BVwG - W245 2252208-1/36E and W245 2252221-1/30E

From GDPRhub
Revision as of 08:25, 7 June 2023 by Mg (talk | contribs) (→‎Holding)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W245 2252208-1/36E & W245 2252221-1/30E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 44 GDPR
Article 46(2)(c) GDPR
Decided: 12.05.2023
Published: 12.05.2023
Parties: Österreichischen Datenschutzbehörde (Austrian data protection authority)
Google LLC
National Case Number/Name: W245 2252208-1/36E & W245 2252221-1/30E
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Bundesverwaltungsgericht Republik Österreich (in German)
Initial Contributor: Norman Aasma

The use of Google Analytics by an Austrian website was declared unlawful by the Austrian Federal Administrative Court. The Court also held that Chapter V of the GDPR does not apply to the Google US, the data importer.

English Summary

Facts

This case concerns a judicial review against a 2021 decision of the Austrian DPA (Datenschützbehörde - DSB). The decision originally stemmed from a complaint filed by the NGO noyb, following the CJEU judgement in case C-311/18 ("Schrems II").

The Austrian DPA found that the use of Google Analytics by an Austrian website led to the transfer of personal data to the US in violation of Chapter V of the GDPR. At the same time, the supervisory authority ruled that Chapter V of the GDPR sets out obligation only for the data exporter - in the present case, the Austrian website - and not the data importer - Google LLC.

Google LLC appealed the decision. Google stated that transfers were lawful as they relied on Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR. It also claimed to have adopted a "risk-based approach" to the transfers, by implementing technical and organisational measures aiming at mitigating the risks to Europeans' data protection rights.

The data subject also appealed the decision, arguing that Chapter V of the GDPR applies to data importers, too.

Holding

In addressing the controller's appeal, the court confirmed that the data transfer to Google LLC was unlawful.

Referring to the CJEU judgement in case C-311/18, the court held that SCCs can be considered effective only as long as - on their own or in combination with additional technical and organisational measures - they are able to compensate for the risks taken by a data exporter when transferring data to third countries. If the data exporter is not able to meet these requirements, data transfers are unlawful and shall not take place.

With regard to the present case, the court found that even though Google had implemented certain organisational and technical measures, these were not sufficient to prevent US intelligence agencies from accessing Europeans' personal data. As a matter of fact, Google's own report indicated that the number of requests made by such agencies was actually very high.

Assessing Google's organisational measures, the court noted that a contractual obligation to inform the data exporter about an access request by a public authority was not sufficient to address the risks to data subjects' fundamental rights. In case of emergency, US law enables public authorities to order the controller not to share with third parties information about the disclosure. In addition, and above all, Europeans have no effective legal remedy against unlawful disclosure. The publication of a transparency report by Google did not solve the issue, either.

As far as technical measures were concerned, the court stressed that encryption was not an effective tool. Under US law, Google is obliged to provide the requesting authority not only with data transferred, but also with encryption keys to decypher them. More in general, the court explicitly clarified that Chapter V of the GDPR is incompatible with the "risk-based approach" envisaged by the Google. As a matter of fact, a "business-friendly interpreation" of the GDPR did not play any role in C-311/18 and was thus inadmissible.

As far as the data subject's appeal was concerned, the court dismissed the data subject's arguments. The court upheld the Austrian DPA's interpretation that Chapter V of the GDPR applies only to the data exporter, and not to the data importer. The court stressed that obligations stemming from Chapter V of the GDPR should not be confused with contractual obligation binding the data importer in the context of SCCs or other private law agreements with the data exporter.

Comment

The data subject expressed their willingness to appeal the decision before the Austrian Supreme Administrative Court.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Postal address:
                                                                      Erdbergstrasse 192 – 196
                                                                                 1030 Vienna
                                                                         Phone: +43 1 601 49-0

                                                                  Fax: + 43 1 711 23-889 15 41
                                                               Email: einlaufstelle@bvwg.gv.at
                                                                            www.bvwg.gv.at

decision date

05/12/2023
business number




W245 2252208-1/36E

W245 2252221-1/30E


     Written copy of the verbal decision announced on March 31, 2023


                I M N A M E N D E R E P U B L I K !



The Federal Administrative Court, judged by Mag. Bernhard SCHILDBERGER, LL.M.

as chairperson and Mag. Viktoria HAIDINGER as a competent lay judge and Mag.

Thomas GSCHAAR represented as a competent lay judge on the complaints of XXXX
by XXXX and XXXX, represented by Baker & McKenzie Rechtsanwälte LLP & Co KG,

Schottenring 25, 1010 Vienna against the partial decision of the Austrian

Data protection authority from December 22nd, 2021, GZ 2021-0.586.257 (DSB-D155.027), concerning the
Violation of the general principles of data transmission in accordance with Art. 44 GDPR, after

Carrying out an oral hearing, rightly recognised:


a)

    I. XXXX's complaint against point 2 of the disputed partial decision is

       rejected.

    II. The revision is permissible according to Art. 133 Para. 4 B-VG.



b)

    I. XXXX's complaint against point 3 of the disputed partial decision is
       rejected.


    II. The revision is permissible according to Art. 133 Para. 4 B-VG. - 2 -







                            Reasons for decision:


Subject of the proceedings:

Complainant XXXX (hereinafter also “BF1”) visited a website on August 14, 2020

XXXX of those involved XXXX (hereinafter also "MB"). On the MB website was the
Web analysis service XXXX Analytics of complainant XXXX (hereinafter also "BF2")

embedded. With the embedded web analysis service, personal data of the
BF1 transferred to a third country. The present decision addresses the question of whether

with the processing at issue to a violation of the general

Principles of data transmission in accordance with Art. 44 GDPR.


I. Procedure:

I.1. With a submission dated August 18, 2020, the BF1 lodged a complaint against the BF2 and the MB
(VWA ./01, see point II.2).

The reason given by the BF1 was that on August 14, 2020, at 10:45 a.m., the website of the MB

visited XXXX. While visiting the MB website, the BF1 was on a XXXX -

account was logged in. This account is linked to the email address of BF1 (XXXX
been. The MB has on its website the HTML code for XXXX services (including

XXXX -Analytics) embedded.

During the visit to the MB website, the BF1 received personal data from the

BF1 (at least the IP address of the BF1 and cookie data) processed. Apparently these are
been transmitted to the BF2 (VWA ./04).

According to point 10 of the order data processing conditions, the MB agreed that

the BF2 personal data of the BF1 in the United States of America or in

another country where XXXX or XXXX sub-processors have facilities
maintain, store and process. Such a transfer of

personal data of the BF1 from the MB to the BF2 require a legal basis

according to Art. 44 ff GDPR.

After the European Court of Justice declared the "EU-US Privacy Shield" with the decision of
16.07.2020, C-311/18 (Schrems II) declared invalid, the MB could

Data transmission to the BF2 in the United States is no longer limited to one

Support adequacy decision according to Art. 45 GDPR. Nevertheless, the MB and - 3 -


the BF2 still had to wait almost four weeks after the judgment for the “EU-US Privacy
Shield”. This can be done from point 10.2 of the order data processing conditions

for XXXX advertising products, version 01.01.2020 (VWA ./03).

In addition, the MB cannot base the data transmission on standard data protection clauses

in accordance with Article 46 (2) (c) and (d) GDPR if the third country of destination

Union law no adequate protection of the on the basis of
Standard data protection clauses guarantee transmitted personal data (ECJ

July 16, 2020, C-311/18 (Schrems II), para. 134 f). The ECJ expressly stated that
other transfers to entities falling under 50U.S. Code §1881a, not just

against the relevant articles in Chapter V GDPR, but also against Art. 7 and 8 GRC

would violate the essence of Art. 47 GRC (ECJ 06.10.2015, C-
362/14 (Schrems), para. 95). Any further transmission therefore violates the fundamental right

to privacy and data protection and the right to an effective remedy

a fair process.

BF2 is a provider of electronic communications services within the meaning of 50 U.S. code §

1881a (b) (49) and as such is subject to supervision by U.S.
Intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"): As from the " XXXX " (VWA ./06)

and from the transparency report of the BF2 (see XXXX, the BF2 of the US
Government pursuant to 50 U.S. Code Section 1881a actively provides personal information. Before

Against this background, the MB was unable to adequately protect the

personal data of BF1, which are transmitted to BF2.

From August 12th, 2020, the MB and the BF2 have agreed on data transmissions to the United

States rely on default data protection clauses. This could be point 10.2 of
Order data processing conditions for XXXX advertising products, version 08/12/2020,

(VWA ./04). However, this procedure ignores the judgment of the European
Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II), para. 134 f). Accordingly, the MB

obliged to the transfer of personal data to the BF2 in the United

states to refrain from.

Finally accept the BF2 despite the clear judgment of the European Court of Justice

and in violation of Articles 44 to 49 GDPR, data transfers from the
EU/EEA under the data protection clauses. In addition, give the BF2

EU/EEA personal data to the US government in violation
against Art. 48 GDPR. - 4 -


According to Art. 58 Para. 1 GDPR, the BF1 requested that it be determined which
personal data from the MB to the BF2 in the United States or to a

another third country or an international organization on which

Transmission mechanism according to Art. 44 ff GDPR, the MB supports the data transmission
and whether the provisions of the applicable XXXX Analytics Terms of Use

and the (new) order data processing conditions for XXXX advertising products

Requirements of Art. 28 GDPR in relation to the transfer of personal data
fulfill or not.

Furthermore, the BF1 applied for this immediately in accordance with Art. 58 (2) lit. d, f and j GDPR

Ban or suspension of any data transfer from the MB to the BF2 in the

United States imposed and the return of this data to the EU/EEA or a
another country that guarantees adequate protection.


Finally, the BF1 requested the imposition of an effective, proportionate and
deterrent fine against the MB and the BF2.

In his complaint to the BA, the BF1 submitted the Terms of Use for XXXX Analytics (VWA

./02, see point II.2), the order data processing conditions for XXXX advertising products,

Version 01.01.2020 (VWA ./03, see point II.2), the order data processing conditions
for XXXX advertising products, version 08/12/2020 (VWA./04, see point II.2), the HAR data of the

Website visit (VWA ./05, see point II.2), the XXXX (VWA ./06, see point II.2) and

a certificate of representation (VWA ./07, see point II.2).

I.2. As a result, the BA continued the procedure until the responsible person was determined
supervisory authority and until the decision of the lead supervisory authority or the

European data protection committee with decision of 02.10.2020, Zl2020-0.527.385 (DSB-

D155.027) from (VWA ./08 and ./09, see point II.2). Furthermore, the bB called for the MB
Opinion on (VWA ./10, see point II.2).

I.3. In the statement of December 16, 2020, the MB stated (VWA ./11, see point II.2) that

she herself decided to edit the program code for XXXX -Analytics (hereinafter

also called "tool") on your XXXX. The tool is used to
to enable statistical evaluations of the behavior of website visitors (see

Point II.1.8) to organize the content of the website according to general topic interests

to adjust. Since the evaluation is carried out anonymously, the tool can be used
the content cannot be adapted to the specific website user. Based on the

Website usage and article views of anonymous users receive an aggregated MB

statistical evaluation. - 5 -


For the general user statistics and the already mentioned purpose no personal reference
is necessary, the MB was aware of the embedding of the anonymous version

determined. From the still embedded code it can be seen that the function

"anonymizeIp" was set to "true". Therefore, the tool only processes anonymous
Data. In the case of user IP addresses of the IPv4 type, the last octet and in the case of IPV6

addresses the last 80 of the 128 bits in memory are set to zero. With that find

before the data is saved or transmitted. Therefore, an access
therefore not to personal data by BF2 in the United States

possible.

In addition to anonymized IP addresses, the tool processes the user agent string. The user agent

String is used to tell the server which system specification the user used to access the
server access. Without personal reference, only the device, the operating system, the

Operating system version, the browser, the browser version and the device type are displayed

become. Since this information lacks a personal IP address or anything else
Identifiers cannot be assigned to an identifiable user, would not be personal

data available. Since the anonymization is already in the working memory of the respective

website user takes place, no processing takes place on servers of BF2 and sohin
not in a third country outside the EU.

Even before the cookie is finally set, the anonymization process finds the IP address

instead of. Only from this point in time would the statistical information about the

Website usage can be collected via the respective - now anonymous - cookie. The
The evaluations collected would accordingly only be carried out with the anonymous data

carried out and could therefore not be assigned to any person. on the

the process presented – namely the collection and evaluation of merely anonymous data
and information - would find neither the GDPR nor the DSG due to the lack of personal reference

Application. Accordingly, the consent of a website user is not required.

The concrete anonymization process initially accesses the IP address in order to access it immediately

anonymize. However, this required initial recording of the IP address takes place
regardless of the use of XXXX -Analytics and be always for the

functionality is mandatory. This survey is not for the purpose of the MB

(see point II.1.8), but inevitably with every website that can be called up on the Internet. This
takes place, as with any other website, on the basis of legitimate interest

Operation of a functioning, user-friendly and secure website in accordance with Art. 6 para.

1 lit. f GDPR. - 6 -


The BF2 process the data on behalf of and on the instructions of the MB. The MB take the role
of the person responsible, BF2 assumes the role of processor. The MB have

extensive decision-making power over the means of processing. You decide initially

about whether she wants to embed the tool at all and she also has the option to
Adjusting the tool to determine the needs and purposes of processing

or change as needed. Furthermore, the MB determines the storage period (26 months) as well as

the fate of the data after the termination of the contract. To secure any future
The MB

therefore concluded an order data processing agreement with BF2 (see VWA

./16).

According to the judgment of the European Court of Justice of July 16, 2020, C-311/18 (Schrems II).
the MB checked the settings of the tool and made sure that the so far

data protection-friendly implementation by anonymizing the IP addresses

is active. Therefore, the judgment of the ECJ is not on the contractual relationship between the MB and
the BF2 applicable. In order, however, also for any provision of personal data

To take data to the BF2 precautions, the MB with the BF2 have one as a precaution

Processor agreement concluded on August 12th, 2020 (see VWA ./16) and
Standard safeguard clauses included (see VWA ./22). With regard to the

The MB did not carry out a proactive review of standard safeguard clauses. This

because due to the transmission of anonymized IP addresses, a transmission
of personal data is not successful. Finally, arising from the processing

of anonymous data, which are subsequently only evaluated for general statistics,

no risks.

BF2 also took further technical and organizational measures (no
Backdoor access for authorities, information obligations of BF2 towards those responsible,

when a request from a competent authority arrives, publication of

transparency reports, examination of requests for information and appeals) to a high level
To provide a level of data protection for the data processed via the tool.

In its statement (VWA ./11) to the BA, the MB submitted reports from the tool (VWA ./12,

see point II.2), information on IP anonymization (VWA ./13, see point II.2),

Screenshot of the set storage period (VWA ./14, see point II.2), list of
Server locations (VWA ./15, see point II.2), order data processing conditions for

XXXX advertising products, version 08/16/2020 (VWA ./16, see point II.2),

Order data processing conditions for XXXX advertising products, version 08/12/2020
(VWA ./17, see point II.2), order data processing conditions for XXXX - 7 -


Advertising products, version 01.01.2020 (VWA ./18, see point II.2), comparison version AVV dated
01/01/2020 vs 08/12/2020 (VWA./19, see point II.2), comparison version AVV from 08/12/2020

vs 08/16/2020 (VWA ./20, see point II.2), screenshot for settings (VWA ./21, see

Point II.2), standard data protection clauses (VWA ./22, see point II.2), information on
Safety measures (VWA ./23, see point II.2) and a processing sheet for XXXX

Analytics (VWA ./24, see point II.2) at.

I.4. At the request of the bB of January 22, 2021 (VWA ./25, see point II.2), the BF1 in the

Follow an opinion (VWA ./26, see point II.2). In it he explained, although in code
the function "anonymizeIP" was set to "true", this did not result in his

anonymized IP address was transmitted. This is for data transfers in the World Wide

Web technically impossible. Referring to statements by BF2, BF1 stated that
the IP address only after it enters the Analytics data collection network,

anonymized or masked before being stored or processed.

In addition, the BF1 pointed out that at the time of the website visit, he was in his private
XXXX account was logged in and also cookie data (_ga, __gads, _gid, _gat,

_gat_UA-259349-11, _gat_UA-259349-1) were transferred. So in the result be

Contrary to the statements of the MB, it is clear that personal data (such as cookies and
IP addresses) were processed and transmitted to BF2 in the United States.

In addition, with a processor in a third country, there is a breach of anonymization

not enforceable or ascertainable
of the European Court of Justice (ECJ 19.10.2016, C-582/14 (Breyer)) at least by one

assignability to a specific natural person.

In order to prevent a violation of Art. 44 ff GDPR, a complete removal of the

Tools necessary and a change to another tool that does not transfer data to the
USA require to recommend. As far as the MB is convinced that no

personal data would be processed is a conclusion of

Order processing conditions contradictory. Also the fact that the MB
to be on the safe side, conclude standard data protection clauses with the BF2, point out that

she herself assumes that data will be transferred to the USA. Also that from

The processing directory (VWA ./24) submitted to the MB indicates that
personal data would be transmitted to BF2.

Contrary to statements by the MB, the sole purpose of collecting the IP address is not

carrying out the transmission of a message over a communications network,

rather, it is also collected for the use of XXXX analytics. As a result of possible
data tapping by US secret services can still be assumed that interests or - 8 -


Fundamental rights and freedoms of data subjects requiring protection
require personal data prevail. Like the European Court of Justice

stated that the existing system of access options from US

Secret services on personal data of EU citizens with Art. 7, 8 and 47 GRC
incompatible (ECJ July 16, 2020, C-311/18 (Schrems II)).


In its statement (VWA./26), the BF1 placed the attachments of third-party partners in the cookie banner
MB (VWA ./27, see point II.2), contacts from XXXX with US server (VWA ./28, see point

II.2), and contacts of XXXX with US server, reference to fingerprint technology (VWA ./29,
see point II.2) at.


I.5. In a letter dated February 26, 2021, the BA asked the BF2 to comment (VWA ./30,
see point II.2). With the submission of April 9th, 2021, the BF2 complied with this request (VWA

./31, see point II.2). In its statement, the BF2 describes, among other things, the

Web analysis service XXXX -Analytics (see point II.1.3.3), the implementation and the
Functionality of XXXX -Analytics (see point II.1.5), the embedding of the program code

for XXXX analytics on a website (see point II.1.6), the legal basis for use

of XXXX -Analytics (see point II.1.7), the measures which, according to the judgment of
European Court of Justice of July 16, 2020 in case C-311/18

(see point II.1.9), the additional measures that come with the introduction of the
standard contractual clauses have been set (see point II.1.10) and the effects if

a user of a XXXX account visits a website that uses XXXX analytics.

I.6. The entry of the BF2 (VWA ./32) transmitted the bB within the scope of the hearing of the parties

MB and the BF1 for comments.

I.7. With a statement of May 4th, 2021 (VWA ./33, see point II.2), the MB stated that they

only use the free version of XXXX Analytics. Both the
Order data processing conditions (terms of use) as well as the

Standard Contractual Clauses (SDK) have been agreed. The BF2 will only as

Contract processor used. The instructions are given by the MB about the settings of XXXX
-Analytics user interface and via the global website tag. It is the data release

Setting has not been activated. The code is embedded with the anonymization function

been. XXXX signals are also not used. The MB does not have its own
authentication system and also do not use user ID function. Currently support

does not refer to the exception rule of Art. 49 Para. 1 GDPR.

I.8. With a statement dated May 5th, 2021 (VWA ./34, see point II.2), the BF1 stated that

XXXX is not a party to the proceedings and is the sole object of the appeal with regard to BF2, - 9 -


that the transmission and receipt of the data Art. 44 ff DSGVO is pursued or the
thereafter unlawful processing in the United States. According to Art. 44 GDPR

"Responsible persons and processors" would have to comply with Chapter V GDPR

retain. As a processor, BF2 is the norm addressee of Chapter V GDPR. The bB be
directly responsible for BF2, which violated Art. 44 ff GDPR. Regarding

The GDPR is applicable to the processing carried out by BF2, since the factual

Scope of application according to Art. 2 Para. 1 and the geographical scope according to Art.
3 paragraph 2 lit. b leg.cit. be fulfilled.

With reference to the opinion of BF2 (VWA ./31, see point I.5), BF1 stated that

the data transmission to BF2 in the United States and the personal reference of

transmitted data is undisputed. The BF2 put out of dispute that all through XXXX -
Analytics collected would be hosted in the United States.

According to the explanations of the BF1, the MB and the BF2 themselves would assume that

that there is a processing of personal data, including their transmission in
a third country, otherwise a contract data processing contract will be concluded

including standard contractual clauses would be completely meaningless. Also state the BF2 itself,

that based on a "user ID" ("user identifer") a data subject for the purpose
of deletion can be identified. There is thus the possibility of

Identifiability within the meaning of Art.4 Para.1 GDPR. Furthermore, the BF itself states that XXXX

-Analytics unique identifiers associated with a specific user
use. As far as the BF2 explain that the data transmitted to her sometimes only

"Pseudonymous data" would be, on the one hand this is factually wrong and on the other hand it is closed

note that even pseudonymised data (Art. 4 Para. 5 GDPR) from the term
personal data are recorded in accordance with Art. 4 Para. 1 GDPR.

It is undeniable that the MB and the BF2 process personal data and in

the United States had submitted. At least some of the ones on the occasion of

Cookies set on the website visit on August 14, 2020 would be unique user
Identification numbers included. In the transaction between the browser of the BF1 and

https://tracking. XXXX , which was started on the specified date, are the user

Identification numbers _gads, _ga and _gid have been set. These numbers are in sequence
at https://www. XXXX -analytics.com/ has been transmitted. It's about the numbers

to online identifiers that serve to identify natural persons and a
Users would be specifically assigned (see also point II.1.3). In terms of

IP address, it should be noted that Chapter V GDPR no exceptions for subsequent

provide for anonymized data. It can be assumed that the IP address of the BF1 is not - 10 -


was once made anonymous in all transactions. The application for the imposition of a
Fine will be withdrawn, this is now a suggestion.


The additional measures put forward by the BF2 (see point II.1.10) are irrelevant.
In this regard, the European Court of Justice found the following elements of the US

Legislation than with the European fundamental rights according to Art. 7, 8 and 47 EU

Charter of Fundamental Rights (GRC) considered incompatible (ECJ July 16, 2020, C-311/18 (Schrems II), para
175 ff): The lack of any legal protection before US courts under Art. 47 GRC; the lack

any precise legal basis for monitoring, specifying the scope and
scope of the encroachment on fundamental rights itself and the requirement of

proportionality is sufficient; the lack of any individual ex ante decision of a

court, but the sole review of a surveillance system as a whole and that
Absence of any subsequent judicial control and finally the lack of any

Legal Protection for "Non-US Persons". Against this background, the additional

Measures (see point II.1.10) not suitable by the European Court of Justice
solve the problems presented. With comprehensive justification, the BF1 explained that no

of the supposed "additional measures" above the normal standard of the

Data processing pursuant to Art. 32 GDPR goes beyond or is relevant with regard to
U.S. Government data access pursuant to 50 U.S. Code § 1881a and/or EO 12.333.

In its statement (VWA ./34), the BF1 included the enclosures "XXXX -Analytics Cookie,

Use on website" (VWA ./35, see point II.2), "How XXXX uses cookies" (VWA

./36, see point II.2), and "Measurement Protocol Parameter Reference" (VWA ./37, see
Point II.2) at.


I.9. As a result, the bB asked the parties to the procedure to submit a new statement (VWA
./38, ./39 and ./40, see point II.2). With an e-mail dated May 12, 2021, BF2 applied for one

Extension of the period for comments (VWA ./41, see point II.2), which subsequently
was granted by the BA (VWA ./42, see point II.2).


I.10. In its statement of June 10, 2021 (VWA ./43, see point II.2), BF2 stated that
that the BF1's legitimacy to act had not been established because it had not been proven

had been stated that the data transmitted was personal data of BF1

act. In order to process the data (cookies, IP address) as a
To be able to qualify personal data of the BF1, he would have to on the basis of this

data are identifiable.

With regard to the _gid and cid numbers, it should be noted that these are first-party cookies,

which were set under the domain XXXX. It is therefore not cookies of BF2, - 11 -


but cookies of the website owner, and the cookie values are different for each user on each
site different. The BF1 stated that the numbers "_gid" and "cid" an

https://www. XXXX -analytics.com/ were transmitted. "_gid" has the value

1284433117.1597223478 and cid is 929316258.1597394734. To assess the
Active legitimation must therefore be determined whether these numbers (values) the BF1

make identifiable.

Considering that a single user may have different cid numbers for

have different websites and the cid numbers are randomly generated,
such a cid number cannot in itself identify a user. The

Number929316258.1597394734simplydon'tidentifytheBF1.TheBF1don'tbring

suggest that subsequent visits to the site would have taken place, let alone that data
in connection with such subsequent visits to the website in connection with the cid

929316258.1597394734 would have been recorded. There were no circumstances

on the basis of which one could argue that in connection with the cid number
929316258.1597394734 information collected would make the BF1 identifiable.

These statements essentially apply to the _gid numbers.

With regard to the IP address, it should be checked whether the IP address of the Internet

connected device is actually assigned to the BF1 and whether the person responsible or
another person has the legal means to obtain subscriber information from the

relevant internet access provider.

Even if it were determined that the MB or another person theoretically such

legal means within the meaning of recital 26 have to

Subscriber information related to the B1 from the internet access provider
received, it must also be determined whether, within the meaning of recital 26

GDPR reasonably likely that these means will be used
would. In general, it is not likely that the MB or any other

Person within the meaning of recital 26 legal means (if such available to them

standing) would use. In particular in the situation at issue, it would be
generally unlikely that such legal means will be used

would to identify any visitor to a website like the BF1 if

one considers the objective factors, such as the cost and time required for such means
identification (see recital 26).

As a processor, BF2 provides the website operator with numerous

XXXX -Analytics configuration options are available. The

Anonymization function is according to the declarations of the MB from December 16th, 2020 (VWA - 12 -


./11) and 05/04/2021 (VWA ./33) have been configured. However, due to a possible
Due to a configuration error on the part of the MB, the anonymization function does not work in all cases

been activated.

Under normal operating conditions and as far as users based in the EU are concerned,

there is a web server in the EEA, which is why the IP anonymization is always within

of the EEA. In the present case, normal operating conditions existed.

On August 14, 2020, the XXXX account of the BF1 ( XXXX ) has the Web & App activity
setting enabled. However, the account has not chosen activities of

Include websites using XXXX services. Since the MB according to its own information also

XXXX signal, the BF2 is not (was) able to determine that
the user of the XXXX account XXXX visited the XXXX.

With regard to international data traffic, it should be noted that even under the

Assumption that the complainant's personal data is concerned, this

are limited by their nature in terms of quantity and quality
data are to be qualified as personal data at all, it would also be

trade pseudonymous data.

Standard contractual clauses were concluded with the MB, in addition

additional measures have been implemented. The BF2 does not store user data according to EO
12333 open. FISA § 702 is in the present case given the encryption and the

Anonymization of IP addresses irrelevant.

Art. 44ff GDPR could not be the subject of a complaints procedure according to Art. 77 para.

1 GDPR, which is why the complaint should be rejected.

Finally, Art. 44 et seq. GDPR are also relevant with regard to BF2 as a data importer

not applicable.

I.11. The BF2 was entered by the bB, the BF1 and the MB as part of the
heard by the parties (VWA ./44, see point II.2). To that end, the BF1 applied

an extension of the period for comments (VWA ./45, see point II.2). Further demanded

the bB to announce the MB by letter dated June 16, 2021, whether there are legal
there have been changes and legal representation still exists (VWA ./46,

see point II.2).

I.12. With a statement dated June 18, 2021, the MB announced the change in its company name and the

Transfer of the website to another legal entity (see point II.1.2, as well as
VWA ./47, see point II.2). - 13 -


I.13.With a further statement of June 18, 2021 (VWA ./48, see point II.2). led the MB
assumes that the intended IP anonymization was not due to a programming error

had been activated. Due to the change made, now for all XXXX -

Analytics Properties activated IP anonymization on the XXXX website (VWA ./50, see
Point II.2). As a result, BF2 was instructed to use all of the XXXX -Analytics-

Properties collected data immediately delete. The BF2 have the deletion meanwhile

confirmed (VWA ./49, ./52 and ./53 see point II.2). Due to the deletion made
process neither the MB nor the BF2 data of the BF1. It will therefore be in accordance with Section 24 (6) DSG

encouraged the informal termination of the proceedings. The statement of the MB was the BF1

submitted for information (VWA ./51, see point II.2).

I.14. In the submission of July 9th, 2021 (VWA ./54, see point II.2), the BF2 stated that the
Appropriateness assessment according to the recommendations 01/2020 for supplementary measures

of transmission tools to ensure the level of protection under Union law for

personal data, version 2.0 of the European Data Protection Board (“EDPB-
Recommendations”) is not limited to examining the legislation of the third country.

It must also include any specific circumstances surrounding the transfer in question

be taken into account. In the present case, the processed personal data
To treat data differently than that due to the limited nature and low sensitivity

Data that are the subject of the Schrems I and Schrems II judgments. This is for him

relevant to the case at hand. As a result, the European Data Protection Board
a risk-taking approach is recommended.

They also include the actual probability of official access to the data

relevant factor for the adequacy assessment. Even in the presence of more problematic

Legislation may allow the data transfer to continue (even without
Implementation of additional measures) if the exporter has no reason to believe

that the problematic legislation was interpreted and/or applied in practice

could be that they are the transferred data and the specific data importer
In addition, the assessment is no longer exclusively based on the legislation of

third country, but also the question of whether or not this is applied in practice

not. For example, the white paper “Information on U.S. Privacy Safeguards Relevant to SCCs
and Other EU Legal Basis for EU-U.S. Data Transfers after Schrems ll" that the

most companies operating in the EU do not process data required for US
secret services are of interest.


When a data exporter transfers personal data in a way that the
personal data without the combination with other data no longer one - 14 -


can be assigned to a specific data subject, according to the EDSA
Recommendations that the pseudonymization carried out is an effective supplementary measure.

It is not to be expected that US authorities will have additional information that

would allow them to be stored behind the first party cookie values _gid and cid, respectively
to identify data subjects who have an IP address.


Finally, the BF1 did not apply for a finding that his rights in the
been injured in the past.

I.15. In its statement of 09.07.2021 (VWA ./55, see point II.2) the BF1 stated,

that personal data is being processed. This is through the

submitted documents (VWA ./5 and VWA ./34, point 5.3) have been verified. Also would
Contract documents (order data processing conditions or

Standard data protection clauses) do not create a personal reference, but these are

Documents an important indication that both the BF2 and the MB of a
Personal reference would go out. The BF2 itself also assumes that the

BF1 off. If it is ultimately for the identification of a website visitor only requirement

be whether he makes a certain declaration of intent in his XXXX account (such as the
Activation of "Ad personalisation"), for the BF2 all possibilities of

identifiability exist. Otherwise, the BF2 can in the account settings
expressed wishes of a user for "personalization" of the received

Promotional information does not match.

The universally unique identifier (UUID) in the _gid cookie with the UNIX timestamp

1597223478 is set on Wednesday 12 August 2020 at 11:11 and 18 seconds CET

those in the cid cookie with UNIX timestamp 1597394734 on Friday 14 August
2020 at 10:45 and 34 seconds CET. It follows that these cookies were already in place before

were used for the visit that is the subject of the complaint and also a longer-term one
tracking has taken place. To his knowledge, the BF1 does not have these cookies either

immediately deleted and the website XXXX also visited repeatedly.

The BF2 misjudges the broad understanding of the GDPR when assessing its existence

personal data. The specific IP address used is also no longer available for the BF1

detectable. However, this is irrelevant, since the UUID in the cookies gives a clear indication anyway
personal reference exists. Specifically allow the combination of cookie data and IP address

Tracking and evaluation of geographic localization, internet connection and context
of the visitor, which can be linked to the cookie data already described. For this

but would also include data such as the browser used, the screen resolution or the

operating system (“device fingerprinting”). - 15 -


In the context of the complaint, it is more relevant that US authorities are responsible for secret services
easily ascertainable data, such as IP address, as a starting point for monitoring

would use by individuals. It is the standard procedure for secret services to

to 'hang on' from one date to another. When the BF1's computer is about always
appears again on the Internet via the IP address of XXXX, this can be used

to spy on the work of the XXXX club and to target the BF1. in one

In a further step, other identifiers would then be searched for in the data, such as the ones mentioned
UUIDs, which in turn are an identification of the individual person for a surveillance

allow other places. The US secret services are in this context

thus an "other person" within the meaning of Recital 26 GDPR. The BF1 works
not only for XXXX , but also have a relevant role as a model complainant in

these efforts. Thus, according to US law, monitoring of BF1 according to 50 USC §

1881a (as well as by all other persons entrusted with this complaint) at any time
legally possible. Even with the application of the supposed "risk-based approach".

This case is a prime example of high risk.

The e-mail address XXXX is assigned to BF1, who until his marriage

Surname "XXXX". However, the old XXXX account is still in use.
The BF2 have not explained to what extent the undisputed data are linked, evaluated

or the result of an evaluation is simply not displayed to the user.

In addition, Chapter V GDPR does not recognize a "risk-based approach". This can only be found

in certain articles of the GDPR, such as in Art. 32 leg.cit. The new
Standard contractual clauses in the Implementing Decision (EU) 2021/914 are for the

Facts not relevant due to lack of temporal validity. A "transmission" is not

unilateral action of a data exporter, every "transfer" also requires one
receiving the data. Accordingly, Chapter V of the GDPR is also applicable to BF2, it

is a joint action by data exporter and importer.

If the BF2 has not violated Art. 44 ff GDPR, the provisions according to Art.

28 Para. 3 lit. a and Art. 29 GDPR to be taken into account as a "catch-all rule". Bar the BF2
following a corresponding instruction of a US secret service, he hits the

Decision, personal data about the specific order of the MB according to Art. 28

and Art. 29 GDPR and the corresponding contractual documents.
As a result, BF2 itself becomes the controller in accordance with Art. 28 (10) GDPR.

As a result, BF2 is also entitled to the provisions of Art. 5 et seq. GDPR

follow. A clandestine disclosure of data to US intelligence agencies under US law - 16 -


be without a doubt not with Art. 5 Para. 1 lit. f GDPR, Art. 5 Para. 1 lit. a GDPR and Art
compatible.


I.16. After being asked to comment (VWA ./56, see point II.2), BF2 took the lead
their submission of August 12, 2021 (VWA ./57, see point II.2) that the BF1 his

I have not shown any legitimacy to lodge a complaint. He has no part of the

BF2 raised questions about the identifiability of his person based on the IP address
answered. Regarding the _gid number and cid number, it should be noted that no

directory is available in order to make the BF2 identifiable. The fact that
in ErwGr 26 GDPR the "separation" is mentioned as a possible means of identification,

however, do not change the understanding of the words "identify" or "identification" or

“identifiability”.

The identifiability of the BF1 requires at least that his identification on

The basis of the data in question and with means that are possible according to general
discretion would likely be used. This has not been established and cannot

assumed and, on the contrary, improbable, if not impossible.

Also the fact that the BF2 contract data processing conditions are completed
have, does not mean that the data that are the subject of this procedure are different

personal data, nor that it is the data of BF1.

BF1's view that the data transfer should not be based on a risk-based approach

evaluate ("all or nothing"), do not follow. This is not consistent with the
GDPR and adhere to Recital 20 of the Implementing Decision (EU) 2021/914 of the European

see commission. This is also due to the different versions of the EDSA

Recommendation recognizable. Even if access to the above numbers by US
Authorities "legally" possible at any time, should be checked how likely this is. The BF1

have not provided any convincing arguments as to why or how the "cookie
Data” related to his visit to a publicly accessible, and by many

Austrian website used, such as the one in question, “Foreign Intelligence

Information" and thus to the goal of purpose-restricted data collection according to § 702
could become.


I.17. With the decision that is the subject of the proceedings (VWA ./59, see point II.2), the BA remedied
Point 1. first the notice of 02.10.2020, Zl 2020-0.527.385 (DSB-D155.027)

(see point I.2).

With point 2, the BA upheld the complaint against the MB and found that (a)

the MB as responsible by implementing the tool "XXXX -Analytics" on their - 17 -


Website under XXXX at least on August 14, 2020 personal data of BF1 (this
are at least unique user identification numbers, IP address and

browser parameters) to the BF2, (b) the standard data protection clauses that the

MB concluded with the BF2, no adequate level of protection according to Art. 44 DSGVO
would offer, since (i) the BF2 as a provider of electronic communication services within the meaning

from 50 US code § 1881(b)(4) and as such subject to surveillance by U.S.

Intelligence agencies under 50 U.S. Code § 1881a (“FISA 702”), and (ii) the actions,
in addition to the standard data protection clauses mentioned in clause 2. b).

were not effective, as these are the monitoring and

would not eliminate access opportunities by US intelligence services and (c) in
present case no other instrument according to Chapter V of the GDPR for the in Spruchpunkt

(2.a) mentioned data transmission can be used and the MB therefore for the

in the context of the data transfer mentioned in point 2.a) no appropriate
have guaranteed a level of protection in accordance with Art. 44 GDPR.

With point 3. the bB rejected the complaint because of a violation of the general

Principles of data transmission in accordance with Art. 44 GDPR against BF2.

In its legal justification, the bB first deals with its competence and its

Determination competency (see point II.3.4) apart. She also describes that Art.
44 DSGVO as a subjective right (see point II.3.4). In connection with

Paragraph 2.led the construction that the transmitted data (see point II.1.3 or II.1.3.1)

at least in combination, personal data according to Art. 4 Z 1 DSGVO. For the
lack of an appropriate level of protection in accordance with Art. 44 GDPR, the bB stated that the

European Court of Justice the "EU-US Privacy Shield" with the decision of July 16, 2020, C-

311/18 (Schrems II) declared invalid. The subject of the proceedings could also
Data transmission not only on the completed between the MB and the BF2

Standard data protection clauses in accordance with Article 46 (2) (c) GDPR are supported. also be

the additional measures identified by the BF2 are not suitable in the judgment
identified gaps in legal protection - inappropriate access and

Surveillance capabilities of US intelligence services and insufficient effective

Legal remedy for those affected – to close.

The rejection in point 3. justified the bB with the fact that the requirements of Art.
44 GDPR to which BF2 would not apply. The BF2 lay the personal data of

BF1 not open, just keep it. The requirements of Chapter V GDPR are dated

data exporter and not also by a data importer (in a third country). - 18 -


The notification was delivered to BF1 on January 12th, 2022, to BF2 and MB on January 13th
point 3 of the decision, the BF1 lodged a complaint on February 7th, 2022

(see point I.20). On February 9th, 2022, the BF2 filed a complaint against point 2 of the decision

Complaint (see point I.17I.18). The MB did not
complaint.


I.18. In its complaint (VWA ./62, see point II.2) the BF2 first gave reasons
their right to complain. Furthermore, BF2 stated that between the subject matter of

contested partial decision and the subject matter of the planned second decision
Partial notice of no separability according to § 59 paragraph 1 AVG. There is also a violation

of a data subject's right. In addition, a finding of alleged, in the

Past lying, injuries are not made. Also lie one
Class action entitlement according to Art. 80 Para. 2 GDPR does not exist.


Contrary to the view of the BB, the data at issue in the proceedings are not
personal i.S.d. GDPR. The BF2 explained that from the

processed data is not related to a natural person. According to the

Case law of the European Court of Justice (ECJ December 20, 2017, C-434/16 (Nowak), Rn
35) there is neither a content element, a purpose element nor a result element. Further

there is no identifiability of a natural person. From the specified IP
address, the XXXX -specific random numbers, the browser parameters and the page

A specific person cannot be identified from the data obtained. Also from one

Combination of this data is not possible identification. Furthermore, the BF2 has none
technical possibilities to identify the BF1 via his XXXX account.


BF2 also emphasized a risk-based approach. Even if you
subject to the proceedings a personal reference, so is under

Consideration of the low threshold of the transmitted data and the very
low basis risk, the inapplicability of and the fact that FISA 702 anyway

no practical application, no disclosure of data according to EO 12.333.

Since extensive supplementary measures had been implemented, a
appropriate level of protection for the procedural transmission of the data more

as given and these are permissible according to Art. 44 ff DSGVO.

In its complaint, BF2 enclosed the cookies and user identification (VWA

./63, see point II.2),Linker (VWA ./64, see point II.2),Report from XXXX (VWA ./65, see
Point II.2) and New EU-US data transfer framework (VWA ./66, see point II.2). - 19 -


I.19. In the statement (VWA ./67, see
Point II.2) in the course of the filing that the BF2 had no legitimacy to lodge a complaint, since

since the end of April 2021 the product XXXX -Analytics is now offered by XXXX. Also

the bB explained that it has a determination competence in complaint procedures because of
alleged violations of the DSG or the GDPR.


Furthermore, the DA stated that the BF2 was obviously involved in an agreement itself
personal data. This can be recognized by the fact that the BF2 with the MB

undisputedly a processor agreement in accordance with Art. 28 Para. 2 GDPR and a
Standard data protection clause according to Art. 46 Para. 2 lit. cDSGVO

the BF2 stated that a website operator in all cases standard data protection clauses

finish with the BF2 (VWA ./31, page 3). Also declare the BF2 itself that online
Labels are personal data (see point II.1.3.6). Irrespective of

these declarations or behavior of BF2 would be the subject of the proceedings

Consideration of the case law of the European Court of Justice and explanations of the
European data protection officer (VWA./68) personal data available. Also

In the present case, an assignment can be made via the IP address.

In addition, a combination can also be made with browser information. In
In this context, the DA referred to the definition of "fingerprinting": This is a

Process by which an observer connects a device or application instance with sufficient

Probability based on multiple pieces of information.

Finally, the BA extensively refuted the demonstrated risk-based approach of BF2 and
pointed out that economic interests played no role in the decision of the

European Court of Justice on July 16, 2020, C-311/18 (Schrems II).

His opinion presented the bB a decision of the European

Data protection officer of January 5th, 2022 (VWA ./68, see point II.2), a decision
of the LG Munich (VWA ./69, see point II.2), an expert opinion on the current status of the US

Surveillance law (VWA ./70, see point II.2) and essential findings of the report

on the current status of US surveillance law (VWA ./71, see point II.2).

I.20. In his complaint (VWA ./60, see point II.2) the BF1 stated that the

bB the rejection in point 3. with a misinterpretation of the word Art. 44
justify GDPR. As far as the bB justify their rejection with the fact that the BF2 as recipient

of personal data in the third country United States (data importer) the data
do not disclose it, but (only) receive it, the DA misunderstands that Art. 44 GDPR uses the term

Don't use "disclosure". Art. 44 GDPR uses the term "transfer". The

The distinction between these terms is objectively decisive: in contrast to - 20 -


a “disclosure” that can also occur without a designated recipient (e.g
by publication on a website) require a "submission" (or a

"Disclosure by transmission") namely always a recipient and also his

(at least minimal) assistance. While a "disclosure" with the act of
"Making available" has been completed, a "transmission" also requires one

Receipt by the recipient.

From a legal point of view, the design of Chapter V GDPR clarifies the technical one

Reality (meaning that for the transmission on the Internet there is always an interaction of a
transmitter and a receiver is required). Already Art. 44 GDPR generally requires

"Controller and the Processor" compliance with the provisions of the

chapter, without referring to the "person responsible for exporting the data or
order processor”. Also the guarantees mentioned in Art. 46(2) GDPR

consistently require cooperation between data exporter and data importer and

include in particular the obligations of the data importer. rightly be
also here both the data exporter and the data importer to comply with the

The provisions mentioned are obligatory, as they jointly transfer data out of the EU into the

third country and from the third country to the EU.

It should also be noted that obligations from the standard contractual clauses
(Implementing decision of the European Commission 2010/87/EU of February 5, 2010

about standard contractual clauses for the transfer of personal data

Processors in third countries according to Directive 95/46/EG of the European Parliament
and of the Council) for the data importer. Clause 3(2) clearly contains

a subsidiary obligation of the data importer, clauses 5(a) to (e), 6, 7, 8(2) and 9

to 12 to comply with the standard contractual clauses given to the data subject if the
company of the data exporter no longer exists in fact or in law and no

legal successor has assumed the obligations of the data exporter. Would Chapter V

GDPR not also applicable to the data importer would be the enforcement of the
subjective rights of the person concerned from the standard contractual clauses towards the

Data importer impossible.

I.21. In the statement (VWA ./61, see

Point II.2) in the course of the filing that it was correct from a technical point of view that a
Transmission (unlike disclosure to an indefinite group of addressees, e.g. in

form of publication on a website) assume that there is a recipient.

However, as already stated in the contested decision, one
Processing operation (here both "transmission") different from a legal point of view - 21 -


Duties and degrees of responsibility result (VWA ./59, page 40). In line with the
"Guidelines 5/2021 of the EDPB on the relationship between the scope of Art.3 and

the specifications for international data traffic in accordance with Chapter V GDPR” go the bB

assumes that the data importer does not have the legal obligation to comply with the requirements
of Art. 44 GDPR.


Finally, it should be noted that the data importer naturally also receives the corresponding
duties would meet. In the case of the conclusion of standard contractual clauses according to Art. 46

Paragraph 2 lit. c GDPR, a data importer has all contractual obligations
to be complied with, which had been concluded between the latter and his contractual partner.

However, these obligations are of a contractual nature. On the other hand, (only) the

Data exporter to comply with the obligations under Art. 44 GDPR, which also includes that
a suitable instrument - such as the conclusion of standard contractual clauses -

is in place to ensure an adequate level of protection.

I.22. With a submission dated July 8th, 2022, BF2 sent a reply to the complaint

of BF1 (OZ 4 to W245 2252208-1). In it, BF2 explained in detail that Art. 44 ff

GDPR is not applicable to XXXX as a data importer.

I.23. In its statement of January 13, 2022 (OZ 4 to W245 2252208-1), the BF2 referred
repeatedly points out that the subject of the proceedings is processing personal data

had been. In addition, the BF2 explained that Art. 44 ff GDPR requires a risk-based approach

is not to be taken.Furthermore, the BF2 explained with more justification that the BF1
as a data importer is directly covered by Chapter V GDPR.

I.24. With a statement dated February 14, 2023 (OZ 15 to W245 2252208-1), BF2 stated that

there is a binding effect on the basis of the asserted statements. In particular,

that the verdict stated that personal data had been transferred
are, have obvious effects on further proceedings at the bB. The BF2 could

not refute this fact in further proceedings.

With regard to personal reference, BF2 repeatedly stated that this was not available

also submitted two affidavits to prove that the BF2 is not in
was able to access MB's website via BF1's XXXX account

prove. It is also legally required to take a risk-based approach into account.

I.25. In preparation for the complaint hearing, the bB (OZ 23 to W245

2252208-1), the BF1 (OZ 24 to W245 2252208-1) and BF2 (OZ 25 to W245 2252208-1)
Observations. In these observations, the parties reiterated their positions so far in the proceedings

represented points of view. - 22 -


I.26. In the case at hand, the BVwG conducted a public
Oral hearing attended by the BF1 in the presence of his authorized representative

attended personally. A representative of the BA and BF2 also took part in the hearing.

After the conclusion of the oral hearing, an oral announcement of the
knowledge. The BF1 and the BF2 requested the BVwG in writing within the deadline

Execution of the orally announced knowledge.


II. The Federal Administrative Court considered:

II.1. Findings:

The facts relevant to the decision are clear.

II.1.1. About the procedure:

The course of the procedure presented under point I is determined and the decision made
laid the foundation.


II.1.2. About the owner of the website XXXX :
The XXXX has the website XXXX as part of an asset deal with effect from 02/01/2021

transferred to XXXX , Munich. The XXXX was then renamed to XXXX.

Until August 2021, XXXX continued to manage on behalf of and under the direction of XXXX,

Munich the website XXXX .

In August 2021, the XXXX website was completely transferred to the IT environment
the XXXX Munich. After the transfer, XXXX -Analytics will be preceded by a

Proxy server used. This even allows the IP addresses to be transmitted to the BF2

completely prevented.

II.1.3. For the data processing that is the subject of the procedure:

The BF1 visited the MB XXXX website at least on August 14, 2020, at 10:45 a.m.

In the transaction between the browser of the BF1 and https://tracking. XXXX were born on 14.
August 2020 at 12:46:19.344 CET unique user identification numbers at least

set in the “_ga” and “_gid” cookies. As a result, these identification numbers on August 14

2020 at 12:46:19.948 CET to https://www. XXXX -analytics.com/ and thus to the BF2
transmitted.

Specifically, the following user identification numbers, which are in the browser of the BF1

are transmitted to the BF2 (same values, each in different transactions

occurred are shown in italics or marked in orange and green):

           Domain Name Value Purpose - 23 -



 https://tracXXXX. _ga GA1.2.1284433117.1597223478 XXXX
                                                                             Analytics

 https://tracXXXX. _gid GA1.2.929316258.1597394734 XXXX
                                                                             Analytics

                                           ID=d77676ed5b074d05:T=1597223569: XXXX
 https://tracXXXX. _gads S=ALNI_MZcJ9EjC13lsaY1Sn8Qu5ovyKMhPw
                                                                             Advertising
                                                                              XXXX
 https://wwXXXX-analytics.com/gid 929316258.1597394734
                                                                             Analytics
                                                                              XXXX
 https://wwXXXX-analytics.com/id 1284433117.1597223478
                                                                             Analytics

These identification numbers each contain a preceding random number and a trailing one

UNIX timestamp showing when each cookie was set. The

Identifier in the _gid cookie with UNIX timestamp "1597394734" was set on Wednesday,

August 14, 2020 at 11:11 and 18 seconds CET, those in the cid cookie with the UNIX
Timestamp "1597223478" on Friday 12 August 2020 at 10:45 and 34 seconds CET.


With the help of these identification numbers it is possible for the BF2 to differentiate between website visitors

and also to get the information whether it is a new one or an old one
returning website visitors from www. XXXX trades. However, a website

Comprehensive analysis of behavior based on this key figure is not possible.


In addition, the following information (parameters) about the
BF1 browser in the course of requests to https://www. XXXX -

analytics.com/collect transmitted to the BF2 (excerpt from the HAR file, request URL

https://www. XXXX -analytics.com/collect, request excerpt with timestamp 2020-08-

14T10:46:19.924+02:00):

general

     Request URL https://www. XXXX-analytics.com/collect

     Request Method GET


     HTTP Version HTTP/2

Remote Address XXXX
headers

     Accept: image/webp,*/*

     Accept encoding: gzip, deflate, br

     Accept-Language: en-US,de;q=0.7,en;q=0.3


     Connection: keep alive - 24 -


     Host: www. XXXX-analytics.com

     Referer: https://www. XXXX .at/

     TE: Trailers

     User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101
       Firefox/79.0

Query Arguments

     _gid: 929316258.1597394734

     _s: 1

     _u: QACAAEAB~

     _v: j83

     a: 443943525

     cid: 1284433117.1597223478

     de: UTF-8

    dl: https://www. XXXX .at/

dt: XXXX .at Home - XXXX
    ea: /

     ec: scroll depth

     el: 25

     gjid:

     gtm: 2wg871PHBM94Q

     each: 0

     jid:

     ni: 0
     sd: 24-bit

     sr: 1280x1024

     t: event

     tid: UA-259349-1

     ul: en-us

     v: 1

     vp: 1263x882

     z: 1764878454 - 25 -


Size

     Headers 677 bytes

     Body 0 bytes

     Total 677 bytes

These parameters can therefore be used to draw conclusions about the browser used
Browser settings, language selection, the website visited, the color depth, the

Screen resolution and the AdSense linking number are drawn.

The remote address XXXX is that of the BF2.

The IP address of the BF1 device is sent to https://www. XXXX -

analytics.com/collect transmitted to BF2. The IP address became the subject of the proceedings
of BF1 transmitted to BF2.


The BF1 worked in the home office on August 14th, 2020. In the home office, the BF2 uses one
Screen with a resolution of 1280x1024 (sr value). In addition, the visible part

of the web window transmits a size of 1263x882 (vp value).

II.1.3.1. For a summary of the information that was published on August 14th, 2020

         were transmitted to BF2:
As a result of the implementation of the XXXX -Analytics tool, on 08/14/2020 -

summarized - the following information from the browser of the BF1, which is the website XXXX

visited, transmitted to the servers of BF2:

 unique online identifiers (uniqueidentifier) that identify both the browser and the device
    of the BF1 as well as the MB (through the XXXX analytics account ID of the MB as

    identify website operator);

 the address and HTML title of the website and the sub-pages visited by the BF1

    has;

 Information about the browser, operating system, screen resolution, language selection and

    date and time of website visit;

 the IP address of the device that the BF1 used.

II.1.3.2. For information on the cookies used:

For Universal Analytics, the JavaScript library analytics.js or the JavaScript
library gtag.js are used. In both cases, the libraries use first-party-

Cookies to:

     Distinguish unique users and - 26 -



     Throttle the request rate

When using the recommended JavaScript snippet, cookies on the

highest possible domain level. If their website address for example

blog.example.co.uk, analytics.js and gtag.js set the cookie domain

at.example.co.uk. Setting cookies at the highest possible domain level
allows measurement across subdomains without requiring any additional configuration

is required.


Note: gtag.js and analytics.js do not require cookies to be set to send data to XXXX -
transmit analytics.


gtag.js and analytics.js set the following cookies:

  Cookie name Default expiry time Description

 _ga 2 years Used to distinguish users.
 _gid 24 hours Used to distinguish users.

 _gat 1 minute Used to throttle request rate. WXXXX

                                             Analytics is used via the XXXX Tag Manager
                                             named this cookie _dc_gtm_<property-id>.

 AMP_TOKEN 30 seconds to 1 year Contains a token used to retrieve a client ID from the AMP client
                                             ID service can be used. Show other possible values

                                             Optout, inflight request, or an error retrieving an
                                             Client ID from AMP Client ID service.
 _gac_<property-id> 90 days Contains campaign-related information for the user.

                                             If you linked yourXXXX Analytics andXXXX Ads accounts

                                             have the Website Conversion TagXXXXn Ads read this
                                             Cookie unless you opt out.


II.1.3.3. To link to the BF1's XXXX account:
During the visit to the XXXX website, the BF1 was logged into his XXXX account,

which is linked to the email address XXXX. This email address belongs to BF1.


A XXXX account is a user account used for authentication

at various XXXX online services that BF2 serves. A XXXX account is something like this
Prerequisite for the use of services such as " XXXX " or " XXXX Drive" (a file hosting

Service).


On August 14, 2020, the web & app activities were set in the XXXX account of BF1 ( XXXX ).
activated. However, the BF1's XXXX account has opted not to record activities from

Include websites that use XXXX services. - 27 -


Contrary to BF2's own statements, it is technically able to provide the information
get that a specific XXXX account user visited the XXXX website (on the XXXX -

Analytics is implemented) if this XXXX account user during the

was logged into the XXXX account when visiting the XXXX website.

Metadata from XXXX applications (such as from XXXX account) that the BF1 on 08/14/2020

used was stored on servers in the United States.

II.1.3.4. For (non)anonymized processing of the IP address of the BF1:
The IP anonymization function on the MB XXXX website was faulty

implemented. This did not ensure that on August 14, 2020 after transmission

of data to which BF2 the IP address was anonymized.

II.1.3.5. Regarding the deleted information:
The MB has instructed the BF2 in the course of the administrative procedure, all over

Delete the XXXX -Analytics Properties collected data for the XXXX website. The BF2

performed the deletion.

II.1.3.6. For the declaration of personal data by BF2:

On the page "Data processing terms for XXXX advertising products: Information on
the services", BF2 states that as part of the order processing service, "XXXX

Analytics" the data "online identifiers (including cookie identifiers), internet
Protocol addresses and device identifiers and identifiers assigned by the customer"

can be personal data.

II.1.4. About the web analysis service XXXX -Analytics:

 XXXX -Analytics is a measurement service that allows customers to track traffic to properties

measure, including traffic from visitors visiting a website owner's website
visit. Web analytics services are a popular category of services used by several

Providers are offered and are considered an essential tool for running a
site.


Website owners rely on web analytics services like XXXX Analytics to help them
help to understand how website visitors interact with their website and services

to interact. XXXX -Analytics helps them to create more engaging content and the

Monitor and maintain the stability of their websites.

In addition, website owners can set up dashboards that provide an overview of reports
and give metrics that customers care about the most, e.g. in real time the number of

Monitor visitors on a website. XXXX -Analytics can also help determine effectiveness - 28 -


from advertising campaigns run by website owners on XXXX ad services
measure and optimize.


All data collected by XXXX Analytics is hosted in the United States
(saved and processed).

II.1.5. About the implementation and functionality of XXXX -Analytics:

The web analytics service XXXX -Analytics becomes a

JavaScript codes embedded on the website owner's side. If user one
View a page on the website, this JavaScript code refers to a previous one on the device

user's downloaded JavaScript file which then enables tracking operation for XXXX -

runs analytics. The tracking operation retrieves data about the page request
various means and sends this information to via a list of parameters

the analytics servers connected to a single pixel GIF image request.

The data that XXXX -Analytics collects on behalf of the website owner comes from these

Sources:

     The user's HTTP request

     Browser/System Information

     First party cookies

An HTTP request for each web page contains details about the browser and computer,

who makes the request, such as host name, browser type, referrer and language. Over and beyond

Most browsers' Document Object Model (DOM) provides access to more detailed
Browser and system information, such as Java and Flash support and

screen resolution. XXXX -Analytics uses this information. XXXX -Analytics sets and

also reads first-party cookies on a user's browsers, which measure the
Allow user session and other information from page request.

When all this information is collected, it is sent to the analytics servers in the form

a long list of parameters sent to a single GIF image request to the

Domain XXXX-analytics.com. The data contained in the GIF request is
the data that is sent to the XXXX Analytics servers, which then further processes

and end up in the reports of the website owner.

II.1.6. To embed the program code for XXXX -Analytics on the XXXX website

       Associates:
Due to a decision by the MB, the program code for XXXX -Analytics was stored on their

site embedded. - 29 -


By configuring the tags or activating or deactivating various XXXX -
Analytics functions through the user interface determined the use of the MB

collected data. For example, the MB could set the retention period for data

specify, instruct that the IP address be anonymized after receipt by BF2,
determine who is allowed to receive data, etc.


II.1.7. The legal basis for the use of XXXX -Analytics by the participants:
The use of XXXX -Analytics requires a contract.

The MB and BF2 have an agreement entitled “Order data processing conditions

for XXXX advertising products”. This contract had the version dated August 12, 2020

(VWA ./18) valid at least on August 14, 2020. The contract regulates
Order data processing conditions for XXXX advertising products. It applies to them

Provision of data processing services and related thereto

technical support services for customers (MB) of BF2. The MB used the free one
Version of XXXX -Analytics.

The web analysis service XXXX -Analytics falls under the scope of the

"Order data processing conditions for XXXX advertising products".

With regard to the order data processing conditions for XXXX advertising products

in connection with the web analysis service XXXX -Analytics online identifiers
(including cookie identifiers), internet protocol addresses and device identifiers as well

Labels assigned by the customer Personal data of the customer (MB)

represent.

In addition, these order data processing conditions in point 10.2. the application

of standard data protection clauses before a transmission of personal
Customer data is transferred from the EEA to a third country that is not one

adequacy decision under European data protection legislation.
Based on this, MB and BF2 signed a second contract on August 12th, 2020 with the

Title "XXXXAdsDataProcessingTerms:ModelContractClauses,StandardContractualClauses

for Processors” (VWA./22). These are standard contractual clauses
for international data traffic (based on an implementation decision of the

European Commission 2010/87/EU of February 5, 2010 on Standard Contractual Clauses

for the transfer of personal data to processors in third countries
of Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5.).

In addition to implementing XXXX analytics, a website owner can

Share analytics data to XXXX by changing XXXX's data sharing setting - 30 -


products and services activated and the privacy policy for XXXX
Measurement Controller controllers that apply to the use of this setting,

accepted separately.

The data sharing setting has not been activated by the MB. Also, the MB XXXX

-Signal not on. The MB did not have its own authentication system and used

also no user ID function.

II.1.8. For the purpose of processing by the collaborators:
 XXXX -Analytics is used to perform the following general statistical evaluations about the

Enable website visitor behavior:

     Reach measurement (i.e. how many users access the site);

     Evaluation of which articles have the greatest traffic (i.e. which articles have the most

       were called),

     Average session duration,

     Evaluation of the average number of pages viewed per session

       become.

II.1.9. Regarding the measures taken by BF2 after the judgment of the European Court of Justice of

       07/16/2020 in Case C-311/18:

After the decision of the European Court of Justice, BF2 assumed that the verdict
also applies to the use of XXXX -Analytics by website owners. After the decision

of the European Court of Justice, the BF2 immediately began amending the
Data Processing Terms (DTPS) to replace the Standard Contractual Clauses (SCC) for

to make all affected contracts applicable. This included updating a

Variety of contracts, transmission of communications to website owners on
08/03/2020, the translations and the publication of the corresponding ones

Terms of Contract. These changes to the order data processing conditions

(DTPS) came into force on August 12, 2020.

Section 10 of the updated Order Data Processing Terms (DTPS) provides that
that, insofar as the storage and/or processing of personal data of customers,

including personal data in XXXX -Analytics data, the submission

personal data of customers from the EEA to a third country that is not one
subject to an adequacy decision under the GDPR, the website owner (as

data exporter) at XXXX (as data importer) for the transfer of personal

Data to processors in third countries who do not have adequate data protection - 31 -


ensure Standard Contractual Clauses (SCCs) are used. The Standard Contractual Clauses
(SCCs) are made available at XXXX. These Standard Contractual Clauses (SCCs)

would the European Commission in its Decision 2010/87/EU

comply with published clauses.

II.1.10.Regarding the additional measures that come with the introduction of the standard contractual clauses

       were set by the BF2:
The following measures were in place before the decision of the European Court of Justice

Case C-311/18 in force and therefore also existed during the period in which the
Conditions were updated by 08/12/2020. According to the statements of the BF2

these measures are suitable to ensure an adequate level of protection.

II.1.10.1.Legal and organizational measures:

The BF2 evaluates every request made by the state authorities for user data

receives to ensure they comply with applicable laws and XXXX policies.

BF2 notifies customers before any of their information is disclosed unless
unless such notice is prohibited by law or the request involves an emergency.


The BF2 publishes a transparency report.

The BF2 publishes its policy on dealing with government requests.

II.1.10.2.Technical measures:
BF2 uses robust technical measures to protect personal data during the

to protect transmission (default use of HTTP Strict Transport Security

(HSTS), encryption of data on one or more network layers (protection of the
Communication between XXXX services, protection of data in transit between

Data centers and protection of communications between users and websites)).

The BF2 uses robust technical measures to protect stored personal data

(The BF2 encrypts XXXX analytics data stored in their data centers
get saved; BF2 builds servers exclusively for their data centers and maintains them

an industry-leading security team, XXXX analytics data is only accessible to

employees who need the data for their work).

II.1.10.3. Pseudonymity of data from XXXX -Analytics:

The BF2 believes that the data for measurement by website owners
are personal data, they would have to be considered as pseudonymous. The BF2 is

of the opinion that if a third party accesses the XXXX -Analytics data, this - 32 -


will in principle not be able to identify the data subject on the basis of this data
identify.


II.1.10.4.Optional technical measure - IP anonymization:
In addition to the measures mentioned, website owners can use "IP anonymization"

use to instruct BF2 to delete all IP addresses immediately after collection

anonymize and thus contribute to data minimization. If this is used,
at no time the full IP address is written to disk, as all

Anonymization in memory occurs almost instantly after the request to the BF2
has been received.


II.1.11.The BF2 as an electronic communication service:
BF2 is a provider of electronic communications services within the meaning of Section 50 of the U.S. Code

1881(b)(4) and as such is subject to supervision by U.S.

Intelligence agencies under 50 U.S. Code § 1881a (“FISA 702”). The BF2 transmitted the US
Government personal information under U.S. Code § 1881a. It can be from the US

Government metadata and content data are requested.

II.2. Evidence assessment:

Evidence was collected through inspection of the administrative file of the bB [hereinafter referred to as "VWA"
with the components ./01 - data protection complaint of the BF1 from 08/18/2020 (see point

I.1), ./02 - Data protection complaint of the BF1 from August 18th, 2020 - Attachment -

XXXX Analytics Terms of Use (see point I.1), ./03 – Privacy Complaint
of the BF1 from 18.08.2020 - Supplement - Terms of Use for

Order data processing conditions for XXXX advertising products, version 01.01.2020

(see point I.1), ./04 - data protection complaint of the BF1 from August 18th, 2020 - enclosure -
Terms of Use for Order Data Processing Terms for XXXX

Advertising products, version 08/12/2020 (see point I.1),./05 - data protection complaint of the BF1
dated 08/18/2020 - Attachment - HAR data of the website visit (see point I.1), ./06 -

Data protection complaint of the BF1 from August 18th, 2020 - Enclosure - XXXX (see point I.1), ./07 -

Data protection complaint of the BF1 from August 18th, 2020 - attachment - certificate of representation (see
Point I.1), ./08 - Identification of lead responsibility (see point I.2), ./09 -

Decision of the BA regarding the suspension of the procedure (see point I.2), ./10 - request

the bB for the statement to the MB (see point I.2), ./11 - Statement of the MB from
December 16, 2020 (see point I.3), ./12 - Statement of the MB of December 16, 2020 - Enclosure -

Reports from the tool (see point I.3), ./13 - Statement of the MB from 16.12.2020 -

Enclosure - Information on IP anonymization (see point I.3), ./14 - Statement of
MB from December 16th, 2020 - Attachment - Screenshot of the set storage period (see point I.3), - 33 -


./15 - Statement of the MB of 16.12.2020 - Attachment - List of server locations (see
Point I.3), ./16 - Statement of the MB from 16.12.2020 - Enclosure -

Order data processing conditions for XXXX advertising products, version 08/16/2020

(see point I.3), ./17 - statement of the MB from 16.12.2020 - enclosure -
Order data processing conditions for XXXX advertising products, version 08/12/2020

(see point I.3), ./18 - statement of the MB from 16.12.2020 - enclosure -

Order data processing conditions for XXXX advertising products, version 01.01.2020
(see point I.3), ./19 - Statement of the MB from 16.12.2020 - Enclosure - Comparative version

AVV from January 1st, 2020 vs. August 12th, 2020 (see point I.3), ./20 - Statement of the MB from

12/16/2020 - Enclosure - Comparative version AVV from 08/12/2020 vs 08/16/2020 (see point I.3),
./21 - Statement of the MB from 16.12.2020 - Enclosure - Screenshot of settings (see

Point I.3), ./22 - Statement of the MB from 16.12.2020 - Enclosure -

Standard data protection clauses (see point I.3), ./23 - Statement of the MB of 16.12.2020
- Annex - Information on security measures (see point I.3), ./24 - Opinion

the MB from 16.12.2020 - Enclosure - List of processing activities for XXXX

Analytics (see point I.3), ./25 - Request from the bB for a statement to BF1 from
December 21, 2020 (see point I.4), ./26 – Opinion of the BF1 from January 22, 2021 (see point I.4),

./27 - Opinion of the BF1 from 22.01.2021 - Attachment - Third party in the cookie banner of
MB (see point I.4), ./28 - Opinion of the BF1 from 22.01.2021 - Attachment - Contacts of

XXXX with US server (see point I.4), ./29 - Opinion of BF1 from 01/22/2021 - Attachment

- Contacts of XXXX with US server, reference to fingerprint technology (see point I.4),./30
- Request of the bB for a statement to BF2 from February 26th, 2021 (see point I.5), ./31 -

Statement of the BF2 from April 9th, 2021 (see point I.5), ./32 - request of the bB to

Statement to BF1 and MB of April 14, 2021 (see point I.6), ./33 - statement of
MB from 05/04/2021 (see point I.7), ./34 - Statement of the BF1 from 05/05/2021 (see

Point I.8), ./35 - Opinion of the BF1 from May 5th, 2021 - Enclosure - XXXX -Analytics Cookie,

Use on website (see point I.8), ./36 - Opinion of BF1 from 05/05/2021 -
Enclosure - How XXXX uses cookies (see point I.8), ./37 - Opinion of the BF1 from

05/05/2021 - Attachment - Measurement Protocol Parameter Reference (see point I.8), ./38 -

Request of the bB for a statement to BF1 from 06.05.2021 (see point I.9), ./39 -
Request of the bB for a statement to BF2 from 06.05.2021 (see point I.9), ./40 -

Request of the bB for a statement to the MB of May 10th, 2021 (see point I.9),./41-application
BF2 to extend the deadline for comments from May 12, 2021 (see point I.9), ./42

– Granting of the requested extension of the deadline by the BB from May 14, 2021 (see point I.9),

./43 - Opinion of BF2 from May 14th, 2021 (see point I.10), ./44 - Request of the BA
on the statement to BF1 and MB of June 11, 2021 (see point I.11), ./45 - application of the BF1 - 34 -


on extension of the deadline for comments from June 11, 2021 (see point I.11), ./46 -
Request from the bB for a statement to the MB of June 16, 2021 (see point I.11), ./47 -

Statement of the MB (transfer) of June 18, 2021 (see point I.12), ./48 -

Statement of the MB (configuration error, deletion of data) from 06/18/2021 (see
Point I.13), ./49 - Statement of the MB (configuration error, deletion of data) from

06/18/2021 - Attachment - Notification of BF2 about the deletion of information (see point

I.13), ./50 - Statement of the MB (configuration error, deletion of data) from
06/18/2021 - Attachment - Presentation of the wrong and correct implementation of the

Anonymization function (see point I.13), ./51 - Transmission of the SO's opinion

(VWA ./48 to ./50) to BF1 (see point I.13), ./52 - notification from the MB of 06/24/2021 (see
Item I.13), ./53 - notification from the MB of 06/24/2021 - enclosure - confirmation of deletion

BF2 (see point I.13), ./54 - Statement of BF2 from 09.07.2021 (see point I.14), ./55

- Opinion of the BF1 from 09.07.2021 (see point I.15), ./56 - request of the bB to
Statement to BF1 from 22.07.2021 (see point I.16), ./57 - Statement from BF2 from

08/12/2021 (see point I.16),./58 - WebsiteEvidence Collection regarding the website of the MB,

./59 - Partial decision of the Federal Civil Service of December 22nd, 2021, delivered on January 12th and 13th, 2022 (see point
I.17), ./60 - Complaint by the BF1 from February 7th, 2022 (see point I.20), ./61 -

Statement of the bB on the complaint of the BF1 from February 15th, 2022, ./62 -
Complaint by the BF2 of February 9th, 2022 (see point I.18), ./63 - Complaint

the BF2 from 09.02.2022 - Enclosure - Cookies and User Identification (see point I.18), ./64 -

Complaint of the BF2 from 09.02.2022 - Attachment - Linker (see point I.18), ./65 -
Notice of complaint from the BF2 of 09.02.2022 - Enclosure - Report XXXX (see point I.18),./66

- Complaint of the BF2 from 09.02.2022 - Attachment - New EU-US data transfer

Framework (see point I.18), ./67 – Statement by the BA on the complaint by the BF2
from February 17th, 2022 (see point I.19), ./68 - Statement of the bB on the complaint of the

BF2 of 02/17/2022 - Attachment - Decision of the European Data Protection Supervisor

from 05.01.2022 (see point I.19), ./69 - Statement of the bB on the complaint of the
BF2 from February 17th, 2022 - Attachment - Decision of the LG Munich from February 20th, 2022 (see point

I.19),./70 - Opinion of the bB on the decision of the BF2 of 17.02.2022 - Attachment

– Opinion on the current status of US surveillance law (see point I.19) and ./71 –
Statement of the bB on the complaint of the BF2 from February 17th, 2022 - Attachment -

Key findings of the report on the current status of US surveillance law (see
Point I.19)] as well as in the court act of the BVwG (file components are with ordinal number,

marked "OZ" for short).

II.2.1. About the procedure: - 35 -


The above procedure results from the harmless and
undoubted file content of the submitted administrative file of the bB and the court file

of the BVwG.

II.2.2. To the owner of the website XXXX
The findings in this regard result without a doubt from the statement by the MB

from June 18, 2021 (VWA ./47).

II.2.3. For the data processing that is the subject of the procedure:

The findings in this regard result without a doubt from the findings of the
contested decision (VWA ./59, page 18 ff), the statement of the BF1 from May 5th, 2021

(VWA ./34) and the complaint by the BF2 (VWA ./62, page 6).

The determination that the IP address of BF1 is transmitted to BF2 in the course of the proceedings

was, results from the explanations of the BF1 or his representative in the

Complaints hearing. In this context, the representative of BF1
VPN solution shown is understandable and was subsequently used by the BF2 in the

Complaint hearing no longer in question. In addition, the BF1 on 14.08.2020

credibly worked in the home office. This follows from the credible statements of
BF1 that in 2020 he mainly worked in the home office due to the corona and

due to the use of a high/narrow monitor (negotiation protocol from
March 31, 2022, OZ 29 to W245 2252208, page 14). Sohin were pertinent statements

meet.

II.2.3.1. For a summary of the information that was published on August 14th, 2020

         were transmitted to BF2:

The pertinent findings result without a doubt from the explanations of the bB im
disputed decision (VWA ./59, page 27).

II.2.3.2. For information on the cookies used:

The findings in this regard result without a doubt from statements by the BF1 in the

administrative procedures (VWA ./05) and from the findings of the contested
decision (VWA ./59, page 15).

II.2.3.3. To link to the BF1's XXXX account:

The findings in this regard result without a doubt from the findings of the

contested decision (VWA ./59, page 18 ff) and the statement of the BF2 (VWA ./43,
page 10f).

In his statement of April 9th, 2021, the BF2 submitted in question 9 that he

only receives such information if certain conditions are met, such as - 36 -


such as the activation of specific settings in the XXXX account. He disproved this
BF1 or the bB in the process with the following comprehensible argument: If namely

a XXXX account user's request for "personalization" of the received

Advertising information can be met on the basis of a declaration of intent in the account, so
From a purely technical point of view, there is the possibility of obtaining information about the website visited

of the XXXX account user.

Irrespective of this, numerous metadata were available to BF2 on August 14, 2020 (OZ

25 to W2452252208-1, page 3), which is displayed when an application (e.g. XXXX account) is called up
be transmitted. At the time of the proceedings (08/14/2020) the BF1 also

used his XXXX account. With the metadata that is generated when using the XXXX account

were transmitted, was a link to the transmitted metadata in the course of the
XXXX (via XXXX -analytics) possible.


In addition, a link to the IP address was undoubtedly possible. The BF1 has on
08/14/2020 worked in the home office. In this context, the IP address was direct

transmitted by BF1 to BF2 (negotiation protocol of March 31, 2022, OZ 29 to W245

2252208, page 14). Since the BF1 visited the website XXXX (XXXX -Analytics)
If you were signed into the XXXX account at the same time, you can easily switch between these applications

a link can be established via the IP address. In both applications, the
IP address already transferred for technical reasons. Against this background, on

Reason for the transmission of the IP address via the XXXX -Analytics application

Personal reference to the XXXX account (or to the registration information of the BF1) established
become. Since the BF1 was working in the home office at that time and he lives alone,

only he could use the transmitted IP address.

Due to the easy linkability of metadata and IP address between the

individual applications ( XXXX -Account and XXXX -Analytics) can indisputably
Personal reference (login data for XXXX) can be established.


It was also found that metadata from XXXX applications (such as XXXX account)
were transferred to the United States, which the BF1 used on 08/14/2020

(Negotiation protocol from March 31, 2022, OZ 29 to W245 2252208, page 11 f).

II.2.3.4. For (non)anonymized processing of the IP address of the BF1:

The pertinent findings result without a doubt from the explanations of the MB in the
administrative procedures (VWA ./48)

II.2.3.5. About the deleted information: - 37 -


The pertinent findings result beyond doubt from the explanations of the MB and
the BF2 in administrative procedures (VWA ./48, ./49, ./50, ./52 and ./53).


II.2.3.6. For the declaration of personal data by BF2:
The relevant findings result from the explanations of the bB in the course of the

File template (VWA ./67, page 4) and from an inspection of the BF2 XXXX website

last accessed on March 26, 2023).

II.2.4. About the web analysis service XXXX -Analytics:
The pertinent findings result beyond doubt from explanations of the BF2 in the

administrative procedures (VWA ./31, page 4).

II.2.5. About the implementation and functionality of XXXX -Analytics:

The pertinent findings result beyond doubt from explanations of the BF2 in the
administrative procedures (VWA ./31, page 4 f).


II.2.6. To embed the program code for XXXX -Analytics on the XXXX website
       Associates:

The relevant findings result beyond doubt from the documents of the

submitted administrative act (VWA ./10, page 1 and VWA ./31, page 7 f)

II.2.7. The legal basis for the use of XXXX -Analytics by the participants:
The relevant findings result beyond doubt from the documents of the

submitted administrative act (VWA ./31, page 6).

II.2.8. For the purpose of processing by the collaborators:

The relevant findings result beyond doubt from the documents of the
submitted administrative act (VWA ./10, page 2, ./11, page 11, ./18, ./21, ./22 partial decision,

page 15 ff).

II.2.9. Regarding the measures taken by BF2 after the judgment of the European Court of Justice of

       07/16/2020 in Case C-311/18:
The pertinent findings result beyond doubt from explanations of the BF2 in the

administrative procedures (VWA ./31, page 21 f).

II.2.10.On the additional measures that come with the introduction of the standard contractual clauses

       were set by the BF2:

The pertinent findings result beyond doubt from explanations of the BF2 in the
administrative procedures (VWA ./31, page 24 ff and VWA ./43).

II.2.11.The BF2 as an electronic communication service: - 38 -


The findings in this regard result without a doubt from the expert opinion on
current status of US surveillance law and surveillance powers as well as from

the transparency report of BF2 XXXX last queried on 03/29/2023).

II.3. Legal assessment:

II.3.1. Regarding jurisdiction:

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, provided that

Federal or state laws do not provide for the decision to be made by senates.

The contested decision is based on a decision of the bB in accordance with Article 44 GDPR.
This matter is covered by Senate decisions in accordance with § 27 DSG.


The procedure of the administrative courts with the exception of the Federal Finance Court is through
the VwGVG, Federal Law Gazette I No. 33/2013 (§ 1 leg.cit.). According to § 58 Abs. 2 VwGVG stay

conflicting provisions in force at the time this

federal law already promulgated are in effect.

According to § 17 VwGVG, unless otherwise specified in this federal law,
Procedure for complaints according to Art. 130 Para. 1 B-VG with the provisions of the AVG

Exception of §§ 1 to 5 as well as part IV, the provisions of the Federal Fiscal Code

- BAO, Federal Law Gazette No. 194/1961, of the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and
of the Service Law Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and otherwise those

procedural provisions in federal or state laws mutatis mutandis

apply, which the authority in the proceedings before the administrative court
has applied or should have applied in previous proceedings.

According to § 28 para. 1 VwGVG, the administrative courts have the legal matter by cognition

to be dealt with if the complaint is not to be dismissed or the proceedings are to be discontinued.

According to para. 2 leg.cit. the administrative court has on complaints according to Art. 130 para. 1 no. 1
B-VG to decide in the matter itself, if

1. the relevant facts have been established or


2. the determination of the relevant facts by the administrative court itself
is in the interest of speed or associated with significant cost savings.

As stated above, the facts of the matter are relevant

based on the records. The Federal Administrative Court therefore has its own say in the matter

decide.

II.3.2. Regarding the legal situation in the present complaints procedure:
Art. 4 Z. 1 GDPR – Definitions – reads: - 39 -


For the purposes of this Regulation, the term means:
1.” any information relating to an identified or identifiable natural person

    (hereinafter "data subject"); as identifiable becomes a natural
    Person considered, directly or indirectly, in particular by means of assignment to a
    identifier such as a name, an identification number, location data, an online

    Identifier or one or more special characteristics expressing the
    physical, physiological, genetic, psychological, economic, cultural or

    social identity of that natural person can be identified;

Art. 44 GDPR – general principles of data transmission – reads:
Any transfer of personal data that is already being processed or after

be processed before it is transmitted to a third country or an international organization
is only permitted if the person responsible and the processor
Comply with the conditions laid down in Chapter and also the other provisions of these

regulation are complied with; this also applies to any further transmission
personal data from the relevant third country or the relevant

international organization to another third country or another international
Organization. All provisions of this chapter shall be applied to ensure that
the level of protection for natural persons guaranteed by this regulation

is undermined.

Art. 45 GDPR – Data transfer based on an adequacy decision –
reads in part:

(1) A transfer of personal data to a third country or an international
    Organization may be undertaken if the Commission has decided that the

    third country concerned, a territory or one or more specific sectors within it
    Third country or international organization concerned an adequate level of protection

    offers. Such data transmission does not require any special approval.
(2) When examining the adequacy of the required level of protection, the
    Commission the following in particular:

    a) the rule of law, respect for human rights and fundamental freedoms contained in
       the country or international organization concerned

       relevant legislation in force, both general and sectoral
       – also in relation to public safety, defence, national security and
       Criminal law and access by authorities to personal data - as well as the

       Application of this legislation, data protection regulations, professional rules and
       Security rules including onward transmission rules

       personal data to another third country or another international
       organization, jurisdiction, and effective and enforceable rights of
       data subject and effective administrative and judicial

       Remedies for data subjects whose personal data is transferred
       become, - 40 -


    b) the existence and effective functioning of one or more independent
       Supervisory authorities in the third country concerned or those of an international

       Organization is subject to and responsible for compliance with and enforcement of
       Data protection rules, including appropriate enforcement powers, for
       the support and advice of the persons concerned in the exercise of their

       rights and for cooperation with the supervisory authorities of the Member States
       are responsible, and

    c) those of the third country concerned or the international one concerned
       Organization entered into international commitments or others
       Obligations arising from legally binding agreements or instruments

       as well as from the participation of the third country or the international organization
       multilateral or regional systems, particularly in relation to protection

       result in personal data.
(3) After assessing the adequacy of the level of protection, the Commission may
    Ways of an implementing act decide that a third country, territory or a

    or several specific sectors in a third country or an international organization
    provide an adequate level of protection as referred to in paragraph 2 of this article.

    A mechanism for a periodic review is set out in the implementing act,
    which takes place at least every four years, at which all relevant
    developments in the third country or in the international organization

    will be carried. In the implementing act, the territorial and the sectoral
    Scope of application and, where applicable, those referred to in paragraph 2 letter b of the present

    Article-mentioned supervisory authority or supervisory authorities. The
    Implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
    enacted

Art. 46 GDPR – data transmission subject to suitable guarantees – reads

excerpts:

(1) If there is no decision pursuant to Article 45 paragraph 3, a person responsible or a
     Processor personal data to a third country or an international
     Organization only transmit if the controller or the processor

     has provided appropriate safeguards and provided the data subjects have enforceable ones
     Rights and effective remedies are available.

(2) The appropriate guarantees mentioned in paragraph 1 can, without a special
     approval of a supervisory authority would be required
    a) a legally binding and enforceable document between the authorities or

       public bodies
    b) Binding Corporate Rules pursuant to Article 47,

    c) standard data protection clauses adopted by the Commission in accordance with the examination procedure pursuant to
       Article 93 paragraph 2 are issued,
    d) standard data protection clauses adopted by a supervisory authority, issued by the

       have been approved by the Commission in accordance with the examination procedure set out in Article 93(2), - 41 -


    e) approved codes of conduct pursuant to Article 40 together with legally binding ones
       and enforceable obligations of the controller or the

       Processor in the third country to apply the appropriate guarantees,
       including in relation to the rights of data subjects, or

    (f) an approved certification mechanism in accordance with Article 42 together with
       legally binding and enforceable obligations of the controller or
       of the processor in the third country to apply the appropriate safeguards,

       including in relation to the rights of data subjects.

Art. 7 Charter of Fundamental Rights of the European Union - Respect for the private and
family life – reads:

Everyone has the right to respect for their private and family life, their home and

their communication.
Art. 8 Charter of Fundamental Rights of the European Union - Protection of personal data -

reads:

Every person has the right to protection of their personal data. This

Data may only be used in good faith for specified purposes and with the consent of

data subject or on another legitimate basis regulated by law
are processed. Every person has the right to information about the data collected about them

Obtain data and obtain rectification of data. Compliance with this

Regulations are monitored by an independent body.

Art. 47 Charter of Fundamental Rights of the European Union – Right to an effective remedy

and an impartial court – reads:

Any person whose rights or freedoms guaranteed by Union law is violated
have the right, subject to the conditions provided for in this article

to seek an effective remedy before a court. Every person has the right to

that their cause be established by an independent, impartial and previously established by law
court in a fair trial, heard publicly and within a reasonable time

is.Any person can consult, defend and be represented. Persons who do not have

have sufficient funds, legal aid will be granted to the extent that this aid is necessary
is to ensure effective access to justice.


Recital 26 of the GDPR - No application to anonymized data - reads:
1Principles of data protection should apply to all information relating to a
                                                                 2
identified or identifiable natural person. A pseudonymization
subjected personal data obtained by using additional information
could be attributed to a natural person should be considered information about a

identifiable natural person. To determine whether a natural - 42 -


Person is identifiable, all means should be taken into account by that

controller or another person reasonably likely
be used to identify the natural person directly or indirectly, such as
                                4
for example, weeding out. In determining whether funds are discretionary
likely to be used to identify the individual should all
objective factors such as the cost of identification and the time required for it

Time expended, which is available at the time of processing
Technology and technological developments must be taken into account. The principles of

Data protection should therefore not apply to anonymous information, i.e. information
which do not relate to an identified or identifiable natural person, or

personal data that has been anonymized in a way that the data subject
person cannot or can no longer be identified. This regulation therefore does not apply

the processing of such anonymous data, including for statistical or research purposes.

GDPR Recital 30 – Online Identifiers for Profiling and Identification –
reads:

1Natural persons may be given online identifiers such as IP addresses and

Cookie identifiers that his device or software applications and tools or protocols
provide, or assigned other identifiers such as radio frequency identifiers. This can
Leave traces, especially in combination with unique identifiers and

other information received by the server can be used to profile the
create and identify natural persons.

II.3.3. Regarding the scope of Art. 44 ff GDPR:

If the following three requirements are met, there is a transfer and

Chapter V (Art. 44 ff) GDPR is applicable (Guidelines 05/2021 on the Interplay between the

application of Article 3 and the provisions on international transfers as per Chapter V of the
GDPR, version 2.0, adopted on 02/14/2023):

1) A controller or processor ("Exporter")

    is subject to the GDPR in the respective processing.

2) The exporter transmits personal data that are the subject of this processing

    are, to another controller, one common to the

    controller or a processor ("importer") or provides

    them available in other ways.

3) The importer is located in a third country, regardless of whether this importer

    for the respective processing pursuant to Article 3 of the GDPR or a
    international organization is.

Art. 8 para. 1 EU-GRC results in an obligation to perpetuate EU law

Protection levels (ECJ 06.10.2015, C-362/14 (Schrems), para. 72). The objective - 43 -


Provisions regulate the conditions, which allow a person responsible or

Allow processors (exporters) to transfer personal data to a third country
to transfer. The not legally defined term of transmission is within the scope of Art. 44 ff

to be understood in terms of protection. It therefore includes any disclosure of

personal data to a place outside the territory of the European Union
or to an international organization (Kuhling/Buchner, DSGVO BDSG, Art. 44, Rn 16,

Jahnel, Commentary on the General Data Protection Regulation Art. 44 GDPR (as of December 1st, 2020,

rdb.at), para. 18). From Art. 44 GDPR it follows that the importer (recipient in the third country)
is not covered by the scope of the standard because it does not cover the transmission

driven by data. The term "transmission" describes an action of the

data exporter, but not an action of the data importer. Furthermore, Art. 46 provides
Para. 1 GDPR that a person responsible or a processor personal

Data may only be transferred to a third country or an international organization if the

The person responsible or the processor has provided appropriate guarantees and if
enforceable rights and effective remedies for data subjects

stand. As a result, the clear wording of Art. 44 et seq

Requirements for data importers (also correctly the BF2, VWA ./43, page 19).
Based on the case law of the European Court of Justice, the data exporter bears the responsibility

Responsibilityforexaminingthepermissibilityofthespecifictransmission.Hemustatanytime
                                                                                        3
check whether the data is protected in the third country (Kuhling/Buchner, DSGVO BDSG,
Art. 44, para. 16 with reference to ECJ July 16, 2020, C-311/18 (Schrems II)). Total are off

Chapter V GDPR does not confer any subjective public rights/duties on a data importer

remove.

This must be distinguished, for example, from the contractual obligations of a data importer, e.g
Example that he must inform the data exporter immediately if the for

the law applicable to him no longer allows him to process the data in accordance with the

to store and process special contractual clauses (Commission decision of
05.02.2010 on standard contractual clauses for the transmission of personal data

Processors in third countries according to the Directive 95/46/EG of the European Parliament

and of the Council (2010/87/EU), Clause 5 - Obligations of the data importer). However, these are
not the subject of administrative/judicial proceedings.


II.3.4. On Art. 44 GDPR as a subjective right:
Repeatedly, the BF2 stated in the proceedings that a violation of Art. 44ff GDPR was not a

permissible object of a complaint according to Art. 77 GDPR (VWA ./54, page 6, VWA

./62, page 36). This view cannot be followed for the following reasons: - 44 -


§ 24 DSG grants the person whose basic personal right has been violated the opportunity

to have the violation of rights committed against her determined. The
The declaratory statement here concerns the legal position of a specific person in terms of their rights

injured person and is dogmatic in its scope of legal force for this infringement

limited. Based on this determination, the data subject should be able to
further individual claims - such as claims for damages - to pursue (VwGH

14.12.2021, Ro 2020/04/0032).

A dependency in that the data protection authority only

Infringement may be established if the data subject has a data subject right (Article 12ff GDPR)
claims cannot be derived from § 24 DSG. In connection with Art. 77

GDPR, the data protection authority is obliged to make a decision if the data subject

person believes that the processing of personal data concerning them
violates this regulation. Contrary to the view of BF2, however, Art. 77 GDPR is a

Restriction on affected rights according to Art. 12ffDSGVO not to be taken (e.g. VWA

./43, page 17). A data subject can base an infringement on any
Support the provision of the GDPR, if the GDPR-violating processing of personal

data also leads to a violation of the legal position of the person concerned (as does the

Predominant lesson: Jahnel, Commentary on the General Data Protection Regulation Art. 77 GDPR
(as of December 1, 2020, rdb.at), para. 11; Bergt in Kühling/Buchner, DSGVO BDSG, Art. 77, para. 10;

Körffer in Paal/Pauly, General Data Protection Regulation · Federal Data Protection Act, Art. 77;
                                                         4
Moos/Schefzig in Taeger/Gabel, DSGVO BDSG TTDSG, Art. 77, para. 9; Boehm in
Simitis | Hornung | Spiecker, data protection law, Art. 77, Rn6).

Implementation of Art. 77 GDPR, the right to lodge a complaint with a supervisory authority and

the principles of the procedure before the supervisory authority are regulated (1761 BlgNR 25. GP
15). From the materials it is clearly recognizable that with § 24 DSG the right of a

Affected parties to complain to a supervisory authority in accordance with Art. 77 GDPR

is specified. It cannot be inferred from the materials that with Section 24 DSG the scope of the
The rights of a person concerned to lodge a complaint are restricted.


In accordance with Section 24 (1) DSG, every data subject has the right to lodge a complaint with the
Data Protection Authority when it considers that the processing is relevant to you

personal data - (among other things), meant among other things - against § 1 DSG, which also

protects the right to secrecy. According to § 24 para. 2 Z 5 DSG, the complaint
to refrain from seeking to establish the alleged infringement. As far as one

If the complaint proves to be justified, it must be followed according to Section 24 (5) first sentence DSG

Accordingly, the law provides a legal remedy in the event of a violation of data protection law - 45 -


explicitly submit an application for a determination as part of the complaint, which pursuant to Section 24 (5) DSG
It must be followed if it proves to be entitled (VwGH19.10.2022, Ro2022/04/0001).


Therefore, a person considers that the processing concerns them
personal data leads to a violation of their rights, according to § 24 DSG

a right expressly provided for in law to have this determined. In this

context, it should be noted that not only a finding of infringement
according to § 1 DSG (right to secrecy) is possible. With the expression "among other things"

the Administrative Court clearly indicates that not only violations of rights
can be determined, which are based on § 1 DSG (right to secrecy). Also § 24

Para. 2 DSG is no restriction to the effect that a data subject

could only request a declaration of a violation of the right to secrecy.

At the subject of the proceedings, the BF1 showed a violation of rights pursuant to Section 24 (2) DSG

to the effect that the processing of his personal data violates the GDPR
violates (Article 77 GDPR). Specifically, the BF1 requested a determination as to whether a violation of

general principles of data transmission in accordance with Art. 44 GDPR.

Without a doubt, every person has the subjective right if their personal data is processed by

are processed by others, that the processing of the personal data of
concerned in accordance with the GDPR. According to the jurisprudence of

European Court of Justice must agree with any processing of personal data

in line with the principles set out in Art. 5 of the GDPR for the processing of data
and on the other hand related to one of the principles listed in Art. 6 of the GDPR

comply with the lawfulness of the processing (ECJ 22.06.2021, C-439/19 (Latvijas

Republikas Saeima), para. 96). To the extent that a data subject believes that the
Processing of personal data does not comply with the GDPR, it is to that effect

an individual complaint according to § 24 DSG admissible.

It is particularly important to emphasize that the subject of the proceedings is that the European Court of Justice

(ECJ July 16, 2020, C-311/18 (Schrems II), para. 158) it was assumed that the
Noting that “[…] the law and practice of a country does not provide an adequate level of protection

ensure [...]" and "[...] the compatibility of this (appropriateness) decision with

the protection of privacy and the freedoms and fundamental rights of individuals […]” in
Asserted as a subjective right as part of a complaint under Art. 77 (1) GDPR

can be. In this context, the DA correctly stated that the question referred
of the mentioned procedure does not cover the "extent of the right of appeal of Art. 77 Para. 1

DSGVO "was the subject; the ECJ has the fact that also a violation of

Provisions of chapter VDSGVO in the context of a complaint according to Art. 77 Para.1 DSGVO - 46 -


can be invoked is evidently considered a necessary condition. At
From a different point of view, the ECJ would have said that the question of the validity of a

adequacy decision was not clarified at all in the context of a complaints procedure

(VWA ./59, page 23 f).

Overall, the bB is authorized to determine a violation of law according to Art. 44 ff DSGVO.

II.3.5. About the distribution of roles:

At the time of the proceedings, the MB, as the website owner,
Decision made to implement the "XXXX -Analytics" tool on the XXXX website.

Specifically, it has a JavaScript code ("tag") provided by BF2,

inserted in the source code of your website, which means that this JavaScript code is used when you visit the
website was running in the browser of the BF1. The MB has said tool for the purpose

used for statistical evaluations of the behavior of website visitors. Since the

MB about the purposes and means of those related to the tool
has decided on data processing, she is the person responsible within the meaning of Art. 4 Z 7 DSGVO

to watch.

Subject matter of the proceedings is to be noted that the subject matter of the complaint relates only to the

Data transfer to BF2 (United States). In connection with the
Data transmission with the tool XXXX -Analytics should be noted that the BF2 the tool only

makes available and has no influence on whether it is at all or to what extent the MB

makes use of the tool functions and which specific settings it chooses.
Insofar as BF2 XXXX only provides analytics (as a service), it has no influence

on "purposes and means" of data processing and is therefore in accordance with SdArt. 4Z8DSGVO case-related

to qualify as a processor.

II.3.6. Regarding point A.I) - rejection of the complaint by the BF2:

II.3.6.1. On the right to lodge a complaint with BF2:
With the help of the findings in point 2. in the decision that is the subject of the proceedings

clarified whether a violation of the general principles of data transmission according to Art. 44

DSGVO by the MB is available. The judgment point 2. is according to § 59 paragraph 1 AVG of the rest
Spell points separable because he stands alone without an inner connection with

other parts of the procedure is accessible to a separate objection (cf. e.g. VwGH

September 12, 2018, Ra 2015/08/0032). The bB correctly stated that the possible violation of
Art. 5 ff in conjunction with Art. 38 Para. 3 lit. a and Art. 29 GDPR by the BF2 in no connection

with the requirements of Art. 44 GDPR (VWA ./67, page 14). - 47 -


The question of who has party status in a specific administrative procedure can be answered on the basis of
of the AVG alone cannot be solved. Rather, the party position must derive from the

substantive regulations are derived. On the ground of the material

Administrative law it must according to the subject of the relevant administrative procedure
and assessed according to the content of the applicable administrative regulations

become. The constituent element of party status in administrative matters

determined according to the normative content of the case to be applied
regulations. The terms "legal claim" and "legal interest" are only gaining ground

the applicable administrative regulation on a specific content,

according to which only the question of party status can be answered (VwGH April 19, 2022, Ra
2021/02/0251). Against this background, a party position in the administrative court

Proceedings cannot be justified with it, because the results of the proceedings are different

procedures may affect; the party status (or legal interests) is derived
Rather, it depends on the relevant administrative regulation that is the subject of the

administrative procedures.

As explained under point II.3.3, Art. 44 GDPR regulates the admissibility of a

Data transfer to a third country. Based on the case law of the European
Court of Justice, the data exporter (the MB) is responsible for checking the

Admissibility of the specific transmission. He must check at any time whether the data

are protected in the third country. Against this background, it is clear that the
Regulations in Chapter V GDPR without exception subject public rights/duties of the

data exporters (thus the MB) have as their subject. In contrast, subjective

public rights/duties for the data importer in a third country from Chapter V GDPR
not to be taken. This is also evident from the fact that for the assessment of the

Legal question as to whether a data exporter has violated obligations under Chapter V GDPR,
in principle, the data importer does not have to participate in the procedure. Is

therefore a data importer for example for a supervisory authority not at all

reachable, this circumstance does not prevent the supervisory authority from
Violation of the data exporter's rights to be determined in accordance with Chapter VDSGVO

therefore the BF2 in connection with the assessment of the legal question of whether the data exporter

(i.e. the MB) violated obligations under Chapter V GDPR in the procedure of the bB (VWA ./59,
Point 2) no party status.

In point 3 of the ruling at issue, the BF2 was a party to the

Procedure because the bB clarified the legal question as to whether the BF2 violated obligations under Art. 44 GDPR

has violated. However, since Art. 44 or Chapter V GDPR no public law - 48 -


provides for obligations for a data importer in a third country, the BA has a
BF1's request to that effect rejected. The BA confirmed to that effect

Right view of the BF2 (see point II.3.3 above).

As explained, the BF2 did not come in connection with ruling point 2 in the procedure of the DA

party position. However, this party position in administrative procedures is

essential prerequisite for filing a complaint against a decision
administrative court. Party status in administrative proceedings and authority to

Complaints are directly related according to the domestic legal situation
(VwGH 05.04.2022, Ra 2022/03/0073). Since the BF2 in the administrative procedure to verdict point

2. no party status was accorded to the decision at issue in the proceedings was hers

dismiss the complaint to that effect.

Furthermore, it is pointed out that a preliminary question-based assessment in decisions

generally no binding effect for other authorities (or even the same authority in a
other procedures), for whose decision the same question or one with content

comparable (although not to be qualified as a preliminary question in the legal sense) question from

(VwGH 01/20/2016, Ro 2014/04/0045). In addition, the main question
the partial decision that is the subject of the proceedings, the agreement regarding a violation of

Art. 44 GDPR, i.e. the question of whether the data transfer in question is in a
third country was legally permissible. The main question, however, does not include individual statements

some elements of the facts of Art. 44 ff GDPR, which are explained in point 2

are.

It should also be noted that BF2 acted as a processor for MB

Attributable to actions of the MB (Art. 28 GDPR), which finally lead to a
infringement of rights by the MB. In this context it is pointed out that

that the MB did not appeal against the decision of the DA.

II.3.6.2. On the lack of infringement of subjective rights of BF2:

Regardless of the lack of party status (see point II.3.6.1), contrary to the
Explanations of BF2 (VWA ./62, page 8), in the case of a violation of subjective

Basically no rights. This is due to the following considerations:

II.3.6.2.1. For the processing of personal data:

According to Art. 2 Para. 1 GDPR, personal data are the starting point for this factual
Applicability of the GDPR. In this regard, the European Court of Justice

repeatedly stated that the scope of the GDPR should be understood very broadly

(ECJ 06/22/2021, C-439/19 (Latvijas Republikas Saeima), para. 61; 12/20/2017, C-434/16 - 49 -


(Peter Nowak), marginal note 59). This basic understanding is the further explanations
to take as a basis. Against this background, the view of the BA is to be followed that an intervention

in the fundamental right to data protection according to Art. 8 EU-GRC and § 1 DSG already exists,

if certain measures are taken (e.g. assignment of identification numbers) to website
individualize visitors.


In the present case, BF2's own explanations and behavior indicate that
that the information that is the subject of the proceedings (see point II.1.3.1)

represent personal data. The BF2 itself explains that within the framework of the
Order processing service "XXXX Analytics" the data "Online identifiers

(including cookie identifiers), internet protocol addresses and device identifiers and

identifiers assigned by the customer" can be personal data. In addition
set the BF after the judgment of the European Court of Justice of July 16, 2020 in the

Case C-311/18 several measures to ensure a legally compliant transfer of

personal data to the United States (see point II.1.9) to allow.
These explanations and behavior are the less convincing explanations

the MB or the BF2 against that the change of

Order data processing conditions (DTPS) from August 12th, 2020 including the
Standard Contractual Clauses (SCCs) were only made for proactive reasons.

In principle, it should be noted that from the information transmitted on August 14th, 2020

(see point II.1.3 and II.1.3.1) no direct personal reference can be inferred.

Online identifiers (IP address, cookies, etc.) identify on their own
regularly no person, since from them directly neither the identity of the natural

person who owns the end device (computer) from which a website was accessed,

nor the identity of another person who could use this computer (ECJ
October 19, 2016, C-582/14 (Breyer), para. 38). However, identifiability depends on the circumstances

possible.

A piece of information makes a natural person identifiable if through it alone the

Although identification (i.e. recognition) itself is not directly possible, a
corresponding identification but by means of linking to further information

can be made. According to Art. 4 Z 1 DSGVO, a person is identified as identifiable

viewed directly or indirectly, in particular by means of assignment to an identifier such as
a name, identification number, location data, online identifier, or

one or more special characteristics that express the physical, physiological,

genetic, psychological, economic, cultural or social identity of these
natural person can be identified. Knowing the name of the natural - 50 -


However, a person is not absolutely necessary for identifiability (Art.-29-

Data Protection Working Party, WP 136, page 16 f).

To determine whether a natural person is identifiable, all means are to
take into account that of the person responsible or another person according to general

Discretion likely to be exercised directly or indirectly to the individual

identify (recital 26, 3rd sentence). The purely hypothetical possibility of identifying the
However, person is not sufficient for the person to be considered identifiable. It is however

It is also not necessary for the person responsible to actually initiate or cross efforts

already has the appropriate means to bring about identification, but it
the probability that he initiates them or acquire corresponding funds is sufficient

becomes. For the assessment of the question of identifiability, it is therefore not important whether

a controller has actually attempted identification
to do. It is sufficient that utilizing a means under purely abstract too

judging point of view is likely.

In determining whether funds are reasonably likely to identify

of the natural person are used in the context of a risk analysis or forecast

(according to recital 26, 4th sentence) all objective factors, such as the cost of identification and the
time required for this, which is at the time of processing

available technology and technological development must be taken into account.

According to the case law of the European Court of Justice, this is a factual one
Risk of creating a personal reference required (ECJ 19.10.2016, C-582/14

(Breyer), para. 38). To determine whether such a risk exists, it is - in addition to the in ErwG

26, 3rd sentence expressly mentioned factors – also to consider whether the purpose of
Processing requires identification, whether identification to a

Increase in usage and whether the identification is contractual and/or organizational
                                                                                    4
Obstacles (e.g. contractual penalties) (Taeger/Gabel, GDPR BDSG TTDSG, Art. 4,
31). In the present case, an increase in use can be assumed because

e.g. through the online identifiers used (IP address, cookies) a distinction from

website visitors is allowed. Also, in the context of big data applications, the
Threshold for assuming a personal reference is simply low (Kuhling/Buchner,

DSGVO BDSG, Art. 4 No. 1, Rn 22). For example, does a company have two different

Databases store information about people (however, viewed in isolation, none
enable clear assignment to a person), their merging into one

Identification would lead and considering the typical way on the market

available data analysis tools with a reasonable amount of time and money - 51 -


would be, the identifiability of the not (yet) merged databases would be too
                                           4
affirm (Taeger/Gabel, GDPR BDSG TTDSG , Art. 4, Rn31).
already a "digital footprint" that allows devices - and subsequently the

specific user - to be clearly individualized, represents a personal date

(cf. KarglinSimits/Hornung/Spiecker, data protection law, Art. 4Z1, Rn52mwN).
Fingerprinting (RFC6973) can be used by an observer using a device or application instance

sufficient probability on the basis of several information elements (online

identifiers, IP address, browser information, etc.).

In addition, the argumentation of the bB is to be followed that the implementation of XXXX-Analytics
on XXXX results in segregation within the meaning of ErwG 26. In other words: who a tool

used, which makes such a segregation possible in the first place, cannot refer to the

position not to use any means to obtain natural
to make people identifiable. It can be assumed that without using the

procedural information (see point II.1.3.1) the BF2 not able

would be to offer a usable measurement service (see point II.1.4), because for example the BF2 without
Cookies would not be able to provide traceable measurements of website visits

to perform.

Due to the circumstances at hand – big data, benefit increases, the purpose and the

Functionality of the web analytics service XXXX -Analytics and Fingerprinting - is from a

factual risk that the BF2 as the processor of the MB
reasonably likely means of identifying the individual

uses.

With the information transmitted to the BF2 (see point II.2.3 or II.2.3.1), a

"digital footprint" of the BF1 generated, which the BF2 as the processor of the MB
allows to identify the BF1.


With regard to online identifiers, it should be noted that the cookies in question
"_ga" or "cid" (client ID) and "_gid" (user ID) unique XXXX -Analytics identifiers

contained and stored on the end device or in the browser of the BF1. With these

Identifiers, it is sometimes possible for the BF2 to distinguish website visitors and also the
Receive information about a new or returning website

XXXX visitors. Without these identification numbers is therefore a distinction from

Website visitors not possible. In this context, the European
Data protection officers consider that all records containing identifiers

contain, with which users can be singled out, according to the regulation (meant - 52 -


Regulation (EU) 2018/1725) are considered personal data and treated as such
must be protected (VWA ./68).


With regard to the IP address, it should be noted that the "anonymization function" of the IP
Address was not correctly implemented at the time of data transmission to the BF2

and was therefore completely saved by the BF2. In this context is to

note that the general storage of IP addresses constitutes a serious intrusion into the in
fundamental rights enshrined in Articles 7 and 8 of the Charter, since it is possible with IP addresses

is accurate conclusions about the private life of the user of the relevant electronic
to draw means of communication. This can be a deterrent to the

exercise the freedom of expression guaranteed in Article 11 of the Charter (ECJ

20.09.2022 in joined cases C-793/19 and C-794/19 (SpaceNetAG/Telekom
Germany GmbH), para. 100). It also doesn't matter who my IP address actually belongs to:

The decisive factor is whether the IP address can be used to draw conclusions about the data subject

(User) can be drawn. Therefore, the statements of BF2 no
Justification value if it considers that the IP address used

possibly owned by BF1's employer. Regardless, the procedure

revealed that the IP address of BF1 was transmitted directly to BF2.

Already from the combination of the transmitted information (see point II.1.3.1) - online
identifiers, IP address, browser information, operating system, screen resolution,

language selection, etc. - a "digital footprint" can be generated that allows

To clearly individualize the end device and subsequently the specific user.
Irrespective of this, in the present case for BF2 as the processor

Traceability to the BF1 possible:

So the BF1 was XXXX on his XXXX account at the time he visited the website

logged in. The BF2 explained that due to the fact that the tool XXXX -
Analytics is implemented on a website that receives information. This includes the

Information that a specific XXXX account user visited a specific website

(VWA ./31, Question 9). In this context, BF2 explained that this only applies to
Activation of specific settings in the XXXX account is possible (activation of

"Personalized Advertising" and "Web and App Activity" through the XXXX -Account-

users and activation of XXXX signals on the target website). The BB led to this
understandable from the fact that the identifiability of a website visitor does not depend on it

may depend on whether certain declarations of intent are made in the XXXX account, since

from a technical point of view, all possibilities for identification would still be available.
On the other hand, the BF2 could - 53 -


User after personalization of the received advertising information do not match.
In this regard, it must be taken into account that Art. 4 Z 1 GDPR is linked to “can”.

("can be identified") and not whether an identification ultimately also

is made.

Regardless of this, it should be noted that certain settings in a XXXX account

or by activating XXXX signals on a website merely adapting to the
personal needs of users of XXXX applications. The adjustments

by the users do not give any conclusions about the processing of
Meta information by the BF2, which in the course of calling up an application ( XXXX -

Analytics, XXXX account, XXXX ,etc) are transmitted to BF2. In process is in this

Connection of meta information and IP address between XXXX -
Account and XXXX -Analytics emerged, which an undisputed personal reference

enabled.

Regardless of the BF2, there is a real risk that US authorities will

Discretion likely to use means to identify the BF1. In this

In this context, the BF1 understandably explained that US intelligence services online
Identifiers (IP address or unique identifiers) as a starting point for the

Engage surveillance of individuals. Thus, in particular, cannot be ruled out
be that these intelligence services have already collected information with which

Help the data transmitted here can be traced back to the person of BF1. This is how the

BF2 due to data requests metadata and content data. The fact that it is
This is not just a "theoretical danger", as can be seen from the judgment of the

European Court of Justice from July 16th, 2020, C-311/18 (Schrems II), due to the

Incompatibility of such methods and access possibilities of the US authorities with the
Fundamental right to data protection according to Art. 8 EU-GRC ultimately also the EU-US

adequacy decision (“Privacy Shield”) has been declared invalid. In this

context, neither the BF1 nor the MB have the opportunity to verify whether US
Authorities have already received personal data, or whether US authorities

already have personal data from BF1. This circumstance may be of affected

People like the BF1 are not to be blamed. So it was ultimately the MB and also
the BF2, which despite the publication of the above-mentioned judgment of the European Court of Justice

July 16, 2020 continued to use the XXXX -Analytics tool. After all, he is too
To follow the reasoning of the bB that the MB is subject to accountability (Art. 5 para.

2 in conjunction with Article 24 (1) in conjunction with Article 28 (1) GDPR) that processing is carried out in accordance with the regulation

took place. In this context, the MB has its processor (BF2) in the process - 54 -


no organizational or technical measures identified which are suitable,
Methods and ways of accessing the US authorities to prevent it from happening

Violation of the fundamental right to data protection according to Art. 8 EU-GRC.

As a result, the transmitted information (see point II.1.3 or II.1.3.1) represents in any case

in combination represents personal data in accordance with Art. 4 Z 1 DSGVO.

II.3.6.2.2. On the lack of an appropriate level of protection in accordance with Art. 44 GDPR:

Art. 44 GDPR sees a basic provision for international data transfer
two-stage admissibility check. The first requirement that data is ever in a

third country may be transmitted, is that the other provisions

of the GDPR (such as Art. 5 f, Art. 13 f GDPR) are complied with. As part of the second
At the first stage, it must be checked whether one of the requirements of Art. 45 – 49 GDPR is met. The first in

According to Art. 45 GDPR, the admissibility in question is present if the

Commission has determined in an adequacy decision for the third country concerned that
that it offers an adequate level of protection. Is there such a thing?

adequacy decision, no approval is required for data transfer in

the respective third country. If there is no adequacy decision, it must be checked further whether the
Requirements according to Art. 46, 47 or 49 GDPR are met.

After the European Court of Justice declared the "EU-US Privacy Shield" with the decision of

16.07.2020, C-311/18 (SchremsII) declared invalid, the procedural

Data transmission on August 14, 2020 (see point II.1.3 or II.1.3.1) on the basis of a
adequacy decision can no longer be justified. With the decision of

European Court of Justice clarified that the United States until further notice

are to be regarded as a "third country" and are currently privileged for the transmission of
personal data according to Art. 45 GDPR does not exist.

Since there is no adequacy decision according to Art. 45 Para. 3 GDPR, Art. 46

GDPR further admissibility ("suitable guarantees"). If one of the in Art. 46

Para. 2 GDPR listed guarantees, is international data traffic
allowed without permission. The guarantees of Art. 3 GDPR exist subject to one

Approval by the competent supervisory authority. If none of the provisions in Art. 46 Para. 2 and

Para. 3 GDPR, it must be checked further whether one of the
Exceptions for a permissible third-country transfer according to Art. 49 GDPR are fulfilled.

At issue in the proceedings, the MB based the transfer on standard data protection clauses

in accordance with Article 46 (2) (c) GDPR. For further "suitable guarantees" according to Art. 46 DSGVO

the transfer of the data at issue in the proceedings was not supported by the MB. - 55 -


Therefore, the admissibility of the data transmission according to Art. 46 Para. 2 lit. c
GDPR examined.


II.3.6.2.2.1. For data transfer based on standard data protection clauses in accordance with
            Article 46 (2) (c) GDPR:

On August 12, 2020, the MB and the BF2 have in accordance with Article 46 (2) (c) GDPR

Standard data protection clauses for the transfer of personal data to the
United States completed. (“ XXXX Ads Data Processing Terms: Model Contract

Clauses, Standard Contractual Clauses for Processors”). Specifically, it was about
at the point in time at which the complaint is made by those clauses in the version of

Implementing decision of the European Commission 2010/87/EU of February 5, 2010

about standard contractual clauses for the transfer of personal data
Processors in third countries according to the Directive 95/46/EG of the European Parliament

and of the Council, OJ L 2010/39, p.

When transferring personal data to a third country, the

Standard Data Protection Clauses Enforceable Rights and Effective Remedies

ensure that they enjoy a level of protection equivalent to that in the Union through the GDPR in
The level guaranteed by the Charter is equivalent in substance. In this

In connection with this, the contractual regulations must be taken into account in particular
between the controller based in the Union and that in the third country concerned

resident recipients of the transfer have been agreed, as well as what any

Access of the authorities of this third country to the transmitted personal data
concerns, the relevant elements of the legal system of that country, in particular the

Article 45 (2) of the GDPR (ECJ July 16, 2020, C-311/18 (Schrems II), Rn

105). The competent supervisory authority is obliged to draw up a standard data protection clause
to suspend or permit the assisted transfer of personal data to a third country

prohibit if that authority considers in light of all the circumstances of this transfer

is that the clauses in this third country are not respected or not respected
and that according to Union law, in particular according to Articles 45 and 46

of the GDPR and according to the charter, the required protection of the transmitted data

can be guaranteed by other means (ECJ July 16, 2020, C-311/18 (Schrems II), para
121).

In the present case, it should first be noted that the European Court of Justice used the “EU-US

Privacy Shield” has therefore been declared invalid, as this with Articles 7, 8 and 47 of the Charter

was incompatible (ECJ July 16, 2020, C-311/18 (Schrems II), para. 150 ff), since it was for US authorities
(intelligence services) offered disproportionate access opportunities and no effective - 56 -


Legal remedies for victims (non-US citizens) were available. That's how he led
European Court of Justice guaranteed that regarding Art. 7 and 8 of the Charter

Fundamental Rights neither Section 702 of FISA nor the E.O. 12333 in conjunction with the PPD-28

those existing in Union law based on the principle of proportionality
Meet the minimum requirements, so it cannot be assumed that the on these

regulation-based surveillance programs to the extent absolutely necessary

are limited. Also, with regard to those based on Section 702 of FISA as well
with regard to the E.O. 12333 supported monitoring programs to note that

neither the PPD-28 nor the E.O. 12333 confer rights on data subjects that

can be legally enforced against the American authorities, so that
these persons do not have an effective remedy. In this connection

the ombudsman mechanism mentioned in the adequacy decision does not offer legal recourse

to an entity that provides individuals whose data is transferred to the United States
would offer guarantees equivalent to the guarantees of the thing required under Article 47 of the Charter

after would be equivalent.

These circumstances, which led to the lifting of the "EU-US Privacy Shield", are also at the

assessment of a data transfer in accordance with Article 46 (2) (c) GDPR.
In this regard, it should be noted that the standard data protection clauses are by their nature not

Can offer guarantees that go beyond the contractual obligation, for compliance with the

to ensure the level of protection required under Union law. In particular, they can
due to the nature of the contract, no third-country authorities (such as US

intelligence services) (ECJ July 16, 2020, C-311/18 (Schrems II), para. 132 f).

These considerations can be applied to the present case. So is

obvious that the BF2 as a provider of electronic communication services within the meaning of
50 U.S. Code § 1881(b)(4) and thus subject to surveillance by U.S.

Intelligence agencies are subject to 50 U.S. Code Section 1881a (“FISA 702”). Accordingly, the BF2

the obligation to report to U.S. authorities under 50 U.S. Code § 1881a personal data
to provide. The agreed between the MB and the BF2

Standard data clauses do not offer any options in this context

To meet requirements effectively or to prevent them. How from the
transparency report of BF2, such inquiries are also regularly received from US

authorities placed on them.

The data transmission in question can therefore not solely be based on the between the MB and

of the BF2 concluded standard data protection clauses in accordance with Article 46 (2) (c) GDPR
be supported. - 57 -


Because, by their very nature, these standard data protection clauses cannot provide any guarantees that
about the contractual obligation to comply with what is required under Union law

Levels of protection going beyond that may vary depending on the situation in a particular third country

given situation, it may be necessary for the person responsible to take additional measures (see
point II.3.6.2.2.2) to ensure compliance with this level of protection.


II.3.6.2.2.2. Regarding the additional measures:
In its "Recommendations 01/2020 on measures to supplement transmission tools for

Ensuring the Union legal level of protection for personal data, version
2.0 of the European Data Protection Board (“EDPB Recommendations”)” the EDPB

stated that in the event that the law of the third country affects the effectiveness of

appropriate safeguards (such as standard data protection clauses), the data exporter
either suspend the data transfer or take additional measures

implement (EDSA recommendations Rn 28 ff and Rn 52 or ECJ July 16, 2020, C-

311/18 (Schrems II), para. 121).

According to the recommendations of the EDPB, such “additional measures” can be contractual,

be of a technical or organizational nature (EDSA recommendations, para. 52):

With regard to contractual measures, it is stated that these "[...] the guarantees that
provide the transmission tool and the relevant legislation in the third country,

supplement and strengthen, as far as the guarantees, taking into account all circumstances

of transmission, do not meet all the requirements necessary to register
to ensure a level of protection essentially equivalent to that in the EU. Since the

contractual measures, by their very nature, the authorities of the third country generally do not

can bind, if they are not themselves a party to the contract, they must with others
technical and organizational measures are combined to achieve the required

to ensure a level of data protection. Just because you have one or more of these actions
selected and applied does not necessarily mean that it is systematic

it is ensured that the intended transfer meets the requirements of Union law

(ensuring an essentially equivalent level of protection) is sufficient” (EDSA-
Recommendations 01/2020, para. 99).


With regard to organizational measures, it is stated that they are "[...] internal strategies,
Organizational methods and standards act that those responsible and

apply to processors themselves and to data importers in third countries
could impose. These can be uniform throughout the processing cycle

Protection of personal data. Organizational measures can also contribute to this

help ensure that data exporters are aware of the risks related to data access in - 58 -


Third countries and related access attempts are better aware and more alert
can react. Just because you selected one or more of these measures and

applied, this does not necessarily mean that it is systematically ensured that

the intended transfer meets the requirements of Union law (ensuring a
of items with equivalent levels of protection) is sufficient. Depending on the special circumstances of

transmission and the assessment of the legal situation in the third country

organizational measures to supplement the contractual and/or technical ones
Measures required to ensure the protection of personal data

is equivalent to the level of protection guaranteed in the EEA" (EDSA-

Recommendations 01/2020, para. 128).

Regarding the technical measures, it is stated that these "[...] guarantees that the
offer transmission instruments in Art.l 46 DSGVO, can supplement to ensure

that the protection required under Union law also applies to the transmission of personal data

data to a third country is guaranteed. These measures are particularly
required if the law of the third country in question tells the data importer

Obligations imposed that correspond to the guarantees of the transmission instruments mentioned in Art.

46 GDPR and are therefore suitable for the contractual guarantee of one thing
according to equivalent levels of protection as far as official data access in the third country is concerned,

to undermine" (EDSA Recommendations 01/2020, para. 77).

An additional measure is only considered effective within the meaning of the judgment of the European

Court of Justice (ECJ 16.07.2020, C-311/18 (Schrems II)), if and to the extent that they -
alone or in connection with others - closes precisely the legal protection gaps,

that of the data exporter in its review of the applicable to its transfer

established legislation and practice in the third country. Should it be the data exporter
ultimately not be possible to achieve an equivalent level of protection,

he may not transmit the personal data (EDSA Recommendations 01/2020, Rn

75).

Applied to the present case, this means that it must be examined whether the
"Additional measures taken" by BF2 (see point II.1.10 or VWA ./31, page 23 ff)

within the framework of the judgment of the European Court of Justice (ECJ July 16, 2020, C-311/18

(Schrems II)) identified gaps in legal protection - i.e. inappropriate access and
Surveillance capabilities of US intelligence services and insufficient effective

Legal remedy for those affected – close.

Against this background, it must therefore be checked whether the additional measures taken by BF2

Measures are suitable, the illegal circumstances - disproportionate - 59 -


Possibilities of access by US authorities or the lack of effective legal remedies for
Affected – to eliminate, so that the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter

not get hurt.

With regard to the contractual and organizational measures set out, is not

recognizable to what extent through a review of a request from US authorities by XXXX -

Attorneys or by specially trained personnel to comply with applicable laws and
XXXX guidelines that do not violate the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter

become. Compliance with US laws – i.e. the obligation to release data
– leads precisely to the violation of the fundamental rights of the Union citizens concerned. As well

there is no justification value for notifying customers before any of their

Information US authorities will be announced. This is because a transfer of
Information is disproportionate under European law and the data subject

Union citizens have no effective legal remedies against disclosure. Also it comes to

a violation of fundamental rights of EU citizens concerned, if a notification to
customers are omitted for US legal reasons. Even if the request of a US

authority is omitted due to an emergency, the disclosure is unlawful, since the

Union citizens concerned do not have the opportunity to use an effective legal remedy
to verify the emergency. Finally, the release of a

transparency report and the publication of BF2's policy on dealing with

Government requests do not remove the unlawful circumstances for the purposes set out in Art. 7, 8 and
47 of the charter are not violated.

The technical measures presented are also not suitable for preventing the violation of the

eliminate fundamental rights. The technical measures listed in the

Access options in connection with the transmission or storage of the data
by US intelligence services based on US law neither prevent nor

restrict. As correctly led by the bBaus, the technical measures cannot be considered

be considered effective if the BF2 itself still has the ability to access the
access data in plain text. As far as the BF2 refers to an encryption technology,

it can be inferred from EDSA recommendations that a data importer (the BF2), the 50 U.S.

Code is subject to Section 1881a (“FISA 702”) with respect to the imported data contained in its
possession or custody or under his control, has a direct obligation to

grant access to or release them. This obligation can
also expressly extend to the cryptographic keys, without which the data cannot be processed

are legible (margin no. 81). - 60 -


Also, the explanations of the BF2 are that as far as XXXX -Analytics data for measurement by
Website owners are personal data, should be considered as pseudonymous,

not suitable as an "additional measure". In this context, the

convincing view of the German Data Protection Conference, according to which "[...] the
The fact that the users are made identifiable via IDs or identifiers, none

pseudonymization measure within the meaning of the GDPR. In addition, it is not about

appropriate guarantees to comply with data protection principles or to safeguard the
Rights of data subjects if IP addresses, cookie

IDs, advertising IDs, unique user IDs or other identifiers are used. Then,

other than in cases where data is pseudonymized to the identifying data
obscure or delete it so that the persons concerned are no longer addressed

can, IDs or identifiers are used to distinguish the individual individuals

and make it addressable. Consequently, there is no protective effect. It is about
therefore not about pseudonymizations within the meaning of Recital 28, which the risks for those affected

Lower people and those responsible and the processors in compliance

support their data protection obligations" (cf. the guidance of the supervisory authorities
for providers of telemedia from March 2019, p. 15).

In addition, the arguments of BF2 cannot be followed because the XXXX -

Analytics ID combined with other elements anyway and even with a dem

BF2 indisputably attributable XXXX account can be connected.

The "anonymization function of the IP address" mentioned is not relevant to the case
Relevance because it was not implemented correctly (see point II.1.3.4).


Overall, the additional measures identified by BF2 are not suitable
Gaps in legal protection identified in the judgment – inappropriate access and

Surveillance capabilities of US intelligence services and insufficient effective
Legal remedy for those affected – close.


II.3.6.2.2.3. Summary:
Based on the decision of the European Court of Justice of July 16, 2020, C-311/18

(Schrems II), the data transfer at issue was not with the "EU-US

Privacy Shield". Also, the data transfer that is the subject of the proceedings cannot
based solely on the standard data protection clauses concluded between MB and BF2

in accordance with Article 46 (2) (c) GDPR. In addition, those of the BF2
The additional measures identified are not suitable for those identified in the judgement

Legal protection loopholes – inadequate access and monitoring options by US

intelligence services and insufficient effective legal remedies for those affected - to - 61 -


close. Overall, the data transmission that is the subject of the proceedings is not covered
in Art. 46 GDPR.


As far as the BF2 in administrative procedures a risk-based approach
Assuming, it should be noted that this approach already differs from the wording of Art. 44 GDPR

Article 44 GDPR covers any transmission of personal

Data. The standard therefore does not differentiate between extremely low-threshold data
are transferred for which there is only a very low basis risk. Although the GDPR sees in

Individual provisions stipulate a risk-based approach (e.g. Art. 24 Para. 1 and Para. 2, Art.
Article 25(1), Article 30(5), Article 32(1) and (2), Article 34(1), Article 35(1) and Article 35(3).

or Art. 37 Para. 1 lit. b and lit. c GDPR), however, this circumstance does not mean that the

risk-based approach is to be applied analogously to Art. 44 GDPR.

The European Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II)) is in relation to the

Legal position of the US now just assumes that due to the disproportionate
Access possibilities of US authorities as well as insufficient effective legal remedies for

Those affected cannot be assumed to have an “appropriate level of data protection”, which is why

he finally also declared the EU-US adequacy decision to be invalid. The
The European Court of Justice has expressly not aimed at the fact that the obligations

which is a Privacy Shield certified company from the United States
subject, may be appropriate in individual cases (e.g. because the certified

Company only non-sensitive or non-criminal relevant personal data

data received).

With the help of the GDPR, the free movement of data should also be guaranteed. However, it stands

free traffic in this context on the premise that the specifications of
GDPR - and this also includes Chapter V - are fully complied with. A softening in the

In the sense of a "business-friendly interpretation" of the specifications of Chapter V in favor
however, free data traffic is not planned. Economic interests played

also irrelevant in the judgment of the ECJ of July 16, 2020, C-311/18 (Schrems II).

II.3.6.3. Regarding the exceptions for certain cases according to Art. 49 GDPR:

According to the MB's own information, the exception was in accordance with Art. 49 GDPR

not relevant for the data transfer in question (VWA ./11, page 13). also is
In the process it did not come out that his consent according to Art. 49 Para. 1 lit. a DSGVO

was caught. Since altogether no circumstances arose that a fact
according to Art. 49 GDPR would be fulfilled, the data transfer that is the subject of the procedure

are not based on Art. 49 GDPR. - 62 -


II.3.6.4. Result:
Since for the data transmission in question the MBan the BF2 (in the United States)

no adequate level of protection guaranteed by an instrument of Chapter V of the GDPR

there is a violation of Art. 44. The MB was (at least) for
Complaint-relevant time - i.e. August 14th, 2020 - for the operation of the XXXX website

responsible. The data protection violation of Art. 44 GDPR relevant here is

therefore attributable to the MB.

Overall, the BF2 was not in a position to rule that point 2. of the
To justify the CB's decision which would have violated its legal interests. Also

for this reason, the complaint by the BF2 was to be rejected.

II.3.7. Regarding point A.II) – inadmissibility of the revision:

According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or

Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. The
Statement must be briefly justified.

The revision is allowed because the question of whether a data recipient (data importer in

a third country) in the procedure for establishing a violation of the general

Principles of data transmission according to Art. 44 GDPR are not yet sufficient
Judiciary of the Administrative Court exists.

It was therefore to be decided accordingly.


II.3.8. Regarding point B.I) - rejection of the complaint by the BF1:
As explained under point II.3.3, there are no subjective public ones from Chapter V GDPR

Rights/obligations to refer to BF2 as data importer. Against this background, the

BF1's complaint about a decision to be dismissed.

II.3.9. Re point B.II) - admissibility of the revision:
According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or

Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. The

Statement must be briefly justified.

The revision is allowed because the legal questions shown here are not yet sufficient
Judiciary of the Administrative Court exists.


It was therefore to be decided accordingly.