BVwG - W245 2252208-1/36E and W245 2252221-1/30E
BVwG - W245 2252208-1/36E & W245 2252221-1/30E | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 44 GDPR Article 46(2)(c) GDPR |
Decided: | 12.05.2023 |
Published: | 12.05.2023 |
Parties: | Österreichischen Datenschutzbehörde (Austrian data protection authority) Google LLC |
National Case Number/Name: | W245 2252208-1/36E & W245 2252221-1/30E |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | German |
Original Source: | Bundesverwaltungsgericht Republik Österreich (in German) |
Initial Contributor: | Norman Aasma |
In the latest installment of the "data transfer saga", the use of Google Analytics by an Austrian website was declared unlawful by the Austrian Federal Administrative Court. However, Chapter V of the GDPR does not apply to Google, the data importer.
English Summary
Facts
This case concerns two actions brought against a 2021 decision of the Austrian DPA (Datenschutzbehörde - DSB). The decision originally stemmed from a complaint filed by the NGO noyb, following the CJEU judgement in case C-311/18 ("Schrems II").
The Austrian DPA found that the use of Google Analytics by an Austrian website led to the transfer of personal data to the US in violation of Chapter V of the GDPR. At the same time, the supervisory authority ruled that Chapter V of the GDPR sets out obligations only for the data exporter - in the present case, the Austrian website - and not the data importer - Google LLC.
Google LLC appealed the decision. Google stated that transfers were lawful as they relied on Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR. It also claimed to have adopted a "risk-based approach" to the transfers, by implementing technical and organisational measures aiming at mitigating the risks to Europeans' data protection rights.
The data subject also appealed the decision, arguing that Chapter V of the GDPR applies to data importers, too.
Holding
In addressing the controller's appeal, the court confirmed that the data transfer to Google LLC was unlawful.
Referring to the CJEU judgement in case C-311/18, the court held that SCCs can be considered effective only as long as - on their own or in combination with additional technical and organisational measures - they are able to compensate for the risks taken by a data exporter when transferring data to third countries. If the data exporter is not able to meet these requirements, data transfers are unlawful and shall not take place.
With regard to the present case, the court found that even though Google had implemented certain organisational and technical measures, these were not sufficient to prevent US intelligence agencies from accessing Europeans' personal data. As a matter of fact, Google's own report indicated that the number of requests made by such agencies was actually very high.
Assessing Google's organisational measures, the court noted that a contractual obligation to inform the data exporter about an access request by a public authority was not sufficient to address the risks to data subjects' fundamental rights. In case of emergency, US law enables public authorities to order the controller not to share with third parties information about the disclosure. In addition, and above all, Europeans have no effective legal remedy against unlawful disclosure. The publication of a transparency report by Google did not solve the issue, either.
As far as technical measures were concerned, the court stressed that encryption was not an effective tool. Under US law, Google is obliged to provide the requesting authority not only with the data transferred, but also with the encryption keys to decipher them.
More generally, the court explicitly clarified that Chapter V of the GDPR is incompatible with the "risk-based approach" envisaged by Google. As a matter of fact, a "business-friendly interpretation" of the GDPR did not play any role in C-311/18 and was thus inadmissible.
However, the court also dismissed the data subject's appeal. The court upheld the Austrian DPA's argument that Chapter V of the GDPR applies only to the data exporter, and not to the data importer.
Comment
The data subject expressed their willingness to appeal the decision before the Austrian Supreme Administrative Court.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address: Erdbergstrasse 192 – 196, 1030 Vienna. Phone: +43 1 601 49-0. Fax: +43 1 711 23-889 15 41. Email: einlaufstelle@bvwg.gv.at. www.bvwg.gv.at
Decision date: 05/12/2023
Business number: W245 2252208-1/36E, W245 2252221-1/30E
Written copy of the verbal decision announced on March 31, 2023
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through Mag. Bernhard SCHILDBERGER, LL.M. as chairperson and Mag. Viktoria HAIDINGER and Mag. Thomas GSCHAAR as competent lay judges, on the complaints of XXXX, represented by XXXX, and XXXX, represented by Baker & McKenzie Rechtsanwälte LLP & Co KG, Schottenring 25, 1010 Vienna, against the partial decision of the Austrian data protection authority of December 22nd, 2021, GZ 2021-0.586.257 (DSB-D155.027), concerning the violation of the general principles of data transmission in accordance with Art. 44 GDPR, after carrying out an oral hearing, rightly recognised:
a) I. XXXX's complaint against point 2 of the disputed partial decision is rejected. II. The revision is permissible according to Art. 133 Para. 4 B-VG.
b) I. XXXX's complaint against point 3 of the disputed partial decision is rejected. II. The revision is permissible according to Art. 133 Para. 4 B-VG.
Reasons for decision:
Subject of the proceedings: Complainant XXXX (hereinafter also "BF1") visited the website XXXX of the involved party XXXX (hereinafter also "MB") on August 14, 2020. The web analysis service XXXX Analytics of complainant XXXX (hereinafter also "BF2") was embedded on the MB website. With the embedded web analysis service, personal data of the BF1 were transferred to a third country. The present decision addresses the question of whether the processing at issue led to a violation of the general principles of data transmission in accordance with Art. 44 GDPR.
I. Procedure:
I.1. With a submission dated August 18, 2020, the BF1 lodged a complaint against the BF2 and the MB (VWA ./01, see point II.2).
The reason given by the BF1 was that on August 14, 2020, at 10:45 a.m., the website of the MB visited XXXX. While visiting the MB website, the BF1 was on a XXXX - account was logged in. This account is linked to the email address of BF1 (XXXX been. The MB has on its website the HTML code for XXXX services (including XXXX -Analytics) embedded. During the visit to the MB website, the BF1 received personal data from the BF1 (at least the IP address of the BF1 and cookie data) processed. Apparently these are been transmitted to the BF2 (VWA ./04). According to point 10 of the order data processing conditions, the MB agreed that the BF2 personal data of the BF1 in the United States of America or in another country where XXXX or XXXX sub-processors have facilities maintain, store and process. Such a transfer of personal data of the BF1 from the MB to the BF2 require a legal basis according to Art. 44 ff GDPR. After the European Court of Justice declared the "EU-US Privacy Shield" with the decision of 16.07.2020, C-311/18 (Schrems II) declared invalid, the MB could Data transmission to the BF2 in the United States is no longer limited to one Support adequacy decision according to Art. 45 GDPR. Nevertheless, the MB and - 3 - the BF2 still had to wait almost four weeks after the judgment for the “EU-US Privacy Shield”. This can be done from point 10.2 of the order data processing conditions for XXXX advertising products, version 01.01.2020 (VWA ./03). In addition, the MB cannot base the data transmission on standard data protection clauses in accordance with Article 46 (2) (c) and (d) GDPR if the third country of destination Union law no adequate protection of the on the basis of Standard data protection clauses guarantee transmitted personal data (ECJ July 16, 2020, C-311/18 (Schrems II), para. 134 f). The ECJ expressly stated that other transfers to entities falling under 50U.S. Code §1881a, not just against the relevant articles in Chapter V GDPR, but also against Art. 
7 and 8 GRC would violate the essence of Art. 47 GRC (ECJ 06.10.2015, C- 362/14 (Schrems), para. 95). Any further transmission therefore violates the fundamental right to privacy and data protection and the right to an effective remedy a fair process. BF2 is a provider of electronic communications services within the meaning of 50 U.S. code § 1881a (b) (49) and as such is subject to supervision by U.S. Intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"): As from the " XXXX " (VWA ./06) and from the transparency report of the BF2 (see XXXX, the BF2 of the US Government pursuant to 50 U.S. Code Section 1881a actively provides personal information. Before Against this background, the MB was unable to adequately protect the personal data of BF1, which are transmitted to BF2. From August 12th, 2020, the MB and the BF2 have agreed on data transmissions to the United States rely on default data protection clauses. This could be point 10.2 of Order data processing conditions for XXXX advertising products, version 08/12/2020, (VWA ./04). However, this procedure ignores the judgment of the European Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II), para. 134 f). Accordingly, the MB obliged to the transfer of personal data to the BF2 in the United states to refrain from. Finally accept the BF2 despite the clear judgment of the European Court of Justice and in violation of Articles 44 to 49 GDPR, data transfers from the EU/EEA under the data protection clauses. In addition, give the BF2 EU/EEA personal data to the US government in violation against Art. 48 GDPR. - 4 - According to Art. 58 Para. 1 GDPR, the BF1 requested that it be determined which personal data from the MB to the BF2 in the United States or to a another third country or an international organization on which Transmission mechanism according to Art. 
44 ff GDPR, the MB supports the data transmission and whether the provisions of the applicable XXXX Analytics Terms of Use and the (new) order data processing conditions for XXXX advertising products Requirements of Art. 28 GDPR in relation to the transfer of personal data fulfill or not. Furthermore, the BF1 applied for this immediately in accordance with Art. 58 (2) lit. d, f and j GDPR Ban or suspension of any data transfer from the MB to the BF2 in the United States imposed and the return of this data to the EU/EEA or a another country that guarantees adequate protection. Finally, the BF1 requested the imposition of an effective, proportionate and deterrent fine against the MB and the BF2. In his complaint to the BA, the BF1 submitted the Terms of Use for XXXX Analytics (VWA ./02, see point II.2), the order data processing conditions for XXXX advertising products, Version 01.01.2020 (VWA ./03, see point II.2), the order data processing conditions for XXXX advertising products, version 08/12/2020 (VWA./04, see point II.2), the HAR data of the Website visit (VWA ./05, see point II.2), the XXXX (VWA ./06, see point II.2) and a certificate of representation (VWA ./07, see point II.2). I.2. As a result, the BA continued the procedure until the responsible person was determined supervisory authority and until the decision of the lead supervisory authority or the European data protection committee with decision of 02.10.2020, Zl2020-0.527.385 (DSB- D155.027) from (VWA ./08 and ./09, see point II.2). Furthermore, the bB called for the MB Opinion on (VWA ./10, see point II.2). I.3. In the statement of December 16, 2020, the MB stated (VWA ./11, see point II.2) that she herself decided to edit the program code for XXXX -Analytics (hereinafter also called "tool") on your XXXX. The tool is used to to enable statistical evaluations of the behavior of website visitors (see Point II.1.8) to organize the content of the website according to general topic interests to adjust. 
Since the evaluation is carried out anonymously, the tool cannot be used to adapt the content to the specific website user. Based on the website usage and article views of anonymous users, the MB receives an aggregated statistical evaluation. Since no personal reference is necessary for the general user statistics and the purpose already mentioned, the MB deliberately decided to embed the anonymous version. From the still embedded code it can be seen that the function "anonymizeIp" was set to "true". Therefore, the tool only processes anonymous data. In the case of user IP addresses of the IPv4 type, the last octet, and in the case of IPv6 addresses the last 80 of the 128 bits, are set to zero in memory. This takes place before the data is saved or transmitted. Therefore, access to personal data by BF2 in the United States is not possible. In addition to anonymized IP addresses, the tool processes the user agent string. The user agent string is used to tell the server which system specification the user is using to access the server. Without personal reference, only the device, the operating system, the operating system version, the browser, the browser version and the device type would be displayed. Since this information, lacking a personal IP address or any other identifiers, cannot be assigned to an identifiable user, no personal data would be present. Since the anonymization already takes place in the working memory of the respective website user, no processing takes place on servers of BF2 and therefore not in a third country outside the EU. The anonymization of the IP address takes place even before the cookie is finally set. Only from this point in time would the statistical information about the website usage be collected via the respective, now anonymous, cookie. The evaluations would accordingly only be carried out with the anonymous data and could therefore not be assigned to any person.
on the the process presented – namely the collection and evaluation of merely anonymous data and information - would find neither the GDPR nor the DSG due to the lack of personal reference Application. Accordingly, the consent of a website user is not required. The concrete anonymization process initially accesses the IP address in order to access it immediately anonymize. However, this required initial recording of the IP address takes place regardless of the use of XXXX -Analytics and be always for the functionality is mandatory. This survey is not for the purpose of the MB (see point II.1.8), but inevitably with every website that can be called up on the Internet. This takes place, as with any other website, on the basis of legitimate interest Operation of a functioning, user-friendly and secure website in accordance with Art. 6 para. 1 lit. f GDPR. - 6 - The BF2 process the data on behalf of and on the instructions of the MB. The MB take the role of the person responsible, BF2 assumes the role of processor. The MB have extensive decision-making power over the means of processing. You decide initially about whether she wants to embed the tool at all and she also has the option to Adjusting the tool to determine the needs and purposes of processing or change as needed. Furthermore, the MB determines the storage period (26 months) as well as the fate of the data after the termination of the contract. To secure any future The MB therefore concluded an order data processing agreement with BF2 (see VWA ./16). According to the judgment of the European Court of Justice of July 16, 2020, C-311/18 (Schrems II). the MB checked the settings of the tool and made sure that the so far data protection-friendly implementation by anonymizing the IP addresses is active. Therefore, the judgment of the ECJ is not on the contractual relationship between the MB and the BF2 applicable. 
In order, however, also for any provision of personal data To take data to the BF2 precautions, the MB with the BF2 have one as a precaution Processor agreement concluded on August 12th, 2020 (see VWA ./16) and Standard safeguard clauses included (see VWA ./22). With regard to the The MB did not carry out a proactive review of standard safeguard clauses. This because due to the transmission of anonymized IP addresses, a transmission of personal data is not successful. Finally, arising from the processing of anonymous data, which are subsequently only evaluated for general statistics, no risks. BF2 also took further technical and organizational measures (no Backdoor access for authorities, information obligations of BF2 towards those responsible, when a request from a competent authority arrives, publication of transparency reports, examination of requests for information and appeals) to a high level To provide a level of data protection for the data processed via the tool. In its statement (VWA ./11) to the BA, the MB submitted reports from the tool (VWA ./12, see point II.2), information on IP anonymization (VWA ./13, see point II.2), Screenshot of the set storage period (VWA ./14, see point II.2), list of Server locations (VWA ./15, see point II.2), order data processing conditions for XXXX advertising products, version 08/16/2020 (VWA ./16, see point II.2), Order data processing conditions for XXXX advertising products, version 08/12/2020 (VWA ./17, see point II.2), order data processing conditions for XXXX - 7 - Advertising products, version 01.01.2020 (VWA ./18, see point II.2), comparison version AVV dated 01/01/2020 vs 08/12/2020 (VWA./19, see point II.2), comparison version AVV from 08/12/2020 vs 08/16/2020 (VWA ./20, see point II.2), screenshot for settings (VWA ./21, see Point II.2), standard data protection clauses (VWA ./22, see point II.2), information on Safety measures (VWA ./23, see point II.2) and a processing sheet for XXXX Analytics (VWA ./24, 
see point II.2) at.
I.4. At the request of the bB of January 22, 2021 (VWA ./25, see point II.2), the BF1 subsequently submitted an opinion (VWA ./26, see point II.2). In it he explained that, although the function "anonymizeIP" was set to "true" in the code, this did not result in his anonymized IP address being transmitted. This is technically impossible for data transfers on the World Wide Web. Referring to statements by BF2, BF1 stated that the IP address is anonymized or masked only after it enters the Analytics data collection network, before being stored or processed. In addition, the BF1 pointed out that at the time of the website visit he was logged in to his private XXXX account and that cookie data (_ga, __gads, _gid, _gat, _gat_UA-259349-11, _gat_UA-259349-1) were also transferred. As a result, contrary to the statements of the MB, it is clear that personal data (such as cookies and IP addresses) were processed and transmitted to BF2 in the United States. In addition, with a processor in a third country, there is a breach of anonymization not enforceable or ascertainable of the European Court of Justice (ECJ 19.10.2016, C-582/14 (Breyer)) at least by one assignability to a specific natural person. In order to prevent a violation of Art. 44 ff GDPR, a complete removal of the tool is necessary, and a change to another tool that does not require data transfers to the USA is to be recommended. Insofar as the MB is convinced that no personal data would be processed, concluding order processing conditions is contradictory. The fact that the MB, to be on the safe side, concluded standard data protection clauses with the BF2 also indicates that it itself assumes that data will be transferred to the USA. The processing directory (VWA ./24) submitted by the MB also indicates that personal data would be transmitted to BF2.
Contrary to statements by the MB, the sole purpose of collecting the IP address is not carrying out the transmission of a message over a communications network, rather, it is also collected for the use of XXXX analytics. As a result of possible data tapping by US secret services can still be assumed that interests or - 8 - Fundamental rights and freedoms of data subjects requiring protection require personal data prevail. Like the European Court of Justice stated that the existing system of access options from US Secret services on personal data of EU citizens with Art. 7, 8 and 47 GRC incompatible (ECJ July 16, 2020, C-311/18 (Schrems II)). In its statement (VWA./26), the BF1 placed the attachments of third-party partners in the cookie banner MB (VWA ./27, see point II.2), contacts from XXXX with US server (VWA ./28, see point II.2), and contacts of XXXX with US server, reference to fingerprint technology (VWA ./29, see point II.2) at. I.5. In a letter dated February 26, 2021, the BA asked the BF2 to comment (VWA ./30, see point II.2). With the submission of April 9th, 2021, the BF2 complied with this request (VWA ./31, see point II.2). In its statement, the BF2 describes, among other things, the Web analysis service XXXX -Analytics (see point II.1.3.3), the implementation and the Functionality of XXXX -Analytics (see point II.1.5), the embedding of the program code for XXXX analytics on a website (see point II.1.6), the legal basis for use of XXXX -Analytics (see point II.1.7), the measures which, according to the judgment of European Court of Justice of July 16, 2020 in case C-311/18 (see point II.1.9), the additional measures that come with the introduction of the standard contractual clauses have been set (see point II.1.10) and the effects if a user of a XXXX account visits a website that uses XXXX analytics. I.6. The entry of the BF2 (VWA ./32) transmitted the bB within the scope of the hearing of the parties MB and the BF1 for comments. I.7. 
With a statement of May 4th, 2021 (VWA ./33, see point II.2), the MB stated that they only use the free version of XXXX Analytics. Both the Order data processing conditions (terms of use) as well as the Standard Contractual Clauses (SDK) have been agreed. The BF2 will only as Contract processor used. The instructions are given by the MB about the settings of XXXX -Analytics user interface and via the global website tag. It is the data release Setting has not been activated. The code is embedded with the anonymization function been. XXXX signals are also not used. The MB does not have its own authentication system and also do not use user ID function. Currently support does not refer to the exception rule of Art. 49 Para. 1 GDPR. I.8. With a statement dated May 5th, 2021 (VWA ./34, see point II.2), the BF1 stated that XXXX is not a party to the proceedings and is the sole object of the appeal with regard to BF2, - 9 - that the transmission and receipt of the data Art. 44 ff DSGVO is pursued or the thereafter unlawful processing in the United States. According to Art. 44 GDPR "Responsible persons and processors" would have to comply with Chapter V GDPR retain. As a processor, BF2 is the norm addressee of Chapter V GDPR. The bB be directly responsible for BF2, which violated Art. 44 ff GDPR. Regarding The GDPR is applicable to the processing carried out by BF2, since the factual Scope of application according to Art. 2 Para. 1 and the geographical scope according to Art. 3 paragraph 2 lit. b leg.cit. be fulfilled. With reference to the opinion of BF2 (VWA ./31, see point I.5), BF1 stated that the data transmission to BF2 in the United States and the personal reference of transmitted data is undisputed. The BF2 put out of dispute that all through XXXX - Analytics collected would be hosted in the United States. 
According to the explanations of the BF1, the MB and the BF2 themselves would assume that that there is a processing of personal data, including their transmission in a third country, otherwise a contract data processing contract will be concluded including standard contractual clauses would be completely meaningless. Also state the BF2 itself, that based on a "user ID" ("user identifer") a data subject for the purpose of deletion can be identified. There is thus the possibility of Identifiability within the meaning of Art.4 Para.1 GDPR. Furthermore, the BF itself states that XXXX -Analytics unique identifiers associated with a specific user use. As far as the BF2 explain that the data transmitted to her sometimes only "Pseudonymous data" would be, on the one hand this is factually wrong and on the other hand it is closed note that even pseudonymised data (Art. 4 Para. 5 GDPR) from the term personal data are recorded in accordance with Art. 4 Para. 1 GDPR. It is undeniable that the MB and the BF2 process personal data and in the United States had submitted. At least some of the ones on the occasion of Cookies set on the website visit on August 14, 2020 would be unique user Identification numbers included. In the transaction between the browser of the BF1 and https://tracking. XXXX , which was started on the specified date, are the user Identification numbers _gads, _ga and _gid have been set. These numbers are in sequence at https://www. XXXX -analytics.com/ has been transmitted. It's about the numbers to online identifiers that serve to identify natural persons and a Users would be specifically assigned (see also point II.1.3). In terms of IP address, it should be noted that Chapter V GDPR no exceptions for subsequent provide for anonymized data. It can be assumed that the IP address of the BF1 is not - 10 - was once made anonymous in all transactions. The application for the imposition of a Fine will be withdrawn, this is now a suggestion. 
The additional measures put forward by the BF2 (see point II.1.10) are irrelevant. In this regard, the European Court of Justice found the following elements of the US Legislation than with the European fundamental rights according to Art. 7, 8 and 47 EU Charter of Fundamental Rights (GRC) considered incompatible (ECJ July 16, 2020, C-311/18 (Schrems II), para 175 ff): The lack of any legal protection before US courts under Art. 47 GRC; the lack any precise legal basis for monitoring, specifying the scope and scope of the encroachment on fundamental rights itself and the requirement of proportionality is sufficient; the lack of any individual ex ante decision of a court, but the sole review of a surveillance system as a whole and that Absence of any subsequent judicial control and finally the lack of any Legal Protection for "Non-US Persons". Against this background, the additional Measures (see point II.1.10) not suitable by the European Court of Justice solve the problems presented. With comprehensive justification, the BF1 explained that no of the supposed "additional measures" above the normal standard of the Data processing pursuant to Art. 32 GDPR goes beyond or is relevant with regard to U.S. Government data access pursuant to 50 U.S. Code § 1881a and/or EO 12.333. In its statement (VWA ./34), the BF1 included the enclosures "XXXX -Analytics Cookie, Use on website" (VWA ./35, see point II.2), "How XXXX uses cookies" (VWA ./36, see point II.2), and "Measurement Protocol Parameter Reference" (VWA ./37, see Point II.2) at. I.9. As a result, the bB asked the parties to the procedure to submit a new statement (VWA ./38, ./39 and ./40, see point II.2). With an e-mail dated May 12, 2021, BF2 applied for one Extension of the period for comments (VWA ./41, see point II.2), which subsequently was granted by the BA (VWA ./42, see point II.2). I.10. 
In its statement of June 10, 2021 (VWA ./43, see point II.2), BF2 stated that the BF1's legitimacy to act had not been established because it had not been proven that the data transmitted was personal data of BF1. In order to be able to qualify the data (cookies, IP address) as personal data of the BF1, he would have to be identifiable on the basis of this data. With regard to the _gid and cid numbers, it should be noted that these are first-party cookies, which were set under the domain XXXX. They are therefore not cookies of BF2, but cookies of the website owner, and the cookie values are different for each user on each website. The BF1 stated that the numbers "_gid" and "cid" were transmitted to https://www. XXXX -analytics.com/. "_gid" has the value 1284433117.1597223478 and cid is 929316258.1597394734. To assess the legitimacy to act, it must therefore be determined whether these numbers (values) make the BF1 identifiable. Considering that a single user may have different cid numbers for different websites and the cid numbers are randomly generated, such a cid number cannot in itself identify a user. The number 929316258.1597394734 simply does not identify the BF1. The BF1 does not claim that subsequent visits to the site took place, let alone that data in connection with such subsequent visits to the website was recorded in connection with the cid 929316258.1597394734. There were no circumstances on the basis of which one could argue that information collected in connection with the cid number 929316258.1597394734 would make the BF1 identifiable. These statements essentially also apply to the _gid numbers. With regard to the IP address, it should be checked whether the IP address of the Internet-connected device is actually assigned to the BF1 and whether the person responsible or another person has the legal means to obtain subscriber information from the relevant internet access provider.
Even if it were determined that the MB or another person theoretically such legal means within the meaning of recital 26 have to Subscriber information related to the B1 from the internet access provider received, it must also be determined whether, within the meaning of recital 26 GDPR reasonably likely that these means will be used would. In general, it is not likely that the MB or any other Person within the meaning of recital 26 legal means (if such available to them standing) would use. In particular in the situation at issue, it would be generally unlikely that such legal means will be used would to identify any visitor to a website like the BF1 if one considers the objective factors, such as the cost and time required for such means identification (see recital 26). As a processor, BF2 provides the website operator with numerous XXXX -Analytics configuration options are available. The Anonymization function is according to the declarations of the MB from December 16th, 2020 (VWA - 12 - ./11) and 05/04/2021 (VWA ./33) have been configured. However, due to a possible Due to a configuration error on the part of the MB, the anonymization function does not work in all cases been activated. Under normal operating conditions and as far as users based in the EU are concerned, there is a web server in the EEA, which is why the IP anonymization is always within of the EEA. In the present case, normal operating conditions existed. On August 14, 2020, the XXXX account of the BF1 ( XXXX ) has the Web & App activity setting enabled. However, the account has not chosen activities of Include websites using XXXX services. Since the MB according to its own information also XXXX signal, the BF2 is not (was) able to determine that the user of the XXXX account XXXX visited the XXXX. 
With regard to international data traffic, it should be noted that even under the Assumption that the complainant's personal data is concerned, this are limited by their nature in terms of quantity and quality data are to be qualified as personal data at all, it would also be trade pseudonymous data. Standard contractual clauses were concluded with the MB, in addition additional measures have been implemented. The BF2 does not store user data according to EO 12333 open. FISA § 702 is in the present case given the encryption and the Anonymization of IP addresses irrelevant. Art. 44ff GDPR could not be the subject of a complaints procedure according to Art. 77 para. 1 GDPR, which is why the complaint should be rejected. Finally, Art. 44 et seq. GDPR are also relevant with regard to BF2 as a data importer not applicable. I.11. The BF2 was entered by the bB, the BF1 and the MB as part of the heard by the parties (VWA ./44, see point II.2). To that end, the BF1 applied an extension of the period for comments (VWA ./45, see point II.2). Further demanded the bB to announce the MB by letter dated June 16, 2021, whether there are legal there have been changes and legal representation still exists (VWA ./46, see point II.2). I.12. With a statement dated June 18, 2021, the MB announced the change in its company name and the Transfer of the website to another legal entity (see point II.1.2, as well as VWA ./47, see point II.2). - 13 - I.13.With a further statement of June 18, 2021 (VWA ./48, see point II.2). led the MB assumes that the intended IP anonymization was not due to a programming error had been activated. Due to the change made, now for all XXXX - Analytics Properties activated IP anonymization on the XXXX website (VWA ./50, see Point II.2). As a result, BF2 was instructed to use all of the XXXX -Analytics- Properties collected data immediately delete. The BF2 have the deletion meanwhile confirmed (VWA ./49, ./52 and ./53 see point II.2). 
Due to the deletion carried out, neither the MB nor the BF2 processes data of the BF1. The informal termination of the proceedings in accordance with Section 24 (6) DSG is therefore suggested. The MB's statement was forwarded to the BF1 for information (VWA ./51, see point II.2).

I.14. In its submission of July 9th, 2021 (VWA ./54, see point II.2), the BF2 stated that the adequacy assessment under Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0, of the European Data Protection Board ("EDPB Recommendations") is not limited to examining the legislation of the third country. All specific circumstances of the transfer in question must also be taken into account. In the present case, due to their limited nature and low sensitivity, the personal data processed are to be treated differently from the data that were the subject of the Schrems I and Schrems II judgments. This is relevant to the case at hand.

The European Data Protection Board thus recommends a risk-based approach. The actual probability of access to the data by authorities is also a relevant factor for the adequacy assessment. Even where problematic legislation exists, the data transfer may continue (even without implementing additional measures) if the exporter has no reason to believe that the problematic legislation could be interpreted and/or applied in practice in such a way that it covers the transferred data and the specific data importer. In addition, the assessment is no longer based exclusively on the legislation of the third country, but also on the question of whether or not it is applied in practice. For example, the white paper "Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II" states that most companies operating in the EU do not process data that are of interest to US intelligence services.

Where a data exporter transfers personal data in such a way that they can no longer be attributed to a specific data subject without being combined with other data, the pseudonymization carried out is, according to the EDPB Recommendations, an effective supplementary measure. It is not to be expected that US authorities have additional information that would allow them to identify the data subjects behind the first-party cookie values _gid and cid or behind an IP address. Finally, the BF1 did not apply for a finding that his rights had been infringed in the past.

I.15. In his statement of 09.07.2021 (VWA ./55, see point II.2), the BF1 stated that personal data are being processed. This has been evidenced by the documents submitted (VWA ./5 and VWA ./34, point 5.3). Contract documents (data processing terms or standard data protection clauses) do not in themselves create a reference to a person, but these documents are an important indication that both the BF2 and the MB assume such a reference. The BF2 itself also assumes this in respect of the BF1. If the identification of a website visitor ultimately depends only on whether he makes a certain declaration of intent in his XXXX account (such as activating "Ad personalisation"), then all possibilities of identification exist for the BF2. Otherwise, the BF2 could not comply with a user's wishes, expressed in the account settings, for "personalization" of the advertising information received.

The universally unique identifier (UUID) in the _gid cookie with the UNIX timestamp 1597223478 was set on Wednesday 12 August 2020 at 11:11 and 18 seconds CET, the one in the cid cookie with the UNIX timestamp 1597394734 on Friday 14 August 2020 at 10:45 and 34 seconds CET.
It follows that these cookies were already in use before the visit that is the subject of the complaint and that longer-term tracking has also taken place. To his knowledge, the BF1 did not delete these cookies immediately and also visited the website XXXX repeatedly.

The BF2 misjudges the GDPR's broad understanding when assessing whether personal data exist. The specific IP address used can also no longer be determined by the BF1. However, this is irrelevant, since the UUIDs in the cookies establish a clear reference to a person in any case. Specifically, the combination of cookie data and IP address allows tracking and the evaluation of the geographic location, internet connection and context of the visitor, which can be linked to the cookie data already described. This would also include data such as the browser used, the screen resolution or the operating system ("device fingerprinting").

In the context of the complaint, it is more relevant that US authorities would use data that are easily ascertainable for intelligence services, such as the IP address, as a starting point for the surveillance of individuals. It is standard procedure for intelligence services to "work their way" from one data point to the next. If, for example, the BF1's computer repeatedly appears on the Internet via the IP address of XXXX, this can be used to spy on the work of the XXXX association and to target the BF1. In a further step, other identifiers would then be searched for in the data, such as the UUIDs mentioned, which in turn allow the individual person to be identified for surveillance in other places. In this context, the US intelligence services are thus an "other person" within the meaning of Recital 26 GDPR. The BF1 not only works for XXXX, but also has a relevant role as a model complainant in these efforts.
Thus, under US law, surveillance of the BF1 under 50 USC § 1881a (as well as of all other persons entrusted with this complaint) is legally possible at any time. Even applying the supposed "risk-based approach", this case is a prime example of high risk.

The e-mail address XXXX is assigned to the BF1, who bore the surname "XXXX" until his marriage. However, the old XXXX account is still in use. The BF2 has not explained to what extent the undisputed data are linked or evaluated, or whether the result of an evaluation is simply not displayed to the user.

In addition, Chapter V GDPR does not recognize a "risk-based approach". This can only be found in certain articles of the GDPR, such as in Art. 32 leg.cit. The new standard contractual clauses in Implementing Decision (EU) 2021/914 are not relevant to the facts of the case for lack of temporal applicability. A "transfer" is not a unilateral action by a data exporter; every "transfer" also requires a recipient of the data. Accordingly, Chapter V of the GDPR is also applicable to the BF2; it is a joint action by data exporter and importer.

Should the BF2 not have violated Art. 44 ff GDPR, the provisions of Art. 28 Para. 3 lit. a and Art. 29 GDPR are to be taken into account as a "catch-all rule". If the BF2 follows a corresponding instruction from a US intelligence service, it thereby takes the decision to process personal data beyond the specific order of the MB under Art. 28 and Art. 29 GDPR and the corresponding contractual documents. As a result, the BF2 itself becomes the controller in accordance with Art. 28 (10) GDPR. Consequently, the BF2 must also comply with the provisions of Art. 5 et seq. GDPR. A clandestine disclosure of data to US intelligence agencies under US law is without doubt not compatible with Art. 5 Para. 1 lit. f GDPR, Art. 5 Para. 1 lit. a GDPR and Art.

I.16.
After being asked to comment (VWA ./56, see point II.2), the BF2 stated in its submission of August 12, 2021 (VWA ./57, see point II.2) that the BF1 had not demonstrated his legitimacy to lodge a complaint. He had not answered any of the questions raised by the BF2 about the identifiability of his person based on the IP address. Regarding the _gid number and cid number, it should be noted that no directory is available that would make the BF2 identifiable. The fact that Recital 26 GDPR mentions "singling out" as a possible means of identification does not, however, change the understanding of the words "identify", "identification" or "identifiability".

The identifiability of the BF1 requires at least that his identification is possible on the basis of the data in question and with means that are reasonably likely to be used. This has not been established, cannot be assumed and is, on the contrary, improbable, if not impossible. Likewise, the fact that the BF2 has concluded data processing terms does not mean that the data that are the subject of these proceedings are personal data, nor that they are data of the BF1.

The BF1's view that the data transfer is not to be assessed on the basis of a risk-based approach ("all or nothing") cannot be followed. It is not consistent with the GDPR, as can be seen from Recital 20 of Implementing Decision (EU) 2021/914 of the European Commission. This is also apparent from the different versions of the EDPB Recommendations. Even if access to the above-mentioned numbers by US authorities is "legally" possible at any time, it must be examined how likely this is. The BF1 has not provided any convincing arguments as to why or how the "cookie data" related to his visit to a publicly accessible website used by many Austrians, such as the one in question, could become "Foreign Intelligence Information" and thus the target of the purpose-restricted data collection under § 702.

I.17.
With the decision that is the subject of the proceedings (VWA ./59, see point II.2), the bB first, in point 1, set aside the decision of 02.10.2020, Zl 2020-0.527.385 (DSB-D155.027) (see point I.2).

In point 2, the bB upheld the complaint against the MB and found that

(a) the MB, as controller, by implementing the tool "XXXX-Analytics" on its website at XXXX, transferred personal data of the BF1 (these are at least unique user identification numbers, IP address and browser parameters) to the BF2 at least on August 14, 2020,

(b) the standard data protection clauses that the MB concluded with the BF2 do not offer an adequate level of protection under Art. 44 GDPR, since (i) the BF2 qualifies as a provider of electronic communication services within the meaning of 50 U.S. Code § 1881(b)(4) and as such is subject to surveillance by US intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"), and (ii) the measures taken in addition to the standard data protection clauses mentioned in point 2.b) were not effective, as they would not eliminate the surveillance and access possibilities of US intelligence services, and

(c) in the present case no other instrument under Chapter V of the GDPR can be relied on for the data transfer mentioned in point 2.a), and the MB therefore did not ensure an adequate level of protection in accordance with Art. 44 GDPR for the data transfer mentioned in point 2.a).

In point 3, the bB rejected the complaint against the BF2 for violation of the general principles of data transfer under Art. 44 GDPR.

In its legal reasoning, the bB first dealt with its competence and its competence to make findings (see point II.3.4). It also described Art. 44 GDPR as a subjective right (see point II.3.4). In connection with point 2, the bB stated that the transferred data (see point II.1.3 or II.1.3.1) are, at least in combination, personal data under Art. 4 Z 1 GDPR.
Regarding the lack of an adequate level of protection under Art. 44 GDPR, the bB stated that the European Court of Justice had declared the "EU-US Privacy Shield" invalid in its decision of July 16, 2020, C-311/18 (Schrems II). Nor could the data transfer at issue be based solely on the standard data protection clauses concluded between the MB and the BF2 under Article 46 (2) (c) GDPR. The additional measures identified by the BF2 were also not suitable for closing the gaps in legal protection identified in the judgment, namely inappropriate access and surveillance capabilities of US intelligence services and insufficiently effective legal remedies for those affected.

The bB justified the rejection in point 3 on the ground that the requirements of Art. 44 GDPR do not apply to the BF2. The BF2 does not disclose the personal data of the BF1, but only receives them. The requirements of Chapter V GDPR are to be complied with by the data exporter and not also by a data importer (in a third country).

The decision was served on the BF1 on January 12th, 2022, and on the BF2 and the MB on January 13th. Against point 3 of the decision, the BF1 lodged a complaint on February 7th, 2022 (see point I.20). On February 9th, 2022, the BF2 lodged a complaint against point 2 of the decision (see point I.17I.18). The MB did not lodge a complaint.

I.18. In its complaint (VWA ./62, see point II.2), the BF2 first set out the grounds for its right to complain. Furthermore, the BF2 stated that there is no separability under § 59 paragraph 1 AVG between the subject matter of the contested partial decision and the subject matter of the planned second partial decision. There is also a violation of a data subject's right. In addition, a finding of alleged infringements lying in the past cannot be made. Nor does a class action entitlement under Art. 80 Para. 2 GDPR exist. Contrary to the view of the bB, the data at issue in the proceedings are not personal data within the meaning of the GDPR.
The BF2 explained that the processed data do not relate to a natural person. According to the case law of the European Court of Justice (ECJ December 20, 2017, C-434/16 (Nowak), para. 35), there is neither a content element, a purpose element nor a result element. Furthermore, no natural person is identifiable. A specific person cannot be identified from the specified IP address, the XXXX-specific random numbers, the browser parameters and the page data obtained. Nor is identification possible from a combination of these data. Furthermore, the BF2 has no technical means of identifying the BF1 via his XXXX account.

The BF2 also emphasized a risk-based approach. Even if the data at issue in the proceedings were assumed to relate to a person, then, taking into account the low threshold of the transferred data and the very low baseline risk, the inapplicability of and the fact that FISA 702 has no practical application anyway, there is no disclosure of data under EO 12.333. Since extensive supplementary measures had been implemented, an adequate level of protection for the data transfer at issue is more than ensured, and the transfer is permissible under Art. 44 ff GDPR.

With its complaint, the BF2 enclosed the documents Cookies and user identification (VWA ./63, see point II.2), Linker (VWA ./64, see point II.2), Report from XXXX (VWA ./65, see point II.2) and New EU-US data transfer framework (VWA ./66, see point II.2).

I.19. In its statement (VWA ./67, see point II.2) made when submitting the file, the bB argued that the BF2 had no legitimacy to lodge a complaint, since the product XXXX-Analytics has been offered by XXXX since the end of April 2021. The bB also explained that it has competence to make findings in complaint procedures concerning alleged violations of the DSG or the GDPR. Furthermore, the bB stated that the BF2 itself obviously assumes that personal data are involved.
This can be seen from the fact that the BF2 has undisputedly concluded with the MB a processor agreement in accordance with Art. 28 Para. 2 GDPR and standard data protection clauses in accordance with Art. 46 Para. 2 lit. c GDPR. The BF2 stated that a website operator concludes standard data protection clauses with the BF2 in all cases (VWA ./31, page 3). The BF2 itself also declares that online identifiers are personal data (see point II.1.3.6).

Irrespective of these declarations or the conduct of the BF2, personal data are present in the case at issue, taking into account the case law of the European Court of Justice and the statements of the European Data Protection Supervisor (VWA ./68). In the present case, an attribution can also be made via the IP address. In addition, a combination with browser information is also possible. In this context, the bB referred to the definition of "fingerprinting": this is a process by which an observer identifies a device or application instance with sufficient probability on the basis of multiple pieces of information.

Finally, the bB extensively refuted the risk-based approach put forward by the BF2 and pointed out that economic interests played no role in the decision of the European Court of Justice of July 16, 2020, C-311/18 (Schrems II). With its statement, the bB submitted a decision of the European Data Protection Supervisor of January 5th, 2022 (VWA ./68, see point II.2), a decision of the LG Munich (VWA ./69, see point II.2), an expert opinion on the current status of US surveillance law (VWA ./70, see point II.2) and essential findings of the report on the current status of US surveillance law (VWA ./71, see point II.2).

I.20. In his complaint (VWA ./60, see point II.2), the BF1 stated that the bB justified the rejection in point 3 with a misinterpretation of the wording of Art. 44 GDPR.
Insofar as the bB justifies its rejection on the ground that the BF2, as recipient of personal data in the third country United States (data importer), does not disclose the data but (only) receives them, the bB overlooks that Art. 44 GDPR does not use the term "disclosure". Art. 44 GDPR uses the term "transfer". The distinction between these terms is decisive: in contrast to a "disclosure", which can also occur without a designated recipient (e.g. by publication on a website), a "transfer" (or a "disclosure by transmission") always requires a recipient and also the recipient's (at least minimal) cooperation. While a "disclosure" is completed with the act of "making available", a "transfer" also requires receipt by the recipient.

From a legal point of view, the design of Chapter V GDPR reflects the technical reality (namely that a transfer on the Internet always requires the interaction of a sender and a receiver). Art. 44 GDPR itself requires "the controller and the processor" in general to comply with the provisions of the chapter, without limiting this to the "controller or processor exporting the data". The safeguards mentioned in Art. 46(2) GDPR also consistently require cooperation between data exporter and data importer and in particular include obligations of the data importer. Here too, both the data exporter and the data importer are rightly obliged to comply with the provisions mentioned, as they jointly transfer data out of the EU into the third country and from the third country to the EU.

It should also be noted that the standard contractual clauses (Implementing Decision of the European Commission 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries under Directive 95/46/EC of the European Parliament and of the Council) give rise to obligations for the data importer.
Clause 3(2) clearly contains a subsidiary obligation of the data importer towards the data subject to comply with clauses 5(a) to (e), 6, 7, 8(2) and 9 to 12 of the standard contractual clauses if the data exporter's company no longer exists in fact or in law and no legal successor has assumed the obligations of the data exporter. If Chapter V GDPR were not also applicable to the data importer, it would be impossible for the data subject to enforce his subjective rights under the standard contractual clauses against the data importer.

I.21. In its statement (VWA ./61, see point II.2) made when submitting the file, the bB stated that it was correct from a technical point of view that a transfer (unlike disclosure to an indefinite group of addressees, e.g. in the form of publication on a website) presupposes a recipient. However, as already stated in the contested decision, different duties and degrees of responsibility can arise from a legal point of view with regard to one processing operation (here: "transfer") (VWA ./59, page 40). In line with the EDPB's "Guidelines 5/2021 on the relationship between the scope of Art. 3 and the provisions on international data traffic in accordance with Chapter V GDPR", the bB assumes that the data importer is not under a legal obligation to comply with the requirements of Art. 44 GDPR.

Finally, it should be noted that corresponding duties naturally also apply to the data importer. Where standard contractual clauses under Art. 46 Paragraph 2 lit. c GDPR have been concluded, a data importer must comply with all contractual obligations agreed between it and its contractual partner. However, these obligations are of a contractual nature. By contrast, (only) the data exporter must comply with the obligations under Art. 44 GDPR, which also includes having a suitable instrument in place, such as the conclusion of standard contractual clauses, to ensure an adequate level of protection.

I.22. With a submission dated July 8th, 2022, the BF2 sent a reply to the complaint of the BF1 (OZ 4 to W245 2252208-1). In it, the BF2 explained in detail that Art. 44 ff GDPR is not applicable to XXXX as a data importer.

I.23. In its statement of January 13, 2022 (OZ 4 to W245 2252208-1), the BF2 repeatedly pointed out that the processing at issue in the proceedings had concerned personal data. In addition, the BF2 explained that a risk-based approach is not to be inferred from Art. 44 ff GDPR. Furthermore, the BF2 explained in more detail that the BF1 as a data importer is directly covered by Chapter V GDPR.

I.24. In a statement dated February 14, 2023 (OZ 15 to W245 2252208-1), the BF2 stated that a binding effect arises on the basis of the asserted statements. In particular, the fact that the operative part found that personal data had been transferred has obvious effects on further proceedings before the bB. The BF2 could not refute this fact in further proceedings. With regard to the reference to a person, the BF2 reiterated that there was none and also submitted two affidavits to prove that the BF2 was not able to prove access to the MB's website via the BF1's XXXX account. It is also legally required to take a risk-based approach into account.

I.25. In preparation for the complaint hearing, the bB (OZ 23 to W245 2252208-1), the BF1 (OZ 24 to W245 2252208-1) and the BF2 (OZ 25 to W245 2252208-1) submitted observations. In these observations, the parties reiterated the positions they had taken so far in the proceedings.

I.26. In the case at hand, the BVwG conducted a public oral hearing, which the BF1 attended in person together with his authorized representative. A representative of the bB and of the BF2 also took part in the hearing.
After the conclusion of the oral hearing, the decision was announced orally. The BF1 and the BF2 requested the BVwG, within the deadline, to issue the orally announced decision in writing.

II. The Federal Administrative Court considered:

II.1. Findings:

The facts relevant to the decision are clear.

II.1.1. About the procedure:

The course of the procedure presented under point I is established and forms the basis of the decision.

II.1.2. About the owner of the website XXXX:

The XXXX transferred the website XXXX to XXXX, Munich, as part of an asset deal with effect from 02/01/2021. The XXXX was then renamed XXXX. Until August 2021, XXXX continued to manage the website XXXX on behalf of and under the direction of XXXX, Munich. In August 2021, the XXXX website was completely transferred to the IT environment of XXXX Munich. After the transfer, XXXX-Analytics is used with a proxy server placed in front of it. This even completely prevents the IP addresses from being transmitted to the BF2.

II.1.3. For the data processing that is the subject of the procedure:

The BF1 visited the MB's website XXXX at least on August 14, 2020, at 10:45 a.m.

In the transaction between the browser of the BF1 and https://tracking.XXXX, unique user identification numbers were set at least in the "_ga" and "_gid" cookies on 14 August 2020 at 12:46:19.344 CET. Subsequently, these identification numbers were transmitted on August 14, 2020 at 12:46:19.948 CET to https://www.XXXX-analytics.com/ and thus to the BF2.

Specifically, the following user identification numbers, which are in the browser of the BF1, were transmitted to the BF2 (same values that occurred in different transactions are shown in italics or marked in orange and green):

Domain | Name | Value | Purpose |
---|---|---|---|
https://tracXXXX. | _ga | GA1.2.1284433117.1597223478 | XXXX Analytics |
https://tracXXXX. | _gid | GA1.2.929316258.1597394734 | XXXX Analytics |
https://tracXXXX. | _gads | ID=d77676ed5b074d05:T=1597223569:S=ALNI_MZcJ9EjC13lsaY1Sn8Qu5ovyKMhPw | XXXX Advertising |
https://wwXXXX-analytics.com/ | gid | 929316258.1597394734 | XXXX Analytics |
https://wwXXXX-analytics.com/ | id | 1284433117.1597223478 | XXXX Analytics |

These identification numbers each contain a leading random number and a trailing UNIX timestamp showing when the respective cookie was set. The identifier in the _gid cookie with the UNIX timestamp "1597394734" was set on Wednesday, August 14, 2020 at 11:11 and 18 seconds CET, the one in the cid cookie with the UNIX timestamp "1597223478" on Friday 12 August 2020 at 10:45 and 34 seconds CET.

With the help of these identification numbers, it is possible for the BF2 to distinguish between website visitors and also to obtain the information whether a visitor to www.XXXX is a new or a returning website visitor. However, an analysis of behaviour across websites on the basis of this identifier is not possible.

In addition, the following information (parameters) about the browser of the BF1 was transmitted to the BF2 in the course of requests to https://www.XXXX-analytics.com/collect (excerpt from the HAR file, request URL https://www.XXXX-analytics.com/collect, request excerpt with timestamp 2020-08-14T10:46:19.924+02:00):

General
Request URL: https://www.XXXX-analytics.com/collect
Request Method: GET
HTTP Version: HTTP/2
Remote Address: XXXX

Headers
Accept: image/webp,*/*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,de;q=0.7,en;q=0.3
Connection: keep-alive
Host: www.XXXX-analytics.com
Referer: https://www.XXXX.at/
TE: Trailers
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0

Query Arguments
_gid: 929316258.1597394734
_s: 1
_u: QACAAEAB~
_v: j83
a: 443943525
cid: 1284433117.1597223478
de: UTF-8
dl: https://www.XXXX.at/
dt: XXXX.at Home - XXXX
ea: /
ec: scroll depth
el: 25
gjid:
gtm: 2wg871PHBM94Q
je: 0
jid:
ni: 0
sd: 24-bit
sr: 1280x1024
t: event
tid: UA-259349-1
ul: en-us
v: 1
vp: 1263x882
z: 1764878454

Size
Headers: 677 bytes
Body: 0 bytes
Total: 677 bytes

From these parameters, conclusions can therefore be drawn about the browser used, the browser settings, the language selection, the website visited, the colour depth, the screen resolution and the AdSense linking number.

The remote address XXXX is that of the BF2.

The IP address of the BF1's device is transmitted to the BF2 as part of the requests to https://www.XXXX-analytics.com/collect. The IP address of the BF1 at issue in the proceedings was transmitted to the BF2.

The BF1 worked in the home office on August 14th, 2020. In the home office, the BF2 uses a screen with a resolution of 1280x1024 (sr value). In addition, a size of 1263x882 is transmitted for the visible part of the web window (vp value).

II.1.3.1. Summary of the information that was transmitted to the BF2 on August 14th, 2020:

As a result of the implementation of the XXXX-Analytics tool, the following information, in summary, was transmitted on 08/14/2020 from the browser of the BF1, who visited the website XXXX, to the servers of the BF2:

- unique online identifiers (unique identifiers) that identify both the browser and the device of the BF1 as well as the MB (through the XXXX-Analytics account ID of the MB as website operator);
- the address and HTML title of the website and of the sub-pages visited by the BF1;
- information about the browser, operating system, screen resolution, language selection and date and time of the website visit;
- the IP address of the device that the BF1 used.

II.1.3.2. For information on the cookies used:

For Universal Analytics, the JavaScript library analytics.js or the JavaScript library gtag.js is used.
In both cases, the libraries use first-party cookies to:

- distinguish unique users and
- throttle the request rate.

When the recommended JavaScript snippet is used, cookies are set at the highest possible domain level. If the website address is, for example, blog.example.co.uk, analytics.js and gtag.js set the cookie domain to .example.co.uk. Setting cookies at the highest possible domain level allows measurement across subdomains without any additional configuration being required.

Note: gtag.js and analytics.js do not require cookies to be set in order to transmit data to XXXX-Analytics.

gtag.js and analytics.js set the following cookies:

Cookie name | Default expiry time | Description |
---|---|---|
_ga | 2 years | Used to distinguish users. |
_gid | 24 hours | Used to distinguish users. |
_gat | 1 minute | Used to throttle request rate. If XXXX Analytics is used via the XXXX Tag Manager, this cookie is named _dc_gtm_<property-id>. |
AMP_TOKEN | 30 seconds to 1 year | Contains a token that can be used to retrieve a client ID from the AMP client ID service. Other possible values indicate opt-out, inflight request, or an error retrieving a client ID from the AMP client ID service. |
_gac_<property-id> | 90 days | Contains campaign-related information for the user. If you have linked your XXXX Analytics and XXXX Ads accounts, the website conversion tags of XXXX Ads read this cookie unless you opt out. |

II.1.3.3. On the link to the BF1's XXXX account:

During the visit to the XXXX website, the BF1 was logged into his XXXX account, which is linked to the email address XXXX. This email address belongs to the BF1.

A XXXX account is a user account used for authentication with various XXXX online services of the BF2. A XXXX account is, for instance, a prerequisite for the use of services such as "XXXX" or "XXXX Drive" (a file hosting service).

On August 14, 2020, the Web & App activity setting was activated in the XXXX account of the BF1 (XXXX).
However, the option to include activities from websites that use XXXX services had not been selected in the BF1's XXXX account.

Contrary to the BF2's own statements, it is technically able to obtain the information that a specific XXXX account user visited the XXXX website (on which XXXX-Analytics is implemented) if this XXXX account user was logged into the XXXX account while visiting the XXXX website.

Metadata from XXXX applications (such as from the XXXX account) that the BF1 used on 08/14/2020 were stored on servers in the United States.

II.1.3.4. On the (non-)anonymized processing of the IP address of the BF1:

The IP anonymization function was implemented incorrectly on the MB's website XXXX. It was thus not ensured that, on August 14, 2020, the IP address was anonymized after transmission of the data to the BF2.

II.1.3.5. Regarding the deleted information:

In the course of the administrative procedure, the MB instructed the BF2 to delete all data collected via the XXXX-Analytics properties for the XXXX website. The BF2 carried out the deletion.

II.1.3.6. For the declaration of personal data by the BF2:

On the page "Data processing terms for XXXX advertising products: Information on the services", the BF2 states that, as part of the order processing service "XXXX Analytics", the data "online identifiers (including cookie identifiers), internet protocol addresses and device identifiers and identifiers assigned by the customer" can be personal data.

II.1.4. About the web analysis service XXXX-Analytics:

XXXX-Analytics is a measurement service that allows customers to measure traffic to properties, including traffic from visitors who visit a website owner's website. Web analytics services are a popular category of services that are offered by several providers and are considered an essential tool for running a website.
Website owners rely on web analytics services like XXXX Analytics to help them understand how website visitors interact with their website and services. XXXX Analytics helps them to create more engaging content and to monitor and maintain the stability of their websites. In addition, website owners can set up dashboards that provide an overview of the reports and metrics that customers care about the most, e.g. monitoring the number of visitors on a website in real time. XXXX Analytics can also help to measure and optimize the effectiveness of advertising campaigns run by website owners on XXXX ad services.

All data collected by XXXX Analytics is hosted (stored and processed) in the United States.

II.1.5. About the implementation and functionality of XXXX Analytics:

The web analytics service XXXX Analytics is embedded as JavaScript code on the website owner's pages. When a user views a page on the website, this JavaScript code references a JavaScript file previously downloaded to the user's device, which then carries out the tracking operation for XXXX Analytics. The tracking operation retrieves data about the page request by various means and sends this information to the analytics servers via a list of parameters attached to a single-pixel GIF image request.

The data that XXXX Analytics collects on behalf of the website owner comes from these sources: the user's HTTP request; browser/system information; first-party cookies.

An HTTP request for each web page contains details about the browser and computer making the request, such as host name, browser type, referrer and language. In addition, the Document Object Model (DOM) of most browsers provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. XXXX Analytics uses this information.
XXXX Analytics also sets and reads first-party cookies in a user's browser, which allow the user session and other information from the page request to be measured.

When all this information has been collected, it is sent to the analytics servers in the form of a long list of parameters attached to a single GIF image request to the domain XXXX-analytics.com. The data contained in the GIF request is the data that is sent to the XXXX Analytics servers, where it is further processed and ends up in the reports of the website owner.

II.1.6. On embedding the program code for XXXX Analytics on the XXXX website of the MB:

Following a decision by MB, the program code for XXXX Analytics was embedded on its website.

By configuring the tags and by activating or deactivating various XXXX Analytics functions through the user interface, MB determined the use of the collected data. For example, MB could specify the retention period for data, instruct that the IP address be anonymized after receipt by BF2, determine who is allowed to receive data, etc.

II.1.7. On the legal basis for the use of XXXX Analytics by the participants:

The use of XXXX Analytics requires a contract. MB and BF2 have concluded an agreement entitled "Order data processing conditions for XXXX advertising products". The version of this contract dated August 12, 2020 (VWA ./18) was valid at least on August 14, 2020. The contract governs the order data processing conditions for XXXX advertising products. It applies to the provision of data processing services and related technical support services for customers (MB) of BF2. MB used the free version of XXXX Analytics.

The web analysis service XXXX Analytics falls within the scope of the "Order data processing conditions for XXXX advertising products".
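The findings above describe each measurement as a list of parameters attached to a request to the analytics domain, and record that IP anonymization was implemented incorrectly on the website. As an added example (not part of the judgment and not code of any party), the following Python script audits a browser HAR capture for such requests. The host name, the `/collect` path, the Measurement Protocol parameter names (`tid`, `cid`, `dl`, `aip`) and their meaning, and the sample capture are assumptions or constructed values, not taken from the case file.

```python
"""Audit a HAR capture for analytics hits and their anonymization flag."""
from urllib.parse import parse_qs, urlsplit

# Assumption: Universal Analytics collection host and path suffix.
ANALYTICS_HOST = "google-analytics.com"
COLLECT_SUFFIX = "/collect"

# Constructed sample capture in HAR 1.2 layout (not data from the case file).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://news.example/article-1",
                 "cookies": [{"name": "_ga",
                              "value": "GA1.2.1234567890.1597400000"}]}},
    {"request": {"method": "GET", "cookies": [],
                 "url": "https://www.google-analytics.com/collect?v=1&t=pageview"
                        "&tid=UA-00000000-1&cid=1234567890.1597400000"
                        "&dl=https%3A%2F%2Fnews.example%2Farticle-1&sr=1080x1920"}},
    {"request": {"method": "POST", "cookies": [],
                 "url": "https://www.google-analytics.com/j/collect",
                 "postData": {"text": "v=1&t=pageview&tid=UA-00000000-1&aip=1"
                                      "&cid=1234567890.1597400000"
                                      "&dl=https%3A%2F%2Fnews.example%2Farticle-2"}}},
]}}


def client_id_from_ga_cookie(value):
    """Return '<random>.<timestamp>' from a _ga value 'GA1.<n>.<random>.<timestamp>'."""
    parts = value.split(".")
    if len(parts) != 4 or not parts[0].startswith("GA"):
        return None
    return ".".join(parts[2:])


def _is_analytics_request(url):
    """True for a collection request to the analytics host or a subdomain of it."""
    host = (url.hostname or "").lower()
    on_host = host == ANALYTICS_HOST or host.endswith("." + ANALYTICS_HOST)
    return on_host and url.path.endswith(COLLECT_SUFFIX)


def audit_har(har):
    """List every analytics hit with its identifiers and whether `aip` was sent."""
    cookie_ids, hits = set(), []
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        # Remember the client IDs stored in first-party _ga cookies.
        for cookie in request.get("cookies", []):
            if cookie.get("name") == "_ga":
                cookie_ids.add(client_id_from_ga_cookie(cookie.get("value", "")))
        url = urlsplit(request.get("url", ""))
        if not _is_analytics_request(url):
            continue
        # Parameters travel in the query string (GET) or in the body (POST).
        params = parse_qs(url.query, keep_blank_values=True)
        body = (request.get("postData") or {}).get("text") or ""
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, values)
        hits.append({
            "property": params.get("tid", [None])[0],
            "client_id": params.get("cid", [None])[0],
            "page": params.get("dl", [None])[0],
            # Assumption: presence of `aip`, whatever its value, requests
            # anonymization of the sender's IP address.
            "aip_present": "aip" in params,
        })
    cookie_ids.discard(None)
    # A hit whose client ID equals the _ga cookie carries the cookie identifier.
    for hit in hits:
        hit["cid_matches_ga_cookie"] = hit["client_id"] in cookie_ids
    return hits


def hits_without_anonymization(hits):
    """Hits that did not ask the server to anonymize the IP address."""
    return [hit for hit in hits if not hit["aip_present"]]


if __name__ == "__main__":
    for hit in audit_har(SAMPLE_HAR):
        print(hit)
```

The flag only shows what the browser requested; whether the address was in fact shortened on the receiving side cannot be seen from a client-side capture.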
With regard to the order data processing conditions for XXXX advertising products, in connection with the web analysis service XXXX Analytics, online identifiers (including cookie identifiers), internet protocol addresses and device identifiers as well as identifiers assigned by the customer constitute personal data of the customer (MB).

In addition, point 10.2 of these order data processing conditions provides for the application of standard data protection clauses where personal customer data is transferred from the EEA to a third country that is not subject to an adequacy decision under European data protection legislation. On this basis, MB and BF2 concluded a second contract on August 12th, 2020 with the title "XXXX Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors" (VWA ./22). These are standard contractual clauses for international data traffic (based on Commission Implementing Decision 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries under Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5).

In addition to implementing XXXX Analytics, a website owner can share analytics data with XXXX by activating the data sharing setting for XXXX products and services and separately accepting the privacy policy for XXXX Measurement Controller controllers that applies to the use of this setting. The data sharing setting was not activated by MB. MB also did not switch on XXXX Signal. MB did not have its own authentication system and also did not use a user ID function.

II.1.8. On the purpose of processing by the collaborators:

XXXX Analytics is used to enable the following general statistical evaluations of website visitor behavior: reach measurement (i.e. how many users access the site); evaluation of which articles have the greatest traffic (i.e. which articles were called up most often); average session duration; evaluation of the average number of pages viewed per session.

II.1.9. Regarding the measures taken by BF2 after the judgment of the European Court of Justice of 07/16/2020 in Case C-311/18:

After the decision of the European Court of Justice, BF2 assumed that the judgment also applies to the use of XXXX Analytics by website owners.

After the decision of the European Court of Justice, BF2 immediately began amending the Data Processing Terms (DTPS) in order to make the Standard Contractual Clauses (SCC) applicable to all affected contracts. This included updating a variety of contracts, sending communications to website owners on 08/03/2020, the translations, and the publication of the corresponding terms of contract. These changes to the order data processing conditions (DTPS) came into force on August 12, 2020.

Section 10 of the updated Order Data Processing Terms (DTPS) provides that, insofar as the storage and/or processing of customers' personal data, including personal data in XXXX Analytics data, involves the transfer of customers' personal data from the EEA to a third country that is not subject to an adequacy decision under the GDPR, the website owner (as data exporter) and XXXX (as data importer) use Standard Contractual Clauses (SCCs) for the transfer of personal data to processors in third countries that do not ensure adequate data protection. The Standard Contractual Clauses (SCCs) are made available at XXXX. These Standard Contractual Clauses (SCCs) are said to correspond to the clauses published by the European Commission in its Decision 2010/87/EU.
II.1.10. Regarding the additional measures taken by BF2 alongside the introduction of the standard contractual clauses:

The following measures were in force before the decision of the European Court of Justice in Case C-311/18 and therefore also existed during the period in which the conditions were updated by 08/12/2020. According to the statements of BF2, these measures are suitable to ensure an adequate level of protection.

II.1.10.1. Legal and organizational measures:

BF2 evaluates every request for user data that it receives from state authorities to ensure that it complies with applicable laws and XXXX policies.

BF2 notifies customers before any of their information is disclosed, unless such notice is prohibited by law or the request involves an emergency.

BF2 publishes a transparency report.

BF2 publishes its policy on dealing with government requests.

II.1.10.2. Technical measures:

BF2 uses robust technical measures to protect personal data in transit (default use of HTTP Strict Transport Security (HSTS); encryption of data at one or more network layers (protection of communication between XXXX services, protection of data in transit between data centers, and protection of communication between users and websites)).

BF2 uses robust technical measures to protect stored personal data (BF2 encrypts XXXX Analytics data stored in its data centers; BF2 builds servers exclusively for its data centers and maintains an industry-leading security team; XXXX Analytics data is accessible only to employees who need the data for their work).

II.1.10.3. Pseudonymity of data from XXXX Analytics:

BF2 believes that, insofar as the data for measurement by website owners are personal data, they would have to be considered pseudonymous.
BF2 is of the opinion that a third party who accesses the XXXX Analytics data will in principle not be able to identify the data subject on the basis of this data.

II.1.10.4. Optional technical measure - IP anonymization:

In addition to the measures mentioned, website owners can use "IP anonymization" to instruct BF2 to anonymize all IP addresses immediately after collection and thus contribute to data minimization. If this function is used, the full IP address is at no time written to disk, since all anonymization takes place in memory almost immediately after the request has been received by BF2.

II.1.11. BF2 as an electronic communication service:

BF2 is a provider of electronic communications services within the meaning of 50 U.S. Code § 1881(b)(4) and as such is subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"). BF2 transmitted personal data to the US Government under 50 U.S. Code § 1881a. The US Government can request metadata and content data.

II.2. Evidence assessment:

Evidence was taken by inspecting the administrative file of the bB [hereinafter referred to as "VWA", with the components:

./01 - Data protection complaint of the BF1 from 08/18/2020 (see point I.1)
./02 - Data protection complaint of the BF1 from August 18th, 2020 - Attachment - XXXX Analytics Terms of Use (see point I.1)
./03 - Data protection complaint of the BF1 from 18.08.2020 - Supplement - Terms of Use for Order data processing conditions for XXXX advertising products, version 01.01.2020 (see point I.1)
./04 - Data protection complaint of the BF1 from August 18th, 2020 - Enclosure - Terms of Use for Order Data Processing Terms for XXXX advertising products, version 08/12/2020 (see point I.1)
./05 - Data protection complaint of the BF1 dated 08/18/2020 - Attachment - HAR data of the website visit (see point I.1)
./06 - Data protection complaint of the BF1 from August 18th, 2020 - Enclosure - XXXX (see point I.1)
./07 - Data protection complaint of the BF1 from August 18th, 2020 - Attachment - Certificate of representation (see point I.1)
./08 - Identification of lead responsibility (see point I.2)
./09 - Decision of the BA regarding the suspension of the procedure (see point I.2)
./10 - Request of the bB for a statement to the MB (see point I.2)
./11 - Statement of the MB from December 16, 2020 (see point I.3)
./12 - Statement of the MB of December 16, 2020 - Enclosure - Reports from the tool (see point I.3)
./13 - Statement of the MB from 16.12.2020 - Enclosure - Information on IP anonymization (see point I.3)
./14 - Statement of the MB from December 16th, 2020 - Attachment - Screenshot of the set storage period (see point I.3)
./15 - Statement of the MB of 16.12.2020 - Attachment - List of server locations (see point I.3)
./16 - Statement of the MB from 16.12.2020 - Enclosure - Order data processing conditions for XXXX advertising products, version 08/16/2020 (see point I.3)
./17 - Statement of the MB from 16.12.2020 - Enclosure - Order data processing conditions for XXXX advertising products, version 08/12/2020 (see point I.3)
./18 - Statement of the MB from 16.12.2020 - Enclosure - Order data processing conditions for XXXX advertising products, version 01.01.2020 (see point I.3)
./19 - Statement of the MB from 16.12.2020 - Enclosure - Comparative version AVV from January 1st, 2020 vs. August 12th, 2020 (see point I.3)
./20 - Statement of the MB from 12/16/2020 - Enclosure - Comparative version AVV from 08/12/2020 vs 08/16/2020 (see point I.3)
./21 - Statement of the MB from 16.12.2020 - Enclosure - Screenshot of settings (see point I.3)
./22 - Statement of the MB from 16.12.2020 - Enclosure - Standard data protection clauses (see point I.3)
./23 - Statement of the MB of 16.12.2020 - Annex - Information on security measures (see point I.3)
./24 - Opinion of the MB from 16.12.2020 - Enclosure - List of processing activities for XXXX Analytics (see point I.3)
./25 - Request from the bB for a statement to BF1 from December 21, 2020 (see point I.4)
./26 - Opinion of the BF1 from January 22, 2021 (see point I.4)
./27 - Opinion of the BF1 from 22.01.2021 - Attachment - Third party in the cookie banner of MB (see point I.4)
./28 - Opinion of the BF1 from 22.01.2021 - Attachment - Contacts of XXXX with US server (see point I.4)
./29 - Opinion of BF1 from 01/22/2021 - Attachment - Contacts of XXXX with US server, reference to fingerprint technology (see point I.4)
./30 - Request of the bB for a statement to BF2 from February 26th, 2021 (see point I.5)
./31 - Statement of the BF2 from April 9th, 2021 (see point I.5)
./32 - Request of the bB for a statement to BF1 and MB of April 14, 2021 (see point I.6)
./33 - Statement of MB from 05/04/2021 (see point I.7)
./34 - Statement of the BF1 from 05/05/2021 (see point I.8)
./35 - Opinion of the BF1 from May 5th, 2021 - Enclosure - XXXX Analytics Cookie, Use on website (see point I.8)
./36 - Opinion of BF1 from 05/05/2021 - Enclosure - How XXXX uses cookies (see point I.8)
./37 - Opinion of the BF1 from 05/05/2021 - Attachment - Measurement Protocol Parameter Reference (see point I.8)
./38 - Request of the bB for a statement to BF1 from 06.05.2021 (see point I.9)
./39 - Request of the bB for a statement to BF2 from 06.05.2021 (see point I.9)
./40 - Request of the bB for a statement to the MB of May 10th, 2021 (see point I.9)
./41 - Application of BF2 to extend the deadline for comments from May 12, 2021 (see point I.9)
./42 - Granting of the requested extension of the deadline by the BB from May 14, 2021 (see point I.9)
./43 - Opinion of BF2 from May 14th, 2021 (see point I.10)
./44 - Request of the BA for a statement to BF1 and MB of June 11, 2021 (see point I.11)
./45 - Application of the BF1 for an extension of the deadline for comments from June 11, 2021 (see point I.11)
./46 - Request from the bB for a statement to the MB of June 16, 2021 (see point I.11)
./47 - Statement of the MB (transfer) of June 18, 2021 (see point I.12)
./48 - Statement of the MB (configuration error, deletion of data) from 06/18/2021 (see point I.13)
./49 - Statement of the MB (configuration error, deletion of data) from 06/18/2021 - Attachment - Notification of BF2 about the deletion of information (see point I.13)
./50 - Statement of the MB (configuration error, deletion of data) from 06/18/2021 - Attachment - Presentation of the wrong and correct implementation of the anonymization function (see point I.13)
./51 - Transmission of the SO's opinion (VWA ./48 to ./50) to BF1 (see point I.13)
./52 - Notification from the MB of 06/24/2021 (see point I.13)
./53 - Notification from the MB of 06/24/2021 - Enclosure - Confirmation of deletion BF2 (see point I.13)
./54 - Statement of BF2 from 09.07.2021 (see point I.14)
./55 - Opinion of the BF1 from 09.07.2021 (see point I.15)
./56 - Request of the bB for a statement to BF1 from 22.07.2021 (see point I.16)
./57 - Statement from BF2 from 08/12/2021 (see point I.16)
./58 - Website Evidence Collection regarding the website of the MB
./59 - Partial decision of the Federal Civil Service of December 22nd, 2021, delivered on January 12th and 13th, 2022 (see point I.17)
./60 - Complaint by the BF1 from February 7th, 2022 (see point I.20)
./61 - Statement of the bB on the complaint of the BF1 from February 15th, 2022
./62 - Complaint by the BF2 of February 9th, 2022 (see point I.18)
./63 - Complaint of the BF2 from 09.02.2022 - Enclosure - Cookies and User Identification (see point I.18)
./64 - Complaint of the BF2 from 09.02.2022 - Attachment - Linker (see point I.18)
./65 - Notice of complaint from the BF2 of 09.02.2022 - Enclosure - Report XXXX (see point I.18)
./66 - Complaint of the BF2 from 09.02.2022 - Attachment - New EU-US data transfer Framework (see point I.18)
./67 - Statement by the BA on the complaint by the BF2 from February 17th, 2022 (see point I.19)
./68 - Statement of the bB on the complaint of the BF2 of 02/17/2022 - Attachment - Decision of the European Data Protection Supervisor from 05.01.2022 (see point I.19)
./69 - Statement of the bB on the complaint of the BF2 from February 17th, 2022 - Attachment - Decision of the LG Munich from February 20th, 2022 (see point I.19)
./70 - Opinion of the bB on the decision of the BF2 of 17.02.2022 - Attachment - Opinion on the current status of US surveillance law (see point I.19)
./71 - Statement of the bB on the complaint of the BF2 from February 17th, 2022 - Attachment - Key findings of the report on the current status of US surveillance law (see point I.19)]

as well as the court file of the BVwG (file components are marked with an ordinal number, "OZ" for short).

II.2.1. About the procedure:

The procedure described above results from the unobjectionable and undoubted content of the submitted administrative file of the bB and of the court file of the BVwG.

II.2.2. On the owner of the website XXXX:

The findings in this regard result without a doubt from the statement by the MB from June 18, 2021 (VWA ./47).

II.2.3. On the data processing that is the subject of the procedure:

The findings in this regard result without a doubt from the findings of the contested decision (VWA ./59, page 18 ff), the statement of the BF1 from May 5th, 2021 (VWA ./34) and the complaint by the BF2 (VWA ./62, page 6).

The finding that the IP address of BF1 was transmitted to BF2 at the time at issue in the proceedings results from the explanations of BF1 or his representative at the complaint hearing. In this context, the VPN solution shown by the representative of BF1 is comprehensible and was subsequently no longer called into question by BF2 at the complaint hearing. In addition, BF1 credibly worked from home on 14.08.2020. This follows from the credible statements of BF1 that in 2020 he mainly worked from home because of the corona pandemic, and from his use of a tall, narrow monitor (hearing transcript from March 31, 2022, OZ 29 to W245 2252208, page 14). The pertinent findings were therefore to be made.

II.2.3.1. On the summary of the information that was transmitted to BF2 on August 14th, 2020:

The pertinent findings result without a doubt from the explanations of the bB in the contested decision (VWA ./59, page 27).

II.2.3.2. On the information about the cookies used:

The findings in this regard result without a doubt from statements by the BF1 in the administrative procedure (VWA ./05) and from the findings of the contested decision (VWA ./59, page 15).

II.2.3.3. On the link to the BF1's XXXX account:

The findings in this regard result without a doubt from the findings of the contested decision (VWA ./59, page 18 ff) and the statement of the BF2 (VWA ./43, page 10f).
In its statement of April 9th, 2021, BF2 submitted under question 9 that it only receives such information if certain conditions are met, such as the activation of specific settings in the XXXX account. BF1 or, respectively, the bB refuted this in the proceedings with the following comprehensible argument: if a XXXX account user's wish for "personalization" of the advertising information received can be met on the basis of a declaration of intent in the account, then, from a purely technical point of view, it is possible to obtain information about the website visited by the XXXX account user.

Irrespective of this, numerous metadata that are transmitted when an application (e.g. XXXX account) is called up were available to BF2 on August 14, 2020 (OZ 25 to W245 2252208-1, page 3). At the time at issue in the proceedings (08/14/2020), BF1 also used his XXXX account. Using the metadata that were transmitted when the XXXX account was used, a link to the metadata transmitted in the course of the XXXX (via XXXX Analytics) was possible.

In addition, a link via the IP address was undoubtedly possible. BF1 worked from home on 08/14/2020. In this context, the IP address was transmitted directly from BF1 to BF2 (hearing transcript of March 31, 2022, OZ 29 to W245 2252208, page 14). Since BF1 was signed into the XXXX account at the same time as he visited the website XXXX (XXXX Analytics), a link between these applications can easily be established via the IP address. In both applications, the IP address is transmitted for technical reasons alone. Against this background, the transmission of the IP address via the XXXX Analytics application allows a personal reference to the XXXX account (or to the registration information of BF1) to be established. Since BF1 was working from home at that time and lives alone, only he could use the transmitted IP address.
Because metadata and the IP address can easily be linked between the individual applications (XXXX account and XXXX Analytics), a personal reference (login data for XXXX) can indisputably be established.

It was also found that metadata from XXXX applications (such as the XXXX account) that BF1 used on 08/14/2020 were transferred to the United States (hearing transcript from March 31, 2022, OZ 29 to W245 2252208, page 11 f).

II.2.3.4. On the (non-)anonymized processing of the IP address of the BF1:

The pertinent findings result without a doubt from the explanations of the MB in the administrative procedure (VWA ./48).

II.2.3.5. About the deleted information:

The pertinent findings result beyond doubt from the explanations of the MB and the BF2 in the administrative procedure (VWA ./48, ./49, ./50, ./52 and ./53).

II.2.3.6. On the declaration of personal data by BF2:

The relevant findings result from the explanations of the bB in the course of submitting the file (VWA ./67, page 4) and from an inspection of the BF2 website XXXX (last accessed on March 26, 2023).

II.2.4. About the web analysis service XXXX Analytics:

The pertinent findings result beyond doubt from explanations of the BF2 in the administrative procedure (VWA ./31, page 4).

II.2.5. About the implementation and functionality of XXXX Analytics:

The pertinent findings result beyond doubt from explanations of the BF2 in the administrative procedure (VWA ./31, page 4 f).

II.2.6. On embedding the program code for XXXX Analytics on the XXXX website of the MB:

The relevant findings result beyond doubt from the documents of the submitted administrative file (VWA ./10, page 1 and VWA ./31, page 7 f).

II.2.7. On the legal basis for the use of XXXX Analytics by the participants:

The relevant findings result beyond doubt from the documents of the submitted administrative file (VWA ./31, page 6).

II.2.8. On the purpose of processing by the collaborators:

The relevant findings result beyond doubt from the documents of the submitted administrative file (VWA ./10, page 2, ./11, page 11, ./18, ./21, ./22 partial decision, page 15 ff).

II.2.9. Regarding the measures taken by BF2 after the judgment of the European Court of Justice of 07/16/2020 in Case C-311/18:

The pertinent findings result beyond doubt from explanations of the BF2 in the administrative procedure (VWA ./31, page 21 f).

II.2.10. On the additional measures taken by BF2 alongside the introduction of the standard contractual clauses:

The pertinent findings result beyond doubt from explanations of the BF2 in the administrative procedure (VWA ./31, page 24 ff and VWA ./43).

II.2.11. BF2 as an electronic communication service:

The findings in this regard result without a doubt from the expert opinion on the current status of US surveillance law and surveillance powers as well as from the transparency report of BF2 (XXXX, last queried on 03/29/2023).

II.3. Legal assessment:

II.3.1. Regarding jurisdiction:

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates. The contested decision is based on a decision of the bB in accordance with Article 44 GDPR. Pursuant to § 27 DSG, this matter is subject to decision by a senate.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is governed by the VwGVG, Federal Law Gazette I No. 33/2013 (§ 1 leg. cit.). According to § 58 para. 2 VwGVG, conflicting provisions that had already been promulgated at the time this federal law entered into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG, with the exception of §§ 1 to 5 and Part IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, of the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and of the Service Law Procedure Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws which the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, are to be applied mutatis mutandis to the procedure for complaints according to Art. 130 para. 1 B-VG.

According to § 28 para. 1 VwGVG, the administrative court has to dispose of the legal matter by judgment unless the complaint is to be dismissed or the proceedings are to be discontinued. According to para. 2 leg. cit., the administrative court has to decide on the merits itself on complaints according to Art. 130 para. 1 no. 1 B-VG if 1. the relevant facts have been established or 2. the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.

As stated above, the relevant facts are established on the basis of the file. The Federal Administrative Court therefore has to decide on the merits itself.

II.3.2. Regarding the legal situation in the present complaints procedure:

Art. 4 no. 1 GDPR - Definitions - reads:

For the purposes of this Regulation, the term:

1. "personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics expressing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

Art. 44 GDPR - General principles of data transfer - reads:

Any transfer of personal data that are already being processed or are to be processed after their transfer to a third country or an international organization is only permitted if the controller and the processor comply with the conditions laid down in this Chapter and the other provisions of this Regulation are also complied with; this also applies to any onward transfer of personal data from the relevant third country or the relevant international organization to another third country or another international organization. All provisions of this Chapter shall be applied to ensure that the level of protection for natural persons guaranteed by this Regulation is not undermined.

Art. 45 GDPR - Data transfer based on an adequacy decision - reads in part:

(1) A transfer of personal data to a third country or an international organization may be undertaken if the Commission has decided that the third country concerned, a territory or one or more specific sectors within that third country, or the international organization concerned offers an adequate level of protection. Such a data transfer does not require any special approval.
(2) When examining the adequacy of the required level of protection, the Commission shall take into account the following in particular:

a) the rule of law, respect for human rights and fundamental freedoms, the relevant legislation in force in the country or international organization concerned, both general and sectoral, including in relation to public security, defence, national security and criminal law and access by public authorities to personal data, as well as the application of this legislation, data protection rules, professional rules and security rules, including rules for the onward transfer of personal data to another third country or another international organization, case law, and effective and enforceable rights of the data subject and effective administrative and judicial remedies for data subjects whose personal data are transferred,

b) the existence and effective functioning of one or more independent supervisory authorities in the third country concerned, or to which an international organization is subject, which are responsible for compliance with and enforcement of data protection rules, including appropriate enforcement powers, for supporting and advising data subjects in the exercise of their rights, and for cooperation with the supervisory authorities of the Member States, and

c) the international commitments entered into by the third country or international organization concerned, or other obligations arising from legally binding agreements or instruments as well as from the participation of the third country or the international organization in multilateral or regional systems, particularly in relation to the protection of personal data.
(3) After assessing the adequacy of the level of protection, the Commission may decide, by way of an implementing act, that a third country, a territory or one or more specific sectors in a third country, or an international organization provides an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, taking place at least every four years, which takes into account all relevant developments in the third country or in the international organization. The implementing act shall specify its territorial and sectoral scope of application and, where applicable, the supervisory authority or authorities referred to in paragraph 2 letter b of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Art. 46 GDPR - Data transfer subject to appropriate safeguards - reads in part:

(1) If there is no decision pursuant to Article 45 paragraph 3, a controller or a processor may only transfer personal data to a third country or an international organization if the controller or the processor has provided appropriate safeguards and provided that enforceable rights and effective remedies are available to the data subjects.
(2) The appropriate guarantees mentioned in paragraph 1 can, without a special approval of a supervisory authority would be required a) a legally binding and enforceable document between the authorities or public bodies b) Binding Corporate Rules pursuant to Article 47, c) standard data protection clauses adopted by the Commission in accordance with the examination procedure pursuant to Article 93 paragraph 2 are issued, d) standard data protection clauses adopted by a supervisory authority, issued by the have been approved by the Commission in accordance with the examination procedure set out in Article 93(2), - 41 - e) approved codes of conduct pursuant to Article 40 together with legally binding ones and enforceable obligations of the controller or the Processor in the third country to apply the appropriate guarantees, including in relation to the rights of data subjects, or (f) an approved certification mechanism in accordance with Article 42 together with legally binding and enforceable obligations of the controller or of the processor in the third country to apply the appropriate safeguards, including in relation to the rights of data subjects. Art. 7 Charter of Fundamental Rights of the European Union - Respect for the private and family life – reads: Everyone has the right to respect for their private and family life, their home and their communication. Art. 8 Charter of Fundamental Rights of the European Union - Protection of personal data - reads: Every person has the right to protection of their personal data. This Data may only be used in good faith for specified purposes and with the consent of data subject or on another legitimate basis regulated by law are processed. Every person has the right to information about the data collected about them Obtain data and obtain rectification of data. Compliance with this Regulations are monitored by an independent body. Art. 
47 Charter of Fundamental Rights of the European Union – Right to an effective remedy and an impartial court – reads:
Any person whose rights or freedoms guaranteed by Union law are violated has the right, subject to the conditions provided for in this article, to seek an effective remedy before a court. Every person has the right to have their case heard by an independent, impartial court previously established by law, in a fair trial, publicly and within a reasonable time. Any person can be advised, defended and represented. Persons who do not have sufficient funds will be granted legal aid to the extent that this aid is necessary to ensure effective access to justice.
Recital 26 of the GDPR – No application to anonymized data – reads:
The principles of data protection should apply to all information relating to an identified or identifiable natural person. Personal data that have undergone pseudonymization and that could be attributed to a natural person by using additional information should be considered information about an identifiable natural person. To determine whether a natural person is identifiable, all means should be taken into account that are reasonably likely to be used by the controller or another person to identify the natural person directly or indirectly, such as, for example, singling out. In determining whether means are reasonably likely to be used to identify the natural person, all objective factors, such as the cost of identification and the time required for it, should be taken into account, considering the technology available at the time of processing and technological developments. The principles of data protection should therefore not apply to anonymous information, i.e. information which does not relate to an identified or identifiable natural person, or personal data that has been anonymized in such a way that the data subject cannot or can no longer be identified.
This regulation therefore does not apply to the processing of such anonymous data, including for statistical or research purposes.
GDPR Recital 30 – Online Identifiers for Profiling and Identification – reads:
Natural persons may be associated with online identifiers provided by their devices, software applications and tools or protocols, such as IP addresses and cookie identifiers, or with other identifiers such as radio frequency identifiers. This can leave traces which, especially in combination with unique identifiers and other information received by the server, can be used to create profiles of the natural persons and to identify them.
II.3.3. Regarding the scope of Art. 44 ff GDPR:
If the following three requirements are met, there is a transfer and Chapter V (Art. 44 ff) GDPR is applicable (Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, version 2.0, adopted on 02/14/2023):
1) A controller or processor ("exporter") is subject to the GDPR for the respective processing.
2) The exporter transmits personal data that are the subject of this processing to another controller, a joint controller or a processor ("importer"), or makes them available in other ways.
3) The importer is located in a third country, regardless of whether this importer is subject to the GDPR for the respective processing pursuant to Article 3, or is an international organization.
Art. 8 para. 1 EU-GRC results in an obligation to perpetuate the level of protection under EU law (ECJ 06.10.2015, C-362/14 (Schrems), para. 72). The provisions in question regulate the conditions which allow a controller or processor (exporter) to transfer personal data to a third country. The term "transmission", which is not legally defined, is to be understood within the scope of Art. 44 ff in terms of protection.
It therefore includes any disclosure of personal data to a place outside the territory of the European Union or to an international organization (Kühling/Buchner, DSGVO BDSG, Art. 44, Rn 16; Jahnel, Commentary on the General Data Protection Regulation Art. 44 GDPR (as of December 1st, 2020, rdb.at), para. 18).
It follows from Art. 44 GDPR that the importer (recipient in the third country) is not covered by the scope of the provision, because it does not carry out the transmission of data. The term "transmission" describes an action of the data exporter, but not an action of the data importer. Furthermore, Art. 46 para. 1 GDPR provides that a controller or a processor may only transfer personal data to a third country or an international organization if the controller or the processor has provided appropriate guarantees and if enforceable rights and effective remedies are available to data subjects. As a result, the clear wording of Art. 44 et seq. does not give rise to requirements for data importers (as the BF2 also correctly stated, VWA ./43, page 19).
Based on the case law of the European Court of Justice, the data exporter bears the responsibility for examining the permissibility of the specific transmission. He must check at any time whether the data is protected in the third country (Kühling/Buchner, DSGVO BDSG, Art. 44, para. 16 with reference to ECJ July 16, 2020, C-311/18 (Schrems II)). Overall, no subjective public rights/duties of a data importer can be derived from Chapter V GDPR.
This must be distinguished, for example, from the contractual obligations of a data importer, for example that he must inform the data exporter immediately if the law applicable to him no longer allows him to store and process the data in accordance with the special contractual clauses (Commission decision of 05.02.2010 on standard contractual clauses for the transmission of personal data to processors in third countries according to Directive 95/46/EG of the European Parliament and of the Council (2010/87/EU), Clause 5 - Obligations of the data importer). However, these are not the subject of administrative/judicial proceedings.
II.3.4. On Art. 44 GDPR as a subjective right:
The BF2 repeatedly stated in the proceedings that a violation of Art. 44 ff GDPR was not a permissible object of a complaint according to Art. 77 GDPR (VWA ./54, page 6, VWA ./62, page 36). This view cannot be followed for the following reasons:
§ 24 DSG grants the person whose basic personal right has been violated the opportunity to have the violation of rights committed against them determined. The declaratory statement here concerns the legal position of a specific person whose rights have been violated and is, dogmatically, limited in its scope of legal force to this infringement. Based on this determination, the data subject should be able to pursue further individual claims, such as claims for damages (VwGH 14.12.2021, Ro 2020/04/0032). It cannot be derived from § 24 DSG that the data protection authority may only establish an infringement if the data subject asserts a data subject right (Art. 12 ff GDPR).
In connection with Art. 77 GDPR, the data protection authority is obliged to make a decision if the data subject believes that the processing of personal data concerning them violates this regulation. Contrary to the view of BF2, however, a restriction of Art. 77 GDPR to data subject rights according to Art.
12 ff GDPR cannot be inferred (e.g. VWA ./43, page 17). A data subject can base an infringement on any provision of the GDPR, if the GDPR-violating processing of personal data also leads to a violation of the legal position of the person concerned (this is also the prevailing doctrine: Jahnel, Commentary on the General Data Protection Regulation Art. 77 GDPR (as of December 1, 2020, rdb.at), para. 11; Bergt in Kühling/Buchner, DSGVO BDSG, Art. 77, para. 10; Körffer in Paal/Pauly, General Data Protection Regulation · Federal Data Protection Act, Art. 77; Moos/Schefzig in Taeger/Gabel, DSGVO BDSG TTDSG, Art. 77, para. 9; Boehm in Simitis | Hornung | Spiecker, data protection law, Art. 77, Rn 6).
In implementation of Art. 77 GDPR, the right to lodge a complaint with a supervisory authority and the principles of the procedure before the supervisory authority are regulated (1761 BlgNR 25. GP 15). From the materials it is clearly recognizable that § 24 DSG specifies the right of a data subject to complain to a supervisory authority in accordance with Art. 77 GDPR. It cannot be inferred from the materials that § 24 DSG restricts the scope of a data subject's right to lodge a complaint.
In accordance with Section 24 (1) DSG, every data subject has the right to lodge a complaint with the Data Protection Authority if they consider that the processing of personal data concerning them violates, among other things, § 1 DSG, which also protects the right to secrecy. According to § 24 para. 2 Z 5 DSG, the complaint must contain the request to establish the alleged infringement.
Insofar as a complaint proves to be justified, it must be upheld according to Section 24 (5) first sentence DSG. Accordingly, in the event of a violation of data protection law, the law explicitly provides for an application for a determination as part of the complaint, which pursuant to Section 24 (5) DSG must be upheld if it proves to be justified (VwGH 19.10.2022, Ro 2022/04/0001).
Therefore, if a person considers that the processing of personal data concerning them leads to a violation of their rights, they have, according to § 24 DSG, a right expressly provided for in law to have this determined. In this context, it should be noted that not only a finding of infringement according to § 1 DSG (right to secrecy) is possible. With the expression "among other things" the Administrative Court clearly indicates that not only violations of rights based on § 1 DSG (right to secrecy) can be determined. Nor does § 24 para. 2 DSG contain a restriction to the effect that a data subject could only request a declaration of a violation of the right to secrecy.
In the present proceedings, the BF1 asserted a violation of rights pursuant to Section 24 (2) DSG to the effect that the processing of his personal data violates the GDPR (Art. 77 GDPR). Specifically, the BF1 requested a determination as to whether there was a violation of the general principles of data transmission in accordance with Art. 44 GDPR.
Without a doubt, every person whose personal data is processed by others has the subjective right that the processing of their personal data takes place in accordance with the GDPR. According to the case law of the European Court of Justice, any processing of personal data must, on the one hand, be in line with the principles set out in Art. 5 of the GDPR for the processing of data and, on the other hand, satisfy one of the principles listed in Art.
6 of the GDPR regarding the lawfulness of the processing (ECJ 22.06.2021, C-439/19 (Latvijas Republikas Saeima), para. 96). To the extent that a data subject believes that the processing of personal data does not comply with the GDPR, an individual complaint according to § 24 DSG is admissible to that effect.
For the present proceedings, it is particularly important to emphasize that the European Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II), para. 158) assumed that the finding that "[…] the law and practice of a country does not ensure an adequate level of protection [...]" and "[...] the compatibility of this (adequacy) decision with the protection of privacy and the freedoms and fundamental rights of individuals […]" can be asserted as a subjective right as part of a complaint under Art. 77 (1) GDPR. In this context, the DA correctly stated that the question referred in the mentioned procedure did not have the "extent of the right of appeal of Art. 77 para. 1 GDPR" as its subject; the ECJ, however, evidently regarded it as a necessary condition that a violation of provisions of Chapter V GDPR can also be invoked in the context of a complaint according to Art. 77 para. 1 GDPR. From a different point of view, the ECJ would have said that the question of the validity of an adequacy decision was not to be clarified at all in the context of a complaints procedure (VWA ./59, page 23 f).
Overall, the bB is authorized to determine a violation of law according to Art. 44 ff GDPR.
II.3.5. About the distribution of roles:
At the time relevant to the proceedings, the MB, as the website owner, made the decision to implement the "XXXX -Analytics" tool on the XXXX website. Specifically, it inserted a JavaScript code ("tag"), provided by BF2, in the source code of its website, which means that this JavaScript code was executed in the browser of the BF1 when the website was visited.
The MB used said tool for the purpose of statistical evaluations of the behavior of website visitors.
Since the MB decided on the purposes and means of the data processing related to the tool, it is to be regarded as the controller within the meaning of Art. 4 Z 7 GDPR.
For the present proceedings, it is to be noted that the subject matter of the complaint relates only to the data transfer to BF2 (United States). In connection with the data transmission with the tool XXXX -Analytics, it should be noted that the BF2 only makes the tool available and has no influence on whether the MB makes use of the tool functions at all or to what extent, and which specific settings it chooses. Insofar as BF2 only provides XXXX -Analytics (as a service), it has no influence on the "purposes and means" of data processing and is therefore, in this case, to be qualified as a processor within the meaning of Art. 4 Z 8 GDPR.
II.3.6. Regarding point A.I) - rejection of the complaint by the BF2:
II.3.6.1. On the right of BF2 to lodge a complaint:
With the finding in point 2. of the decision that is the subject of the proceedings, it was clarified whether there was a violation of the general principles of data transmission according to Art. 44 GDPR by the MB. Ruling point 2. is separable from the other ruling points according to § 59 paragraph 1 AVG because, standing alone and without an inner connection with other parts of the procedure, it is accessible to a separate ruling (cf. e.g. VwGH September 12, 2018, Ra 2015/08/0032). The bB correctly stated that the possible violation of Art. 5 ff in conjunction with Art. 38 Para. 3 lit. a and Art. 29 GDPR by the BF2 has no connection with the requirements of Art. 44 GDPR (VWA ./67, page 14).
The question of who has party status in a specific administrative procedure cannot be answered on the basis of the AVG alone. Rather, party status must be derived from the substantive regulations.
On the basis of substantive administrative law, it must be assessed according to the subject of the relevant administrative procedure and according to the content of the applicable administrative regulations. The constituent element of party status in administrative matters is determined according to the normative content of the regulations to be applied in the case. The terms "legal claim" and "legal interest" only acquire a specific content through the applicable administrative regulation, according to which alone the question of party status can be answered (VwGH April 19, 2022, Ra 2021/02/0251).
Against this background, party status in the administrative court proceedings cannot be justified by the fact that the results of the proceedings may affect other procedures; rather, party status (or legal interests) derives from the relevant administrative regulation that is the subject of the administrative procedure.
As explained under point II.3.3, Art. 44 GDPR regulates the admissibility of a data transfer to a third country. Based on the case law of the European Court of Justice, the data exporter (the MB) is responsible for checking the admissibility of the specific transmission. He must check at any time whether the data are protected in the third country. Against this background, it is clear that the regulations in Chapter V GDPR without exception have subjective public rights/duties of the data exporters (thus the MB) as their subject. In contrast, subjective public rights/duties for the data importer in a third country cannot be inferred from Chapter V GDPR. This is also evident from the fact that, for the assessment of the legal question as to whether a data exporter has violated obligations under Chapter V GDPR, the data importer in principle does not have to participate in the procedure.
If, therefore, a data importer is, for example, not reachable at all for a supervisory authority, this circumstance does not prevent the supervisory authority from determining a violation of law by the data exporter in accordance with Chapter V GDPR. Therefore, the BF2 had no party status in the procedure of the bB (VWA ./59, point 2) in connection with the assessment of the legal question of whether the data exporter (i.e. the MB) violated obligations under Chapter V GDPR.
In point 3 of the ruling at issue, the BF2 was a party to the procedure because the bB clarified the legal question as to whether the BF2 violated obligations under Art. 44 GDPR. However, since Art. 44 or Chapter V GDPR does not provide for public law obligations for a data importer in a third country, the BA rejected BF1's request to that effect. The BA thereby confirmed the legal view of the BF2 (see point II.3.3 above).
As explained, the BF2 did not have party status in the procedure of the DA in connection with ruling point 2. However, party status in administrative proceedings is an essential prerequisite for filing a complaint against a decision with the administrative court. Party status in administrative proceedings and the authority to lodge complaints are directly related according to the domestic legal situation (VwGH 05.04.2022, Ra 2022/03/0073).
Since the BF2 was not accorded party status in the administrative procedure on ruling point 2. of the decision at issue in the proceedings, its complaint to that effect was to be dismissed.
Furthermore, it is pointed out that the assessment of a preliminary question in decisions generally has no binding effect for other authorities (or even the same authority in other procedures) for whose decision the same question, or one with comparable content (although not to be qualified as a preliminary question in the legal sense), arises (VwGH 01/20/2016, Ro 2014/04/0045).
In addition, the main question of the partial decision that is the subject of the proceedings is the decision regarding a violation of Art. 44 GDPR, i.e. the question of whether the data transfer in question to a third country was legally permissible. The main question, however, does not include the individual statements on some elements of the facts of Art. 44 ff GDPR that are explained in point 2.
It should also be noted that BF2, as a processor for the MB, carried out actions attributable to the MB (Art. 28 GDPR), which ultimately lead to an infringement of rights by the MB. In this context it is pointed out that the MB did not appeal against the decision of the DA.
II.3.6.2. On the lack of infringement of subjective rights of BF2:
Regardless of the lack of party status (see point II.3.6.1), contrary to the explanations of BF2 (VWA ./62, page 8), there is in principle no violation of subjective rights. This is due to the following considerations:
II.3.6.2.1. For the processing of personal data:
According to Art. 2 para. 1 GDPR, personal data are the starting point for the material applicability of the GDPR. In this regard, the European Court of Justice has repeatedly stated that the scope of the GDPR should be understood very broadly (ECJ 06/22/2021, C-439/19 (Latvijas Republikas Saeima), para. 61; 12/20/2017, C-434/16 (Peter Nowak), marginal note 59). This basic understanding is to be taken as a basis for the further explanations.
Against this background, the view of the BA is to be followed that an interference with the fundamental right to data protection according to Art. 8 EU-GRC and § 1 DSG already exists if certain measures are taken (e.g. assignment of identification numbers) to individualize website visitors.
In the present case, BF2's own explanations and behavior indicate that the information that is the subject of the proceedings (see point II.1.3.1) represents personal data.
The BF2 itself explains that, within the framework of the order processing service "XXXX Analytics", the data "online identifiers (including cookie identifiers), internet protocol addresses and device identifiers and identifiers assigned by the customer" can be personal data. In addition, after the judgment of the European Court of Justice of July 16, 2020 in Case C-311/18, the BF took several measures to allow a legally compliant transfer of personal data to the United States (see point II.1.9). These explanations and this behavior stand against the less convincing explanations of the MB or the BF2 that the change of the order data processing conditions (DTPS) of August 12th, 2020, including the Standard Contractual Clauses (SCCs), was only made for proactive reasons.
In principle, it should be noted that no direct personal reference can be inferred from the information transmitted on August 14th, 2020 (see point II.1.3 and II.1.3.1). Online identifiers (IP address, cookies, etc.) regularly do not identify a person on their own, since they directly reveal neither the identity of the natural person who owns the end device (computer) from which a website was accessed, nor the identity of another person who could use this computer (ECJ October 19, 2016, C-582/14 (Breyer), para. 38).
However, depending on the circumstances, identifiability is possible. A piece of information makes a natural person identifiable if identification (i.e. recognition) is not directly possible through it alone, but a corresponding identification can be made by linking it to further information. According to Art.
4 Z 1 GDPR, a person is regarded as identifiable who can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier, or to one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person. However, knowing the name of the natural person is not absolutely necessary for identifiability (Art. 29 Data Protection Working Party, WP 136, page 16 f).
To determine whether a natural person is identifiable, all means are to be taken into account that are reasonably likely to be used by the controller or another person to identify the natural person directly or indirectly (Recital 26, 3rd sentence). However, the purely hypothetical possibility of identifying the person is not sufficient for the person to be considered identifiable. Nor is it necessary, however, for the controller to actually initiate efforts or already have the appropriate means to bring about identification; rather, the probability that he will initiate them or acquire corresponding means is sufficient. For the assessment of the question of identifiability, it is therefore not important whether a controller has actually attempted to carry out identification. It is sufficient that the use of a means is likely from a purely abstract point of view.
In determining whether means are reasonably likely to be used to identify the natural person, all objective factors, such as the cost of identification and the time required for it, as well as the technology available at the time of processing and technological development, must be taken into account in the context of a risk analysis or forecast (according to Recital 26, 4th sentence).
According to the case law of the European Court of Justice, a factual risk of creating a personal reference is required for this (ECJ 19.10.2016, C-582/14 (Breyer), para. 38). To determine whether such a risk exists, it is - in addition to the factors expressly mentioned in Recital 26, 3rd sentence - also to be considered whether the purpose of the processing requires identification, whether identification leads to an increase in use, and whether the identification is opposed by contractual and/or organizational obstacles (e.g. contractual penalties) (Taeger/Gabel, GDPR BDSG TTDSG, Art. 4, 31).
In the present case, an increase in use can be assumed because, e.g., the online identifiers used (IP address, cookies) allow website visitors to be distinguished. Also, in the context of big data applications, the threshold for assuming a personal reference is simply low (Kühling/Buchner, DSGVO BDSG, Art. 4 No. 1, Rn 22). If, for example, a company stores information about people in two different databases (which, viewed in isolation, do not enable clear assignment to a person), and merging them would lead to identification and would be possible with a reasonable amount of time and money considering the data analysis tools typically available on the market, the identifiability of the not (yet) merged databases would have to be affirmed (Taeger/Gabel, GDPR BDSG TTDSG, Art. 4, Rn 31).
Already a "digital footprint" that allows devices - and subsequently the specific user - to be clearly individualized represents a personal datum (cf. Kargl in Simitis/Hornung/Spiecker, data protection law, Art. 4 Z 1, Rn 52 with further references). With fingerprinting (RFC 6973), an observer can identify a device or application instance with sufficient probability on the basis of several information elements (online identifiers, IP address, browser information, etc.).
In addition, the argumentation of the bB is to be followed that the implementation of XXXX-Analytics on XXXX results in singling out (segregation) within the meaning of Recital 26.
In other words: whoever uses a tool that makes such a singling out (segregation) possible in the first place cannot take the position of not using any means to make natural persons identifiable. It can be assumed that, without using the information at issue in the proceedings (see point II.1.3.1), the BF2 would not be able to offer a usable measurement service (see point II.1.4), because, for example, without cookies the BF2 would not be able to perform traceable measurements of website visits.
Due to the circumstances at hand - big data, benefit increases, the purpose and the functionality of the web analytics service XXXX -Analytics, and fingerprinting - a factual risk is to be assumed that the BF2, as the processor of the MB, uses means reasonably likely to identify the individual. With the information transmitted to the BF2 (see point II.2.3 or II.2.3.1), a "digital footprint" of the BF1 was generated, which allows the BF2, as the processor of the MB, to identify the BF1.
With regard to online identifiers, it should be noted that the cookies in question, "_ga" or "cid" (client ID) and "_gid" (user ID), contained unique XXXX -Analytics identifiers and were stored on the end device or in the browser of the BF1. With these identifiers, it is sometimes possible for the BF2 to distinguish website visitors and also to receive the information as to whether a visitor to the website XXXX is new or returning. Without these identification numbers, a distinction between website visitors is therefore not possible. In this context, the European Data Protection Supervisor takes the view that all records containing identifiers with which users can be singled out are considered personal data under the regulation (meaning Regulation (EU) 2018/1725) and must be treated and protected as such (VWA ./68).
With regard to the IP address, it should be noted that the "anonymization function" of the IP address was not correctly implemented at the time of data transmission to the BF2 and the IP address was therefore stored completely by the BF2.
In this context, it is to be noted that the general storage of IP addresses constitutes a serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, since IP addresses make it possible to draw accurate conclusions about the private life of the user of the relevant electronic means of communication. This can have a deterrent effect on the exercise of the freedom of expression guaranteed in Article 11 of the Charter (ECJ 20.09.2022 in joined cases C-793/19 and C-794/19 (SpaceNet AG/Telekom Deutschland GmbH), para. 100). It also does not matter who the IP address actually belongs to: the decisive factor is whether the IP address can be used to draw conclusions about the data subject (user). Therefore, the statements of BF2 have no justification value when it argues that the IP address used may possibly belong to BF1's employer. Regardless, the procedure revealed that the IP address of BF1 was transmitted directly to BF2.
Already from the combination of the transmitted information (see point II.1.3.1) - online identifiers, IP address, browser information, operating system, screen resolution, language selection, etc. - a "digital footprint" can be generated that allows the end device and subsequently the specific user to be clearly individualized.
Irrespective of this, in the present case traceability to the BF1 was possible for BF2 as the processor: the BF1 was logged in to his XXXX account at the time he visited the website XXXX. The BF2 explained that it receives information due to the fact that the tool XXXX -Analytics is implemented on a website. This includes the information that a specific XXXX account user visited a specific website (VWA ./31, Question 9).
In this context, BF2 explained that this is only possible if specific settings are activated in the XXXX account (activation of "Personalized Advertising" and "Web and App Activity" by the XXXX account user and activation of XXXX signals on the target website).
In this regard, the BB comprehensibly explained that the identifiability of a website visitor cannot depend on whether certain declarations of intent are made in the XXXX account, since from a technical point of view all possibilities for identification would still be available. Otherwise, the BF2 could not comply with a user's wishes for personalization of the advertising information received.
In this regard, it must be taken into account that Art. 4 Z 1 GDPR is linked to "can" ("can be identified") and not to whether an identification is ultimately also made. Regardless of this, it should be noted that certain settings in a XXXX account, or the activation of XXXX signals on a website, merely represent an adaptation to the personal needs of users of XXXX applications. The adjustments by the users do not allow any conclusions about the processing by the BF2 of the meta information that is transmitted to BF2 in the course of calling up an application ( XXXX -Analytics, XXXX account, XXXX, etc). In the proceedings, a connection of meta information and IP address between XXXX account and XXXX -Analytics emerged in this context, which enabled an undisputed personal reference.
Regardless of the BF2, there is a real risk that US authorities will use means reasonably likely to identify the BF1. In this context, the BF1 comprehensibly explained that US intelligence services use online identifiers (IP address or unique identifiers) as a starting point for the surveillance of individuals. Thus, in particular, it cannot be ruled out that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of BF1. This is how the BF2 due to data requests metadata and content data.
The fact that this is not just a "theoretical danger" can be seen from the judgment of the European Court of Justice of July 16th, 2020, C-311/18 (Schrems II): due to the incompatibility of such methods and access possibilities of the US authorities with the fundamental right to data protection according to Art. 8 EU-GRC, the EU-US adequacy decision ("Privacy Shield") was ultimately also declared invalid.
In this context, neither the BF1 nor the MB have the opportunity to verify whether US authorities have already received personal data, or whether US authorities already have personal data of BF1. This circumstance cannot be held against affected persons such as the BF1. After all, it was ultimately the MB and also the BF2 that continued to use the XXXX -Analytics tool despite the publication of the above-mentioned judgment of the European Court of Justice of July 16, 2020.
Finally, the reasoning of the bB is also to be followed that the MB is subject to accountability (Art. 5 para. 2 in conjunction with Art. 24 (1) in conjunction with Art. 28 (1) GDPR) for ensuring that processing is carried out in accordance with the regulation. In this context, the MB did not identify in the proceedings any organizational or technical measures of its processor (BF2) which are suitable to prevent methods and ways of access of the US authorities, so that no violation of the fundamental right to data protection according to Art. 8 EU-GRC occurs.
As a result, the transmitted information (see point II.1.3 or II.1.3.1) represents, in any case in combination, personal data in accordance with Art. 4 Z 1 GDPR.
II.3.6.2.2. On the lack of an appropriate level of protection in accordance with Art. 44 GDPR:
Art. 44 GDPR, as the basic provision for international data transfer, provides for a two-stage admissibility check. The first requirement for data to be transmitted to a third country at all is that the other provisions of the GDPR (such as Art. 5 f, Art.
13 f GDPR) are complied with. As part of the second stage, it must be checked whether one of the requirements of Art. 45 – 49 GDPR is met. The first admissibility ground to be considered exists under Art. 45 GDPR if the Commission has determined in an adequacy decision for the third country concerned that it offers an adequate level of protection. If there is such an adequacy decision, no approval is required for data transfers to the respective third country. If there is no adequacy decision, it must be checked further whether the requirements of Art. 46, 47 or 49 GDPR are met.
Since the European Court of Justice declared the "EU-US Privacy Shield" invalid with its decision of 16.07.2020, C-311/18 (Schrems II), the data transmission at issue in the proceedings on August 14, 2020 (see point II.1.3 or II.1.3.1) can no longer be justified on the basis of an adequacy decision. The decision of the European Court of Justice clarified that the United States is, until further notice, to be regarded as a "third country" and that a privilege for the transmission of personal data under Art. 45 GDPR does not currently exist.
Since there is no adequacy decision under Art. 45 Para. 3 GDPR, Art. 46 GDPR provides for further admissibility grounds ("suitable guarantees"). If one of the guarantees listed in Art. 46 Para. 2 GDPR exists, international data traffic is permitted without approval. The guarantees of Art. 46 Para. 3 GDPR are subject to approval by the competent supervisory authority. If none of the provisions in Art. 46 Para. 2 and Para. 3 GDPR applies, it must be checked further whether one of the exceptions for a permissible third-country transfer under Art. 49 GDPR is fulfilled.
The MB based the transfer at issue in the proceedings on standard data protection clauses in accordance with Article 46 (2) (c) GDPR. The MB did not base the transfer of the data at issue in the proceedings on any further "suitable guarantees" under Art. 46 GDPR.
Therefore, the admissibility of the data transmission under Art. 46 Para. 2 lit. c GDPR is examined.
II.3.6.2.2.1. On data transfer based on standard data protection clauses in accordance with Article 46 (2) (c) GDPR:
On August 12, 2020, the MB and the BF2 concluded standard data protection clauses in accordance with Article 46 (2) (c) GDPR for the transfer of personal data to the United States ("XXXX Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors"). Specifically, at the time relevant to the complaint, these were the clauses in the version of the Implementing Decision of the European Commission 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries under Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p.
When personal data are transferred to a third country on the basis of standard data protection clauses, enforceable rights and effective remedies must ensure that the data subjects enjoy a level of protection essentially equivalent to that guaranteed in the Union by the GDPR in the light of the Charter. In this connection, account must be taken in particular of the contractual provisions agreed between the controller based in the Union and the recipient of the transfer established in the third country concerned and, as regards any access by the authorities of that third country to the transmitted personal data, of the relevant elements of the legal system of that country, in particular those listed in Article 45 (2) GDPR (ECJ July 16, 2020, C-311/18 (Schrems II), para. 105).
The competent supervisory authority is obliged to suspend or prohibit a transfer of personal data to a third country based on standard data protection clauses if, in light of all the circumstances of that transfer, that authority considers that the clauses are not or cannot be complied with in that third country and that the protection of the transmitted data required under Union law, in particular under Articles 45 and 46 of the GDPR and under the Charter, cannot be guaranteed by other means (ECJ July 16, 2020, C-311/18 (Schrems II), para. 121).
In the present case, it should first be noted that the European Court of Justice declared the "EU-US Privacy Shield" invalid because it was incompatible with Articles 7, 8 and 47 of the Charter (ECJ July 16, 2020, C-311/18 (Schrems II), para. 150 ff), since it offered US authorities (intelligence services) disproportionate access possibilities and no effective legal remedies were available to those affected (non-US citizens). The European Court of Justice thus stated that, with regard to the fundamental rights guaranteed in Art. 7 and 8 of the Charter, neither Section 702 of FISA nor E.O. 12333 in conjunction with PPD-28 meets the minimum requirements existing in Union law on the basis of the principle of proportionality, so that it cannot be assumed that the surveillance programs based on these provisions are limited to what is strictly necessary. It should also be noted, both with regard to the surveillance programs based on Section 702 of FISA and with regard to those based on E.O. 12333, that neither PPD-28 nor E.O. 12333 confers rights on data subjects that can be enforced in court against the American authorities, so that these persons do not have an effective remedy.
In this connection, the ombudsman mechanism mentioned in the adequacy decision does not open up legal recourse to a body that would offer individuals whose data is transferred to the United States guarantees essentially equivalent to those required under Article 47 of the Charter.
These circumstances, which led to the annulment of the "EU-US Privacy Shield", are also to be considered in the assessment of a data transfer under Article 46 (2) (c) GDPR. In this regard, it should be noted that the standard data protection clauses, by their nature, cannot offer guarantees that go beyond the contractual obligation to ensure compliance with the level of protection required under Union law. In particular, due to their contractual nature, they cannot bind third-country authorities (such as US intelligence services) (ECJ July 16, 2020, C-311/18 (Schrems II), para. 132 f).
These considerations can be applied to the present case. It is thus obvious that the BF2 qualifies as a provider of electronic communication services within the meaning of 50 U.S. Code § 1881(b)(4) and is thus subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"). Accordingly, the BF2 has the obligation to provide personal data to U.S. authorities under 50 U.S. Code § 1881a. The standard data protection clauses agreed between the MB and the BF2 do not offer any possibility in this context of effectively countering or preventing such requests. As can be seen from the transparency report of the BF2, such requests are also regularly made to it by US authorities.
The data transmission in question can therefore not be based solely on the standard data protection clauses concluded between the MB and the BF2 in accordance with Article 46 (2) (c) GDPR.
Because, by their very nature, these standard data protection clauses cannot provide any guarantees beyond the contractual obligation to ensure compliance with the level of protection required under Union law, it may be necessary, depending on the situation in a particular third country, for the controller to take additional measures (see point II.3.6.2.2.2) to ensure compliance with this level of protection.
II.3.6.2.2.2. Regarding the additional measures:
In its "Recommendations 01/2020 on measures to supplement transmission tools for ensuring the Union legal level of protection for personal data", version 2.0 ("EDPB Recommendations"), the European Data Protection Board (EDPB) stated that, in the event that the law of the third country affects the effectiveness of appropriate safeguards (such as standard data protection clauses), the data exporter must either suspend the data transfer or implement additional measures (EDPB Recommendations, para. 28 ff and para. 52, or ECJ July 16, 2020, C-311/18 (Schrems II), para. 121).
According to the EDPB Recommendations, such "additional measures" can be of a contractual, technical or organizational nature (EDPB Recommendations, para. 52):
With regard to contractual measures, it is stated that these "[...] supplement and strengthen the guarantees provided by the transmission tool and the relevant legislation in the third country, insofar as the guarantees, taking into account all circumstances of the transmission, do not meet all the requirements necessary to ensure a level of protection essentially equivalent to that in the EU. Since contractual measures, by their very nature, generally cannot bind the authorities of the third country if they are not themselves a party to the contract, they must be combined with other technical and organizational measures in order to ensure the required level of data protection.
Just because one or more of these measures has been selected and applied does not necessarily mean that it is systematically ensured that the intended transfer meets the requirements of Union law (ensuring an essentially equivalent level of protection)" (EDPB Recommendations 01/2020, para. 99).
With regard to organizational measures, it is stated that they are "[...] internal strategies, organizational methods and standards that controllers and processors could apply to themselves and impose on data importers in third countries. These can contribute to uniform protection of personal data throughout the processing cycle. Organizational measures can also help ensure that data exporters are better aware of the risks related to data access in third countries and related access attempts and can react to them more alertly. Just because one or more of these measures has been selected and applied does not necessarily mean that it is systematically ensured that the intended transfer meets the requirements of Union law (ensuring an essentially equivalent level of protection). Depending on the specific circumstances of the transmission and the assessment of the legal situation in the third country, organizational measures are required to supplement the contractual and/or technical measures in order to ensure that the protection of personal data is equivalent to the level of protection guaranteed in the EEA" (EDPB Recommendations 01/2020, para. 128).
Regarding the technical measures, it is stated that these "[...] can supplement the guarantees offered by the transmission instruments in Art. 46 GDPR in order to ensure that the protection required under Union law is also guaranteed when personal data is transmitted to a third country.
These measures are particularly required if the law of the third country in question imposes obligations on the data importer that run counter to the guarantees of the transmission instruments mentioned in Art. 46 GDPR and are therefore capable of undermining the contractual guarantee of an essentially equivalent level of protection as far as official data access in the third country is concerned" (EDPB Recommendations 01/2020, para. 77).
An additional measure is only considered effective within the meaning of the judgment of the European Court of Justice (ECJ 16.07.2020, C-311/18 (Schrems II)) if and to the extent that it, alone or in conjunction with others, closes precisely those gaps in legal protection that the data exporter identified in its review of the legislation and practice in the third country applicable to its transfer. Should it ultimately not be possible for the data exporter to achieve an equivalent level of protection, it may not transmit the personal data (EDPB Recommendations 01/2020, para. 75).
Applied to the present case, this means that it must be examined whether the "additional measures taken" by the BF2 (see point II.1.10 or VWA ./31, page 23 ff) close the gaps in legal protection identified in the judgment of the European Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II)), i.e. inappropriate access and surveillance capabilities of US intelligence services and insufficient effective legal remedies for those affected.
Against this background, it must therefore be checked whether the additional measures taken by the BF2 are suitable for eliminating the unlawful circumstances (disproportionate access possibilities of US authorities or the lack of effective legal remedies for those affected), so that the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter are not violated.
With regard to the contractual and organizational measures set out, it is not apparent to what extent a review of a request from US authorities by XXXX attorneys or by specially trained personnel for compliance with applicable laws and XXXX guidelines ensures that the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter are not violated. Compliance with US laws, i.e. the obligation to release data, leads precisely to the violation of the fundamental rights of the Union citizens concerned. Likewise, notifying customers before any of their information is disclosed to US authorities has no justifying value. This is because a transfer of information is disproportionate under European law and the Union citizens concerned have no effective legal remedies against disclosure. A violation of the fundamental rights of the Union citizens concerned also occurs if notification of customers is omitted for reasons of US law. Even if the request of a US authority is omitted due to an emergency, the disclosure is unlawful, since the Union citizens concerned do not have the opportunity to use an effective legal remedy to verify the emergency. Finally, the release of a transparency report and the publication of the BF2's policy on dealing with government requests do not remove the unlawful circumstances in such a way that the fundamental rights guaranteed in Art. 7, 8 and 47 of the Charter are not violated.
The technical measures presented are also not suitable for eliminating the violation of fundamental rights. The technical measures listed neither prevent nor restrict the access possibilities of US intelligence services under US law in connection with the transmission or storage of the data. As the bB correctly stated, the technical measures cannot be considered effective if the BF2 itself still has the ability to access the data in plain text.
Insofar as the BF2 refers to an encryption technology, it can be inferred from the EDPB Recommendations that a data importer (the BF2) that is subject to 50 U.S. Code § 1881a ("FISA 702") has a direct obligation, with respect to the imported data in its possession or custody or under its control, to grant access to or release them. This obligation can also expressly extend to the cryptographic keys without which the data is not readable (para. 81).
The BF2's submission that XXXX-Analytics data for measurement by website owners, insofar as it is personal data, should be considered pseudonymous is also not suitable as an "additional measure". In this context, the convincing view of the German Data Protection Conference is to be followed, according to which "[...] the fact that users are made identifiable via IDs or identifiers does not constitute a pseudonymization measure within the meaning of the GDPR. In addition, the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers does not constitute appropriate guarantees for complying with data protection principles or safeguarding the rights of data subjects. This is because, unlike in cases where data is pseudonymized in order to obscure or delete the identifying data so that the persons concerned can no longer be addressed, IDs or identifiers are used to make individuals distinguishable and addressable. Consequently, there is no protective effect. These are therefore not pseudonymizations within the meaning of Recital 28, which reduce the risks for the persons concerned and support controllers and processors in complying with their data protection obligations" (cf. the guidance of the supervisory authorities for providers of telemedia from March 2019, p. 15).
In addition, the arguments of the BF2 cannot be followed because the XXXX-Analytics ID can in any case be combined with other elements and can even be connected with a XXXX account indisputably attributable to the BF2.
The "anonymization function of the IP address" mentioned is not relevant to the case because it was not implemented correctly (see point II.1.3.4).
Overall, the additional measures identified by the BF2 are not suitable for closing the gaps in legal protection identified in the judgment (inappropriate access and surveillance capabilities of US intelligence services and insufficient effective legal remedies for those affected).
II.3.6.2.2.3. Summary:
Based on the decision of the European Court of Justice of July 16, 2020, C-311/18 (Schrems II), the data transfer at issue was not covered by the "EU-US Privacy Shield". Also, the data transfer that is the subject of the proceedings cannot be based solely on the standard data protection clauses concluded between the MB and the BF2 in accordance with Article 46 (2) (c) GDPR. In addition, the additional measures identified by the BF2 are not suitable for closing the gaps in legal protection identified in the judgment (inadequate access and monitoring options by US intelligence services and insufficient effective legal remedies for those affected). Overall, the data transmission that is the subject of the proceedings is not covered by Art. 46 GDPR.
Insofar as the BF2 assumed a risk-based approach in the administrative proceedings, it should be noted that this approach is already at odds with the wording of Art. 44 GDPR. Art. 44 GDPR covers any transmission of personal data. The provision therefore does not differentiate according to whether extremely low-threshold data, for which there is only a very low basic risk, is transferred. Although the GDPR provides for a risk-based approach in individual provisions (e.g. Art. 24 Para. 1 and Para. 2, Art.
25 Para. 1, Art. 30 Para. 5, Art. 32 Para. 1 and Para. 2, Art. 34 Para. 1, Art. 35 Para. 1 and Para. 3 or Art. 37 Para. 1 lit. b and lit. c GDPR), this circumstance does not mean that the risk-based approach is to be applied analogously to Art. 44 GDPR.
With regard to the legal situation in the US, the European Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II)) precisely assumed that, due to the disproportionate access possibilities of US authorities and insufficient effective legal remedies for those affected, an "appropriate level of data protection" cannot be assumed, which is why it ultimately also declared the EU-US adequacy decision invalid. The European Court of Justice expressly did not base its decision on the possibility that the obligations to which a Privacy Shield certified company from the United States is subject may be appropriate in individual cases (e.g. because the certified company only receives non-sensitive or non-criminally relevant personal data).
The GDPR is also intended to guarantee the free movement of data. However, in this context the free movement of data is subject to the premise that the requirements of the GDPR, including Chapter V, are fully complied with. A softening of the requirements of Chapter V in the sense of a "business-friendly interpretation" in favor of the free movement of data is not provided for. Economic interests also played no role in the judgment of the ECJ of July 16, 2020, C-311/18 (Schrems II).
II.3.6.3. Regarding the exceptions for certain cases according to Art. 49 GDPR:
According to the MB's own information, the exception under Art. 49 GDPR was not relevant for the data transfer in question (VWA ./11, page 13). Nor did it emerge in the proceedings that consent under Art. 49 Para. 1 lit. a GDPR was obtained. Since overall no circumstances emerged according to which a case under Art.
49 GDPR would be fulfilled, the data transfer that is the subject of the proceedings cannot be based on Art. 49 GDPR.
II.3.6.4. Result:
Since no adequate level of protection was guaranteed by an instrument of Chapter V of the GDPR for the data transmission in question from the MB to the BF2 (in the United States), there is a violation of Art. 44 GDPR. The MB was responsible for the operation of the XXXX website (at least) at the time relevant to the complaint, i.e. August 14, 2020. The data protection violation of Art. 44 GDPR relevant here is therefore attributable to the MB.
Overall, the BF2 was not able to show that point 2. of the bB's decision would have violated its legal interests. Also for this reason, the complaint by the BF2 was to be rejected.
II.3.7. Regarding point A.II) – inadmissibility of the revision:
According to § 25a Para. 1 VwGG, the administrative court must state in the ruling of its judgment or decision whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. The statement must be briefly justified.
The revision is permitted because there is not yet sufficient case law of the Administrative Court on the question of a data recipient (data importer in a third country) in the procedure for establishing a violation of the general principles of data transmission under Art. 44 GDPR. It was therefore to be decided accordingly.
II.3.8. Regarding point B.I) - rejection of the complaint by the BF1:
As explained under point II.3.3, no subjective public rights/obligations can be derived from Chapter V GDPR with respect to the BF2 as data importer. Against this background, the BF1's complaint against the decision was to be dismissed.
II.3.9. Re point B.II) - admissibility of the revision:
According to § 25a Para. 1 VwGG, the administrative court must state in the ruling of its judgment or decision whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG.
The statement must be briefly justified. The revision is permitted because there is not yet sufficient case law of the Administrative Court on the legal questions presented here. It was therefore to be decided accordingly.