DSB (Austria) - 2021-0.586.257
DSB (Austria) - 2021-0.586.257 (D155.027) | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 4(7) GDPR Article 4(8) GDPR Article 5 GDPR Article 44 GDPR Article 46(1) GDPR Article 46(2)(c) GDPR Article 51(1) GDPR Article 57(1)(d) GDPR Article 57(1)(f) GDPR Article 77(1) GDPR Article 80(1) GDPR Article 93(2) GDPR § 18 Abs 1 Austrian Data Protection Act (Datenschutzgesetz - DSG) § 24 Austrian Data Protection Act (Datenschutzgesetz - DSG) |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 22.12.2021 |
Published: | |
Fine: | None |
Parties: | website visitor and Google user (data subject and complainant) Austrian website provider (data exporter and respondent #1) Google LLC (data importer and respondent #2) |
National Case Number/Name: | 2021-0.586.257 (D155.027) |
European Case Law Identifier: | unknown |
Appeal: | Unknown |
Original Language(s): | German |
Original Source: | noyb.eu (in DE) |
Initial Contributor: | n/a |
The Austrian DPA held that the use of Google Analytics by an Austrian website provider led to transfers of personal data to Google LLC in the U.S. in violation of Chapter V. of the GDPR.
English Summary
Facts
Background
About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II) the NGO noyb filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S (see here and here). In order to coordinate the work of all involved DPAs, the EDPB created a special task force. The Austrian DPA (Datenschutzbehörde - DSB) now issued the first decision on one of these 101 complaints.
Website visit and data transfer to Google LLC
On 14.08.2020, the data subject visited a website on health topics hosted by an Austrian company while logged into his personal Google account. The website used Google Analytics, a tool provided by Google LLC used to measure and track website use. According to the website provider and Google LLC, the website controller qualifies as controller (Article 4(7) GDPR) and Google LLC as processor (Article 4(8) GDPR) for data processing in connection with Google Analytics. Furthermore, according to the privacy documents provided on the website or included via hyperlink, the website provider and Google LLC entered into standard contractual clauses under Article 46(2)(c) GDPR (Commission Decision2010/87 of 05.02.2010; SCCs) as a mechanism for transfers of personal data with regard to Google Analytics.
On 18.08.2020, the data subject (represented by noyb) filed a complaint with the DSB against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents violated Articles 44 et. seqq. GDPR in light of the "Schrems II" ruling by transferring their personal data to Google LLC. As Google LLC qualifies as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4), it is subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens - such as the data subject - to them.
In the course of the procedure, which took almost one and a half years and included the exchange of multiple submissions between the parties, the respondents essentially argued that even if there had been a data transfer to Google LLC in the U.S., the transferred data do not qualify as personal data under Article 4(1) GDPR as they could not be assigned to the data subject. Furthermore, the respondent argued that they had put sufficient additional measures in place in case of an actual transfer of personal data. Lastly, they brought forward the argument that Chapter V GDPR and the concluded SCCs follow a "risk based approach" and that there was a very low risk of the data subject actually having been subject to U.S. surveillance. Google LLC in particular also argued that Chapter V. GDPR only applied to the data exporter (i.e. the entity actually transferring the data to a third country) but not to Google LLC in its role as mere data importer.
Holding
On Google LLC
In its decision, the DSB mostly followed the data subject's arguments and waived most of the objections raised by the respondents. However, with regard to Google LLC, the DSB held that Chapter V. of the GPPR only imposes legal duties on the data exporter but not on the data recipient. Consequently, the DSB dismissed the complaint against Google LLC, but declared that it will conduct an ex officio investigation and issue a separate decision on the question if Google LLC violated Articles 5 et seqq. GDPR in connection with Article 28(3)(a) and Article 29 GDPR.
On the website provider
The DSB fully upheld the complaint with regard to the website provider. It held that:
- the website had transferred the data subject's personal data to Google LLC on 14.08.2020, including user identifiers, IP address and browser parameters;
- The SCCs concluded between the respondents do not offer an adequate level of protection, because
- Google LLC qualifies as as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4) and is subject to surveillance by US intelligence services and
- any additional safeguards which have been put into place in addition to where insufficient as they could not prevent US intelligence services from accessing the data subject's personal data.
- the website provider could not rely on other transfer mechanisms under Chapter V. of the GDPR. Consequently, the website provider failed to provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR.
In its legal reasoning, the DSB pointed out the following aspects in particular:
- The DSB considered itself competent under Article 55(1) GDPR. The fact that Google LLC argued that Google Analytics was allegedly provided by Google Ireland Ltd since April 2021 was not considered relevant, as the violation occurred in August 2020.
- IP addresses and online identifiers qualify as personal data under Article 4(1) GDPR, especially because they allow to single out a data subject within the meaning of recital 26 of the GDPR. It is sufficient that the data subject can be identified; an actual identification is not necessary.
- It is irrelevant that the website provider might require additional information from Google LLC in order to identify the data subject. According to CJEU 20.12.2017, C-434/16 and 19.10.2016, C‑582/14, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person.
- The fact that Google allows user to opt in and out of personalized ads shows that Google LLC possesses all means to identify the data subject.
On the supplementary measures
Google relies on the SCCs and so-called "supplementary measures" or "technical and organizational measures", but neither respondent showed the existence of additional measures that would provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR together with the concluded SCCs. Google LLC in particular had tried to frame basic technical and organisational measures under Article 32 GDPR as "additional measures" (see submission of Google here, at page 23), which were rejected by the DSB as irrelevant in relation to US surveillance laws (see decision, page 37 and 38).
Comment
This decision is the first DPA decision following noyb's 101 complaints regarding EEA-US data transfers. For details see here and here. Further decisions are expected soon.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Barichgasse 40-42 A-1030 Vienna Tel .: + 43-1-52152 302565 Email: dsb@dsb.gv.at GZ: D155.027 Clerk: XXX XXX 2021-0.586.257 XXX XXX zH NOYB - European Center for Digital Rights Goldschlagstrasse 172/4/3/2 1140 Vienna Data protection complaint (Art. 77 Para. 1 GDPR) XXX XXX / 1. XXX GmbH (formerly: XXX.at GmbH), 2. Google LLC (101 Dalmatians) by email delivery / email legal@noyb.eu T E I L B E S C H E I D S P R U C H The data protection authority decides on the data protection complaint from XXX XXX (Complainant) of August 18, 2020, represented by NOYB - European Center for Digital Rights, Goldschlagstrasse 172/4/3/2, 1140 Vienna, ZVR: 1354838270, against 1) XXX GmbH (formerly: XXX.at GmbH) (respondent first), represented by DORDA Rechtsanwälte GmbH, Universitätsring 10, 1010 Vienna and 2) Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (Second Respondent), represented by Baker McKenzie Lawyers LLP & Co KG, Schottenring 25, 1010 Vienna, because of a violation of the general Principles of data transfer according to Art. 44 GDPR as follows: 1. The decision of the data protection authority of October 2, 2020, Zl. D155.027, 2020-0.527.385, will be fixed. 2. The complaint against the First Respondent is allowed and it is determined that a) the first respondent as the person responsible by implementing the tool "Google Analytics" on their website at www.XXX.at at least on August 14th - 2 - 2020 personal data of the complainant (these are at least unique user identification numbers, IP address and browser parameters) has transmitted the second respondent, b) the standard data protection clauses that the first respondent with the Second Respondent has concluded no adequate level of protection in accordance with Art. 44 GDPR, there i) the Second Respondent as a provider of electronic Communication services within the meaning of 50 U.S. Code § 1881 (b) (4) too qualify and as such of surveillance by US intelligence agencies according to 50 U.S. Code § 1881a (“FISA 702”), and ii) the measures in addition to those mentioned in point 2. b) Standard data protection clauses are not effective as these the possibilities of surveillance and access by US intelligence services do not eliminate, c) In the present case, no other instrument pursuant to Chapter V of the GDPR for the in Spruchpunkt 2.a) mentioned data transmission can be used and the First Respondent therefore for the in the context of ruling point 2.a) The data transfer mentioned does not provide an adequate level of protection in accordance with Art. 44 GDPR has guaranteed. 3. The complaint against the second respondent because of a violation of the general The principles of data transfer in accordance with Art. 44 GDPR are rejected. Legal bases: Art. 4 no. 1, no. 2, no. 7 and 8, Art. 5, Art. 44, Art. 46 Paragraph 1 and Paragraph 2 lit. c, Art. 51 Paragraph 1, Art. 57 Paragraph 1 lit. d and lit. f, Art. 77 Paragraph 1, Art. 80 Paragraph 1 and Art. 93 Paragraph 2 of the Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ No. L 119 of 4.5.2016 p. 1; §§ 18 Paragraph 1 and 24 Paragraph 1, Paragraph 2 Item 5 and Paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 idgF; Section 68 (2) of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette 51/1991 as amended. - 3 - REASON A. Arguments of the parties and course of the procedure A.1. The complainant summarized in his submission of August 18, 2020 The following: On August 14, 2020, at 10:45 a.m., he had the website of the Respondent at www.XXX.at/ visited. During the visit he was logged into his Google account, which is linked to the complainant's email address, XXX.XXX@gmail.com. the First Respondent has an HTML code for Google services (including Google Analytics) embedded. In the course of the visit, the first respondent said personal data, namely at least the IP address and the cookie data of the Complainant processed. Let some of this data be sent to the second respondent has been transmitted. Such a data transfer requires a legal basis in accordance with the Art. 44 ff GDPR. According to the judgment of the European Court of Justice of July 16, 2020, Case C-11/18 (“Schrems II”), the Respondents no longer respond to a data transfer to the USA Support adequacy decision ("Privacy Shield") according to Art. 45 GDPR. the The first respondent is also not allowed to transfer data to standard data protection clauses support if the third country of destination does not provide an appropriate one in accordance with EU law Protection of the personal transmitted on the basis of standard data protection clauses Data guarantee. The second respondent is said to be an electronic provider Communication services within the meaning of 50 U.S. Code § 1881 (b) (4) qualify and are subject to those of surveillance by US intelligence agencies pursuant to 50 U.S. Code § 1881a ("FISA 702"). the Second Respondent complained to the U.S. government under 50 U.S. Code § 1881a active personal data available. As a result, the respondents are not in a position to adequately protect the to ensure the complainant's personal data if his data is sent to Second respondent will be transmitted. The transmission of the complainant's data to the USA is illegal. Several enclosures were attached to the complaint. A.2. In a statement dated December 16, 2020, the respondent first brought summarized the following: The first respondent is only based in Austria. She is in favor of the decision responsible for embedding the tool on the XXX.at website. The tool is used to to enable general statistical evaluations of the behavior of the website visitors. The However, the tool does not allow the content to be adapted to a specific website user, as the - 4 - Evaluation is carried out anonymously and no reference to a specific user is made possible. User IP addresses would also be anonymized before storage or transmission ("IP Anonymization "). The so-called user agent string is used to inform the server which System specification of the user to access the server. Without reference to a person, only devices Operating system and version, browser and browser version and the device type are displayed. in the the best case scenario is an assignment to a specific device, but never to a specific person, who use the device, possible. The processing of the anonymous statistics takes place predominantly in Data centers in Europe, but also by the second respondent on servers outside of the country of the EEA. If the GDPR is applicable, the first respondent is responsible and the Second respondent is a processor. It is a processor agreement been completed. Since no personal data would be transmitted, the verdict is of the ECJ of July 16, 2020 in case C311 / 18 not applicable. However, in order for any Making arrangements for the transfer of personal data to the second respondent - e.g. in the event that IP anonymization is deactivated due to a data breach - have the first respondent entered into a data processing agreement with the second respondent completed, as well as standard data protection clauses (SDK) included. This is purely from Implemented as a precaution. The second respondent had further technical and Organizational measures are set to ensure a high level of data protection for those using the tools to provide processed data. Several enclosures were attached to the opinion. A.3. With a statement of January 22, 2021, the complainant summarized The following: In the case of a processor in a third country, a breach of anonymization is not enforceable or detectable. In case of doubt, 50 U.S.C § 1881a applies and not an advertising text on the Google website. The personal data processed first would only be processed subsequently in a second step be anonymized. This anonymization, which may have taken place after the transfer, is effective does not rely on previous processing. The statement contains a more detailed one at this point technical description. Apart from that, the complainant does not only refer to the processing of his IP address, but also other personal data, such as cookie data. At the time of the website During the visit, he was logged into his private Google account. "Google" cookies are set been. In order to prevent a violation of Art. 44 ff GDPR, a complete removal of the Tools required and a change to another tool without data transmission to the USA is recommended. If the first respondent is convinced that no personal data would be processed, the conclusion of order processing conditions is absurd. the Several enclosures were attached to the statement. - 5 - A.4. The second respondent submitted his answers in a statement dated April 9, 2021 to the questionnaire of the data protection authority. A.5. With a statement of May 4, 2021, the Respondent brought the Second respondent of April 9, 2021 summarized the following: The First Respondent only uses the free version of Google Analytics. Included both the terms of use and the SDK have been approved. Neither is that Google Analytics 4 version implemented, the data sharing setting has been activated. the Code was embedded with the anonymization function. The second respondent will only used as a processor. The Respondent gave the instructions via the Settings in the Google Analytics user interface and via the global website tag. Google Signals are not used. The first respondent did not have her own Authentication system and don't use any user ID function either. Currently one does not support oneself to the exception of Art. 49 Para. 1 GDPR. A.6. With an opinion of 5 May 2021, the complainant brought the Second respondent of April 9, 2021 summarized the following: The complaint is directed against the first and second respondents. Google Ireland Limited is not party to the proceedings. The data protection authority is direct for the second respondent responsible for violating Art. 44 ff GDPR. The Second Respondent was said to be Processor standard addressee of Chapter V GDPR. The second Respondent also asserts Dispute that all data collected by Google Analytics would be hosted in the United States. At least some of the cookies set when you visited the website on August 14, 2020 would be contain unique user identification numbers. In the transaction between the browser of the Complainant and https://tracking.XXX.at, which was started on the stated date, the user identification numbers "_gads", _ "ga" and "_gid" were set. These numbers were subsequently transmitted to https://www.google-analytics.com/. It is with the Numbers around "online identifiers" that were used to identify natural persons and a Users would be specifically assigned. With regard to the IP address, it should be noted that Chapter V GDPR does not provide for any exceptions for "subsequently anonymized data". Let it be assume that the complainant's IP address is not even used in all transactions had been anonymized. The application for the imposition of a fine is withdrawn, this is now a suggestion. A.7. In a statement dated June 10, 2021, the second respondent summarized The following before: - 6 - The complainant's legitimacy to act was not established because it had not been proven that the data transmitted are personal data of the complainant. The cookies in question are first-party cookies that are stored under the domain XXX.at had been set. They are therefore cookies of the first and not of the Second respondent. Accordingly, these are not unique Google Analytics cookie IDs per user that would be used on multiple websites using Google Analytics. One user have different cid numbers for different websites. It is not stated that the numbers would make the complainant identifiable. The submission contains further technical information on the cookies used at this point. With regard the IP address is to be checked whether the IP address of the device connected to the Internet is actually to be assigned to the complainant and whether the responsible person or "another person" the have legal means to receive subscriber information from the provider in question. As a processor, the second respondent provided the website operator with numerous Configuration options from Google Analytics are available. Based on the received Information should be noted that the First Respondent configured Google Analytics in this way got as stated. The First Respondent had a possible configuration error the IP anonymization function is not activated in all cases. Under normal operating conditions and as far as users based in the EU are concerned, a web server is located in the EEA, which is why the IP Anonymization is generally carried out within the EEA. In the present case they are normal Operating conditions exist. On August 14, 2020 the account XXX.XXX@gmail.com has the web & app activities Setting activated. However, the account did not choose website activity include those who used Google services. As the first respondent stated that it was also did not activate Google signals, the second respondent was therefore not in a position to determine that the user of the account XXX.XXX@gmail.com has visited this website. With regard to international data traffic, it should be noted that - even assuming that it concerns personal data of the complainant - these by their nature im Are limited in terms of quantity and quality. As far as the transmitted data is at all as personal data are to be qualified, it would also be pseudonymous data. Standard contractual clauses were also concluded with the respondent supplementary measures have been implemented. The second respondent did not submit any User data according to EO 12333 open. FISA § 702 is in the present case in view of the Encryption and anonymization of IP addresses are irrelevant. Art. 44 ff GDPR could not be the subject of a complaint procedure according to Art. 77 Para. 1 GDPR, which is why the The complaint is to be rejected in this regard. The Art. 44 ff GDPR are with regard to the Second respondent as data importer also not applicable. - 7 - A.8. With comments from June 18 and 24, 2021, the respondent first brought summarized the following: As part of an asset deal, the website www.XXX.at will be available on February 1, 2021 XXX GmbH in Munich. Subsequently, the first respondent was from XXX.at GmbH has been renamed XXX GmbH. In addition, got the first respondent instructed the second respondent to use Google Analytics Properties to delete collected data immediately. The configuration error related to the IP anonymization function has been fixed. In the meantime, the Second Respondent confirms the final deletion of all data, as evidence Enclosure presented. It is suggested to discontinue the procedure in accordance with Section 24 (6) DSG. A.9. With statements of July 9, 2021, the second respondent summarized The following: In the opinion of the European Data Protection Board, an adequacy assessment was made (EDSA) is not limited to examining the legal provisions of the third country, but must also take into account all specific circumstances of the transfer in question. This is for the relevant case. The pseudonymization is here - in line with the EDSA guidelines - an effective complementary measure. It is not expected that US authorities will have additional Had information that enabled them to understand what was behind the first party cookie values "gid" and Identify “cid” or data subjects behind an IP address. the The complainant also did not request a declaration that his rights were in the past had been injured. A.10. With comments of July 9, 2021, the complainant summarized The following: There is a processing of personal data, among other things through the submitted Side dishes occupied. If in the end it is only a prerequisite for the identification of a website visitor whether he makes certain declarations of intent in his account (such as the activation of “Ad personalization ”), all possibilities of identifiability would be available for the second respondent are present. Otherwise, the second respondent can use the account settings expressed wishes of a user for "personalization" of the advertising information received do not match. The UUID (Universally Unique Identifier) in the _gid cookie with the UNIX time stamp 1597223478 is on Wednesday, August 12, 2020 at 11:11 and 18 seconds CET, those in the cid cookie the UNIX timestamp 1597394734 on Friday, August 14, 2020 at 10:45 and 34 seconds CET. It follows that these cookies are used before the visit to which the complaint is made - 8 - and longer-term tracking has taken place. The complainant had to the best of his knowledge, these cookies are not deleted immediately, and neither is the XXX.at website visited repeatedly. The second respondent misunderstood the broad understanding of the GDPR when assessing the Presence of personal data. The specific IP address used is also for the Complainant can no longer be identified. However, this is irrelevant because the UUID in the cookies In any case, there is a clear personal reference. Especially the combination of cookie data and IP Address allow tracking and the evaluation of geographic location, internet connection and Context of the visitor, which can be linked to the cookie data already described. For this but would also include data such as the browser used, the screen resolution or the operating system ("Device Fingerprinting") come. In the context of the complaint, it is more relevant that US authorities are easy for secret services in particular discoverable data, such as the IP address, as a starting point for monitoring Individuals would use. It is the standard practice of secret services to get away from you Date to “go on” to others. When the complainant's computer keeps coming back If the IP address of NOYB appears on the Internet, this can be used to facilitate the work of the To spy out the NOYB association and to target the complainant. In another Step would then look for other identifiers in the data, such as the UUIDs mentioned, what in turn, an identification of the individual person for monitoring in other places enable. In this context, US intelligence services are “different Person "within the meaning of recital 26 GDPR. The complainant does not only work for NOYB, but also had a relevant role as a model complainant in these efforts. According to US law, this would mean that the complainant would be monitored in accordance with 50 USC § 1881a (also as of all other persons entrusted with this complaint) legally possible at any time. Even at the application of the supposed “risk-based approach” is the case at hand Prime example of high risk. The email address XXX.XXX@gmail.com should be assigned to the complainant, who was up to had the surname "XXX" during a marriage. The old Google account will, however still used. It is not explained to what extent the undisputed data are linked, evaluated or the result of an evaluation is just not displayed to the user. In addition, Chapter V GDPR does not know a "risk-based approach". This can only be found in certain articles of the GDPR, such as in Art. 32 leg.cit. The new standard contractual clauses in Implementing decision (EU) 2021/914 are not applicable to the matter due to lack of temporal validity relevant. A "transfer" is not a unilateral act by a data exporter, every "transfer" also request receipt of the data. Accordingly, Chapter V of the GDPR is also applicable to the - 9 - Second Respondent applicable, it was a matter of joint action by Data exporter and importer. Even if the second respondent did not violate Art. 44 ff GDPR, they are Provisions according to Art. 28 Para. 3 lit. a and Art. 29 GDPR as "standard rules" consider. If the Second Respondent provides a corresponding instruction from a US Secret service consequence, he makes the decision to transfer personal data about the specific order of the first respondent in accordance with Art. 28 and Art. 29 GDPR and the to process the corresponding contractual documents. This becomes the Second respondent according to Art. 28 Para. 10 GDPR himself as the person responsible. Consequently In particular, the second respondent was also entitled to the provisions of Art. 5 ff GDPR follow. A secret data transfer to US secret services according to US law is without Doubt not compatible with Art. 5 Para. 1 lit. f GDPR, Art. 5 Para. 1 lit. a GDPR and Art. 6 GDPR. A.9. With the last statement dated August 12, 2021, the second respondent brought summarized the following: The complainant had not shown his active legitimation to lodge a complaint. He did not have any questions raised by the second respondent about the identifiability of his Person answered based on the IP address. Regarding the _gid number and cid number, let to record that there was no directory in order to identify the complainant close. The fact that in Recital 26 GDPR the "segregation" as a possible means of Identification should be mentioned, but does not change the understanding of the words "identify" or "Identification" or "Identifiability". The identifiability of the complainant presupposes at least that his identification on Basis of the present data and with means is possible at the general discretion would likely be used. This has not been established and cannot and is not assumed on the contrary, even improbable, if not impossible. Also the fact that the Second Respondent has concluded processor agreements does not mean that the data that are the subject of this procedure are personal data act, nor that it concerns the complainant's data. The complainant's view that the data transfer was not according to a risk-based Approach to be assessed (“all-or-nothing”) is not to be followed. This is not in line with the GDPR and be in recital 20 of the implementation decision (EU) 2021/914 of the European To see commission. This is also due to the different versions of the EDSA recommendation 01/2020 recognizable. Even if you have access to the above numbers is possible “legally at any time” by US authorities, it should be checked how likely this is. the The complainants had not put forward any convincing arguments as to why or how the - 10 - "Cookie data" in connection with his visit to a publicly available, and by many used Austrian website such as the "Foreign Intelligence Information" in question and thus could become the goal of the purpose-restricted data collection according to § 702. B. Subject matter of the complaint Based on the submission of the complainant, it can be seen that the subject of the complaint at least the question is - whether the First Respondent by implementing the Google Analytics tool their website www.XXX.at provides the complainant's personal data has forwarded the second respondent and, - whether there is an appropriate level of protection for this data transfer in accordance with Art. 44 GDPR was guaranteed. In this context, it must also be clarified whether in addition to the first respondent (as Data exporter) also the second respondent (as data importer) to comply with Art. 44 GDPR was committed. On the application, against the first respondent (as the person responsible) now an immediate ban on the transmission of data to the second respondent is to be imposed not to be discussed because - as will be explained below - the responsibility for the operation of the Website www.XXX.at in the course of the complaint procedure (but only after the transmission of data relevant to complaints) to XXX GmbH based in Munich is. Regarding the imposition of such a ban, the data protection authority would have the case to the contact the competent German supervisory authority. Likewise, the application for the imposition of a fine is not to be discussed, as this is on the part of the Was withdrawn with an opinion of 5 May 2021 and this is now as Suggestion is to be understood. Finally, it should be noted that the present partial notification does not cover the alleged Violations by the second respondent in accordance with Art. 5 ff in conjunction with Art. 28 Paragraph 3 lit. a and Art. 29 GDPR is discussed. In this regard, further steps are necessary and will be discussed here agreed in a further notification. C. Factual Findings C.1. In any case, the first Respondent was the website operator of on August 14, 2020 www.XXX.at. The Austrian version of "XXX" is a Information portal on the subject of health. The website www.XXX.at is only available in German Language offered. The Respondent did not operate any other versions of the website - 11 - www.XXX.at in the EU. The first respondent is also only based in Austria and has no further branches in other EU countries. There is one for Germany German version of "XXX" at www.XXX.de, which, however, is not provided by the First Respondent was operated. Assessment of evidence re C.1 .: The findings made are based on the opinion of the First respondent dated December 16, 2020 (questions 1 to 3) and were therefore not on the part of disputed by the complainant. C.2. On February 1, 2021, the website www.XXX.at was transferred to the XXXGmbH based in Munich. Subsequently, the first respondent became Renamed from XXX.at GmbH to XXX GmbH. the First Respondent has the website www.XXX.at for XXX GmbH until August 2021 supervised. The first respondent has ceased to be the operator of www.XXX.at since August 2021 and no longer makes the decision about whether to use the Google Analytics tool. Evaluation of evidence re C.2 .: The findings are based on the opinion of the First Respondent from June 18, 2021 and were therefore not on the part of the Appellant disputed. In addition, the findings are based on an official research by Data protection authority in the commercial register for Zl. FN 186415 s. C.3. The second respondent developed the Google Analytics tool. With Google Analytics it is a measurement service that enables customers of the second respondent to Measure traffic characteristics. This also includes the measurement of traffic from visitors who have a visit specific website. This enables the behavior of website visitors to be traced and measure how they interact with a specific website. Specifically, a Website operators create a Google Analytics account and use a dashboard to create reports on the Look at website. Likewise, the effectiveness of Measured and measured advertising campaigns that website owners run on Google Ad Services be optimized. There are two versions of Google Analytics: a free version and a paid version called Google Analytics 360. The free version was approved by the second respondent at least made available by the end of April 2021. Since the end of April 2021, both have been Google Analytics versions provided by Google Ireland Limited. Assessment of evidence re C.3 .: The findings made are based on the opinion of the Second respondent dated April 9, 2021 (p. 3 and questions 1 and 2) and were therefore not disputed by the complainant. C.4. The first Respondent - as the website operator - has at least as of August 14 - 12 - In 2020 made the decision to use the free version of the Google Analytics tool for the website www.XXX.at to be used. For this purpose, it has a JavaScript code ("tag") that the Second respondent is made available, built into the source code of their website. the First Respondent used the tool to make general statistical evaluations about the Enable website visitor behavior. The additional tool Google Signals was not activated. In any case, these evaluations will be used by the Respondent to assess the To present the content of the website www.XXX.at in accordance with the general interest in the topic that the channels that meet the most demand are placed in the foreground and the presentation can be adapted depending on the topicality of a specific topic. The first respondent has set up a Google Analytics account for this purpose. The Google Analytics Account ID with the account name "XXX" is 259349. The above evaluations can the First Respondent by logging into the "XXX" Google Analytics account logs in and can view reports on the traffic from www.XXX.at in the dashboard. Reports are divided into the categories real-time, target group, acquisition, behavior and conversions. the First Respondent can select custom reporting preferences that Second Respondent has no influence on this. The second respondent also accepts has no influence on the extent to which the Respondent subsequently uses the reports prepared used. The dashboard is designed as follows (formatting not reproduced 1: 1): - 13 - Evaluation of evidence re C.4 .: The findings made are based on the input of the First Respondent from December 16, 2020 and were not on the part of the Appellant disputed. The above screenshots were taken from enclosures ./1 and ./10, the A detailed description of the reporting process is given in Appendix ./1. C.5. The Google Analytics tool works as follows: When visitors visit the website - 14 - www.XXX.at, the JavaScript code inserted in the source text of the website refers to a JavaScript file previously downloaded to the user's device, which will then operate the tracking for Google Analytics. The tracking operation also retrieves data about the page request various means and sends this information via a list of parameters to the Analytics server attached to a single pixel GIF image request. The data that are collected using Google Analytics on behalf of the website operator, come from the following sources: - the user's HTTP request; - browser / system information; - (First-party) cookies. An HTTP request for each website contains details about the browser and computer that is hosting the Requests, such as host name, browser type, referrer and language. In addition, the DOM Interface the browser (the interface between HTML and dynamic JavaScript) access to more detailed browser and system information, such as Java and Flash support and Screen resolution. Google Analytics uses this information. Google Analytics sets and reads too First-party cookies on one user's browsers that measure the user's session and others Enable information from the page request. When all this information is collected, it will be sent to the Analytics server in the form of a long list of parameters sent to a single GIF image request (the meaning of the GIF Request parameter is described here) to the domain google-analytics.com. the The data contained in the GIF request are those that are sent to the analytics server and then are further processed and end up in the reports of the website operator. The information page of the second respondent on the Google Analytics tool can be found The following information (formatting not reproduced 1: 1, requested on December 22, 2021): - 15 - Assessment of evidence re C.5 .: The findings are based on the opinion of the Second respondent dated April 9, 2021 (question 2) as well as an official search by Data protection authority at https://developers.google.com/analytics/devguides/collection/gajs/cookie- usage and https://developers.google.com/analytics/devguides/collection/gtagjs/cookies-user-id (both queried on December 22, 2021). C.6. First and second respondents have a contract with the title "Processor conditions for Google advertising products" concluded. This contract had in the version of August 12, 2020 is valid at least on August 14, 2020. The contract regulates Order processing conditions for "Google advertising products". It applies to the provision of Order processing services and related technical support services for Customers of the Second Respondent. The aforementioned contract in the version dated August 12, 2020 (Enclosure ./7) is used as the basis for the findings of the facts. In addition, first and second respondents have a second contract on August 12, 2020 - 16 - entitled "Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors ”completed. These are standard contractual clauses for the international traffic. Also the mentioned second contract in the version of August 12, 2020 (Enclosure ./11) is used as the basis for the findings of the facts. With regard to the data categories listed in Annex 1 of the second contract, the link https://privacy.google.com/businesses/adsservices/ referenced. Under the link mentioned is The following is displayed in extracts (highlighted in red by the data protection authority, Formatting not reproduced 1: 1, requested on December 22, 2021): - 17 - In addition to the conclusion of standard contractual clauses, the second respondent has additional clauses contractual, organizational and technical measures implemented. These measures supplement the obligations contained in the standard contractual clauses. The measures will be described in the second respondent's statement of April 9, 2021, question 28. This Description is used as a basis for the determinations of the facts. The second respondent publishes so-called transparency reports on a regular basis ("Transparency Reports") on data requests from US authorities. These are available at: https://transparencyreport.google.com/user-data/us-national-security?hl=en Assessment of evidence re C.6 .: The findings made are based on the opinion of the First respondent of December 16, 2020, question 15. The cited enclosures ./7 and ./11 are included in the act and known to all involved. In addition, the struck are based Findings based on an official search by the data protection authority under https://privacy.google.com/businesses/adsservices/ (accessed on December 22, 2021). the Findings made with regard to the "additionally implemented measures" result from the statement of the second respondent from 9. April 2021 (question 28). The opinion of the second respondent dated April 9, 2021 is included in the file and is known to all parties involved. The finding with regard to the transparency reports results from an official research the data protection authority at https://transparencyreport.google.com/user-data/us-national- security? hl = en (accessed on December 22, 2021). - 18 - C.7. In the course of using the Google Analytics tool, the option is offered to use an "IP Anonymization function ”. In any case, this function did not become effective on August 14, 2020 correctly implemented on www.XXX.at. Evaluation of evidence re C.7 .: The findings made are based on the opinion of the First Respondent dated June 18, 2021. Therein she admits that the aforementioned "IP Anonymization function ”was not implemented properly due to a code error. C.8. The complainant visited the website at least on August 14, 2020, at 10:45 a.m. www.XXX.at. During the visit, he was logged into his Google account, which was linked to the Email address XXX.XXX@gmail.com is linked. The email address belongs to the Complainant. The complainant had the last name "XXX" in the past. A Google account is a user account that is used for authentication serves the second respondent's various Google online services. So is a google account for example, a prerequisite for the use of services such as "Gmail" or "Google Drive" (a file hosting Service). Assessment of evidence re C.8 .: The findings are based on the input of the Complainant of August 18, 2020 (p. 3) and were not on the part of the respondents disputed. The findings made with regard to the basic functions of a Google Accounts are based on official research by the data protection authority at https://support.google.com/accounts/answer/27441?hl=de and https://policies.google.com/privacy (both queried on December 22, 2021). C.9. In the transaction between the complainant's browser and https://tracking.XXX.at/ were unique user- Identification numbers are set at least in the cookies "_ga" and _ "gid". As a result, these were Identification numbers on August 14, 2020 at 12:46: 19.948 CET at https://www.google-analytics.com/ and thus transmitted to the second respondent. Specifically, the following user identification numbers were found in the complainant's browser are transmitted to the second respondent (same values, each in different Transactions that have occurred are each color-coded with orange and green): - 19 - These identification numbers each contain a UNIX time stamp at the end, which shows when the respective cookie was set. The identification number in the _gid cookie with the UNIX time stamp "1597394734" was set on Wednesday, August 14, 2020, at 11:11 and 18 seconds CET cid cookie with the UNIX timestamp "1597223478" on Friday, August 12, 2020 at 10:45 and 34 Seconds CET. With the help of these identification numbers it is possible for the respondents to website visitors differentiate and also get the information whether it is a new one or a returning website visitors from www.XXX.at. In addition, the following information (parameters) was also obtained via the browser of the Complainant in the course of inquiries to https://www.google-analytics.com/collect transmitted to the second respondent (excerpt from the HAR file, request URL https://www.google-analytics.com/collect, extract of the request with time stamp 2020-08- 14T10: 46: 19.924 + 02: 00): general - Request URL https://www.google-analytics.com/collect - Request method GET - HTTP VersionHTTP / 2 - Remote Address 172.217.23.14 Headers - Accept: image / webp, * / * - Accept-Encoding: gzip, deflate, br - Accept-Language: en-US, de; q = 0.7, en; q = 0.3 - Connection: keep-alive - Host: www.google-analytics.com - 20 - - Referer: https://www.XXX.at/ - TE: Trailers - User agent: Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv: 79.0) Gecko / 20100101 Firefox / 79.0 Query Arguments - _gid: 929316258.1597394734 - _s: 1 - _u: QACAAEAB ~ - _v: j83 - a: 443943525 - cid: 1284433117.1597223478 - de: UTF-8 - dl: https://www.XXX.at/ - dt: XXX.at homepage - your independent health portal - ea: / - ec: scroll depth - el: 25 - gjid: - gtm: 2wg871PHBM94Q - each: 0 - yid: - ni: 0 - sd: 24-bit - sr: 1280x1024 - t: event - tid: UA-259349-1 - ul: en-us - v: 1 - vp: 1263x882 - z: 1764878454 Size - Headers 677 bytes - Body 0 bytes - Total 677 bytes - 21 - From these parameters, conclusions can be drawn about the browser used, which Browser settings, language selection, the website visited, the color depth, the screen resolution and the AdSense linking number will be drawn. The remote address 172.217.23.14 is that of the second respondent. The IP address of the complainant's device is used as part of these inquiries https://www.google-analytics.com/collect transmitted to the second respondent. The content of the HAR file (Enclosure ./4), which the complainant submitted with the entry of August 18, 2020, the factual findings will be used as the basis. Assessment of evidence re C.9 .: The findings are based on the input of the Complainant of August 18, 2020 and the HAR file presented therein, enclosure ./4. At a HAR file is an archive format for HTTP transactions. The HAR file was created by checked by the data protection authority. The complainant's arguments agree with those therein archive data contained. The presented HAR file (or its content) is the participant known. In addition, the findings are based on the opinion of the Complainant of May 5, 2021 (p. 8 ff) and the screenshots contained therein. As above carried out, according to the information provided by the second respondent, the purpose of the identification numbers is Distinguish users. The times determined when the cookies were set are calculated from the respective UNIX timestamps. The Unix time is a time definition that is used by the Unix operating system was developed and established as a POSIX standard. The Unix time counts the seconds that have passed since Thursday, January 1st 1970, 00:00 UTC. The finding with regard to the remote The address results from an official Who-Is query of the data protection authority at https://who.is/whois-ip/ip-address/172.217.23.14 (accessed on December 22, 2021). C.10. As far as the Google Analytics tool is implemented on a website, the Second respondent the technical possibility to get the information that a certain Google account users visited this website (on which Google Analytics is implemented) if this Google account user is logged into the Google account during the visit. Assessment of evidence re C.10 .: In his statement of April 9, 2021, the second respondent in question 9, it was argued that he would only get such information if certain Requirements are met, such as the activation of specific settings in the Google Account. In the opinion of the data protection authority, this argument is not convincing. Namely, if the request of a Google account user for "personalization" of the received Advertising information can be complied with on the basis of a declaration of intent in the account, so there is from a purely technical point of view the possibility of displaying the information about the visited website of the Google Account user. In this context, the data protection law - 22 - Accountability to point out which in the context of the legal assessment in more detail is received. For the establishment of the facts, this means data protection law Accountability that the respondents (or in any case the first respondent as Controller) - and not the complainant or the data protection authority - one must provide sufficient evidence. Such sufficient evidence - that is, that from technical There is no possibility of data receipt for the second respondent - was in this one Context not established, especially since it is an essential part of the Google concept Analytics is to be implemented on as many websites as possible in order to be able to collect data. C.11. The first respondent has the second respondent in the course of the proceedings instructed to use all data collected through the Google Analytics Properties for the website www.XXX.at to delete. The second respondent has confirmed the deletion. Assessment of evidence re C.11 .: The findings are based on the opinion of the First Respondent dated June 18 and 24, 2021 as well as the copy of the correspondence presented between first and second respondents. D. From a legal point of view, it follows: D.1. General a) To the competence of the data protection authority The European Data Protection Board (hereinafter: EDPB) has already dealt with the relationship between GDPR and Directive 2002/58 / EC ("e-Data Protection Directive") dealt with (cf. Opinion 5/2019 on the interaction between the e-Data Protection Directive and the GDPR from March 12, 2019). With a decision of November 30, 2018, the data protection authority Zl. DSB-D122.931 / 0003-DSB / 2018, with the relationship between GDPR and the national Implementation provision (in Austria now: TKG 2021, Federal Law Gazette I No. 190/2021 as amended) dealt with. It was basically stated that the e-Data Protection Directive (or the respective national Implementation provision) of the GDPR acts as a lex specialis. Art. 95 GDPR stipulates that the Regulation natural or legal persons in relation to processing in connection with the provision of publicly available electronic communication services in public Communication networks in the Union do not impose any additional obligations insofar as they are specific in of the e-Data Protection Directive are subject to obligations that pursue the same goal. - 23 - In the e-Data Protection Directive, however, there are no obligations within the meaning of Chapter V of the GDPR for the Case of the transfer of personal data to third countries or to international ones Organizations. It should be noted at this point again that the responsibility for the operation of the website www.XXX.at only after the complaint-relevant data has been transmitted on August 14, 2020 to a German society has passed over. Against this background, the GDPR is applicable and still exists for such data transmission thus a competence of the data protection authority to handle the complaint in question according to Art. 77 Para. 1 GDPR. b) On Art. 44 GDPR as a subjective right Based on the previous rulings by the data protection authority and the courts, it should be noted that that both the legality of the data processing according to Art. 5 Para. 1 lit. a in conjunction with Art. 6 ff GDPR as well as the data protection rights postulated in Chapter III of the regulation as Subjective right can be asserted in the context of a complaint in accordance with Art. 77 Para. 1 GDPR be able. The transfer of personal data to a third country, which in the sense of Art. 44 GDPR (allegedly) an adequate level of protection has not yet been guaranteed Subject of the complaint in the context of a complaint procedure before the data protection authority. In this context, it should be noted that Art. 77 Para. 1 GDPR (and otherwise also the national provision of Section 24 (1) DSG) for exercising the right of appeal only requires that "[...] the processing of the personal data concerning them against them Regulation violates ". In its judgment of July 16, 2020, the ECJ also assumed that the finding that "[...] the law and practice of a country do not guarantee an adequate level of protection [...]" as well as "[...] the compatibility of this (adequacy) decision with the protection of privacy as well as the freedoms and fundamental rights of persons [...] "in the context of a complaint according to Art. 77 Paragraph 1 GDPR can be asserted as a subjective right (see the judgment of the ECJ of July 16, 2020, C ‑ 311/18 margin no.158). It should be noted that the question referred in the above procedure does not cover the “scope of the Right of appeal under Art. 77 Para. 1 GDPR ”; but the ECJ has The fact that a violation of the provisions of Chapter V GDPR in the context of a Complaint according to Art. 77 Para. 1 GDPR can be asserted, obviously as necessary Considered a prerequisite. Looking at it differently, the ECJ would have said that the question - 24 - the validity of an adequacy decision in the context of a complaint procedure not at all can be clarified. Insofar as the second respondent also asserts Article 44 GDPR as Subjective law - with reference to the wording of recital 141 leg.cit. - is denying that to counter that the mentioned recital is linked to the fact that the "rights according to this regulation" a complaint according to Art. 77 Para. 1 GDPR are accessible (and not, for example: "the rights according to Chapter III of this regulation "). Although the term "rights of a data subject" is used in certain places in the GDPR, Conversely, however, this does not mean that other standards in which this Wording is not chosen, as a subjective right can be invoked. Most The provisions of the GDPR are on the one hand an obligation of the person responsible (and partly of the processor), but on the other hand can also apply as a subjective right of data subjects be made. For example, it is undisputed that Art. 13 and Art. 14 GDPR are subjective Establish the right to information, although the right to information is not specified in Art. 12 para. 2 leg. Cit. as "their Rights ”(ie“ rights of the data subject ”) and Art. 13 and Art. 14 GDPR the wording are designed as an information obligation of the person responsible. The decisive factor is whether a data subject is affected by an alleged violation of the law in a individual legal position is impaired. The alleged infringement must therefore negatively affect and affect the person concerned. Apart from that, the ErwGr are an important instrument for interpreting the GDPR, however they cannot be used to contradict the text of the regulation standing result (here, as stated above, the fact that the administrative Remedy generally linked to "the processing") (cf. the judgment of the ECJ of May 12, 2005, C-444/03 margin no.25 and the further judicature cited there). Finally, according to the domestic judicature of the VwGH, in case of doubt it can be assumed that Standards that prescribe an official procedure also and especially in the interest of the person concerned, Grant this a subjective right that can be enforced through the appeal process (cf. VwSlg. 9151 A / 1976, 10.129 A / 1980, 13.411 A / 1991, 13.985 A / 1994). Against the background of the wording of Art. 77 Para. 1 GDPR and the cited case law of the The ECJ and the VwGH should be noted as an interim result that the information in Chapter V and in particular the obligation for controllers and processors standardized in Art. 44 GDPR, which is carried out by ensure the level of protection for natural persons guaranteed by the regulation, and vice versa valid as a subjective right before the competent supervisory authority in accordance with Art. 77 Para. 1 GDPR can be done. - 25 - c) On the determination competence of the data protection authority According to the judicature of the VwGH and the BVwG, the data protection authority comes a Assessment competence with regard to violations of the right to secrecy in Complaints procedure (so expressly the decision of the BVwG of May 20, 2021, Zl. W214 222 6349-1 / 12E; implicitly the decision of the VwGH of February 23, 2021, Ra 2019/04/0054, in which this is related to the establishment of a past Has dealt with the breach of confidentiality, without the lack of jurisdiction of the alleged Authority to pick up). There are no factual reasons to suspect the determination competence according to Art. 58 Para. 6 GDPR in conjunction with § 24 para. 2 no. 5 GDPR and para. 5 DSG not also for the determination of a violation of Art. 44 DSGVO to be used, as in the present case, among other things, one that was in the past Violation of the law - namely a data transfer to the USA - is complained about and that Right to lodge a complaint in accordance with Section 24 (1) GDPR - as well as Article 77 (1) GDPR - generally to one Violation of the GDPR. When the verdict of a notice in one Complaint procedures contain only instructions according to Art. 58 Para. 2 GDPR could, as a result, there would be no room for Section 24 (2) 5 and 24 (5) DSG. Contrary to the opinion of the respondents, Section 24 (6) DSG applies to the one relevant here The subject of the complaint cannot be considered, as data transmission has been complained about in the past will. In other words: the alleged illegality (here: incompatibility with Art. 44 GDPR) an already completed data transfer is a process completion according to § 24 para. 6 DSG not accessible. Against the background of these remarks, it should be noted as a further interim result that the Determination competence of the data protection authority in the present complaint procedure given is. D.2. Ruling point 1 As stated, the data protection authority set the procedure in question with a decision of October 2, 2020, Zl. D155.027, 2020-0.527.385, until it is determined which authority is responsible for the content Procedural management is responsible (lead supervisory authority) or until a decision is made by a lead supervisory authority or the EDPB. Based on the results of the investigation, it should be noted that a Cross-border data processing within the meaning of Art. 4 Z 23 in conjunction with Art. 56 Paragraph 1 GDPR on the subject of the complaint - a data transfer to the USA in August 2020 - is not available and the "one-stop-shop" mechanism in accordance with Art. 60 GDPR therefore does not apply finds: - 26 - According to its own statements (see statement of December 16, 2020, Question 2) neither established in more than one Member State (data processing within the meaning of Art. 4 Z23 lit. a GDPR in the context of the activities of branches in more than one member state can therefore not be present), nor has the data transmission and thus the processing Personal data of the first respondent have a significant impact on those affected Persons in more than one member state (Art. 4 No. 23 lit. b leg. Cit.). With regard to the effects of the present data processing, the Factual findings that the target audience of the relevant website www.XXX.at namely (primarily) persons resident in Austria, also because it is with the website www.XXX.de gives its own version for the German audience. According to the This was the first respondent (see the statement of December 16, 2020, question 2) (at least in August 2020) only responsible for the Austrian version of www.XXX.at. The theoretical possibility that German-speaking people from a Member State other than Austria can access www.XXX.at, the fact "Effects on affected persons in more than one member state "according to Art. 4 Z 23 lit. b GDPR establish. In the event of a different view, every complaint against the operator would be of a website - regardless of the intended target audience of the website - according to the rules To deal with Art. 60 ff GDPR. This would lead to a too broad interpretation of Art. 4 No. 23 lit. b GDPR (and consequently lead to too wide a scope of application of the "one-stop-shop"), which - in the opinion of the data protection authority - cannot be wanted by the regulator. The complaint related to the subject matter of the complaint was consequential exclusively from the Austrian data protection authority in accordance with Art. 55 Para. 1 GDPR treat. As ex officio notices from which no one has a right, both from the Authority that issued the decision, as well as in exercising the supervisory right of the factual relevant higher authority can be canceled or changed, and as a result of a Suspension of proceedings of a party to the proceedings does not give rise to a right of non-decision was the The above-mentioned notification of October 2, 2020 is available for rectification in accordance with Section 68 (2) AVG. D.2. Ruling point 2. a) a) General information on the term "personal data" The material scope of Art. 2 Para. 1 GDPR - and thus the success of this Complaint - fundamentally requires that "personal data" are processed. - 27 - According to the legal definition of Art. 4 No. 1 GDPR, "personal data is all information, referring to an identified or identifiable natural person (hereinafter "data subject") relate; A natural person is regarded as identifiable if, directly or indirectly, in particular by means of assignment to an identifier such as a name, to an identification number Location data, an online identifier or one or more special features can be identified that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can". As can be seen from the factual findings (see point C.9.), The Respondent has - as the operator of the website - implemented the tool Google Analytics on your website. As a result this implementation - i.e. triggered by the JavaScript executed when visiting the website Code - at least the following information was received from the complainant's browser, which the Visited the website www.XXX.at, transmitted to the server of the second respondent: - Unique online identifiers, which both the browser and the device of the Complainant as well as the First Respondent (through the Google Analytics Account Identify the ID of the first respondent as the website operator); - the address and the HTML title of the website, as well as the sub-pages that the complainant had has visited; - Information on the browser, operating system, screen resolution, language selection and Date and time of the website visit; - the IP address of the device that the complainant used. It must be checked whether this information falls under the definition of Art. 4 No. 1 GDPR, i.e. whether it is the complainant's personal data is involved. b) Identification numbers as "personal data" With regard to the online IDs, it should again be remembered that the representational Cookies “_ga” or “cid” (Client ID) and “_gid” (User ID) unique Google Analytics identification numbers and were stored on the device or in the complainant's browser. As established, it is possible for certain bodies - here, for example, the respondents - to use them Identification numbers to distinguish website visitors and also to get the information whether it is is a new or a returning website visitor from www.XXX.at. With In other words: Only the use of such identification numbers enables a distinction to be made between website Visitors who were not possible before this assignment. - 28 - In the opinion of the data protection authority, there is an interference with the fundamental right to data protection Art. 8 EU-GRC as well as § 1 DSG already then when certain bodies take measures - here the Assignment of such identification numbers - in order to individualize website visitors in this way. A measure of “identifiability” to the effect that it must be immediately possible to do so Identification numbers also with a certain "face" of a natural person - in particular with the name of the complainant - is not required (see already Opinion 4/2007, WP 136, 01248/07 / DE of the former Art. 29 Data Protection Working Party on Term "personal data" p. 16 f; see the guidance of the supervisory authorities for Telemedia provider from March 2019, p. 15). Recital 26 GDPR speaks in favor of such an interpretation, according to which the question of whether a natural person is identifiable, "[...] all means are taken into account by the person responsible or by a other person, according to general discretion, likely to be used to the natural person to identify directly or indirectly, such as segregation ”(English language version of Regulation: "singling out"). The term "sorting out" means "searching out of a crowd" to understand (see https://www.duden.de/rechtschreibung/aussondern, requested on December 22nd 2021), which corresponds to the above considerations for the individualization of website visitors is equivalent to. In the literature it is also expressly stated that there is already a "digital footprint" that it allows devices - and subsequently the specific user - to be clearly individualized represents a personal date (see Karg in Simitis / Hornung / Spiecker, GDPR Comment Art. 4 Z 1 margin no. 52 with further references). This consideration can be due to the uniqueness of the identification numbers on the present case, especially since - which is to be discussed in more detail immediately - this Identification numbers can also be combined with other elements. As far as the Respondents point out that no “means” have been used to counteract the here to bring the reference numbers in connection with the person of the complainant Against them to counter that the implementation of Google Analytics on www.***.at results in a separation within the meaning of Recital 26 GDPR. In other words: who a tool that has just made such a removal possible cannot affect the Take the position not to use "general discretion" means to avoid natural persons to make identifiable. As an interim result, it should be noted that the Google Analytics Identification numbers for personal data (in the form of an online identifier) in accordance with Art. 4 No. 1 GDPR could be. - 29 - c) Combination with other elements The fulfillment of the requirements of Art. 4 Z 1 GDPR becomes even more clearly recognizable if one takes into account that the identification numbers can be combined with other elements: By combining all of these elements - that is, unique identification numbers and the others above cited information such as browser data or IP address - is it all the more likely that the complainant can be identified (see again recital 30 GDPR). The "digital Such a combination makes the complainant's footprint even more unique. The respondents' submissions about the "anonymization function of the IP Address "remain open, since the respondents have admitted that this function (for at the time of the complaint) was not implemented correctly (see for example the Opinion of the Respondent dated June 18, 2021). Likewise, the question of whether an IP address, viewed in isolation, is personal data, remain open, as these - as mentioned - with further elements (in particular the Google Analytics identification number) can be combined. In this context it should be noted that the According to the case law of the European Court of Justice, the IP address can represent a personal date (see the judgments of the ECJ of June 17, 2021, C ‑ 597/19, margin no. 102, as well as of October 19, 2016, C ‑ 582/14, margin no. 49) and this does not lose its status as a personal date simply because it has the means to Identifiability lie with a third party. Finally, the data protection authority points out that it is an essential part of the The concept of Google Analytics (at least in the free version) is based on as many as possible Websites to be implemented to collect information about website visitors. Accordingly, it would be with the basic right to data protection according to Art. 8 EU-GRC or § 1 DSG incompatible with the applicability of the GDPR to those related to the Google Analytics tool standing data processing - in which individual website visitors using Google Analytics Identification number can be individualized - to be excluded. d) Traceability to the complainant Regardless of the above considerations, however, there is any traceability to the "Face" of the complainant - such as his name - to go out: It is not necessary that the respondents each have a personal reference so that all information required for identification is with them (see the rulings of the European Court of Justice of December 20, 2017, C-434/16, margin number 31, as well as of October 19, 2016, C ‑ 582/14, margin no.43). Rather, it is sufficient that someone - with legally permissible means and - 30 - reasonable effort - can establish this personal reference (see Bergauer in Jahnel, GDPR Comment Art. 4 no. 1 margin no. 20 mVa Albrecht / Jotzo, The new data protection law of the EU 58). Such an interpretation of the scope of Art. 4 No. 1 GDPR is - in addition to the cited legal and literature sources - derived from Recital 26 GDPR, according to which the question of Identifiability not only the means of the person responsible (here: the first respondent) are to be taken into account, but also those of "another person" (English language version of Regulation: "by another person"). This also arises from the idea of affected persons to offer the greatest possible protection for your data. The ECJ has repeatedly stated that the scope of the GDPR is "very broad" is to be understood (see for example the rulings of the European Court of Justice of June 22, 2021, C ‑ 439/19, margin no. 61; comparable legal situation, the judgments of December 20, 2017, C ‑ 434/16, margin no.33, as well as of May 7 2009, C ‑ 553/07, margin no.59). It is not overlooked that, according to Recital 26 GDPR, it must also be taken into account with which "Probability" means anyone who uses means to directly or indirectly affect an individual identify. In fact, in the opinion of the Data Protection Authority, the term "anyone" - and thus the scope of Art. 4 No. 1 GDPR - not to be interpreted so broadly, that some unknown actor could theoretically have special knowledge to relate to a person to manufacture; this would mean that almost all information in the The scope of the GDPR falls and a demarcation to non-personal data becomes difficult or even impossible. Rather, the decisive factor is whether it can be identified with justifiable and reasonable effort can be produced (see the notification of December 5, 2018, GZ DSB-D123.270 / 0009- DSB / 2018, according to which personal data is no longer available if the person responsible or a third party can only establish a personal reference with disproportionate effort). In the present case, however, there are certain actors who have special knowledge, which it makes it possible to establish a reference to the complainant in the sense of the above and therefore identify him. First of all, this is the second respondent: As can be seen from the factual findings, the complainant was at the time of Visiting the website www.XXX.at with his Google account XXX.XXX@gmail.com logged in. The Second Respondent stated that because of the fact that the Tool Google Analytics is implemented on a website, receives information. This includes the Information that a certain Google account user has visited a certain website (cf. Opinion of April 9, 2021, question 9). - 31 - This means that the Second Respondent has at least received the information that the User of the Google account XXX.XXX@gmail.com has visited the website www.XXX.at. So even if one takes the view that the above online IDs are a must be assignable to certain "faces", such an assignment can in any case via the Google Account of the complainant. The further statements made by the second respondent that for a such assignment must meet certain requirements, such as the activation of specific settings in the Google account (see again its statement of April 9, 2021, Question 9). If, however - and this was convincingly stated by the complainant - the identifiability of a website visitor only depends on whether certain declarations of intent have been made in the account there are (from a technical point of view) all possibilities for identifiability. With others Consideration could be the secondary respondent as expressed in the account settings No wish of a user to “personalize” the advertising information received correspond. In this context, the unambiguous wording of Art. 4 no. 1 GDPR, which is linked to a skill ("can be identified") and not to whether a Identification is ultimately also made. The accountability of the First respondent - as the person responsible, further below - to be indicated in accordance with Art. 5 Paragraph 2 in conjunction with Art. 24 Paragraph 1 in conjunction with Art. 28 Paragraph 1 GDPR suitable technical and organizational Take measures to ensure and to be able to provide evidence that the Processing (with the help of a processor) is carried out in accordance with the regulation. It is therefore an obligation to deliver. This also includes proof that processing is currently not subject to the regulation. A such was not provided - despite the possibilities granted several times. Independent of the second respondent, however - and this is case-related of greater Relevance - the US authorities to consider: As the complainant has also correctly pointed out, the intelligence services of the USA certain online identifiers (such as the IP address or unique identification numbers) as s Starting point for monitoring individuals. In particular, it cannot it can be ruled out that these intelligence services have already collected information whose help the data transferred here can be traced back to the person of the complainant. - 32 - The fact that this is not just a "theoretical danger" is evident from the judgment of the ECJ of July 16, 2020, C ‑ 311/18, which due to the incompatibility of such methods and Access possibilities of the US authorities with the basic right to data protection according to Art. 8 EU-GRC ultimately also declared the EU-US adequacy decision ("Privacy Shield") to be invalid. This can be seen in particular in the transparency report - cited in the factual findings of the Second Respondent, who proves that there are data requests from US authorities to the Second Respondent comes. Metadata and content data from Second respondents can be requested. It is true that it is not overlooked that it is of course not possible for the respondent to check, whether there is such access by US authorities in individual cases - i.e. per website visitor and what information US authorities already have; but this can be reversed data subjects, such as the complainant, are not accused. So it was ultimately that First Respondent as (then) website operator who - despite the publication of the mentioned judgment of the European Court of Justice of July 16, 2020 - continued to use the Google Analytics tool. As a further interim result, it should be noted that the in the Factual findings under C.9. listed information (at least in combination) personal data in accordance with Art. 4 No. 1 GDPR. e) Distribution of roles As already stated, the First Respondent as the website operator has to At the time of the complaint, the decision was made to use the "Google Analytics" tool the website www.XXX.at to implement. Specifically, it has a JavaScript code ("tag") that is made available by the second respondent, inserted in the source text of their website, which causes this JavaScript code to appear in the complainant's browser when visiting the website was executed. In this regard, the Respondent stated that the aforementioned tool is used for the purpose of statistical evaluations of the behavior of website visitors (see opinion of December 16, 2020, question 2). As a result, the Respondent has “purposes and means” in connection with the tool standing data processing, which is why this (at least) as the person responsible within the meaning of Art. 4 Z 7 GDPR is to be considered. As far as the second respondent is concerned, it should be noted that the relevant here The subject of the complaint (only) relates to the data transfer to the second respondent in the USA relates. A possible further data processing of the factual determinations under C.9. cited information (by Google Ireland Limited or the second respondent) is not Subject of the complaint and was therefore not determined in more detail in this direction. - 33 - As for the data processing in connection with the Google Analytics tool, is to state that the Second Respondent only makes this available and also does not Has an influence on whether and to what extent the first respondent benefits from the tool functions Makes use and what specific settings she chooses. Insofar as the second respondent therefore only provides Google Analytics (as a service), takes this has no influence on the "purposes and means" of data processing and is therefore within the meaning of Art. 4 no. 8 GDPR qualify as a processor on a case-by-case basis. These considerations are without prejudice to a further official review procedure in accordance with Art. 58 Para. 1 lit.b GDPR and without prejudice to the data protection role of the second respondent with a view to possible further data processing. D.3. Ruling point 2. b) a) Scope of Chapter V GDPR First of all, it must be checked whether the Respondent complies with Chapter V of the Ordinance is subject to standardized obligations. According to Art. 44 GDPR, any "[...] transmission of personal data that is already processed or after their transmission to a third country or an international organization are to be processed, [...] only permitted if the controller and the processor have the comply with the conditions laid down in this chapter and the other provisions of these Regulation are complied with; this also applies to any further transmission of personal data Data from the relevant third country or the relevant international organization another third country or another international organization. All provisions of this chapter are to be applied to ensure that the level of protection guaranteed by this Ordinance is not undermined for natural persons. " In the “Guidelines 5/2021 on the relationship between the scope of Art. 3 and the Specifications for international data traffic according to Chapter V GDPR "(currently still in public Consultation), the EDPB has identified three cumulative conditions for when a “transmission to a third country or an international organization "within the meaning of Art. 44 GDPR exists (ibid. margin no. 7): - the controller or a processor is subject to the relevant processing of the GDPR; - the person responsible for the processing or the processor ("data exporter") by submitting or otherwise personal data that is the subject of this Processing are, one other person responsible for the processing, one joint Controller or a processor, open ("data importer"); - 34 - - the data importer is located in a third country or is an international organization, regardless of whether this data importer in relation to the processing in question in accordance with Art. 3 of the GDPR is subject or not. The first respondent is based in Austria and was on the subject of the complaint Time for the operation of the website www.XXX.at responsible for data protection. In addition, the Respondent (as the data exporter) has personal data of the The complainant disclosed by proactively using the Google Analytics tool on their website www.XXX.at has implemented and as a direct consequence of this implementation a Data was transferred to the second respondent (to the USA). After all, he has Second respondent in his capacity as a processor (and data importer) Based in the USA. Since all the requirements set out in the EDPB guidelines are met, the First Respondent as data exporter complies with the provisions of Chapter V of the Ordinance. b) Regulations of Chapter V GDPR It is then necessary to check whether the data transmission complies with the requirements of Chapter V GDPR has taken place in the USA. Chapter V of the regulation provides three instruments to achieve what is required by Art. 44 GDPR appropriate level of protection for data transfers to a third country or an international one To ensure organization: - Adequacy decision (Art. 45 GDPR); - Appropriate guarantees (Art. 46 GDPR); - Exceptions for certain cases (Art. 49 GDPR). c) Adequacy decision The ECJ has ruled that the EU-US adequacy decision ("Privacy Shield") - without Maintaining its effect - is invalid (see the judgment of July 16, 2020, C ‑ 311/18 margin no. 201 f). The present data transfer is therefore not covered by Art. 45 GDPR. d) Appropriate guarantees As can be seen from the factual findings, the respondents on August 12, 2020 Standard data protection clauses (hereinafter: SDK) according to Art. 46 Para. 2 lit. c GDPR for the transmission of personal data to the USA ("Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors "). Specifically, on - 35 - at the time of the complaint about those clauses in the version of Implementing decision of the European Commission 2010/87 / EU of February 5, 2010 on Standard contractual clauses for the transmission of personal data to processors in Third countries according to Directive 95/46 / EC of the European Parliament and of the Council, OJ L 2010/39, P. 5. In the aforementioned ruling of July 16, 2020, the ECJ stated that SDK was an instrument for the International data traffic are basically not objectionable, however, the ECJ has also noted that SDKs are by their nature a contract and therefore made up of authorities cannot bind a third country: "Accordingly, there are situations in which the recipient of such a transmission is considering the legal situation and practice in the third country concerned, the necessary data protection is solely based on the Can guarantee on the basis of the standard data protection clauses, but also situations in which the in The provisions contained in these clauses may not be a sufficient means of getting into in practice, the effective protection of personal data transferred to the third country in question Data to ensure. This is the case, for example, if the law of this third country is its authorities Intervention in the rights of the data subjects with regard to this data is permitted ”(ibid. Margin no. 126). A more detailed analysis of the legal situation in the USA (as a third country) can be omitted at this point, as the ECJ already dealt with this in the cited judgment of July 16, 2020 has. He came to the conclusion that the EU-US adequacy decision due to of relevant US law and the implementation of regulatory Monitoring programs - based on Section 702 of FISA and the E.O. 12333 in connection with PPD-28 - no adequate level of protection guaranteed for natural persons (ibid. 180 ff). These considerations can be transferred to the present case. So it is evident that the second respondent as a provider of electronic communication services within the meaning of 50 U.S. Code § 1881 (b) (4) is to qualify and thus the surveillance by US intelligence services subject to 50 U.S. Code Section 1881a ("FISA 702"). Accordingly, the Second Respondent has the Obligation to notify US authorities under 50 U.S. Code § 1881a personal data for To make available. As emerges from the second respondent's "Transparency Report", such inquiries are also regularly made to them by US authorities (cf. https://transparencyreport.google.com/user-data/us-national-security?hl=en, requested on December 22, 2021). If now, however, already the EU-US adequacy decision due to the legal situation in the USA has been declared invalid, it cannot be assumed, on a case-by-case basis, that the (mere) Conclusion of SDK an appropriate level of protection according to Art. 44 GDPR for the subject Data transfer guaranteed. - 36 - Against this background, the ECJ also stated in the cited judgment of July 16, 2020 that "[...] By their nature, standard data protection clauses cannot offer guarantees that go beyond the contractual obligation to ensure compliance with the level of protection required by Union law, go beyond [...] "and it" [...] may be necessary depending on the situation in a particular third country [may] be that the person responsible takes additional measures to ensure compliance with this To ensure the level of protection ”(ibid. Margin no. 133). The present data transfer can therefore not only relate to the between the Standard data protection clauses concluded by respondents in accordance with Article 46 (2) c GDPR supported. e) General information on "additional measures" In his "Recommendations 01/2020 on measures to supplement transmission tools for Guaranteeing the level of protection under Union law for personal data ”is the responsibility of the EDPS stated that in the event that the law of the third country affects the effectiveness of appropriate Guarantees (such as SDK) means that the data exporter will either suspend the data transfer or has to implement additional measures (“supplementary measures”) (ibid. margin no. 28 ff as well as 52). Such "additional measures" within the meaning of the judgment of the European Court of Justice of July 16, 2020, can according to the EDSA recommendations of a contractual, technical or organizational nature (ibid. Margin no. 47): With regard to contractual measures, it is stated that these "[...] the guarantees that the The transmission tool and the relevant legislation in the third country provide, complement and reinforce, as far as the guarantees, taking into account all circumstances of the transmission, do not meet all requirements that are necessary to ensure a level of protection that corresponds to the is essentially equivalent in the EU. Since the contractual measures are by their nature the Third country authorities generally cannot bind them if they are not themselves a contracting party they must be combined with other technical and organizational measures in order to to ensure the required level of data protection. Just because you got one or more of these Having selected and applied measures, this does not necessarily mean that it is systematic it is ensured that the intended transmission meets the requirements of Union law (Guarantee of an essentially equivalent level of protection) is sufficient ”(ibid. Margin no. 93). Regarding organizational measures, it is stated that "[...] are internal strategies, Organizational methods and standards [can] act, those responsible and Apply processors to themselves and impose on data importers in third countries could. […] Depending on the particular circumstances of the transmission and the one carried out Assessment of the legal situation in the third country requires organizational measures to supplement the - 37 - contractual and / or technical measures required to ensure that the protection of the personal data is essentially equivalent to the level of protection guaranteed in the EU is (ibid. margin no.122). With regard to technical measures, it is stated that these are intended to ensure that "[...] the access of the authorities in third countries to the transmitted data the effectiveness of the data set out in Article 46 GDPR does not undermine the appropriate guarantees listed. Even if the government has access to is in accordance with the law of the country of the data importer, these measures are to be considered pull when the authority's access goes beyond what is in a democratic society is a necessary and proportionate measure. These measures aim to Eliminate potentially infringing access by preventing the authorities from to identify data subjects, to develop information about them, to use them in other contexts to determine or to link the transmitted data with other data records held by the authorities, including data on online IDs of the devices, applications, tools and protocols that the data subjects have used in other contexts (ibid. margin no.74). Finally, the EDPS has stated that such “additional measures” can only be considered effective in the sense of the judgment of July 16, 2020 are to be considered, "[...] if and to the extent that the measure is precise the legal protection loopholes that the data exporter closes when examining the legal situation in the third country Has been established. Should the data exporter ultimately not be able to do an essentially to achieve an equivalent level of protection, he may not transmit the personal data "(ibid. 70). Applied to the present case, this means that it must be investigated whether the “additionally Measures taken "by the second respondent in the context of the ECJ ruling of Legal protection gaps identified on June 20, 2020 - i.e. the access and monitoring options from US intelligence services - close. f) "Additional Measures" by the Second Respondent The second respondent now has various measures in addition to completing the SDK implemented (see his statement of April 9, 2021, question 28). With regard to the contractual and organizational measures outlined, it is not apparent to what extent a notification of the data subject about data requests (this should be done on a case-by-case basis be allowed at all), the publication of a transparency report or a “guideline for the Dealing with Government Inquiries ”are effective for the purposes of the above considerations. It is also unclear to what extent the "careful examination of every data access request" is an effective measure, since the European Court of Justice stated in the aforementioned judgment of June 20, 2020 that permissible (i.e. according to - 38 - US law legal) requests from US intelligence services do not interfere with the fundamental right Data protection according to Art. 8 EU-GRC are compatible. If the technical measures are affected, it is also not recognizable - and was on the part of the Respondent also not comprehensibly explained - to what extent the protection of communication between Google services, the protection of data in transit between data centers, the protection of the Communication between users and websites or an "on-site security" the access options actually prevent or prevent from US intelligence services based on US law restrict. Insofar as the second respondent subsequently relies on encryption technologies - such as the Encryption of "data at rest" in the data centers - refers to him again To oppose recommendations 01/2020 of the EDPS. There it is stated that a Data importer (such as the second respondent), the 50 U.S. Code § 1881a ("FISA 702") is subject to, with regard to the imported data in his possession or custody or under his Is in control, has a direct obligation to grant access to, or has a direct obligation to provide access to it to surrender. This obligation can expressly also apply to the cryptographic key without which the data cannot be read (ibid. margin no. 76). As long as the second respondent has the option of accessing data in plain text to access, the technical measures taken cannot be considered effective within the meaning of the considerations above. As a further technical measure, the second respondent adds that to the extent that "[...] Google Analytics data is used to measure personal data by website owners, […] them should be regarded as a pseudonym ”(cf. his statement of April 9, 2021, p. 26). However, this is countered by the convincing view of the German Data Protection Conference, according to which "[...] the fact that the user can be identified using IDs or identifiers no pseudonymization measure i. S. d. GDPR represents. Besides, it is not suitable guarantees for compliance with data protection principles or for safeguarding rights data subjects, if for (re) recognition of the user IP addresses, cookie IDs, advertising IDs, Unique user IDs or other identifiers are used. Because, unlike in cases in which data is pseudonymized in order to disguise or delete the identifying data, IDs or identifiers are used so that the persons concerned can no longer be addressed used to make the individual individuals distinguishable and addressable. One As a result, there is no protective effect. It is therefore not a matter of pseudonymizations i. S. d. Recital 28, which lower the risks for the data subjects and those responsible and the Support processors in compliance with their data protection obligations "(cf. the Guideline from the supervisory authorities for providers of telemedia from March 2019, p. 15). - 39 - In addition, the submission of the second respondent cannot be accepted because the Google Analytics identifier - as stated above - combined with other elements anyway and even in connection with a Google account which is undisputedly attributable to the complainant can be brought. The mentioned "anonymization function of the IP address" is not relevant on a case-by-case basis, because this - as also stated above - was not implemented correctly. Apart from that, the In any case, the IP address is just one of the many “pieces of the puzzle” in the digital footprint of the Complainant. As a further interim result, it should be noted that the “additional Measures "are not effective, since they are the ones in the framework of the judgment of the European Court of Justice of June 20, 2020 identified legal protection gaps - i.e. the access and monitoring options of US Intelligence services - do not close. The data transfer in question is therefore not covered by Art. 46 GDPR. D.4. Ruling point 2. c) a) On Art. 49 GDPR According to the Respondent's own statements, the exemption under Art. 49 GDPR is not relevant for the present data transfer (see the opinion of December 16, 2020). Consent in accordance with Article 49 (1) (a) GDPR was not obtained. For the The data protection authority is also not discernible to what extent another offense under Art. 49 GDPR should be fulfilled. The present data transfer can therefore not be based on Art. 49 GDPR. b) Result As for the relevant data transmission from the Respondent to the Second Respondent (in the USA) does not have an adequate level of protection through an instrument of Chapter V of the regulation was guaranteed, there is a violation of Art. 44 GDPR. The first respondent was (at least) at the time relevant to the complaint - i.e. on the 14th August 2020 - responsible for the operation of the website www.XXX.at. The one relevant here The first respondent is therefore the breach of data protection law against Art. 44 GDPR attributable. It was therefore to be decided according to the ruling. - 40 - D.5. To the remedial powers In the opinion of the data protection authority, the tool Google Analytics (at least in version dated August 14, 2020) can therefore not be used in accordance with the requirements of Chapter V GDPR. Since the responsibility for the operation of the website www.XXX.at during the Complaint procedure (but only after August 14, 2020) to XXX GmbH based in Munich passed and Google Analytics was still implemented at the time of the decision, becomes the data protection authority with regard to the (possible) use of the remedial powers refer the case to the competent German supervisory authority in accordance with Art. 58 (2) GDPR. D.6. Ruling point 3 It must be checked whether the second respondent (as data importer) also complies with the requirements set out in Chapter V of the Regulation is subject to standardized obligations. Based on the above-mentioned guidelines 5/2021 of the EDPB, it should again be stated that a transfer to a third country or an international organization "within the meaning of Art. 44 GDPR only then exists if, among other things, the person responsible for the processing or the processor (data exporter) by submitting or otherwise personal data that is the subject of this Processing are, one other person responsible for the processing, one joint Data controller or a processor (data importer). In the present case, this requirement does not apply to the second respondent, as this (as Data importer) does not disclose the complainant's personal data, but them (only) receives. In other words: The requirements of Chapter V GDPR are from the data exporter, not however, to be observed by the data importer. The complainant's argument that a data transfer necessarily requires a recipient and that the second respondent (at least from technical view) is part of the data transmission. However, it can be countered that the data protection responsibility for a processing operation (from a legal point of view) anyway "Share", so depending on the phase of the processing process, a different degree of Can give responsibility (see EDPB guidelines 7/2020 on the concept of responsible persons and contract processors, margin no. 63 ff with further references). A violation of Art. 44 GDPR by the second respondent is in the opinion of Data protection authority therefore not before. Overall, therefore, a decision had to be made in accordance with the ruling. - 41 - Finally, it should be pointed out that the question of the (possible) violation of Art. 5 ff in conjunction with Art. 28 Para. 3 lit. a and Art. 29 GDPR by the second respondent with another Notification is discussed. R E C H T S M I T T E L B E L E H R U N G You can lodge a written complaint against this notification within four weeks of delivery to the Federal Administrative Court. The complaint is with the data protection authority bring in and must - the name of the contested decision (GZ, subject) - the name of the authority concerned, - the reasons on which the allegation of illegality is based, - the desire as well - the information required to assess whether the complaint has been submitted in good time, contain. The data protection authority has the option to either through within two months The preliminary decision on the complaint to change your decision or the complaint with the files of the Procedure to be submitted to the Federal Administrative Court. The complaint against this decision is subject to a fee. The fixed fee for a the corresponding entry including attachments is 30 euros. The fee is stating the To be paid for the purpose of use to the account of the Austrian tax office. The fee is generally to be transferred electronically using the “tax office payment” function. When The recipient is to indicate the Austrian Tax Office - Special Responsibilities Office or (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore they are Tax number / tax account number 10 999/9102, the tax type "EEE complaint fee", the State the date of the decision as the period and the amount. If the e-banking system of your bank does not have the "tax office payment" function, the eps procedure can be used in FinanzOnline. From an electronic transfer can can only be waived if no e-banking system has been used so far (even if the Taxpayer has an internet connection). Payment must then be made by means of Payment instructions take place, paying attention to the correct allocation. Further information can be obtained from the tax office and in the manual “Electronic payment and reporting for payment of Self-assessment taxes ". - 42 - The fee is paid when the complaint is lodged with the Data Protection Authority by means of a payment receipt or a Proof of a printout that a payment order has been issued. The fee won't or not fully paid, a report is sent to the responsible tax office. Has a timely and admissible complaint to the Federal Administrative Court suspensive effect. The suspensive effect can be excluded in the ruling of the decision have been or have been excluded by a separate decision. December 22, 2021 For the head of the data protection authority: XXX