less intrusive ways to satisfy the legitimate interests claimed.


This means that, in this case, the requirement of necessity is not met, since the
communication of the personal data included in the withdrawal requests
online content formulated by users is not strictly necessary, in the
indicated terms. GOOGLE LLC has not provided a single reason that justifies
include personal data in the content removal notices that you transfer to the

“Lumen Project” to satisfy its own legitimate interests or those of the third party. A) Yes,
it is not even necessary to analyze if such interests exist, that is, if they are real
and not speculative, nor whether or not such interests are legitimate.

(…)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 85/137









About the use of personal data for the purposes intended by GOOGLE
LLC and the "Lumen Project" it is appropriate to consider the provisions of article 89.1 of the

RGPD, referring to the guarantees and exceptions applicable to treatment for purposes, among
others, for scientific or historical research or statistical purposes, according to which these
treatments will be subject “to the adequate guarantees, in accordance with this
Regulation, for the rights and freedoms of the interested parties”, and obliges to have
technical and organizational measures, in particular to ensure respect for the
principle of minimization of personal data. It is added that “Such measures

may include pseudonymization, provided that in this way they can be achieved
said purposes. Provided that those purposes can be achieved by processing
that does not allow or no longer allows the identification of the interested parties, those purposes
They will be achieved that way.”


And what is established in article 21.6 of the same Regulation, referring to the right of
opposition, about which nothing is indicated in this case to the interested parties in relation to
data communication to “Lumen”:

“6. When personal data is processed for the purpose of scientific or historical research or
statistical purposes in accordance with article 89, paragraph 1, the data subject shall have the right,
for reasons related to your particular situation, to oppose the processing of data
personal information that concerns him, unless it is necessary for the fulfillment of a mission

carried out for reasons of public interest”

It is also necessary to consider the repercussion for the interested party of the
communication of data to a third party, the level of intrusion on your privacy and the
effects that can negatively affect you, especially considering the

use that is made with them, which includes their disclosure on the third party's website,
lumendatabase.org. It is not possible to ignore that the aforementioned communication of data to the
"Lumen Project" by the entity claimed for publication by this
project has a high impact on the interests and rights of the interested party due to
to the following reasons:


1º It can hardly be considered as an expectation of the interested party that the
information regarding which you have requested your withdrawal from the Google product is
again accessible through another page. Thus, as follows from the
“Google Search 2”, when entering the search terms in the “Google Search
Google” (name and surname of the affected person), an informative note appears that sends, to

through a hyperlink, to a page of "lumendatabase.org", in order to obtain
more information about the removed content, which would mean in practice emptying
of content the request or request for withdrawal of information made.

 In the "Google Forms 1 and 11", enabled to report violations of

copyright, they also refer in the information they contain to the
communication of the "content of this form" to the "Lumen Project" so that it can
be published, and it is expressly noted that “In the case of products such as the
Google web search, a link to the posted notice will appear in the results
Google search engine instead of the removed content.”


2º GOOGLE LLC communicates the data related to the requests for withdrawal of
content without anonymizing the personal data of applicants and third parties, and delegates to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 86/137








“Project Lumen” this function. However, this anonymization is sometimes
deficient, as the cases of the following links show:

    1. “Lumendatabase 3 link”: In the text that shows the part of the content of the
    content removal request a full address appears,

    ***ADDRESS.1, which would identify the person requesting the withdrawal
    of content and that, in addition, according to what he states, would be linked to his
    mobile phone number.

    3. “Lumendatabase 5 link”: In the link claim section, the link appears.
    name "I.I.I." This name does not correspond to the person who has requested the

    withdrawal of the content, but of a third party with respect to which it attributes a
    conduct you consider illegal. In this case, therefore, it is even exposing
    the identifying name of a person with respect to which some
    manifestations with legal implications.


    4. “Lumendatabase 8 and 9 to 12 links”: These links are about the same
    content removal request. The presence of personal data in the section
    claim of the link ranges from the proof of the full name and the two
    surnames (“B.B.B.”) in link no. 8 until the appearance of only the name
    “(…)” in link no. 11. The rest of the links publish various combinations
    of the name and any of the surnames, as has been shown in

    Background.

    5. “Lumendatabase 18 link”. In this link subsists without anonymizing the name
    from the sender of the content removal request (“C.C.C.”) and in which,
    in addition, two other proper names “G.G.G.” -in the section

    link claim- and “D.D.D.” -in the direction of the link.

    6. “Lumendatabase 22 link”: As in the previous case, in this case
    also subsists the name of the sender of the notification of withdrawal of
    content “F.F.F.”.


    7. “Lumendatabase 25 link”. In the summary section of the withdrawal request,
    the name “P.P.P.” appears, which would correspond to the person affected by the
    alleged defamation.

    8. “Lumendatabase 26 link”: As in other related cases
    above, the name of the sender of the withdrawal notice subsists

    content, "H.H.H."

3º GOOGLE LLC communicates complete judicial documents to the "Lumen Project" without
anonymize any personal data. It cannot be ignored that the "Lumen Project",
even when it states that it will try to respect the applicable regulations depending on the
territorial scope in which the judicial body is located, is located in a country that does not exercise

censorship over them due to the consideration of public documents that
enjoy judicial documents in the United States and therefore does not apply
correctly the appropriate measures to ensure that the publication of
judicial documents is in accordance with the regulations of the country in which they were issued.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 87/137








In the specific case of Spain, court rulings are not a source of access
general public and its publication by the bodies in charge of
this (with exceptions pertaining to rulings of the Constitutional Court) is carried out

anonymizing and dissociating the data of natural persons. The disclosure of data
personal character from sentences can only be carried out in the
assumptions determined by the Organic Law 6/1985, of July 1, of the Judicial Power and in
those cases in which, according to the doctrine issued by the Court
Constitutional, it can be considered that in that, carried out the mandatory weighting
between the rights guaranteed by articles 18 and 20 of the Spanish Constitution,

It can be affirmed that freedom of expression prevails over the right to protection of
personal information.

On the other hand, it is recalled that access to court rulings must be
carried out in accordance with Royal Decree 937/2003, of July 18, of

modernization of judicial archives.

An assumption that would refer to what is referred to in the previous paragraphs is made up of the
judicial document that could be downloaded through the “Lumendatabase Link 18”
in which, according to the documentation provided by the complainant, there are
names of various natural persons who have taken part in the legal proceedings.


4º Regardless of what is indicated in the previous ordinals, it is also possible to
access the original link removed or deindexed, since the "Lumen Project" facilitates
a full link access request mechanism.


5º Finally, it is pointed out that the same information can be accessible through
different “lumendatabase.org” links, which would show the absence of a
protocol or implementation of technical measures to verify the information that
is published in the “lumendatabase.org” database. It is possible to find these
cases in:


    1. The aforementioned assumption regarding “Lumendatabase Links 8 and 9 to
    12”, which when referring to the same request for content suppose the
    disposal of these data in a quintupled manner.

    2. On the other hand, in a written response to the transfer, the respondent stated

    I manifest the withdrawal of the content of the “Lumendatabase Link 16”. Nevertheless,
    the information contained in that link has subsequently persisted through
    of the “Lumendatabase 18 Link”.

Consequently, in accordance with all the foregoing, the interest

legitimate invoked by GOOGLE LLC does not prevail over the rights and freedoms
of those interested in the protection of their personal data, for which
It cannot be considered that the processing of personal data that it carries out is
protected by the legitimate interest provided for in article 6.1.f) of the RGPD.



Consent

In another order, it cannot be said that the signature of the withdrawal request form

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 88/137









contained in the products of GOOGLE LLC, in which the transfer is reported
of the deletion notification to “Project Lumen”, including personal data
that are reflected in it, can be considered a provision of consent
valid for said data communication to take effect.


In order for the assumption of consent of the interested party to concur, it is necessary that the
It is linked to the specific purposes of processing your data. In respect of
its form, in accordance with article 4 of the RGPD, must be a "manifestation of

free, specific, informed and unequivocal will by which the interested party accepts,
either through a declaration, or a clear affirmative action, the treatment of the
personal data that concerns you”.


Likewise, according to Recital 32:

“Consent must be given by means of a clear affirmative act that reflects a manifestation
free, specific, informed and unequivocal will of the interested party to accept the treatment
of personal data concerning you, such as a written statement, including
by electronic means, or a verbal statement. This could include checking a box on a
website on the internet, choose technical parameters for the use of services of the

information society, or any other statement or conduct that clearly indicates in
this context that the interested party accepts the proposal for the processing of their personal data
[…] Consent must be given for all treatment activities carried out with the
same or the same ends. When the treatment has several purposes, the
consent for all of them [...]”.


Expanding on this need for a clear and unequivocal statement, Recital 42
establishes that:

“When the treatment is carried out with the consent of the interested party, the person in charge of the
treatment must be able to demonstrate that he has given his consent to the operation

of treatment. In particular in the context of a written statement made about another
matter, there must be guarantees that the interested party is aware of the fact that he gives his
consent and the extent to which it does so. In accordance with Directive 93/13/CEE of the
Council [of April 5, 1993, on abusive clauses in contracts entered into with
consumers], a model declaration of consent prepared
previously by the person in charge of the treatment with an intelligible and easily accessible formulation
that uses clear and simple language, and that does not contain abusive clauses. So that the
consent is informed, the interested party must know at least the identity of the

responsible for the treatment and the purposes of the treatment for which the data is intended
personal. Consent should not be considered freely given when the interested party
does not have true or free choice or cannot withhold or withdraw consent without suffering
any harm”.

Likewise, article 7 of the RGPD lists the conditions that must be met to

the granting of consent:

"one. When the treatment is based on the consent of the interested party, the person in charge must
be able to demonstrate that they consented to the processing of their personal data.


2. If the data subject's consent is given in the context of a written statement that
also refers to other matters, the request for consent will be presented in such a way
clearly distinguishable from other matters, in an intelligible and easily accessible manner and
using clear and simple language. No part of the declaration will be binding.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 89/137








constitutes an infringement of this Regulation.

3. The interested party shall have the right to withdraw their consent at any time. The retreat
of consent will not affect the legality of the treatment based on the consent prior to
his withdrawal. Before giving their consent, the interested party will be informed of it. It will be so easy
Withdraw consent as give it.


4. When assessing whether consent has been freely given, it will be taken into account to the greatest
extent possible whether, among other things, the performance of a contract, including the
provision of a service, is subject to the consent of personal data that is not
necessary for the execution of said contract.

Consequently, and in accordance with the transcribed precepts, to consider valid the

consent granted, this must be informed, refer specifically to
specific purposes, be provided freely and be unequivocal.

First, in relation to the need for informed consent,
it will be necessary to go to article 13 of the RGPD, which becomes the vector of the principle of

transparency enshrined in article 5.1 of the RGPD.

Regarding the deficient information provided, the arguments expressed
previously.


Analyzing the forms that GOOGLE LLC makes available to users
to request the withdrawal of information, it is noted that in the links related
with the complaint of violations related to copyright (“Forms of complaint”).
Google 1 and 11”) it is reported that a copy of the notifications will be “sent” to one or
various third parties (giving the "Lumen Project" as an example), while in the

regarding content removal requests “Google Forms 3, 6, 8, 10, 12, 13,
14, 15, 16, 19, 20, 22, 25 and 26”) it is stated that “it is possible that” a copy of
notifications to "Project Lumen" for publication. In the latter case, let
It is clear that the "Lumen Project" will be the one in charge of removing the information from
personal contact, which adds to the fact that it is the project itself that anonymizes the

information that you consider sensitive.

The comparison between article 13 of the RGPD with the information provided in the
forms, highlights the lack of essential information, such as the relative
for all purposes of the treatment (in the event of removal of content, there is no

clear whether the information provided, in addition to being used to analyze and manage the
withdrawal will or will not be communicated and in what cases), the third parties to whom
communicate the data (in complaints of copyright infringement,
speaks of one or several third parties), as well as something fundamental, such as the information
reference about the legal basis that serves as the basis for said communication of data

or if it responds to any legitimate interest of the person in charge or of the third party.

Second, the requirement of specificity is closely linked to the requirement
of "informed" consent, so that by not complying with the latter, as has been

exposed, it will be difficult for the interested party to obtain precise information about
a different purpose in the treatment of your data than the management of the withdrawal of
content. At this point it is necessary to remember, as has been pointed out
above, that the communication of data to "Project Lumen" (or any other

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 90/137








third) is not an essential requirement for the effective management of content removal
by GOOGLE LLC. In order to comply with the consent requirement
specific, GOOGLE LLC should enable it to be granted in a manner

independent of the request for content removal, through the modality that is
It has been called granular or layered.

Thirdly, freely given consent means that the data subject who
fill out the form must have a real option not to grant the consent of
communication of your data to the "Lumen Project", without this implying any

penalty in the use of the content removal or claim service. Without
However, in the forms studied this does not occur, since the transfer of data to the
“Project Lumen” is unconditionally included with the withdrawal request itself
of content or denunciation, without the possibility of choosing this assignment or not and with
the aggravating circumstance that not granting global consent implies not being able to file the

report or request the content, something that could violate the right to suppression
set forth in article 17 of the RGPD. As was the case with compliance with the
specificity requirement, in order to be configured as a free requirement, it is necessary
guarantee that the consent of data communication to the "Lumen Project" is
provided independently and unrelated to the request for withdrawal of
content or claim infringement.


Lastly, fourthly and with regard to non-equivocalness, this requirement is
would state that, from the use of the content removal service made by the
concerned, the indubitable conclusion should be drawn that the said person accepts
that your data be communicated to the "Lumen Project". However, given, as

as stated in the previous paragraphs, that no information is offered
clear and precise about the purpose and its legal basis, and that it cannot
The presumed consent granted should be considered free since it has a nature
conditional (if you do not want to transfer your data you cannot request the removal of content),
It is not possible to conclude in a rational way that we are faced with a

clear and unambiguous statement that the interested party wishes to communicate the data of their
request to a third party as the “Lumen Project”.


Faced with everything stated in this Foundation of Law VI, in his writing of
allegations to the proposed resolution GOOGLE LLC is limited to pointing out that the

alleged legitimate interests, of the claimed entity itself, of the "Lumen Project" and
of society in general, are not supervening, but are prior to transfers to
Lumen; and that the expectation of privacy of the users is not disappointed, given that
are reported on the forms.


In response to this allegation, it suffices to refer to what has already been stated above.
about the defects appreciated in the information that the claimed offers to the
interested parties in relation to the communications made to the "Lumen Project", in the
that the legal basis that legitimizes the communication of data is not even mentioned. The
Legitimate interest is only mentioned in the response briefs provided to this

Agency by GOOGLE LLC, but in no way in the information provided to the
users.

(...).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 91/137










GOOGLE LLC ends by stating in its brief of allegations that "None of
the circumstances indicated by the Agency to question the application of said
legal basis may deny the legitimate interest of Google LLC, Lumen and the company in

nor can it be understood that they tilt the weighting test in favor of
the rights and freedoms of the interested parties”, but does not present any reasoning
to defend this claim.


Lastly, it is interesting to note that in the written arguments regarding the proposal for
resolution presented by GOOGLE LLC, this entity declares itself responsible for the
communication of data related to requests for removal of content to the
"Lumen Project". On this matter, GOOGLE LLC expressly states that

Next:

“In effect… Google LLC, is the entity responsible for the processing of personal data
that has taken place in the context of communications of withdrawal requests to Lumen.
Precisely for this reason, the present procedure was correctly initiated against
Google LLC”.



Consequently, in accordance with the exposed evidence, the aforementioned facts
represent a violation of the provisions of article 6 of the RGPD, which gives rise to the

application of the corrective powers that article 58 of the aforementioned Regulation grants to
the Spanish Data Protection Agency.



                                            7th

The right of deletion (“Right to be forgotten”) is regulated in article 17 of the RGPD,
which provides the following:


"one. The interested party shall have the right to obtain, without undue delay, from the data controller
the deletion of personal data that concerns you, which you will be obliged to delete without
undue delay personal data when any of the circumstances
following:


a) the personal data are no longer necessary in relation to the purposes for which they were
collected or otherwise treated;

b) the interested party withdraws the consent on which the treatment is based in accordance with the
Article 6(1)(a) or Article 9(2)(a) and this is not based on another
legal basis;

 c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and does not

other legitimate reasons for the treatment prevail, or the interested party opposes the
treatment according to article 21, paragraph 2;

d) the personal data has been illicitly processed;

e) the personal data must be deleted for the fulfillment of a legal obligation
established in the Law of the Union or of the Member States that applies to the

data controller;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 92/137









f) the personal data has been obtained in relation to the offer of services of the company
of the information mentioned in article 8, paragraph 1.

2. When you have made the personal data public and are obliged, by virtue of the provisions
in section 1, to delete said data, the data controller, taking into account the

available technology and the cost of its application, will take reasonable measures, including
technical measures, with a view to informing those responsible for processing the data
of the request of the interested party to suppress any link to said data
personal information, or any copies or replicas thereof.

3. Sections 1 and 2 will not apply when the treatment is necessary:


a) to exercise the right to freedom of expression and information;

b) for the fulfillment of a legal obligation that requires the treatment of data imposed
by the Law of the Union or of the Member States that applies to the person responsible for the
treatment, or for the fulfillment of a mission carried out in the public interest or in the exercise

of public powers conferred on the person responsible;

c) for reasons of public interest in the field of public health in accordance with the
article 9, paragraph 2, letters h) and i), and paragraph 3;

d) for archival purposes in the public interest, scientific or historical research purposes or

statistics, in accordance with Article 89, paragraph 1, insofar as the right
indicated in section 1 could make impossible or seriously impede the achievement of the
purposes of such processing, or

e) for the formulation, exercise or defense of claims”.


Regarding the right to be forgotten, Recital 65 also pronounces, when it states
what:

“Interested parties must have the right to have the personal data they provide rectified.

concern and a "right to be forgotten" if the retention of such data violates this
Regulation or the Law of the Union or of the Member States applicable to the person responsible for the
treatment. In particular, data subjects must have the right to have their personal data
delete and stop processing if they are no longer necessary for the purposes for which they were
collected or otherwise processed, if the interested parties have withdrawn their consent for the
processing or oppose the processing of personal data concerning them, or if the

processing of your personal data otherwise breaches this Regulation. East
right is relevant in particular if the data subject gave his consent as a child and it is not
is fully aware of the risks involved in processing, and later wants to delete
such personal data, especially on the internet. The interested party must be able to exercise this
right even if he is no longer a child. However, further retention of personal data
must be lawful when necessary for the exercise of freedom of expression and information,

for the fulfillment of a legal obligation, for the fulfillment of a mission carried out in
public interest or in the exercise of public powers vested in the data controller,
for reasons of public interest in the field of public health, for archiving purposes in the interest
public, scientific or historical research purposes or statistical purposes, or for the formulation,
exercise or defense of claims.


In this case, it is interesting to highlight some aspects of the systems designed
and mechanisms enabled by GOOGLE LLC so that interested parties can
manage or request the deletion of your personal data processed by this entity.


28001 – Madrid 6 sedeagpd.gob.es, 93/137









In relation to the exercise of the rights that the RGPD recognizes to the interested parties

holders of personal data, the Privacy Policy available on the website
“google.com” contains the following single reference:

“If the data protection regulations of the European Union are applicable to the treatment of
your information, we will provide you with the controls described in this policy so that
You can exercise your right to request access to your data, update them, withdraw them and restrict
your treatment. You also have the right to object to the processing of your information or to
export it to another service” (paragraph introduced for the first time in the date update
01/22/2019, in which a new section was added with the label "European requirements").


Also, in addition to pointing out that there are specific privacy functions in the
Google products, various options are offered for the management and control of the
personal data (personal information can be reviewed and updated at any
moment by logging in to the “Google account”, there is a space for

set activity controls, set up ads, or control what information is
will share with other users…).

Links to different tools enabled for this are also inserted, such as the
following:


. “Privacy Review”, to adjust the search history, reproductions and
Youtube history or ad settings;
. “My activity”, to consult and delete the activity on Google websites and in
applications, or the history of location and Youtube;

. “Control panel”, which allows “managing the information associated with products
specific”, such as YouTube, Gmail, Google Play, Calendar and others;
. The “Your personal information” space, through which you can manage the
contact information, such as name, email address, phone number

phone numbers or profiles displayed when using Google products.

Regarding the deletion of personal data, it is added that there is the possibility
to remove personal content from “specific Google services”; search items
specific and delete them from the user account through "My Activity"; "remove

specific Google products”, including information associated with the product; either
"Delete your Google Account completely."

Specifically, it is reported in the Privacy Policy that it is possible to "request
content to be removed” from certain Google services in accordance with the laws

applicable. This information includes a link that gives access to the entry page
of Google for the content removal request in which various
company products. On this page, the applicant can choose which of these
products refers your request for removal of content and, once selected the
product in question, the system makes available to the user the form

specific authorized by GOOGLE LLC to make the request, according to the details
that are exposed later (Google Forms 2, 4, 5, 7, 9, 17, 21 and 23).

Despite the complexity of this system implemented by GOOGLE LLC, the
Privacy Policy does not refer to or contain any link that leads to a

specific form for exercising rights regarding data protection
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 94/137








personal.


It has provided a specific procedure so that interested parties can request,
“for privacy reasons”, the withdrawal of results obtained in searches with the
name of the person as criteria and enabled a specific form called
“Withdrawal under EU privacy law”, which is not mentioned in the Policy
Of privacy. This form, the only one available that contains an express reference

to the personal data protection regulations, is accessible through the
website “google.com”, at the URL “https://www.google.com/webmasters/tools/legal-
removal-request?complaint_type=rtbf&visit_id=637759350971490255-
235171692&hl=es&rd=1”.


In this form, GOOGLE LLC declares itself responsible for data processing
personal data by providing results from “Google Search” and managing the
withdrawal requests submitted using this form.

The applicant must indicate the personal information they wish to withdraw and their location

(“the URLs of the content that includes the personal information you want removed”), the
name which, if used as a search query, produces the results to which
refers to the deletion request and the reason for deletion for each URL (“(1)
how the personal information identified above is related to the individual
on whose behalf you are submitting this application; and (2) why you believe this information

staff must leave”).

The same form expressly informs:
“With this form, you can request that certain results be removed from the Search
from Google returned in queries that include your name.”
“If you want to request that personal information be removed from another Google product, please submit a
request through the form of that product, which you can find on the page “How to

remove content from Google. For example, if you want to request the withdrawal of information
Blogger staff, please submit a request via the corresponding Blogger form.te…”

The link “How to remove content from Google” inserted in this information leads to
the page that lists various "Google" products, through which

access the content removal forms enabled for each of these
products. This page is the same one that is accessed through the link “request
that content be removed” included in the Privacy Policy, indicated above.

Through the website "google.com" you can also access the page "How to

remove content from Google”, which coincides with the one described as “Google Forms
2, 4, 5, 7, 9, 17, 21 and 23”.

This page gives entry to the forms enabled by GOOGLE LLC so that
Users can request the removal of content online for each of the

products that are listed in it (according to the information offered, "This page
will allow you to access the appropriate site to report the content you want to remove from
Google services in accordance with applicable laws”).

The Sixth Precedent details the complete list of products and services

included on this page.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 95/137









Verifications have been carried out in the actions (they are detailed in the
Background Sixth and Tenth) in relation to the Blogger/Blogspot products,
Chrome Web Store/extension gallery, Google Classroom, Google Groups,
Google Help Communities, Poly, Feedburner, Data Studio, Cloud Firestore, Google

Images, Google Photos and Picasa Web Album, Drive and Documents, Search
Google, Google Maps and related products, Google + and Google News
(“Google Forms 3, 6, 8, 10, 12, 13, 14, 15, 16, 18, 19, 20, 22, 24, 25, 26 and 27,
respectively).


In general, when you click on a product on the page “How to remove content from
Google” you access a new page that allows you to create a request for withdrawal of
online content.


Previously, different options are offered on the reason for the request. A
Listed below are the various reasons shown on these forms,
in the section "How can we help you?", so that the interested party can select the

that serves as the basis for your request (in the sixth Antecedent it is indicated which of these
reasons are included in each of the forms included in the proceedings):

( ) I want to change the incorrect information on my local file
( ) I want to know why the information on my local listing has changed
( ) Personal information: the content includes my personal data

( ) Intellectual property issue: reporting copyright infringement, circumvention,
etc.
( ) Court order: a court ruling has determined that a specific content is illegal
( ) Legal problem: legal problem that does not appear in the list
( ) Material with images of child sexual abuse: visual representation of sexual practices
explicit with minors”.
( ) Copyright Infringement: My copyrighted work is being used

illegally without authorization
( ) Counter Notice: An appeal intended to restore content that was removed due to a
copyright infringement claim
( ) Circumvention: a tool circumvents the technological measures for the protection of the rights of
Author
( ) I would like to report malware, phishing, disclosure
of private data or other similar incidents.
( ) I want to report a blog that impersonates my identity.

( ) I want to report the disclosure of private nude images or information
( ) I want to report bullying and harassing content.
( ) Brand: my brand is being used in a way that may cause confusion
( ) Report violent or hateful content, the disclosure of personal data, or the
promotion of goods and services
( ) I want to report a case of phishing, spam, malware or other
Misuse of a Google Docs or Google Drive file

( ) Right to be forgotten: request to withdraw information in accordance with European legislation
in terms of data protection
( ) Defamation: the content defames me or my company or organization

When selecting one of these options, a new page is accessed, in which

allows you to create the request (“Click Create Request to send a request to
our team").

In relation to the products “Google Maps”, “Google News” and “Drive and Documents”,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 96/137








the process has been verified by selecting the option among the reasons for the request

“Personal information: the content includes my personal data”. In all cases
A data collection form was displayed with the following information:

“Form to request the withdrawal of personal information
For privacy reasons, you may have the right to request that certain

personal information related to you.
This form is used to request the withdrawal of certain content of the product from
Google you have selected. If you wish to request the removal of personal information from another
Google product, submit a request through the corresponding product form,
available on our “How to remove content from Google” page.
For example, if you want to request that certain Search results be removed from
Google for queries that include your name, please submit a request through the
corresponding Google Search form
Upon receipt of a request, Google strikes a balance between the individual's right to privacy

affected and the right of the general public to have access to information, as well as the right
from other users to distribute it. For example, Google may refuse to remove certain
information about financial scams, professional negligence, criminal convictions, or
public behavior of government officials”.


It has been verified that the link “Google Search form” inserted in
that informative text leads to the request form “Withdrawal under the law
of privacy of the EU.

The request that is generated with the described process, which the interested party must

complete and send, includes fields for the applicant to provide their data
regarding country of residence, full name and email address of
Contact; as well as the name and surname of the person he represents, “URL of the
content that includes the personal information you want removed”, “the information

you want to be removed” and “the reasons for the removal”.

It is important to note, on the other hand, that the page “How to remove content from
Google” in which various “Google” products are listed, through which

access the content removal forms enabled for each of them,
the product “Google Search” is also included.

By clicking on this product you access a new page that allows you to create a request
online content removal. The following options are offered on this page:


“How can we help you?
( ) I want to report malware, phishing, or similar issues.
( ) Content that I requested to be removed continues to appear in search results,
even though the webmaster has already removed it.
( ) Remove personal information from Google in accordance with our product policies
(personally identifiable information, doxxing, explicit non-consensual images, etc.).

( ) Personal information: request that my personal information be removed from the results of
Google search.
( ) Intellectual property issue: report copyright infringement, circumvention,
etc.
( ) Another legal problem: report content for another legal reason not included in the li.ta”


With the option “Personal information: request that my personal information be removed
from Google search results” takes you to a new page for
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 97/137








removal of content, in which new options are offered to the interested party:


“Choose one of the following options:
( ) Remove personal information from Google in accordance with our product policies
(personally identifiable information, doxxing, non-consensual explicit images, etc.)
( ) Right to be forgotten: request to withdraw information in accordance with European legislation
in terms of data protection
( ) Defamation: the content defames me or my company or organization”.


Selecting one of these options allows you to create the request (“Click Create
request to submit a request to our team”).


The option “Right to be forgotten” leads to the form “Withdrawal under the law of
EU privacy.

For the “Defamation” option, a data collection form is displayed with the

following information:

“Request the removal of content for legal reasons.

If you think you have found content that is illegal in your country, you can use this form
to submit a claim.
Please identify the exact URLs of the content in question and explain in detail why you believe

that content is illegal. We will evaluate your request taking into account our privacy policies.
removal of content, we will review it and take appropriate action."

“To be as accurate as possible, please cite exactly the text of the URLs listed above
that you believe violates your rights. If the allegedly infringing content is a
image or video, please provide a detailed description of that content so that we can
locate it at the URL in question”.


“If the violation affects multiple Google products, you must submit a notification for each
affected product.

This form includes fields for the applicant to provide the following data: country
of residence, full name of the applicant, name of the company, name of the

company or organization whose legal rights it represents, email address
contact email and the allegedly infringing URL. It is also requested to
applicant to “Explain in detail why you believe that the content of the URLs
above is illegal and cite the specific legal provisions if possible.”


These forms, which appear in the actions indicated as "Forms of
Google 3, 6, 8, 10, 12, 13, 14, 15, 16, 19, 20, 22, 25, 26 and 27”, as already indicated,
inform users that GOOGLE LLC may send (“we may send”)
a copy of the legal notifications that you receive to the "Lumen Project" for your

publication and annotation. The information that is communicated to “Lumen” and the publication
that this entity carries out on its website "lumendatabase.org" has been exposed in the
Basis of previous Law.


It is also indicated that the entity GOOGLE LLC itself may publish in its "Report
of Transparency” information of the withdrawal notification “similar” to that published in
lumendatabase.org.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 98/137









(…)


(…)

It adds in this regard that the essential element that determines the application of the
article 17 RGPD is the purpose of the request and, consequently, the right

invoked and exercised by the individual, the legal regime in which the subject bases the
content removal request.

And it clarifies that these content removal requests are valued by carrying out analyzes
legal and test depending on the reason for submitting your request. For example,

De-indexation requests for defamation grounds, in the absence of a decision
judicial, they are analyzed according to the local regulations that regulate defamation and not on the
GDPR basis.

However, in cases of removal of content from products and services

analyzed it is difficult to deduce if the request is made invoking the regulations of
protection of personal data, simply because this regulation is not mentioned
in any of the forms, regardless of the reason that the interested party
select from among the proposed options, except in the form called
“Withdrawn under EU privacy law”, the only one available that contains

an express reference to this regulation, as has been said.

If we take into account what was stated by GOOGLE LLC, this means that said entity
believes that online content removal requests for the products of
"Google" that are formulated using the mechanisms to which the

page "How to remove content from Google", in no case is it considered an exercise
of right of suppression regulated in article 17 of the RGPD and in no case
analyzed and resolved by the responsible entity in accordance with the protection regulations
of personal data.


This is so despite the fact that many of the reasons shown on the forms
in question to be marked by interested users are directly
related to the processing of personal data, or may be in the intention
of it when making your selection. See for example the following options,
keeping in mind at all times that the issue analyzed has to do with

online content removal requests:

( ) I want to change the incorrect information on my local file
( ) Personal information: the content includes my personal data
( ) I would like to report malware, phishing, disclosure
of private data or other similar incidents.
( ) I want to report a blog that impersonates my identity.
( ) I want to report the disclosure of private nude images or information
( ) Report violent or hateful content, the disclosure of personal data, or the

promotion of goods and services

With the option “Personal information: the content includes my personal data”,
even, a form is accessed that is presented as "Form to request the
withdrawal of personal information. For reasons of privacy…”, which also does not invoke the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 99/137








personal data protection regulations.

And not only that. These forms do not even use the terms “personal data”.


In addition, the system designed by GOOGLE LLC, which leads the interested party through
of various pages to complete your request, previously forcing you to
check the options that are offered, it can cause it to end up marking a
option that suits the reasons that you consider appropriate to your interest, but that
deviates from its original intention, which may be clearly linked to the protection

of your personal data, unaware that these options place you in a regime
different normative because GOOGLE LLC has wanted it that way or that your request is
will resolve according to the internal policies established by this same entity.

Nor does anything ensure that a user has not noticed the existence of the content

that you intend to withdraw through the "Google Search", which also offers among the
search results contained in other "Google" products, and that your
intention was the deindexation of said content and your personal data.

In the cases analyzed, only GOOGLE LLC knows which requests respond to a
criterion or another, which is to say that only GOOGLE LLC knows which requests are

will be resolved in accordance with some rules or others. It is as much as leaving it to the discretion of
GOOGLE LLC the decision on when the RGPD applies and when not, and this would mean
accept that this entity can avoid the application of the data protection regulations
personal data and, more specifically for this case, accept that the right of
deletion of personal data is conditioned by the system of elimination of

content designed by the responsible entity.

The effect may be that personal data that the interested party wishes are not deleted.
delete in cases where the personal data protection regulations protect this
suppression.


There is no other form on exercising personal data protection rights
than the so-called “Removal under EU privacy law”, and GOOGLE
LLC correctly treats it as an exercise of the right to be forgotten because it is
intended for requests to remove results from “Google Search” in
searches with a person's name as criteria. But there is no other

form for the right to delete data regulated by the RGPD.

We already know that the exercise of these rights is not subject to form and that a
The interested party can formulate the request with a simple writing prepared by himself.
But what is analyzed here is the suitability and legality of the mechanisms enabled

by GOOGLE LLC so that a user can request the deletion of their data
when this deletion involves the removal of online content from
the products and services that the entity provides, considering that the existence of
these means can lead the interested party to use them, not knowing the true
scope and effects that will have in relation to its purposes the fact of using

they.

It is important to note that the information that the Privacy Policy offers about the
right of deletion, the way to exercise it and the means available to the interested party,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 100/137








in the section “Export, withdraw and delete your information”, expressly informs that
You can “request to remove content from certain Google services from
in accordance with the applicable laws”. This information includes a link that gives access to

the “How to remove content from Google” page that lists the products and
services and leading to the forms being analyzed. It is understood that if
Privacy Policy refers to "removal of information" and "remove content"
is referring to the right to delete personal data.

It cannot be accepted, therefore, that the Privacy Policy leads to this site

web, in which means are made available to the user for the exercise of the right
of suppression, with which the elimination of contents is pursued (it must be understood
that refers to personal data) and, subsequently, the requests made
are not treated as such, at the discretion of the responsible entity.


For the correct assessment of what is discussed here, it is necessary to consider the level of
social implantation of the products and services of GOOGLE LLC, almost global with respect to
of the population of the territories in which these products are offered and provided
those services. And consider, likewise, that this content removal system in
line and its effects, requires for its correct understanding a level of training in the
matter that does not occur in the profile of the average citizen.


This system not only causes those difficulties and effects on the interested party. on trial
of this Agency, as well as the management of the requests that must be made by the
claimed entity may be affected.


Proof of this are the cases to which the “Lumendatabase 3 Links,
14 and 25”, which are outlined in Proven Fact 10. These publications of
"lumendatabase.org" correspond to requests for deletion of personal data
(removed from search results in “Google Search”), but they were sent
by GOOGLE LLC as notifications based on defamation grounds.


What is striking, on the other hand, is the existence of two forms for the elimination
content in the "Google Search Engine", outlined above, which does not contribute to
clarify the issue.

One of them, “Withdrawal under EU privacy law”; and another, the

available through the “How to remove content from Google” page, which is also
include this product in the list it contains.

In the first of these forms, according to the information provided,
used solely for the removal of "personal information" in the results of

search when a name is used as the search query (“With this
form, you can request that certain search results be removed from
Google returned in queries that include your name”).

In the second case, the form has the same mechanics as those indicated

previously. The interested party must mark one of the reasons for the claim that is
shown in the section “How can we help you?”, similar to those already expressed
(such as “A piece of content that I requested to be removed continues to appear in the
search results, even though the webmaster has already removed it”, “Remove

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 101/137








personal information from Google in accordance with our product policies
(personally identifiable information, doxxing, non-consensual explicit images,

etc.)”, “Personal information: request that my personal information be removed from the
Google search results”, or “Another legal problem: reporting content for
other legal reason not included in the list”).

With the option “Personal information: request that my personal information be removed

from Google search results” takes you to a new page for
removal of content, in which new options are offered to the interested party:

“Choose one of the following options:
( ) Remove personal information from Google in accordance with our product policies
(personally identifiable information, doxxing, non-consensual explicit images, etc.)
( ) Right to be forgotten: request to withdraw information in accordance with European legislation
in terms of data protection

( ) Defamation: the content defames me or my company or organization”.

Selecting one of these options allows you to create the request (“Click Create
request to submit a request to our team”).


The option “Right to be forgotten” leads to the form “Withdrawal under the law of
EU privacy.

For the “Defamation” option, a data collection form is shown in which
it is reported that the request will be evaluated and resolved taking into account the "policies of

content removal” of GOOGLE LLC.

Therefore, requests made using this form will never be
will resolve in accordance with the data protection regulations:
. If the removal of content refers to search results with the name of

a person as a criterion, it is resolved in accordance with the regulations for the protection of
data, but using the form enabled for the "Withdrawal under the law of
privacy of the EU”, to which the second of the three previous options leads.
. The first and third options above are resolved in accordance with the "policies of
content removal” of GOOGLE LLC. In this way, the removal of content

in the product "Google Search" in other cases different from the previous one (eg,
searches with the phone number as a query) is resolved according to criteria
of the responsible entity, established by itself, although that content
include personal data (the first option includes removal of "personal information
identifiable”; and the second talks about content that defames a person).


It should also be added that the result that the interested party obtains from the use of the
“EU Privacy Law Withdrawal” form does not extend to the
deletion of online content, but only results in the deindexation of
those contents, and only in searches by name as query criteria,

avoiding that in these cases the content is displayed in the results of the "Search Engine".
of Google".

In the other cases of exercise of the right through the application forms of
removal of content online the result in accordance with the requirements of the RGPD is the

effective deletion of information.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 102/137









For this reason, although the “Withdrawal under the privacy law” form is operational
of the EU”, the only one that mentions the data protection regulations

personal, this cannot be the only form that GOOGLE LLC uses to
understand exercised the right of suppression.


Once the request for removal of online content has been submitted and the right has been met, it is
That is, once the deletion of personal data has been agreed, there is no further processing

thereof, such as the communication that GOOGLE LLC makes to the "Project
Lumen”.

Communication of content removal request data from GOOGLE LLC to
“Lumen Project”, analyzed in the previous Legal Basis, considering

that all the information contained in the application is sent so that it can be included in another
database accessible to the public and to be disclosed through a website,
It supposes in practice to frustrate the purpose of the exercise of the right of suppression.

In addition, this communication of data by GOOGLE LLC to "Project Lumen"
imposed on the user who intends to use the repeated forms, who does not have to

want the option to oppose it. This conditionality in the exercise of a
right recognized to the interested parties, which is the deletion, does not find
accommodation in the RGPD to the extent that an additional treatment of the data is generated.
data on which the deletion request relates when communicating them to a third party.


Moreover, if we consider that on the results page of the "Google Search",
in searches carried out with the name of the interested parties as a criterion of the
query, a footnote is included noting that a result “in
response to a legal requirement” and includes a hyperlink to “lumendatabase.org” for
that the user can access the information (“If you wish, you can read more

information on this requirement at LumenDatabase.org”). About this note in
search results are expressly informed to those interested in the
“Google Forms 1 and 11”, arranged to request online content removals
for copyright infringement (“In the case of products such as Web Search
of Google, a link to the published notice will appear in the search results of
Google instead of the removed content”).


To this we must add that the entity GOOGLE LLC itself informs in the forms
in question about the possibility of publishing information similar to that communicated to the
“Lumen Project” in its “Transparency Report”.



Regarding this breach of article 17 of the RGPD, GOOGLE LLC points out that the
AEPD does not provide any evidence of the existence of a single right of deletion "not
served" or "hindered" by the claimed, necessary for it to be understood
breached article 17 of the RGPD, either by preventing the exercise or by not

delete the data when appropriate. Highlights the number of applications for right
of suppression (“right to be forgotten”) that receives and attends each year in Spain and that of
legal protection procedures processed by the Agency without critical comment
some.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 103/137









As GOOGLE LLC indicates, the impediment of exercise has been taken into account
of the right of suppression that supposes the use of the repeated forms by the

interested parties and the procedure for managing these requests applied by the claimed party,
as well as the numerous individual cases analyzed in the proceedings, which
are outlined in the Proven Facts in full detail, some of which
correspond to exercises of "right to be forgotten", in which GOOGLE LLC did not suppress
the personal data of the interested parties. These conclusions do not change in any way.
number of requests for the right of deletion that said entity attends or the

procedures of exercises of right promoted by the interested parties before this
Agency, all of them referring to the “right to be forgotten”.

It also adds the entity claimed that the AEPD ignores other channels and resources
arranged by the same for communication with its users and interested in

relation to the exercise of rights. But this does not counteract the fact that the
forms object of these actions have been enabled by GOOGLE LLC
for the exercise of the right of deletion, as explained in its Privacy Policy.
Privacy, through which you can access them. Although it may exist
other ways, given the freedom of form for the exercise of rights provided by the
applicable regulations, the interested party may choose to use those provided by

the entity to which it is directed. It can even be said that he is led to the
use of these forms. Nor can the claimant ensure that when a
Interested party opts for these forms does so knowing and having previously agreed to
those other channels and resources to which he refers in his allegations.



On the other hand, GOOGLE LLC understands that the conclusions of the proposal of
resolution, which coincide with those expressed above, are manifestly
Contrary to the principle of legitimate expectations contained in art. 3.1.e) of the Law
40/2015, of October 1, on the Legal Regime of the Public Sector, taking into account

that the AEPD has spent years linking and inviting citizens to use the set of
content withdrawal forms, as can be seen on its website.

In said allegations, it has detailed the URLs that lead to this information
inserted on the website of this Agency (“aepd.es”):


1. The first of these links (“https://www.aepd.es/es/areas-de-actuacion/internet-y-
social-networks/right-to-be-forgotten”), within the “Areas of action” tab. Internet
and Social Networks”, leads to the section “Right of suppression (“to be forgotten”):
Internet search engines", in which interested parties are offered several "key points"
to exercise this right. In point 4 “How to exercise it?” the following is reported:


“The data protection regulations establish that to exercise the right of deletion (and,
therefore, the 'right to be forgotten') it is essential that the citizen go first to the
entity that is processing your data, in this case the search engine. Major search engines
have enabled their own forms (Google...) to receive requests to exercise
this right in this field.

The “Google” link in this text allows you to access the GOOGLE form

LLC called “Withdrawn under EU privacy law”, which is not listed
among the reported forms.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 104/137










2. The second URL (“https://www.aepd.es/es/areas-de-actuacion/internet-y-redes-
social/delete-photos-and-videos-from-the-internet”), within the same tab indicated in
the previous section, leads to the section “Delete photos and videos from the internet”, in the

which is reported as follows:

“Do you know how to request the removal of photos or videos posted on the internet? Your image
it is a personal data, whether you appear in a photo or in a video.

Your image, both a photo and a video in which you appear, is personal data. Diffusion

of images or videos published in different internet services without legitimation
to deal with this data of yours, especially in social networks, is an issue that arises with
frequently before the Agency. The General Data Protection Regulation recognizes the
people the exercise of the right of suppression...

What should you do?
The exercise of the right of suppression can only be requested by the affected person or, in the event of
be minors under 14 years of age, their parents or legal guardians.

Whenever circumstances allow it, it is advisable to contact the person who uploaded the
content requesting its removal.
If you did not achieve your goal, you should necessarily request the deletion to the platform that
has provided the means for publication, that is, the social network or video portal on
that these images or videos have been published, proving your identity and indicating what
links are the ones that contain the data you want to cancel…


The most popular social networks, meanwhile, have established mechanisms for
notify them of privacy violations or inappropriate content through their own
forms.

Here are some of the methods they offer…

Google
The company has a page from which you can request the removal of content

of its different services. In the case of the YouTube video service, you will be offered
different options in case of abuse or harassment, violations of privacy, reporting of
sexual content, violent content or other issues. On the other hand, if you consider that
a video posted on YouTube includes inappropriate content you can use the icon with
form of flag (Report) to warn of the content and for the company to review it”.


The link "The withdrawal of content" that appears in this text allows access to the
page "How to remove content from Google", of "google.com", which is the page of
Google's entry for the content removal request in which they are listed
various products of the company, through which you can access the forms

enabled for each product. This page coincides with the one reviewed in the
Actions such as "Google Forms 2, 4, 5, 7, 9, 17, 21 and 23".

The rest of the links (“abuse or harassment”, “privacy violations”, complaint of

sexual content”, “violent content” and “other problems”), basically,
allows access to the information offered by the claimed on withdrawals of
content on Youtube according to the policies of the entity itself (“Rules of the
Youtube Community”): “The safety of our creators, viewers and

partners is our highest priority, and we hope that each of you
Help protect this unique and vibrant community. It is important that you

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 105/137








Familiarize yourself with our Community Guidelines and understand the role
play in our shared responsibility to maintain safety in

Youtube. You can also consult the complete list of our policies”.

3. Through the third URL (“https://www.aepd.es/sites/default/files/2020-05/guia-
citizen.pdf") accesses the "Citizen's Guide" prepared by this Agency,

which is available on the website of this entity, in the tab “Guides and
tools". Section 5.4 of this Guide provides information on the “Right to
deletion (“Right to be forgotten”)”, with the following text:

“On the other hand, the most popular social networks offer help services that allow
inform you, through your own forms, when there has been a

violation of privacy or inappropriate content.

Some of these services are the following:

Google:
Content removal
Report abuse or harassment (Youtube)
Violation of privacy (Youtube)
Report sexual content (Youtube)

Report violent content (Youtube).

They are the same links as in section 2 above.

4. The fourth URL (“https://www.aepd.es/sites/default/files/2020-02/infografia-canal-

priority.pdf”) accesses information related to the “Priority Channel” enabled by the
AEPD to communicate the dissemination of sensitive content and request its withdrawal. East
document includes the following information:

“What can I do if images in which I appear are spread? In general, the

affected by these behaviors should contact the Internet service provider requesting
the removal of images that are being disseminated without their consent. then it
The links to some of the major service providers are detailed:

Google…"  .


By clicking on the “Google” link that appears in this information, you access the
“Withdraw Google Information” page, from “google.com”. This page informs
how to contact the webmaster of a website to request the
removal of content and links are included to access the removal tool
removal of obsolete content, removal of images, fake pornography, practices

abusive, financial, medical information or personal identification documents,
Doxxing content or images of minors.

It also includes a link to the forms object of the actions
(“Legal Problem Resolution Form”).


The aforementioned principle of legitimate expectations is contained in article 3
from the LRJSP:

“Article 3. General principles.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 106/137









1. The Public Administrations objectively serve the general interests and act in
in accordance with the principles of efficiency, hierarchy, decentralization, deconcentration and
coordination, with full submission to the Constitution, the Law and the Law.
They must respect the following principles in their actions and relationships:
(…)
e) Good faith, legitimate trust and institutional loyalty.


It is a manifestation of the doctrine of "proper acts" and is related to the
principle of legal certainty. The principle of legitimate expectations can be understood

as the confidence of citizens in the future action of the Administrations
Public according to their past performances, considering the expectations that
generate, although always safeguarding the principle of legality, so that the
principle cannot be invoked to save situations contrary to the norm.


This follows from the STS of 12/18/2007, which refers to the principle of protection of
legitimate expectations citing the terms of a previous Judgment of 05/10/1999:


"Thus, the STS of 10-5-99 (RJ 1999, 3979), recalls "the doctrine on the principle of protection
of legitimate trust, related to the most traditional in our system of
legal certainty and good faith in relations between the Administration and individuals, and
entails, according to the doctrine of the Court of Justice of the European Communities and the
jurisprudence of this Chamber, the fact that the public authority cannot adopt measures that result
contrary to the hope induced by reasonable stability in its decisions, and
on the basis of which individuals have adopted certain decisions. […] For other

On the other hand, in the STS of 1-2-99 (RJ 1999, 1633), it is recalled that "this principle cannot
invoked to create, maintain or extend, in the field of public law, situations
contrary to the legal system, or when the preceding act results in a contradiction with
the purpose or interest protected by a legal norm that, by its nature, is not susceptible to
protect one discretionary conduct by the Administration that supposes the recognition of
some rights and/or obligations arising from acts of the same. […] One thing is
irrevocability of the declarative acts of rights themselves outside the review channels

established in the Law (articles 109 and 110 of the Administrative Procedure Law of 1958
[ RCL 1958, 1258, 1469, 1504 and RCL 1959, 585], 102 and 103 of the Law of Legal Regime of
Public Administrations and Common Administrative Procedure, Law 30/1992 [ RCL 1992,
2512, 2775 and RCL 1993, 246] , modified by Law 4/1999 [ RCL 1999, 114, 329] ), and another on
respect for the legitimate trust generated by one's own actions, which must necessarily
be projected into the field of discretion or autonomy, not that of regulated aspects
or normative requirements against which, in Administrative Law, the

resolved in act or in precedent that was contrary to those. Or, in other words, not
It can be said that the trust placed in an act or precedent that is
contrary to mandatory rule.

The STS of 02/22/2016 (rec.1354/2014), for its part, refers to the requirements that

must concur to assess legitimate expectations:

“It should be borne in mind that legitimate expectations ultimately require the concurrence of
three essential requirements. Namely, that it is based on undeniable and external signs (1); that the
hopes generated in the administered must be legitimate (2); and that the final conduct of the

Administration is contradictory with the previous acts, is surprising and inconsistent
(3). Exactly what happens in the case examined, according to the facts above
reported, which is pointless to insist.
Let us remember that, with respect to legitimate expectations, we have been repeatedly declaring,
for all, Judgment of December 22, 2010 (contentious-administrative appeal no.
257/2009), that "the principle of good faith protects legitimate expectations that are justified

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 107/137








may have deposited in the behavior of others and imposes the duty of coherence in the
own behaviour. Which is as much as to say that the principle implies the requirement of a
duty of behavior that consists of the need to observe in the future the con-
conduct that the previous acts made anticipate and accept the binding consequences that are

arise from the acts themselves, constituting an assumption of injury to legitimate expectations
of the parties "venire contra factum propium".

This same Judgment refers to the confidence in the stability of criteria of the
Administration, evidenced in previous acts in the same sense.


On the other hand, the STS of September 21, 2015 (rec.721/2013), in its Basis
of Fourth Law, declares the following:

“In the aforementioned judgment of this jurisdictional Chamber of February 23, 2000, the application
of the principle of protection of legitimate expectations is conditioned not so much to the fact that

produce any type of psychological conviction in the benefited individual, but rather to
that the existence of external signs produced by the Administration "what
sufficiently conclusive" so as to reasonably induce you to rely on the legality
of administrative action.”

Therefore, this hope or confidence generated must be "legitimate" and be based on

previous external acts, whose meaning is undoubtedly contrary to what was agreed
subsequently, without it being necessary to include in this principle of legitimate expectations a
mere psychological conviction of the individual.

In this case, it is stated that the website of this Agency includes general information addressed to

internet users about the exercise of the right of deletion and warns users
themselves, in various sections, on the possibility of using the forms for this
specific authorized by different service providers, among which is the
entity "Google".


For this reason, in said information links are inserted that lead to the
forms enabled by GOOGLE LLC. Among these links it is worth highlighting, for its
special interest for the performances, those included in the section “Delete photos and
internet videos” and in the “Guide for the citizen”, which give access to the page

“How to remove content from Google”, from “google.com”, through which you access
the forms object of this procedure.

This fact does not represent an external act of the Administration that could have

influence the conduct of GOOGLE LLC determining the violation of article 17 of the
RGPD, to the extent that the inclusion of these links on the AEPD website does not
may mislead said entity or allow it to conclude that in those
forms there is no element that contravenes the provisions of the RGPD and
LOPDGDD. This being the case, it cannot be said that GOOGLE LLC has been surprised

for the aforementioned infringement of the RGPD that is imputed in this act.

Therefore, GOOGLE LLC does not have external events prior to this resolution.
(“external undeniable signs”) that may be considered favorable to said entity of
conclusively and sufficient to have induced it to think that the AEPD

validated repeated content removal forms. There are no previous decisions
of the AEPD, nor recommendations, nor any act in which a criterion is transmitted that

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 108/137








is now being modified.

That inclusion of links to the forms in informative documents inserted in

the website "aepd.es" does not constitute any regulated action or an act with content
legally binding, nor does it imply any pronouncement on the issues to which
which the allegations refer. In short, they do not represent external acts
of the Administration from which a future violation of the
principle of "legitimate trust of the company", now invoked.


The actions of this Agency have not influenced in any way the conduct of
GOOGLE LLC determining the infringement analyzed, nor does it influence the design of
those forms or in their use for the management of rights in matters of
protection of personal data or legal claims in general that give rise to
the application of its own internal policies for the removal of content or other

regulations other than personal data protection; nor has this Agency
performed any other action that has allowed said entity to conclude the
suitability of his action. GOOGLE LLC cannot provide any statement or
action of this Agency that led to this alleged confusion, simply
because there is no action in that sense.


The Agency has limited itself to informing citizens of their rights and how
can exercise them, including a link to the forms of those responsible for the
treatment. The inclusion of said links does not imply a validation of those
forms, something that, on the other hand, does not correspond to the AEPD, but is
responsibility of the claimed entity, which is obliged to seek the

compliance with data protection regulations in accordance with the principle of
proactive responsibility. Proof of this is that the defendant can at any
moment to vary the content of the information to which the repeated links lead
inserted in the web "aepd.es", or the design of the forms themselves, without any
prior pronouncement and without the knowledge of this Agency.


With the inclusion of these links, as has already been said, the AEPD is not deciding or
recommending anything that legally binds this Agency, the claimed or
third parties. It is now, in the exercise of the corrective powers that the RGPD grants to the
Control authority, when the infraction is detected, of which only GOOGLE
LLC is responsible.


In short, projecting the doctrine of the Supreme Court to the present case, and in the
terms of the STS of 12/18/2007, it turns out that there are no circumstances that
allow us to understand that GOOGLE LLC has been surprised by the actions of the
Management.


It is worth insisting, in any case, on what was previously expressed about the prevalence
of the principle of legality, which prevents invoking legitimate expectations to save
situations contrary to the norm.


For all these reasons, the allegation of violation of the principle of trust must be rejected.
legitimate and, otherwise, reaffirm the full responsibility of GOOGLE LLC in
in relation to the online content removal forms designed by the same
and the management that applies due to its use by the interested parties.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 109/137











                                          viii

In the event that there is an infringement of the provisions of the RGPD, between the
corrective powers available to the Spanish Data Protection Agency,

as a control authority, article 58.2 of said Regulation contemplates the
following:

“2 Each control authority will have all the following corrective powers indicated below:
continuation:
(…)
b) sanction any person responsible or in charge of the treatment with a warning when the

treatment operations have violated the provisions of this Regulation;”
(...)
d) order the person responsible or in charge of the treatment that the treatment operations be
comply with the provisions of this Regulation, where appropriate, of a given
manner and within a specified time;
(…)
i) impose an administrative fine under article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;".


According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)
above is compatible with the sanction consisting of an administrative fine.



                                          IX

The exposed facts do not comply with the provisions of articles 6 and 17 of the RGPD, with
the scope expressed in the previous Legal Foundations.


In the agreement to open the procedure, the violation of article 17 was
considered linked to the breach of the provisions of article 6, both of the
RGPD, to the extent that the communication to the "Lumen Project" of the data
included in online content removal requests means no

respond to this request for deletion of personal data.

However, the actions carried out during the investigation of the procedure
have revealed serious deficiencies in the process designed for the

formulation, reception and management of these requests for deletion of personal data
that directly affects the very exercise of this right recognized to
interested in the RGPD and its resolution in accordance with this regulation, as is
exposed in the Foundation of Law VII. This fact violates article 17 of the
RGPD and constitutes a differentiated infringement of data communication

to the "Lumen Project", to the extent that it results from conduct
differentiated. Failure to comply with article 17 of the RGPD, for the reasons stated
in the aforementioned Foundation of Rights, occurs regardless of whether the
personal data included in the request that the interested party makes is communicated or
not to “Project Lumen”.


Ultimately, these are separate conducts that must be sanctioned by
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 110/137









separate.

Failure to comply with the provisions of articles 6 and 17 of the RGPD implies the
commission of two offenses classified in sections 5.a) and b) of article 83

of the GDPR, respectively. This article 83.5, under the heading "General conditions
for the imposition of administrative fines”, provides the following:

"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a

company, of an amount equivalent to a maximum of 4% of the total annual turnover
of the previous financial year, opting for the highest amount:

a) the basic principles for the treatment, including the conditions for the consent to
tenor of articles 5, 6, 7 and 9.
b) the rights of the interested parties according to articles 12 to 22”.


In this regard, the LOPDGDD, in its article 71 establishes that "They constitute
infractions the acts and behaviors referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law”.


For the purposes of the limitation period for infractions, the infractions indicated in
the previous paragraph are considered very serious and prescribe after three years,
in accordance with article 72.1.b) and k) of the LOPDGDD, which establishes:


“Based on the provisions of article 83.5 of Regulation (EU) 2016/679, they are considered
very serious and will prescribe after three years the infractions that suppose a violation
substance of the articles mentioned therein and, in particular, the following:

b) The processing of personal data without the concurrence of any of the conditions of legality of the
treatment established in article 6 of Regulation (EU) 2016/679.

k) The impediment or the hindrance or the repeated non-attention of the exercise of the rights
established in articles 15 to 22 of Regulation (EU) 2016/679”.

In order to determine the administrative fine to be imposed, the

provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:

"one. Each control authority will guarantee that the imposition of administrative fines with
in accordance with this article for the infringements of this Regulation indicated in the
sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each case

individually, in addition to or as a substitute for the measures referred to in article 58,
section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount
In each individual case, due account shall be taken of:
a) the nature, seriousness and duration of the offence, taking into account the nature,
scope or purpose of the treatment operation in question as well as the number of
affected parties and the level of damages they have suffered;
b) intentionality or negligence in the infringement;

c) any measure taken by the person responsible or in charge of the treatment to alleviate the
damages suffered by the interested parties;
d) the degree of responsibility of the data controller or processor, taking into account
of the technical or organizational measures that they have applied by virtue of articles 25 and 32;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 111/137









e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular if the
The person responsible or the person in charge notified the infringement and, if so, to what extent;

i) when the measures indicated in article 58, section 2, have been ordered
previously against the person in charge or the person in charge in question in relation to the same
matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms
approved under article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial benefits obtained or losses avoided, directly or indirectly, through

the infraction”.

For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD
has:


"one. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU)
2016/679 will be applied taking into account the graduation criteria established in the
section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also
may be taken into account:


a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of data processing
personal.
c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the commission of the crime.
infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infraction,

that cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) Submission by the person in charge or person in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which there are
controversies between them and any interested party”.


In this case, considering the seriousness of the infractions found, the
imposition of an administrative fine and the adoption of measures. In this regard, the fine
imposed must be, in each individual case, effective, proportionate and

dissuasive, in accordance with the provisions of article 83.1 of the RGPD.

In accordance with the precepts indicated, in order to set the amount of the penalties
to impose in the present case, it is considered appropriate to graduate the fines of

according to the following criteria:

1. Infringement of article 6 of the RGPD, typified in article 83.5.a) of the RGPD and
classified as very serious for prescription purposes in article 72.1.b) of the

LOPDGDD.

The following graduation criteria are considered concurrent as aggravating:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 112/137








    . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the
    infringement, taking into account the nature, scope or purpose of the operation
    of treatment in question as well as the number of interested parties affected and the

    level of damages they have suffered.

         . The nature and seriousness of the infraction, considering that the
         communication of data that is sanctioned is made to a third entity in
         a third country, and is carried out without the interested party having the opportunity to
         oppose it. In addition, this communication of data is related to

         online content in all the entity's products and services
         claimed and originates from requests made by the interested parties to
         that such content be removed. All this affects the ability to
         interested parties to exercise true control over their personal data.
         . In relation to the duration of the infringement, it is stated in the proceedings that the

         data communication had been taking place since before the entry into
         force of the RGPD, on 08/25/2018, and remains current.
         . The nature, scope or purpose of the processing operation to be
         process: the personal data included in the withdrawal requests
         online content are communicated by GOOGLE LLC to “Project Lumen” for
         its publication on a publicly accessible web page and for its publication

         available to the public, together with an explanation of the circumstances and
         reasons that in the opinion of the interested party would justify the withdrawal of the content in
         question and the documentation that supports said request, among which are
         those related to judicial processes, such as sentences.
         . The number of interested parties: the infraction affects requests from all

         products and services of an entity that has a global social implantation,
         as evidenced by the fact that the "Lumen Project" reports on its website that
         GOOGLE LLC is the entity that reports the most information to the project.
         . The damages suffered by the interested parties: taking into account all
         the circumstances set forth above, it is clear that the interested parties have

         seen their rights limited and the risks to their privacy increased.

    . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement".

    The negligence in the commission of the infraction on the part of the person in charge, since
    knows the consequences of the communication of data to the third party (article 83.2.b)

    GDPR).

    This negligence is appreciated, taking into account, on the one hand, the "nature and
    seriousness of the infraction” and the “nature and purpose of the operation of
    data treatment"; and, on the other hand, the level of professionalism in the treatment

    of the data that must be required from GOOGLE LLC.

    Regarding this last circumstance, the National High Court, in a Judgment of
    10/17/2007 (rec. 63/2006), in relation to the entities whose activity has
    coupled with the continuous processing of customer data, indicates that "... the Court

    Supreme has understood that there is imprudence whenever it is neglected
    a legal duty of care, that is, when the offender does not behave with the
    due diligence. And in assessing the degree of diligence, it must be weighed
    especially the professionalism or not of the subject, and there is no doubt that, in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 113/137








     case now examined, when the activity of the appellant is constant and
     abundant handling of personal data, it must be insisted on the rigor and
     exquisite care to adjust to the legal precautions in this regard”.


     It is a company that performs personal data processing of
     users of its products and services in a systematic and continuous way, as
     as the central object of its activity, and therefore must take extreme care in the
     compliance with its data protection obligations.


     . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the
     data processor, taking into account the technical or organizational measures
     that they have applied by virtue of articles 25 and 32”.

     The imputed entity does not have adequate procedures in place for

     action processing of personal data, in what refers to the
     Use of information contained in content removal requests
     online, so that the infringement is not the result of an anomaly in the
     operation of these procedures but a defect in the management system
     of the personal data designed by the person in charge. This procedure is
     adopted by the defendant on its own initiative without meeting the regulatory provisions

     applicable.

     . Article 83.2.g) of the RGPD: “g) the categories of personal data
     affected by the infringement.


     The “Lumendatabase Links” examined in the proceedings include data
     personal of a sensitive nature. In addition, in general, in the case of
     online content removal requests, it cannot be ruled out that they may
     also be affected "Special categories of personal data", according to
     defines the RGPD in article 9.


     . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender
     with the processing of personal data”.

     The processing of personal data is the central objective of the activities and
     services developed by GOOGLE LLC and its level of implementation in our

     territory and population is global.

     . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor
     applicable to the circumstances of the case, such as the financial benefits obtained
     or losses avoided, directly or indirectly, through the infringement”.


         . The volume of data and processing that constitutes the object of the file.
         . The status of large company and volume of business of GOOGLE LLC.

Considering the exposed factors, the valuation reached by the fine, for the

Violation of article 6 of the RGPD, it is 5,000,000 euros (five million euros).


2. Violation of article 17 of the RGPD, typified in article 83.5.b) of the same

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 114/137








Regulation, classified as very serious for prescription purposes in article 72.1.
k) of the LOPDGDD.


    . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the
    infringement, taking into account the nature, scope or purpose of the operation
    of treatment in question as well as the number of interested parties affected and the
    level of damages they have suffered.

         . The nature of the infraction, since the lack of attention to the right of

         deletion affects the ability of the interested parties to exercise a true
         control over your personal data.
         . The number of interested parties: the infringement affects all the interested parties that
         have exercised the right of deletion or intend to do so,
         very numerous considering the level of implementation of the claim.

         . The nature of the damage caused to the interested persons, which
         see neglected one of their basic rights in terms of protection of
         personal data and increased risk to your privacy.

    . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement".


    This negligence is appreciated, taking into account, on the one hand, the "nature and
    seriousness of the infraction” and of the damages caused; and, on the other hand, the level of
    professionalism in the processing of data that must be required of GOOGLE LLC.

    . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the

    data processor, taking into account the technical or organizational measures
    that they have applied by virtue of articles 25 and 32”.

    The imputed entity does not have adequate procedures in place for
    performance in the collection and processing of personal data, in what

    refers to the management of requests for the exercise of rights, so that the
    infringement is not the consequence of an anomaly in the functioning of said
    procedures but a defect in the personal data management system
    designed by the person in charge. Said procedure was adopted by the respondent to
    own initiative.


    . Article 83.2.g) of the RGPD: “g) the categories of personal data
    affected by the infringement.

    The requests for deletion of personal data referred to in the
    actions include personal data of a sensitive nature. Also, with

    In general, in the case of requests for the removal of online content,
    it can be ruled out that they may also be affected “Special categories
    of personal data”, as defined by the RGPD in article 9.

    . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender

    with the processing of personal data”.

    The high link between the activity of the offender and the performance of treatment
    of personal data, taking into account the reasons already expressed when exposing the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 115/137








    prior offense ranking factors.

    . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor

    applicable to the circumstances of the case, such as the financial benefits obtained
    or losses avoided, directly or indirectly, through the infringement”.

         . The volume of data and processing that constitutes the object of the file,
         taking into account the level of information that the requested person has
         accessing its services.

         . The status of large company and volume of business of GOOGLE LLC.

Considering the exposed factors, the valuation reached by the fine, for the
Violation of article 17 of the RGPD, it is 5,000,000 euros (five million euros).



It should be noted that GOOGLE LLC, in its pleadings brief at the opening of the
procedure has not made any statement about the graduation factors
indicated in the start-up agreement, related to the scope of the operation of
processing and the number of data subjects affected, the intent or negligence in
the commission of the infraction, and the linking of the activities and services

developed by GOOGLE LLC with the processing of personal data.

And in his arguments to the motion for a resolution, in relation to the factors
previously valued, it limits itself to stating, without further explanation, that it "rejects
In its whole".


On the other hand, according to the factors and circumstances exposed, it is not possible to admit
the request made subsidiarily by GOOGLE LLC to sanction "for
the amount of the corresponding sanction in its minimum degree”, considering that,
At the request of the respondent herself, "Lumen" has anonymized the requests for withdrawal of

content identified in these proceedings or withdrawn publication in
some cases; that GOOGLE LLC does not derive any commercial benefit or income
as a result of these communications; and which is currently in
process of reviewing its practices in relation to the communication of requests for
removal of content to “Lumen”.


This approach was already rejected in the motion for a resolution for the reasons
following:

. The anonymization of the information published in "lumendatabase.org" of the
"Links" included in the claims do not change the underlying fact of the infringement,

as is the communication of the data to the "Lumen Project" without a legitimate basis.

In this regard, GOOGLE LLC has argued that mitigating circumstances, for
definition, do not change the fact that an infringement has occurred, but rather
They help mitigate the offender's responsibility for the offense committed.


In the opinion of this Agency, in this case, the circumstance invoked as mitigating,
as is the request for anonymization made by the claimed to the "Lumen Project"
it does not contribute to mitigating the responsibility of the offender. It must be emphasized that the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 116/137








infraction is determined by the communication of data to "Lumen" and not by the
dissemination of these data by the third party assignee. GOOGLE LLC has not taken
any measure to mitigate the effects of that communication of data to Lumen that

could influence the graduation of the sanction.

. The absence of benefits cannot be measured exclusively in terms
commercial or monetary. In addition, being a company that bases its activity
in the processing of personal data, it cannot be said, without further accreditation, that
obtain commercial benefits.


This Agency does not share the position defended by GOOGLE LLC in its
allegations to the proposal, according to which in order not to apply this mitigation, the Agency
must prove that the defendant has obtained benefits, especially considering that
it is GOOGLE LLC who has requested the assessment of this circumstance as

extenuating. This Agency understands that the graduation factors must be derived
clearly from the actions so that they can be considered in the quantification
of the sanction.

In any case, article 76.2 of the LOPDGDD, in its letter c), includes among the criteria
that must be weighed when setting the amount of the sanction “the benefits

obtained as a consequence of the commission of the infraction” and not the absence of
these benefits.

In this regard, the AN Judgment of 05/05/2021, rec. 1437/2020, refers to the
need for the de facto “budget” contemplated in the norm to concur in order to

that a certain graduation criterion can be applied, and, as has been said, the
absence of benefits is not among the circumstances regulated in the cited article.
In this Judgment it is indicated: “…the fact that the budget for its
application entails that it cannot be taken into consideration, but does not imply or
allows, as the plaintiff claims, its application as a mitigating factor”.


This graduation criterion is established in the LOPDGDD in accordance with the provisions
in article 83.2.k) of the RGPD, according to which administrative fines will be imposed
taking into account any “aggravating or mitigating factor applicable to the
circumstances of the case, such as the financial benefits obtained or the losses
avoided, directly or indirectly, through the infraction”, it being understood that avoiding

a loss has the same nature for these purposes as a gain.

If we add to this that the sanctions must be effective "in each individual case",
proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD,
admitting the absence of benefits as a mitigating factor is not only contrary to the

presuppositions of facts contemplated in article 76.2.c), but also contrary to
what is established in article 83.2.k) of the RGPD and the indicated principles.

Thus, assessing the absence of benefits as a mitigating factor would nullify the effect
dissuasive of the fine, to the extent that it reduces the effect of the circumstances that

effectively affect its quantification, reporting to the person in charge a benefit to the
that has not been deserved. It would be an artificial reduction of the sanction that can
lead to understand that violating the norm without obtaining benefits, financial or of the type
Whatever it may be, it will not produce a negative effect proportional to the seriousness of the act

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 117/137








offender.

In any case, the administrative fines established in the RGPD, in accordance with the

established in its article 83.2, are imposed based on the circumstances of each
individual case and, at present, the absence of benefits is not considered to be a
adequate and decisive grading factor to assess the seriousness of the behavior
offending Only in the event that this absence of benefits is relevant to
determine the degree of unlawfulness and culpability present in the specific
infringing action may be considered as a mitigating action, in application of article

83.2.k) of the RGPD, which refers to “any other aggravating or mitigating factor
applicable to the circumstances of the case.

. The measures "in process" or "complementary" are insufficient to "put
remedy to the infringement and mitigate the possible adverse effects of the infringement”, according to

the terms of article 83.2.f) of the RGPD, or “to mitigate the damages suffered
by the interested parties”, according to section 2.c) of the same article.

GOOGLE LLC considers that this reasoning of the Agency discourages the taking
measures aimed at reinforcing the protection of the rights of data subjects and
It adds that, although they do not remedy the infringement, they can be configured as mitigating factors.


Being as the claimed one says, that is, if the measures do not remedy the infraction, it is
It is clear that such measures do not comply with the regulatory provision regulated in the aforementioned
article 83.2, sections c) and f), which requires that remedy of the infraction, or mitigate
adverse effects or mitigate damage. In this case, the measures that GOOGLE LLC

says it plans to implement are not aimed at mitigating the damage of the
data communications already made to the "Lumen Project".

In addition, the adoption of measures, without further ado, cannot have the mitigating effects
intended without a clear analysis of their suitability.



On the other hand, in the allegations to the proposed resolution, GOOGLE LLC has
requested that the sanction be reduced considering that the infractions are reduced to
the processing of personal data attributable to said entity in Spain and to the
products and services provided by GOOGLE IRELAND LTD and not by GOOGLE

LLC. However, it is obvious that these circumstances have already been considered when
define the object of the procedure, as was well exposed in the foundations of
previous right.

Finally, in relation to the sanction for non-compliance with article 17 of the RGPD,

The respondent states that the advertising carried out by the AEPD of the
“Google” forms should be considered a mitigating circumstance under art.
83.2 (k) RGPD, which directly mitigates the malicious or negligent behavior of the
entity.


Regarding this issue, it is worth referring to what was expressed in the Basis of
Right VII to dismiss the legitimate expectations alleged by GOOGLE LLC, in the
that it is sufficiently reasoned that the responsibility for the repeated forms is
exclusive to GOOGLE and that responsibility is not modified by the links

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 118/137








to the online content removal forms embedded in the information
offered by this Agency on its website.


                                          X

The infractions committed may lead to the imposition of the person responsible for the
adoption of appropriate measures to adjust its actions to the aforementioned regulations
in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD,
according to which each control authority may "order the person in charge or in charge

of the treatment that the treatment operations comply with the provisions of the
this Regulation, where appropriate, in a certain way and within a
specified period…”.

Thus, it is appropriate to require the responsible entity, GOOGLE LLC, to cease the

infringing conduct and adapt to the personal data protection regulations the
treatment operations carried out, in relation to the communication of data to the
"Lumen Project", and the processes of exercise and attention to the right of suppression, in
in connection with requests to remove online content from its products and
services, as well as the information offered to its users regarding both
issues. All this, with the scope expressed in the Foundations of Law of the

this agreement and referred to users of its products and services of "Google" in the
Spanish territory.

Likewise, GOOGLE LLC must correct the effects of the infringement committed, which
entails the deletion of all personal data that has been the subject of a

request for the right of deletion not duly attended due to the
communication of data to the "Lumen Project", as well as the obligation to urge this
I project the deletion and cessation of the use of personal data that GOOGLE
LLC has communicated to you on the occasion of a data deletion request
personal.


GOOGLE LLC must provide the means of proof of compliance with the
required.

(...).


(...):

. (…)

. (...).


. (...).

There is no complete and sufficient information on these exceptions for
can be properly valued. In any case, this procedure is not the

adequate framework for analysis.

This Agency considers, on the other hand, that the aforementioned actions, given the
evidence obtained in this case, are a requirement of the principle of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 119/137








proactive responsibility and diligence regarding compliance with the regulations of
data protection that should be expected from an entity such as GOOGLE LLC and that the
RGPD itself expressly imposes, including the obligation to review and update the

organizational measures that guarantee the adequacy of your data processing with
the GDPR.

GOOGLE LLC has indicated that its responsibility in relation to the measures
arranged is limited, in Spanish territory, to communications of requests for
withdrawal to Lumen related to personal data present in the information

indexed and displayed in the “Google Search” and “Google Maps” services.

However, this does not coincide with what was stated by the entity GOOGLE LLC itself,
that has been declared responsible for the communication of data related to
online content removal requests to “Project Lumen”.


It is warned that not meeting the requirements of this organization may be
considered as a serious administrative infraction by “not cooperating with the Authority
of control” before the requirements made, being able to be valued such behavior to the
time of the opening of an administrative sanctioning procedure with a fine
pecuniary



Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE the entity GOOGLE LLC, with NIF 770493581, for a
infringement of article 6 of the RGPD, typified in article 83.5.a) and qualified as
very serious for prescription purposes in article 72.1.b) of the LOPDGDD, a fine
for an amount of 5,000,000 euros (five million euros).


SECOND: IMPOSE the entity GOOGLE LLC, for a violation of article 17
of the RGPD, typified in article 83.5.b) of the same Regulation and qualified as
very serious for prescription purposes in article 72.1.k) of the LOPDGDD, a fine
for an amount of 5,000,000 euros (five million euros).


THIRD: TO REQUIRE the entity GOOGLE LLC so that, within a period of six
months, counted from the notification of this resolution, adopt the measures
necessary to adapt to the personal data protection regulations
treatment operations and the procedures for exercising the right object of the
actions, with the scope expressed in the Basis of Law X. Likewise, in

The text of the resolution establishes the infractions committed and the
facts that have given rise to the violation of data protection regulations, of
which clearly infers what are the measures to be adopted, without prejudice to the fact that the
type of procedures, mechanisms or specific instruments to implement them
corresponds to the sanctioned party, since it is the data controller who

fully knows your organization and has to decide, based on the responsibility
proactive and risk-focused, how to comply with the RGPD and the LOPDGDD.

FOURTH: NOTIFY this resolution to the entity GOOGLE LLC.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 120/137









FIFTH: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the

art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account

restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected in the executive period.

Received the notification and once executed, if the date of execution is

between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.

In accordance with the provisions of article 76.4 of the LOPDGDD and given that the

amount of the sanction imposed is greater than one million euros, it will be subject to
publication in the Official State Gazette of the information that identifies the offender, the
offense committed and the amount of the penalty.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the

The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the

aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 121/137










notification of this resolution would end the precautionary suspension.


                                                                                                          938-150222
Sea Spain Marti
Director of the Spanish Data Protection Agency





































































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 122/137













                                           APPENDIX 1


                        “GOOGLE” PRIVACY POLICY


a) PRIVACY POLICY, UPDATE OF 05/25/2018:


“The objective of this Privacy Policy is to inform you about what data we collect, why
we collect them and how you can update, manage, export and delete them.

Google develops a variety of services that allow millions of users to explore the
world and interact with it differently on a daily basis. These services include:

   . Google apps, websites and devices, such as Google Search, YouTube
   and Google Home.
   . Platforms, such as the Chrome browser and the Android operating system.
   . Products that are integrated into third-party applications and websites, such as advertisements and
   embedded maps from Google Maps.


You can use our services in different ways to manage your privacy. For
For example, if you want to create and manage content, such as emails and photos, or check
most relevant search results, you can sign up for a
Google. You can also use various Google services after you've closed
logged into your account or without even creating one, such as by making a

searching on Google or watching videos on YouTube. You can also surf the Internet
privately in Chrome with incognito mode. Also, you can adjust the settings
privacy policy on all of our services to control what information we collect and how
we use it”.

“We use the information we collect from all our services with the following

purposes:
   . Provide our services...
   . Maintain and improve our services…
   . Develop new services...
   . Offer personalized services, including content and ads…

   . Measure performance...
   . Communicate with you...
   . Protect Google, our users and the general public…
We will ask for your consent before using your information for a purpose that is not
include in this Privacy Policy”.


“Your privacy controls

You can choose what information we collect and how we use it.
This section describes the main controls that allow you to manage privacy
in all our services. You can also access the “privacy review” to
Check and modify important privacy options. In addition to these tools,

we offer specific privacy features in our products. you can get more
information in the "guide to privacy in Google products".

Manage, review and update your information
If you are logged in, you can review and update the information whenever you want
accessing the services you use. For example, Photos and Drive are designed to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 123/137









help you manage specific types of content you've saved to Google.
We have also created a space where you can review and control the information you have saved
in your Google Account. Your “Google Account” includes:


. privacy controls
   . Activity controls. Decide what type of activity you want to save to your account...
   . Ad settings… You can modify your interests, decide if your information
   personal is used to show you more relevant ads…
   . Over you. Control the information that other users see about you on the Services.

   Google.
   . Shared recommendations. Decide if you want your name and photo to appear together
   to your activity, such as reviews and recommendations shown in ads.
   . Data shared by you. Control who you share information with through your account
   on Google+.


. Ways to review and update your information
   . My Activity. It allows you to review and control the data that is created when you use the
   Google services, such as searches performed or visits to Google Play. Can you
   consult by date or by topic and delete the activity partially or completely.
   . Google Dashboard. It allows you to manage the information associated with products
   specific.

   . Your personal information. Manage your contact information, such as name,
   email address and phone number.

By logging out, you can manage the information associated with your browser or your device,
including the following:

. Search customization without logging in…
. Youtube settings: pause and delete your “search history” … and from
"reproductions"...
. Ad Settings…

Export, withdraw and delete your information...

You can also "request content to be removed" from certain Google services by
in accordance with applicable laws.

To delete your information, you can:
   . Remove your content from “specific Google services”.
   . Search for specific items and remove them from your account using “My Activity”.

   . “Remove specific products from Google”, including your information associated with those
   products.
   . "Delete your Google Account completely."

Finally, you can use "Inactive Account Manager" to allow other users
access to parts of your Google account in case you cannot use it properly

unexpected.

You can use other methods to control the information that Google collects whether you have
signed in to a Google Account as if not, for example:
   . Browser settings…

   . Device configuration…”.

“Sharing your information…

When Google shares your information
We do not share your personal information with companies, organizations or individuals outside of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 124/137









Google except in the following cases:

. Consent. We will share personal information outside of Google if we have
with your consent...


. External treatment. We provide personal information to our affiliates and other
trusted companies and people to treat it on our behalf…

. Legal reasons. We will share personal information outside of Google if
we believe in good faith that it is reasonably necessary to access that data or
use, retain or disclose them for the following purposes:

   . Comply with any requirement provided for in the applicable law or regulation or to attend
   a legal process or a requirement of a competent authority…
   . Comply with applicable Terms of Service, including investigation of potential
   infractions.
   . Detect, prevent or otherwise solve fraud or security or technical problems.
   . Protect Google, our users and the general public from damage to their rights and

   property or your safety to the extent required or permitted by law.

We may share non-personally identifiable information publicly and with
our partners, such as publishers, advertisers, developers or rights holders. For
For example, we share information publicly to show trends about usage
Overview of our services. We also allow certain partners to collect

information from your browser or device for measurement and advertising purposes through their
own cookies or similar technologies…”.

“Export and delete your information…

In some cases, we retain data for limited periods for legal or regulatory purposes.
legitimate business…”


When does this policy apply?
This Privacy Policy applies to all services offered by Google LLC and its
affiliates… This Privacy Policy does not apply to services that are subject to
separate privacy policies that do not incorporate this Privacy Policy.”


“Other Helpful Resources
Below are links to helpful resources that offer more information about
our privacy practices and settings.

   . “Your Google Account” houses many of the options you can use to manage
   your account.

   . The “privacy checkup” guides you through the most important privacy options
   for your Google account.
   . The "Google Security Center" offers advice on protection and security.
   . The "Google privacy website" provides you with more information on how
   We keep your information private and secure…”



b) PRIVACY POLICY, UPDATE OF 01/22/2019:

It includes the same sections transcribed above and expressed in the same

terms (except for the reference to "Google's privacy website" which has been
deleted in the “Other useful resources” section), but this update added
the following section:

28001 – Madrid 6 sedeagpd.gob.es, 125/137










“European requirements


If the data protection regulations of the European Union are applicable to the treatment of
your information, we will provide you with the controls described in this policy so that
You can exercise your right to request access to your data, update them, withdraw them and restrict
your treatment. You also have the right to object to the processing of your information or to
export it to another service.


The person responsible for processing the data of users with habitual residence in the
European Economic Area or Switzerland is Google Ireland Limited, unless otherwise noted.
otherwise in a service-specific privacy notice. In other words, Google Ireland
Limited is the associated entity of Google responsible for the processing of your data and the
compliance with applicable privacy laws.


We treat your information for the purpose described in this policy in accordance with the
following legal bases:

Consent
We request your authorization to treat your information for certain purposes and you have

right to revoke your consent at any time. For example, we ask your
consent to offer you personalized services, such as advertisements. We also ask for your
consent when we collect your voice and audio activity for speech recognition.
You can manage these options in your “Google account”.


In the exercise of legitimate interests
We process your information to achieve our legitimate interests and those of third parties and, by
At the same time, we apply adequate protection measures to guarantee your privacy.
This means that we treat your information with the following objectives:
   . Provide, maintain and improve our services to meet the needs of
   our users.

   . Develop new products and features that are useful to our users.
   . Know how users use our services to ensure and improve their
   performance.
   . Customize our services to offer you a better user experience.
   . Promote our services to users.

   . Offer advertising so that users can freely access many of the
   our services.
   . Detect, prevent, or otherwise remedy fraud, abuse, and security issues or
   technicians related to our services.
   . Protect Google, our users and the general public from damage to their rights and
   property or your safety to the extent required or permitted by law, including

   disclosure of information to government authorities.
   . Conduct research to improve our services to users and
   benefit the general public.
   . Fulfill obligations to our partners, such as developers and license holders
   Rights.
   . Respond to legal claims, including investigation of potential privacy violations

   the applicable terms of service.

To provide a service
We treat your data to provide a service that you have requested under a contract. For
For example, we process your payment details when you buy more storage for Google Drive.


To comply with legal obligations
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 126/137









We will treat your data to comply with a legal obligation that requires it, for example, to
respond to a legal process or a requirement of a competent authority.

If you have any questions, "you can contact Google and our office of
Data Protection". You can also contact your data protection authority
local data if you have any questions about your rights under local law.”



c) PRIVACY POLICY, UPDATE OF 03/31/2020:


The sections included in this version coincide with those of the previous one and are expressed
in the same terms, except for the reference to the offer of advertising in exercise
of legitimate interests, which is expressed as follows: “Google shows
advertising, which allows many of its services to be free (in the case of

personalized ads, we ask for your consent)”; although this update
has incorporated a new section related to “Data Conservation”.

“Keep your data


Google keeps the data it collects for different periods of time depending on the type
data they are, how Google uses them, and how you configure your settings.

   . There is data that you can delete whenever you want, such as the content you create or upload.
   You can also delete information about the activity saved in your account or have
   automatically deleted after a certain period.
   . Other data is automatically deleted or anonymized after a period

   determined, such as advertising data in server logs.
   . There is data that Google keeps until you delete your account, such as information about the
   how often you use Google services.
   . There is also data that Google retains for longer periods to
   legitimate legal or business purposes, such as security, fraud prevention
   and abuse or preservation of financial records.


When you delete data, Google follows a process to make sure your data is deleted
completely and securely from our servers or to be kept only for
anonymously. Google tries to ensure that its services prevent information from being
accidentally or maliciously deleted. For this reason, delays may occur
from the time you delete content until the copies disappear from the
active systems and backup systems.


You can get more information about Google's "data retention periods",
including how long it takes to delete your information.”



d) PRIVACY POLICY, UPDATE OF 07/01/2021 (VERSION
CURRENT):

The sections included in this version coincide with those of the previous one, dated

03/31/2020 and are expressed in the same terms, except in the following aspects:

. In the “Privacy controls” section, the indication “Shared data
for you. Control who you share information with through your Google+ account.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 127/137









. In the "European requirements" section, the information about the person in charge of the

treatment and on the treatment of the data based on the consent of the
interested is as follows:

Unless otherwise stated in a service-specific privacy notice, the

responsible for the treatment of your information depends on the place where you are:

   . Google Ireland Limited for users of Google services located in
   the European Economic Area or in Switzerland.
   . Google LLC for users of Google services located in the United Kingdom

   United.

Google LLC is the data controller for the information indexed and displayed on
services like Google Search and Google Maps, regardless of your location.


“Google requests your authorization to process your information for certain purposes, and
You have the right to revoke your consent at any time. For example, you are asked
consent to provide you with personalized services, such as advertisements based on your
interests. We also ask for your consent when we collect your voice and audio activity.

for voice recognition. You can manage these settings in your Google account.









































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 128/137










                                            APPENDIX 2


  “WITHDRAWAL PURSUANT TO THE EU PRIVACY LAW” FORM.



“Withdrawal under EU privacy law

Form to request the withdrawal of personal information

For privacy reasons, you may have the right to request the removal of certain

personal information related to you.

With this form, you can request that certain results be removed from Search
from Google returned in queries that include your name. Google LLC is responsible for
treatment of personal data when determining the results that are shown in
Google Search and to manage removal requests submitted through this

form.

If you want to request that personal information be removed from another Google product, please submit a
request through the form of that product, which you can find on the page “How to
remove content from Google. For example, if you want to request the withdrawal of information

Blogger staff, please submit a request via the appropriate Blogger form…

Your information…

(This section includes fields enabled for the applicant to provide their data relating to

country of origin, name and surname, email address, as well as to indicate whether
acts on their own behalf or on behalf of another person (client, relative, friend or others). For this case, it
informs that the applicant must have legal authority to act on behalf of the principal
and that Google may request documentation confirming that legal representation).


Identify the personal information you want removed and its location

If this notification is related to multiple grounds that have been the subject of a violation,
send only the first one below. Then click on the link "Add a new
group" that appears below the text boxes to add another pattern.


The URLs of the content that includes the personal information you want to remove…

(space to indicate the URL)

Enter a URL on each line (1000 lines maximum).


Reason for deletion
For each of the URLs you provide, you must indicate the following:

(1) how the personal information identified above is related to the individual in
whose name you submit this application; Y
(2) why you think this personal information should be removed

For example: "(1) This page is related to me because a, b and c. (2) This page
should be removed because x, y and z”.

(space to indicate reasons for deletion)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 129/137









Add a new group (10 groups maximum)
Name used to perform searches *

This should be the name that, if used as a search query, produces the
results you want to remove from the registry. If you want to submit multiple names (for example, if
your maiden name is different from the one you use now), use a forward slash ("/") to
separate them. For example, "Ana Garcia / Ana Diaz."

(space to indicate the name used to perform searches)


Declared jurisdictions

Please read the following statements and check their boxes to confirm that you have read them and
you accept


( ) I have read and confirm that I have understood the explanation of the treatment of the information
personnel I send, as described below:

Google LLC will use the personal information you provide in this form (such as your address

email address and all identification data) and the personal information you submit
in other messages to process your request and comply with our legal obligations.
Google may share information from your request with data protection authorities,
but only if they request it to investigate or review a decision Google has made. This
This usually happens if you have contacted the national data protection authority in
relation to our decision. If, due to your request, URLs have been removed from our

search results, Google may provide information to webmasters of those URLs.
Please note that if you are signed in to your Google account, we may associate your request
to that account.

( ) I declare that the information on this application is accurate and that I am authorized to submit it.

( ) I understand that Google LLC will not be able to process my request if the form has not been
filled out correctly or if the application is incomplete.

Signature…


Send (button)”.
























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 130/137










                                          ANNEX 3



1. INFORMATION AVAILABLE ON THE “LUMENDATABASE.ORG” WEBSITE,
"ABOUT" SECTION.



“Lumen is a project of the Berkman Klein Center for Internet & Society at the University of
Harvard.

Lumen is an independent research project that studies termination letters and
withdrawal related to online content. We collect and analyze requests

to remove material from the web. Our goals are to facilitate research on the
different types of complaints and removal requests, both legitimate and questionable, that
are sent to Internet publishers, search engines and service providers, and
provide as much transparency as possible about… such notices, in terms of who sends them and
why, and with what effect…


Lumen is not the original sender or recipient of requests and notices within its
database… Lumen documents the notification and removal process… reporting that
notice or request was sent and received, by whom and for whom, and with respect to what
online content. Lumen has no more information about a particular notice than what is
is present in a notice and cannot provide contact information for senders
or recipients of the notice. We also cannot provide legal advice.


… the database now includes complaints from all varieties, including brands
registered, defamation and privacy, national and international, and court orders. The
Lumen's database grows by more than 40,000 listings per week, with submissions
volunteers provided by companies like Google… By the end of 2021, the project
houses more than eighteen million ads, referencing about four thousand five hundred

millions of URLs. In 2021, the project website was visited more than nineteen million times.
times by more than a million unique users from virtually every country in the world…

Contact Us…
You can also send notices by mail:
Lumen
The Berkman Klein Center for Internet and Society

23 Everett St.
Cambridge, MA 02138”.



2. INFORMATION AVAILABLE ON THE “LUMENDATABASE.ORG” WEBSITE,
"LEGAL NOTICE" SECTION.

"Legal notices

Neither the Lumen website nor the Lumen team can provide legal advice
individual: we cannot analyze your particular website or activity, or a takedown notice
received… What we can do is help present the problems as they are.
lawyers think about them, and answer general questions… We hope that the database in
as a whole is a useful resource...


Please note that the presence of a notice in the Lumen database does not mean that
Lumen has made no judgment as to the validity of the statements it makes, or that it has

28001 – Madrid 6 sedeagpd.gob.es, 131/137









authenticated…All notices and requests in the Lumen database have been
voluntarily shared with us by the companies or persons responsible for
send or receive the notices originally. Therefore, we generally present notices in
how they have been shared with us.


…In some cases, at the request of the entity that shared a notice with Lumen…we may
remove a notice from our public database..."



3. INFORMATION AVAILABLE ON THE “LUMENDATABASE.ORG” WEBSITE,
“RESEARCHERS” SECTION.

“Lumen tools for researchers


An introduction to Project Lumen

What is Lume?

Lumen is an independent research project that studies termination letters and
withdrawal related to online content. We collect and analyze requests

to remove material from the web. Our goals are to educate the public, facilitate
research on the different types of complaints and removal requests, both legitimate
as questionable, which are sent to Internet service providers and publishers, and
provide as much transparency as possible about the “ecology” of such notices, in terms of
who sends them and why, and with what effect…


…focused initially on applications filed under the Copyright Act
author of the United States digital millennium. As the Internet and its use have
evolved, so has Lumen, and the database now includes complaints from all
the varieties, including trademarks, defamation and privacy, national and
international, and court orders. Lumen database grows by over 40,000
ads per week, with voluntary submissions provided by companies like

Google... As of summer 2019, the project hosts approximately twelve million
ads, referencing nearly four billion URLs. In 2018, the project website
was visited more than ten million times by users from practically every country in the world.
world…

A notice or job contains "[redacted]": what is missing?


Lumen staff make a good faith effort to review and redact any notice
potentially confidential information received by the project in order to eliminate confidential or
staff of the text of the notices. Such information may include telephone numbers,
email addresses or allegedly defamatory content. Also, one
person or company that submits a notice directly to the Lumen database may have
decided not to share with Lumen, or keep private, certain information in the notice.

Finally, Lumen runs automated processes to remove certain information
confidential notices and job descriptions of your associates when possible.

Please note that for DMCA notices, Lumen does not normally remove the name of the
rights holder making the request or the URL(s) of the material claimed. Without the
location of the reported material and the complainant, the notices do not make sense from a

perspective of transparency or investigation, not to mention that they do not offer information
about the possible misuse of takedown notices as a vehicle for censorship.

When a business shares copies of court orders it has received with us,

28001 – Madrid 6 sedeagpd.gob.es, 132/137









Lumen generally displays those orders in the form that they have been shared with Lumen
and further makes a good faith effort to do so in accordance with applicable law of the
jurisdiction from which the order arose. United States court orders, unless

that they are sealed, they are public documents...

Who is Lumen for?

Lumen is designed for casual use by both curious lay Internet users
about an ad they may have come across, perhaps in the news, or out of interest

staff…as well as by journalists, NGOs, policymakers, academics, and other researchers
law firms conducting more in-depth and focused research or studying broader trends
extensive on the removal of online content…

If you or your organization are interested in conducting your own journalistic investigation,
academic, legal, or policy-focused, or if you have more ideas about how we can improve the

database and its interfaces, email us at team@lumendatabase.org.

see a notice

For non-investigators, Lumen currently offers access to a full notice by
email address every twenty-four (24) hours. Submit an email address

email through the request form will provide a single-use URL for that
particular notice that will display the full content of the notice. Access through this
URL will last for 24 hours. See here for more details.

How does it work?


Most users will find that the web interface will be sufficient to navigate and
discover within the database. However, for those who need to access
large amounts of data for your research, or for those interested in submitting
copies of takedown notices to Lumen, we offer our API. Read on to get
more information.


Basic facts about the API and the database

API Documentation

Lumen API documentation can be found here…


Database search

Most users will find that the web interface will be sufficient to navigate and
discover within the database. However, for those who need to access
large amounts of data or create automated processes to digest trends in

data, we offer our new API.
The search in the database, either through the web interface or with the API, is performed
using a full text search. The default search is to search all
possible warning fields and facets. Searches can also be refined based on
specific segments of the database or specific facets of the data. see the

documentation for applicable notification parameters and metadata.

Query the database with the API

Get an API key


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 133/137









An authentication key is needed to query the database at will via

the API. Please contact Lumen staff at team@lumendatabase.org to have
provide you with one. API queries to the database sent without a token are
will limit to the first 25 results and 5 requests per day...

Running these search queries through the API will allow you to search over a period

of time, as well as download the search results to use and reuse them in the
Applications. You can find a full list of search parameters here.

Request for a playlist


The database classifies the notices in one or more themes, of which you can add
more over time. Certain topics are classified as subtopics of a larger root topic and
complete. For example, such as "DMCA", "fair use" and "anti-circumvention" all fall under "Copyright".
Each topic has a unique numerical ID in the database…


Looking for the notices

In the web interface, above a certain number of results, the results will be paginated
of your search. By default, results are sorted by relevance
falling. Full-text search results contain the same data as

notices requested individually, with the addition of a punctuation field that articulates the
relevance of the result to the query term; higher numbers are more
relevant. Terms are joined with an 'O' by default.

Bulk download of results


To better manage your resources, Lumen limits requests to its API, as well as the use of
the web-based user interface. For those interested in less access
restricted to the database via the API, see "Getting an API key"…”.































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 134/137










                                          ANNEX 4



1. INFORMATION AVAILABLE ON THE “LUMENDATABASE.ORG” WEBSITE,
DOCUMENT “BASIC CONCEPTS OF THE INFORMATION OF THE NOTICE OF

LUMEN”.


“Every takedown notification and takedown request in the Lumen database is
there because one of the parties involved in sending or receiving the notification (usually

usually, but not always, your receipt) has chosen to share a copy of that notice
with lume. That being the case, Lumen only has the information that the sharing entity
has chosen to share with Lumen regarding that notice…

Our automated redaction processes seek to identify and remove the following: Emails
electronics

Telephone numbers
Other forms of identification number (for example, Social Security numbers,
national ID)
Lumen also makes a good faith effort not to display the mailing addresses of
persons who are the senders or recipients of the notices if that information has been included
in a notice...

Generally, Lumen does NOT remove the names of the person or entity that owns the
rights in question that the notice seeks to exercise.

DMCA Notices
In general, when Lumen receives a DMCA notice, it displays the notice as received.
Lumen, subject only to the automatic redactions described above. This

means that Lumen displays the name of the requesting rights holder on the
as it originally appeared in the notice sent. Lumen usually too
displays the URL location(s) of the reported material, albeit truncated to the domain of
top level of the URL text. We include claimed URLs as raw text only
and we use robots.txt to request that the URLs, as well as all the content of the pages of
notification, are not indexed by search engines. Without the location of the material

reported and the identity of the reporting person, the notices are meaningless from the perspective of
investigation or public transparency, not to mention that they do not offer information on
the potential misuse of takedown notices as a vehicle for censorship or other
purposes.

libel notices
Lumen displays the defamation notices it receives in the form it receives them, but it does

a good faith effort to remove any allegedly defamatory language that
may have been included...

court orders
United States court orders are publicly available documents
and therefore Lumen generally shares them in the form in which they were received, without

censorship. For court orders issued from jurisdictions other than the United States
United States, Lumen makes a good faith effort to draft them in a manner consistent with
the relevant legal restrictions of the jurisdiction in question…

Google
Google is the largest sender of Lumen both by total ad volume and by

number of possible types of notices. Below is an updated list of
28001 – Madrid 6 sedeagpd.gob.es, 135/137









types of ads Google has chosen to share with Lumen, sorted by ad type
(DMCA, defamation, circumvention, etc.) and a list of the various Google products (search,
blogger, images, etc.) for which Google may receive notices that it then

share with Lumen.

Types of Ads that Google shares with Lumen
DMCA
Elusion
Falsification

court orders
Defamation
Notices Based on Laws Outside the US - "Local Law"

A list of Google products for which Lumen may have notices
related

blogging
Drive and Documents
Google URL Shortener
groups
image search
Search

sites

Relevant Google Ad Types

DMCA NOTICES

As described above, Google's DMCA notices, like all DMCA notices
DMCA on Lumen, are posted in the form in which they were originally submitted. Lumen makes a
good faith effort to remove personally identifiable information other than the
Sender's name, which will be displayed in the form in which it was shared with Lumen.

ELUSION

Circumvention notices Lumen receives from Google are published in the form in which they were sent
originally. Lumen makes a good faith effort to remove information from
personal identification other than the Sender's name, which will be displayed on the form in
which was shared with Lumen.

COUNTERFEITING (as of June 2020)

Google's help page on this topic describes these notices as follows:
“Upon notice, Google will remove websites selling counterfeit products from
our search results. Counterfeit products contain a trademark or
logo that is identical to or substantially indistinguishable from another's trademark. imitate
the brand characteristics of the product in an attempt to impersonate a product
genuine from the brand owner. This policy only applies to specific web pages that

sell counterfeit products and does not apply to trademark issues not
falsified. If complaints under this policy are not limited to websites that sell
counterfeit products, future complaints may be restricted from submitting.

COURT ORDERS

Google shares with Lumen copies of court takedown orders it receives, both from
U.S. domestic and foreign courts. As described above,
U.S. court orders, unless sealed, are public record, and those
court orders are served on Lumen in the form Lumen receives them from Google. Yes
Google is prohibited from sharing the content of a court order it has received, that is
explicitly stated in the text of the notice.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 136/137









Lumen makes a good faith effort to draft foreign court orders that are
shared with Lumen in accordance with any applicable local law in the jurisdiction of origin
of the order. These redactions will generally include names, addresses, and other forms of

PII, and may include aspects of the URLs in question. The other newsrooms that are
present in a document may vary from country to country.

DEFAMATION NOTICES
As a matter of internal Google policies, Google does not share names with Lumen.
of the senders of defamation notices. Also, if the name of a Sender/Principal

appears in some form within one of the claimed URLs that are the subject of the notice, or
within any text within the prompt, that text will also be removed.
For example, an original URL of https://www.blogger.com/JohnQPublicistheworst.com would be
shared by Google with Lumen as https://www.blogger.com/[removed]it's the worst.com
In addition, Google does not share with Lumen the text entered by a complainant in the “To
ensure specificity, quote the exact text…”

field in the Google web form.
Text entered by a whistleblower in the
"Please explain in detail why you believe the content of the above URLs is illegal, citing
specific legal provisions whenever possible".
Google shares the web form field with Lumen and is displayed as part of the notice
in Lumen as is, subject solely to Lumen's automatic redaction processes.

Please note that if the subject of the alleged defamation is not the sender of the notice, the
that subject's name will not be automatically removed from the notice. Notify Lumen if the
name of the allegedly defamed person is still present in a notice.

NOTICES AND COURT ORDERS SENT TO GOOGLE REGARDING LAWS

OUTSIDE THE UNITED STATES - "Local Law"
Notices sent to Google from Senders in countries other than the United States
States are generally governed by the local law of the country of origin. In such cases, in addition to
Lumen's good faith effort standard redactions, redactions are made in accordance with
in accordance with applicable local law in the jurisdiction of origin of the order. these redactions
will include names, addresses, and other forms of PII, and may include aspects of URLs in

question. The other redactions that are present in a document may vary from one
country to country, as well as in accordance with Google's internal policy decisions, of which
Lumen has no knowledge.

OTHER TYPES OF NOTICES
Please note that, at this time, Google does NOT share with Lumen the notices that

receives from EU citizens as part of the so-called "Right to be Forgotten ("RTBF") or the
notices sent through the Google form to report sexually. images
explicit, which can be found here.***
https://support.google.com/websearch/troubleshooter/3111061#ts=2889054%2C2889099
Google sometimes indicates, by referring to a "placeholder" notice on
Lumen, when you have received requests to remove material about which you cannot share

more information.
1. https://lumendatabase.org/notices/18516
2. https://www.lumendatabase.org/notices/9415 [Germany]
3. https://lumendatabase.org/notices/10929 [UK]
4. https://lumendatabase.org/notices/11062657 [France]

5. https://www.lumendatabase.org/notices/15710816 [for notices not yet available at
Lumen]
6. https://www.lumendatabase.org/notices/17158812 [Canada]
7. https://www.lumendatabase.org/notices/13678481 [Privacy grievances]
8. https://www.lumendatabase.org/notices/18639436 [AU]
9. https://www.lumendatabase.org/notices/18639403 [New Zealand]

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 137/137









10. https://lumendatabase.org/notices/20174812”.




2. Information available at the Internet address
“https://support.google.com/websearch/troubleshooter/3111061#ts=2889054%2C2889
099”, included in the previous document, in the section “OTHER TYPES OF NOTICES”.


It leads to an information document on the removal of information from “Google” :


“Remove information from Google
We realize that sometimes you may want content about you to be removed
that you found on Google Search. In some cases, Google may

remove links to information from Google Search.
Important: Google Search displays information that has been collected from websites.
Even if we remove content from Google Search, it may still exist on the web.
This means that it will still be possible to find the content on the page that hosts it, the
social networks, with other search engines or in other ways. For this reason, we recommend
that you contact the webmaster of the site and ask them to remove the content.
See how to contact a webmaster.

If the website owner removes the information, it will eventually be removed from Search
from Google as part of our regular update process. However, also
you can notify us of outdated content using the takedown tool
of outdated content.

Personal information that will be removed by Google
If you can't get a website owner to remove material from the site, Google may remove

personal information that poses a significant risk of identity theft, financial fraud
or other specific types of damage. The following articles provide information on
the types of withdrawals available:

   . Remove non-consensual explicit or intimate personal images from Google
   . Remove Fake Porn Posted Without Consent From Google
   . Remove content about me from Google on sites where practices take place

   abusive removal of content
   . Remove financial, medical, and identification document information from Google
   national . Remove "doxxing" content; that is, content that exposes information from
   contact with intent to harm someone
   . Remove images of minors from Google search results


We recommend that you consult the article corresponding to the type of content from which you
you want to request withdrawal. If you believe your application meets the requirements described in
that article, you can submit a content removal request as directed in that article.

Other information Google will remove
Google also removes content for specific legal reasons, such as privacy violations.
DMCA copyright and child sexual abuse images. To request a

removal of content for a legal reason, use the troubleshooting form
legal”.






C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es