Commissioner (Cyprus) - 11.17.001.008.229
Commissioner - 11.17.001.008.229 | |
---|---|
Authority: | Commissioner (Cyprus) |
Jurisdiction: | Cyprus |
Relevant Law: | Article 5(2) GDPR Article 44 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 17.08.2020 |
Decided: | 28.02.2024 |
Published: | |
Fine: | n/a |
Parties: | ARKTINOS” Publications Ltd |
National Case Number/Name: | 11.17.001.008.229 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | Office of the Commissioner for Personal Data Protection (in EL) |
Initial Contributor: | im |
In one of the 101 complaints filed by noyb, the DPA reprimanded a private news company for transferring personal data in the US without a legal basis in accordance with Chapter V GDPR.
English Summary
Facts
On 12 August 2020, the data subject visited the website politis.com.cy while logged in to a Facebook account with his e-mail address. The private news company managing the website, the controller, integrated HTML code for Facebook Services, including Facebook Connect. Facebook Connect is a service used by third party websites, that allows Facebook users to log into other websites with their Facebook profile, without having to create separate accounts there. At the same time, this service enables the flow of user’s personal data between the site and Facebook.
While the data subject visited the website, the controller processed their personal data of which at least some were transferred to Facebook Inc, in the United States.
Because the CJEU has annulled the EU-US Privacy Shield in judgment C-311/18, the data transfer could not be based on the adequacy decision as per Article 45 GDPR. Yet, the data transfers were still based on the invalidated EU-US Privacy Shield, as was evident by section 4 of the Facebook Data Processing Terms. Facebook Inc. is subject to oversight by U.S. intelligence services in accordance with 50 U.S. Code § 1881 and therefore obliged to provide U.S. authorities with personal data.
For this reason, the data subject filed a complaint against the controller for a breach of provisions of Chapter V concerning the transfer of personal data to third countries. Additionally, the data subject requested a clarification whether Facebook Business Tools Terms and Facebook Data Processing Terms met the requirements of Article 28 GDPR on the transfer of personal data to third countries.
The controller claimed that they did not collect personal data of any users who visited the website from a Facebook link and the only use of Facebook tools made by the controller was to promote their news articles to more people on the basis of the criteria provided to them. After the DPA asked the controller to clarify whether the data received from the use of Facebook pixel tool led to user’s identification and, therefore, processing of their personal data, even if it was not their intention, no statement was submitted.
Holding
The DPA started an investigation into the relationship between the controller and Facebook Inc, analysing the Terms of Use of Facebook Business Tools. the DPA confirmed that Facebook Inc. is acknowledged as a data processor and a joint controller for processing occurring on websites which use Facebook Business Tools.
Moreover, the DPA stated that due to the implementation of the Facebook Pixel tool on the website, at least the IP address, browser information, website location, pixel ID and click data of the data subject were processed. On the basis of the evidence provided, the DPA found that a data transfer to the United States occurred. The DPA clarified that data processing took place due to the decision of a controller to incorporate the Facebook Service Tools on its website. Furthermore, the abovementioned processing was based on the EU-US Privacy Shield even after its invalidation by the CJEU decision of 16 July 2020.
Thus, the DPA found a violation of Article 5(2) GPDR since the controller failed to demonstrate compliance with Article 5(1) GDPR and a violation of Article 44 GDPR since the controller did not ensure a level of protection of the data subject guaranteed by the GDPR.
The DPA did not fine the controller and did not prohibit or suspend the data transfer. Instead the DPA ordered the controller to ensure that transfer of data takes place on the basis of the new EU-US Data Protection Framework, Implementing Decision (EU) 2023/1795, or on the basis of an appropriate guarantee under Article 46 GDPR, if the use of services in question continue.
Regarding the analysis of whether Facebook Inc.’s bears responsibilities of a controller, the DPA concluded that in the present case Facebook Inc. does not determine purposes and means of the processing. At the same time, the possibility that Facebook Inc. will receive requests from U.S security authorities does not automatically lead to that conclusion.
Additionally, the DPA analysed that Facebook Inc. is a data importer and not a data exporter. Therefore, the obligations set out in Chapter V of GDPR do not apply to Facebook Inc. and no breach of Article 44 GDPR by Facebook Inc. can be established.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
REPUBLIC OF CYPRUS OFFICE OF THE COMMISSIONER FOR PERSONAL DATA PROTECTION MACHINE TRANSLATED Case Reg.: 11.17.001.008.229 DECISION Complaint of a personal data breach In the light of the tasks and powers conferred on me by Article 57(1)(f) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “the Regulation”), I have examined a complaint lodged at my Office, pursuant to Article 77(1) of the Regulation, against “ARKTINOS” Publications Ltd (“Politis” newspaper) (hereinafter the “defendant”); Facebook Ireland Ltd (hereinafter “Facebook Ireland”) and Facebook Inc. The complaint was lodged with the Austrian Data Protection Supervisory Authority on 17 August 2020 by a resident of Austria (hereinafter the “complainant”), represented, pursuant to Article 80(1) of the Regulation, by the non-profit organisation noyb – European Centre for Digital Rights. On the basis of the investigation, I have found an infringement of the Regulation by the defendant and therefore adopt this Decision. A. Facts of the case Positions of the Complainant 2. The complaint relates to an alleged breach of the provisions of Chapter V of the Regulation. The complaint states inter alia that: 2.1. the complainant, on 12 August 2020, at 11:43 a.m., visited the website https://politis.com.cy (hereinafter the “website”) while logged in to a Facebook account with his e-mail address, 2.2. the defendant has integrated HTML code for Facebook Services (including Facebook Connect). 2.3. during the complainant’s visit to the website, the defendant processed the complainant’s personal data (at least the IP address and cookie data), of which at least some were transferred to Facebook Inc, in the United States. The complainant does not have the technical means to determine whether such data transfer took place directly between defendant and Facebook Inc. or via Facebook Ireland as an intermediary, 2.4. Facebook Connect is a service used by third party websites, enabling the flow of user’s personal data between the site and Facebook; Kypranoros 15, Nicosia 1061, CYPRUS / P.O.23378, 1682 Nicosia, CYPRUS. Tel: +35722818456, Fax: +35722304565 E-mail: commissioner@dataprotection.gov.cy, Website: http://www.dataprotection.gov.cy2.5. the use of Facebook Connect was subject, when submitting the complaint, to the documents Facebook Business Tools Terms and Facebook Data Processing Terms. These two documents would be updated with effect from 31 August 2020 (New Facebook Business Tools Terms and New Facebook Data Processing Terms); 2.6. interpreting the Facebook Business Tools Terms and Facebook Data Processing Terms, which were in force at the time of the complaint, it is concluded that: 2.6.1. Facebook Ireland is the contractual partner of the controller and acts as processor in accordance with Article 4(8) of the Regulation, 2.6.2. Facebook Inc. acts as a sub-processor. This conclusion is also apparent from the New Facebook Business Tools Terms and New Facebook Data Processing Terms. 2.7. in any case, the complainant’s personal data has been transferred by the defendant in the United States. This transfer, by the defendant, which is an EEA-based company, to Facebook Inc. or to any other processor in the United States (or to any other country outside the EEA) requires a legal basis in accordance with Article 44 of the Regulation; 2.8. as the CJEU has annulled the EU-US Privacy Shield in judgment C-311/18, the controller can no longer base the transfer of data to Facebook Inc. on an adequacy decision under Article 45 of the Regulation; 2.9. however, the Facebook team and the controller are still trying to base the transfer on the invalidated “EU-US Privacy Shield”, as evidenced by point 4 of the Facebook Data Processing Terms: Facebook, Inc. has made commitments under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield that may apply to data transferred by you or Facebook Ireland Limited to Facebook, Inc. under the Applicable Product Terms. When applicable as the means to transfer Personal Data outside of the EU or Switzerland to Facebook, Inc. where you are in the European Union or Switzerland, you acknowledge that the Privacy Shield Terms (https://www.facebook.com/legal/privacyshieldtermsforadvertisers) apply to such data in addition to the Applicable Product Terms.’; 2.10. regarding these data transfers, the Facebook Data Processing Terms contains a link and reference to Privacy Shield Terms, which in turn is linked to Facebook Inc. and the EU-U.S. and Swiss-U.S. Privacy Shield. 2.11. a similar reference can be found in the New Facebook Data Processing Terms document, which would be implemented 6 weeks after the CJEU’s ruling: Facebook, Inc., which is used by Facebook Ireland as a sub-processor, has made commitments under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield that may apply to Personal Information transferred by you or Facebook Ireland to Facebook, Inc. under the Applicable Product Terms. When applicable as the means to transfer Personal Information outside of the EU/EEA or Switzerland to Facebook, Inc., you acknowledge that the Privacy Shield Terms apply in addition to the Applicable Product Terms.’; 2.12. a regular data transmission system based on an annulled adequacy decision constitutes a serious, systematic and, in view of the New Facebook Data Processing Terms, an intentional violation of Article 45 and subsequent articles of the Regulation; 22.13. nor can the controller base the transfer of data on standard contractual clauses, in accordance with Article 46(2)(c) and (d) of the Regulation, if the third country does not ensure adequate protection of personal data transferred in accordance with these clauses, under EU law. The CJEU explicitly found that onward transfer to companies falling under 50 U.S. Code § 1881a, not only violates the relevant articles of Chapter V of the Regulation, but also Articles 7 and 8 of the EU Charter of Fundamental Rights, as well as the substance of Article 47 of the Charter (C-362/14 (“Schrems I”), para. 95). Therefore, any onward transfer violates the fundamental right to privacy, data protection and the right to effective judicial protection and a fair trial; 2.14. Facebook Inc. qualifies as a provider of electronic communications services within the meaning of 50 U.S. Code § 1881(b)(4) and is therefore subject to U.S. intelligence surveillance under 50 U.S. Code § 1881a (“FISA 702”). As evidenced by the Snowden Transparencys and the Facebook Transparency Report (https://transparencyreport.google.com/userdata/us-national-security), Facebook Inc. actively provides personal data to the U.S. Government pursuant to 50 U.S. Code § 1881a; 2.15. consequently, the controller is not in a position to ensure adequate protection of the complainant’s personal data transferred to Facebook Inc. Therefore, the controller has a legal obligation to refrain from transferring the complainant’s data – or any other personal data – to Facebook Inc. However, for more than one month after the decision, the controller has not acted on the basis of the decision, 2.16. the Facebook group continues to accept data transfers from the EU/EEA, both on the basis of the invalidated “EU-US Privacy Shield” and standard contractual clauses, despite the CJEU’s clear judgement and violation of Articles 44 to 49 of the Regulation. Facebook Inc. further discloses personal data from the EU/EEA to the U.S. government, in violation of Article 48 of the Regulation. 2.17. in accordance with Article 3(2)(a) of the Regulation, the Regulation is extended to sub-performers, who are not established in the Union, where the processing activities relate to the offering of services to data subjects in the Union. Consequently, there is direct jurisdiction against Facebook Inc. While Facebook Ireland may claim to fall under the jurisdiction of the Supervisory Authority of Ireland, as the lead Supervisory Authority (Article 56 of the Regulation), there is no main establishment of Facebook Inc. in the Union. Therefore, any Data Protection Authority of the Union has direct jurisdiction over Facebook Inc., under its sub-processor activities, 2.18 pursuant to Articles 58 and 83 of the Regulation, the competent Supervisory Authority may use corrective and sanctioning powers against both the controller and the processor Facebook Ireland and the underprocessor Facebook Inc., 2.19. in accordance with the above CJEU ruling, the competent Supervisory Authority must suspend or terminate the transfer of personal data to the third country, pursuant to Article 58(2)(f) and (j) of the Regulation; 2.20. the complainant requests that: 2.20.1. the complaint under Article 58 of the Regulation has been fully investigated and clarified: 3(a) what personal data has been transferred by defendant and/or Facebook Ireland to Facebook Inc. in the United States or to any other third country or international organisation; (b) on which transfer mechanism the defendant and/or Facebook Ireland based the transfer of data; (c) whether the provisions of the Facebook Business Tools Terms and Facebook Data Processing Terms, at the time of lodging the complaint and as to be amended as from 31 August 2020, met the requirements of Article 28 of the Regulation concerning the transfer of personal data to third countries; 2.20.2.immediately prohibit or suspend any transfer of data by defendant and/or Facebook Ireland to Facebook Inc. in the United States, and order the data to be returned to the EU/EEA or another country providing adequate protection pursuant to Article 58(2)(d), (f) and (j) of the Regulation; 2.20.3.an effective, proportionate and dissuasive fine shall be imposed on the defendant, Facebook Ireland and Facebook Inc. pursuant to Article 83(5)(c) of the Regulation, taking into account that: (a) the complainant is probably only one out of thousands of users (Rule 83(2)(a) of the Rules of Procedure); (b) at the time of the complaint, more than a month had elapsed since judgment C- 311/18 of the CJEU and the defendant did not take any measures to bring the processing operations into compliance with the provisions of the Regulation (Rule 83(2)(b) of the Rules of Procedure). Where reference is made to the controller above, the defendant is understood. Positions of the Defendant 3. As part of the investigation of the complaint, my Office sent a letter to the defendant with clarification questions on 23 December 2020. This letter was sent again to the defendant on 7 January and 18 February 2021. 4. In a letter dated 18 February 2021, the defendant submitted the reply of the technician, who developed the website. In particular, it was mentioned that to the best of his knowledge, there were no specific codes on the site, as “login with facebook etc” was never used. However, the relevant questionnaire sent was not answered. 5. On 20 January 2022, my Office sent a new letter to the defendant, and after it was reiterated that, based on the analysis of the data and file submitted by the complainant, as well as an audit on the website, a Facebook tool was used, new questions were asked and the questions contained in the Office’s letter of 23 December 2020 requested to be answered. 6. In a letter dated 26 January 2022, the defendant stated inter alia the following: 6.1. as regards the questions contained in my Office’s letter of 23 December 2020 concerning the Facebook Connect tool, it was already mentioned in the letter dated 18 February 2021 that the Facebook Connect tool is not used. However, the technical developer of the website was contacted again, who confirmed that this tool was never used on the website. A user chooses to access a third-party website through Facebook Connect, 4they allow that website to retrieve information they have given to Facebook, including their full name, pictures, wall posts, friend information, etc.. It was stated that the defendant never had access to such sensitive information, let alone to process it, 6.2. the Facebook tools that were, and still were, at the time of submitting the reply, are the Facebook domain verification and the Facebook pixel. 6.2.1. Facebook domain verification is a tool for website validation purposes, to avoid blocking from the platform, in cases of spam reporting, and 6.2.2. the Facebook pixel tool is a tool for paid ads (“paid ads”) of defendant’s news articles on Facebook, 6. 3. under no circumstances does the defendant collect or process personal data of users. The only use of Facebook made by the defendant is to promote her news articles to more people on the basis of the criteria provided by the platform. 6.4. the defendant does not keep a record of the personal data of any user who visits the site from a Facebook link. 7. In a letter from my Office to the defendant dated 30 May 2022, it was stated inter alia that the use of the Facebook pixel tool results in the processing of data of users – visitors to the website. This data can lead to user-visitor identification, possibly in combination with other data. Therefore, the visit of internet users to the website results in the processing of their personal data, even if it was not the intention of the defendant. Therefore, the respondent was again requested to reply to the questions contained in the Office’s letter of 20 January 2022. 8. However, the defendant did not provide any reply or information to my Office. B. Legal framework 9. According to Article 4 of the Regulation, personal data are to be interpreted as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. 10. The controller is defined in Article 4 of the Regulation as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’. 11. A processor is defined in Article 4 of the Regulation as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’. 12. Regarding the principles governing the processing of personal data, Article 5 of the Regulation provides the following: 5 ‘1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).’ 13. Pursuant to Article 44 of the Regulation, it is provided that: “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.” 14. Pursuant to Article 57(1)(f) of the Regulation, the Commissioner for Personal Data Protection has the duty to: “handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary.” 615. As regards the submission of a complaint to the Supervisory Authority, Article 77 of the Regulation provides that: “Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.” 16. Pursuant to Article 58(2) of the Regulation, the Commissioner for Personal Data Protection has the following corrective powers: “a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; (c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (e) to order the controller to communicate a personal data breach to the data subject; (f) to impose a temporary or definitive limitation including a ban on processing; (g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19; (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; (j) to order the suspension of data flows to a recipient in a third country or to an international organisation.’ 17. As regards the general conditions for imposing administrative fines, Article 83(2) of the Regulation provides: ‘2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; 7(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject- matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. 3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. 4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4). 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects' rights pursuant to Articles 12 to 22; (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).” 8C. Rationale 18. On the basis of the information provided by the complainant, it appears that the subject of the complaint is the possible transfer of data by the complainant and whether there was an adequate level of data protection, as provided for in Article 44 of the Regulation, due to the inclusion of a Facebook tool on the website. In this context, it should also be investigated whether Facebook Ireland and/or Facebook Inc. have an obligation to comply with Article 44 of the Regulation. 19. At this point, I note that any further processing is not addressed in this Decision. I also note that I do not consider whether the transfer was made directly by defendant to Facebook Inc. or via Facebook Ireland. The question is whether, in the case of a transfer, there was the required level of protection of the data transmitted. 20. The defendant is a private news company. The defandant’s website contains articles of a variety of topics, in Greek. Taking into account the themes of the website’s content, it appears that the website is targeted at persons present in Cyprus. Furthermore, the defendant is based and active only in Cyprus and not in another Member State. 21. The Facebook Pixel tool (hereinafter the “tool”) is a piece of code that is placed on a website and allows measuring the effectiveness of the company’s website ads by understanding the actions that users take on the site. Based on information on a Facebook website, Meta’s Pixel tool (as it’s now called) can help the site-company understand the effectiveness of its ads and the actions users take on the site, such as visiting a page or adding a product to the cart. It is also possible for the company to see when customers have taken any action after seeing the ad on Facebook and Instagram, which can help with retargeting. The Facebook Pixel tool is used to make sure the company’s ads are displayed to the right people, increase the company’s sales, and measure the results of its ads. 22. Regarding the tool, a relevant Facebook website mentions the following: The Meta Pixel can collect the following data: — HTTP Headers – Anything that is generally present in HTTP headers, a standard web protocol sent between any browser request and any server on the internet. This information may include data like IP addresses, information about the web browser, page location, document, referrer and person using the website. — Pixel-specific Data – Includes Pixel ID and the Facebook Cookie. — Click Data – Includes any buttons clicked by site visitors, the labels of those buttons and any pages visited as a result of the button clicks. — Optional Values – Developers and marketers can optionally choose to send additional information about the visit through Custom Data events. Example custom data events are conversion value, page type and more. — Form Field Names – Includes website field names like email, address, quantity, etc., for when you purchase a product or service. We don't capture field values unless you include them as part of Advanced Matching or optional values. 23. It is not known when the tool was installed on the site. However, by studying the har file submitted by the complainant, it is confirmed that at the material time the tool was installed. 24. The defendant decided to integrate the tool into the website for purposes that it has defined. The defendant did not mention to my office the purpose for which she incorporated 9the tool. However, in view of its reply that the Facebook pixel tool is a paid ads tool of the defendant’s Facebook news articles, I consider that the purpose of the inclusion is included in the above reply. Therefore, because of its own choice decision, the tool code, which was provided to it by Facebook, was installed. 25. In the light of the above, I find that the defendant is the controller for that processing, after it has determined the purposes and means of the processing. 26. Due to its own decision to incorporate the tool, the complainant’s personal data was processed. Even if no processing is carried out directly by the defendant or, as she herself mentioned, does not keep a record of the personal data of any user who visits the site, from a Facebook link, any processing is made due to the defendant’s own decision to integrate the tool. 27. Therefore, as a controller, it had to take all measures so as not to undermine the level of protection of personal data which it processes or entrusts to a processor. 28. The Terms of Use of Facebook Business Tools, in section 5.a., state that: To the extent that Business Tool Data includes Personal Data that you process in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the following terms will apply: I. The parties acknowledge and agree that you will have the role of Data Controller in relation to the processing of Personal Data included in the Business Tool Data for the purposes of providing the matching, measurement and analysis services described in paragraphs 2.a.i and 2.a.ii above (e.g. for the provision of Analysis and Reporting for Campaigns), and that you give to Facebook Ireland Ltd.; 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook Ireland”) to process on your behalf, and as a Data Processor, such Personal Data for these purposes, in accordance with the Terms of Use of the Business Tools and the Facebook Data Processing Terms. The Data Processing Terms are explicitly incorporated herein by reference and govern your relationship with Facebook Ireland in conjunction with the Terms of Use of the Business Tools. II. With regard to Personal Data contained in Event Data, it concerns user actions on your websites and apps that incorporate Facebook Business Tools, and for the means and purposes of which you jointly decide with Facebook Ireland, you and Facebook Ireland acknowledge and agree that you will act as Data Controller jointly, in accordance with Article 26 of the GDPR. The joint responsibility for the processing of the data also extends to the collection of such Personal Data through Facebook Business Tools and its subsequent transmission to Facebook Ireland for use for the purposes specified in paragraphs 2.a.iii to 2.a.v.1 (“Joint Processing”) above. For more information, click here. The Joint Processing is subject to the Annex for Data Controllers, which is expressly incorporated herein by reference and governs your relationship with Facebook Ireland in conjunction with the Terms of Use of the Business Tools. Facebook Ireland remains an independent Data Controller pursuant to Article 4(7) of the GDPR for the processing that takes place after the data has been transferred to Facebook Ireland. III. You, as appropriate, and Facebook Ireland remain independent Data Controllers pursuant to Article 4(7) of the GDPR for the processing of Personal Data included in Tool 10Data for businesses that, according to the GDPR, are not subject to paragraphs 5.a.i and 5.a.ii.” 29. There is therefore an assumption by Facebook of the relationship it has with the defendant in relation to the processing of the personal data of visitors to the site. On the basis of this relationship, Facebook Ireland is entrusted with the processing of data by the controller. There are also cases where the defendant and Facebook Ireland have the role of joint controller. However, it is not stated in any way that the defendant has a role other than the above. 30. As mentioned by the complainant, on 12 August 2020 at 11:43 a.m., he visited the website while logged in to a Facebook account with his email address. The har file, which the complainant submitted to my Office, contains information on the communication between the web server and the complainant – visitor, as well as information on cookies used during navigation. Also, data sharing, through cookies, has been revealed from services provided by Facebook. 31. It also includes the cookie file _fbp, which is stored on the user’s device – visitor to a website. With regard to this file, Facebook provides the following information on its website: When the Meta Pixel is installed on a website, and the Pixel uses first-party cookies, the Pixel automatically saves a unique identifier to an _fbp cookie for the website if one does not already exist. The FBP event parameter value must be of the form version.subdomainIndex.creationTime.randomnumber, where: — version is always this prefix: FB — subdomainIndex is which domain the cookie is defined on (‘com’ = 0, ‘facebook.com’ = 1, ‘www.facebook.com’ = 2). If you're generating this field on a server, and not saving an _fbp cookie, use the value 1. — creationTime is the UNIX time since epoch in milliseconds when the _fbp cookie was saved. If you don't save the _fbp cookie, use the timestamp when you first observed or received this FBP value. — Randomnumber is generated by the Meta Pixel SDK to ensure every fbp cookie is unique. Here’s an example of what the FBP value could look like: fb.1.1596403881668.1116446470’ 32. The Facebook Data Processing Terms document states that: Facebook, Inc. has made commitments under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield that may apply to data transferred by you or Facebook Ireland Limited to Facebook, Inc. under the Applicable Product Terms. This refers to a transfer of data from the EU/EEA either directly from the website – company or from Facebook Ireland. 33. Therefore, due to the application of the Facebook Pixel tool on the website, at least the IP address, browser information, website location, pixel ID and click data on the complainant’s terminal were processed. 1134. Because the tool is embedded in the website, Facebook has the technical ability to obtain the information that a particular Facebook account user has visited that website if the user is logged in to his Facebook account. 35. As a result of the application of the Facebook Business Tools tool on the website, cookies were placed on the complainant’s terminal device, which contain a unique randomly generated price. This makes it possible to personalise the complainant’s terminal device and record his/her navigation behaviour in order to display appropriate personalised advertising. 36. The defendant stated that under no circumstances does it collect or process personal data of users. However, even if it does not process it itself, this processing is carried out because of its own decision to integrate the tool into the website. 37. The European Data Protection Supervisor’s decision of 5 January 2022 against the European Parliament on the use of Google Analytics states that cookies that make the user identifiable constitute personal data, regardless of whether the user’s identity is unknown or deleted after its collection. It is also stated that all data containing identifiers that can be used to identify/segregate users are considered personal data and should be handled and protected as such. Although the European Data Protection Supervisor is responsible for the application of Regulation (EU) 2018/1725, this can also be interpreted in this case. 38. Guidelines 5/2021 of the European Data Protection Board on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the Regulation provide for the following three cumulative criteria for the qualification of a processing operation as a transfer: “1) A controller or a processor (“exporter”) is subject to the GDPR for the given processing. 2) The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”). 3) The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.” 39. In relation to the above, the following are apparent: 39.1. the defendant is established in Cyprus and is responsible for the operation of the website, 39.2. the defendant disclosed personal data of the complainant due to the installation of the tool on the website, which resulted in their (final) disclosure to Facebook Inc., 39.3. Facebook Inc. has a registered office in the U.S. 40. Therefore, sharing data on Facebook Inc. is a data transfer. 41. Pursuant to Article 28(1) of the Regulation, the defendant, as a controller, is obliged to use only processors who provide sufficient assurances for the implementation of appropriate technical and organisational measures in such a way that the processing meets the requirements of the Regulation and ensures the protection of the data subject’s rights. In the present case, after the defendant incorporated the tool, it implies that the defendant accepted the terms of data processing contained in the Facebook Business 12Tools document and agreed that Facebook Inc. acts as a sub-processor. That document states, inter alia, that: ‘2. You agree that Facebook may subcontract its data processing obligations under these Terms of Use for data processing to a subprocessor. However, this can only be done by means of a written agreement with the subprocessor which imposes obligations on the subprocessor that are no less burdensome than those imposed on Facebook by these data processing terms. If a subprocessor fails to comply with such obligations, Facebook remains fully liable to you for the fulfilment of the obligations of this subprocessor. You currently authorise Facebook to oblige Facebook Inc. (and other Facebook companies) as its subprocessors. Facebook must inform you in advance of (any) any additional subprocessor(s). 42. On the basis of the information on a Facebook website on the EU-US Privacy Shield, the following is provided: You acknowledge that the use of certain Facebook services for advertisements or measurements (the “Services”) may result in Facebook, Inc. (“Facebook”) receiving data from you (either directly or when acting on behalf of Facebook Ireland Ltd). This is done by referring to the EU-US Privacy Shield or the Swiss-US Privacy Shield (collectively, ‘Privacy Shield’). If the Privacy Shield applies to the data you provide and without limiting any agreement between you and Facebook, you acknowledge and agree to: — Facebook’s Privacy Shield Notice is available at www.facebook.com/about/privacyshield; he explains the certification of Facebook. In accordance with your obligations in connection with your use of the Services, you undertake to provide persons with reasonable and appropriate information about the Services. — Facebook may provide data subjects with contact information about you through the Services, allowing them, among other things, to contact you directly in order to exercise their rights under the Privacy Shield. — Facebook may receive requests or complaints from data subjects and may provide them with an independent mechanism for recourse and dispute resolution. However, you will remain responsible for resolving any complaints made to you by data subjects regarding your processing of the personal data subjects in connection with the Services (whether they are directly addressed to you or to us). — You undertake to take all reasonable steps (including those reasonably requested by Facebook) to enable Facebook to comply with its Privacy Shield obligations, including assistance to resolve complaints. In the event of a conflict between these Terms of Use and other Terms of Use that invoke these Terms of Use, these Terms of shall Use Prevail. Last change: September 29, 2017» 43. On the basis of the above, it appears that due to the visit to the website, data may be transferred to the United States. However, the defendant does not acknowledge at all the possibility of transmission, nor has it answered the relevant questions put to it. Furthermore, it has not provided me with any evidence that no data transmission took place. 44. Furthermore, it appears that at the material time, data transfers made due to the visit to the website were based on the EU-US Privacy Shield. 45. Facebook Inc. is classified as a provider of electronic communications services within the meaning of 50 U.S. Code § 1881(b)(4) and is therefore subject to oversight by 13U.S. intelligence services in accordance with 50 U.S. Code § 1881a (“FISA 702”), and is therefore obliged to provide U.S. authorities with personal data. 46. Due to the transfer to the United States of America, access to the complainant’s personal data could be made by the U.S. authorities, which the defendant cannot ascertain. In this case, the defendant is not relieved of its responsibility for the protection of the complainant’s personal data. Moreover, the defendant continued to maintain the tool on its website, even after the judgment of the European Court of Justice, Case C-311/18, dated 16 July 2020, declaring the ‘EU-US Privacy Shield’ invalid (Commission Implementing Decision (EU) 2016/1250 of 12 July 2016). 47. In the case of transmission, the relevant obligations set out in Chapter V of the Regulation should be complied with. In particular, an adequate level of protection of the data transferred should be provided, as provided for in Article 44 of the Regulation. Therefore, one of the following conditions should be met: 47.1. an adequacy decision pursuant to Article 45 of the Regulation, 47.2. appropriate safeguards, pursuant to Article 46 of the Rules of Procedure, 47.3. derogations for specific situations under Rule 49 of the Rules of Procedure. 48. Due to the above ruling of the European Court of Justice, Case C-311/18, there was no U.S. adequacy decision at the material time. 49. This Decision does not require a more detailed analysis of the legal situation of the United States (as a third country), since the CJEU has already dealt with it in its abovementioned judgment of 16 July 2020. Based on the CJEU ruling, it appears that the EU-US adequacy decision did not provide an adequate level of protection for individuals under the relevant U.S. legislation and the implementation of official surveillance programmes, including under section 702 FISA and Executive Order 12333 in conjunction with Presidential Policy Directive 28 (PPD-28). 50. Furthermore, the defendant has not informed my Office of the existence of appropriate safeguards under Article 46 of the Regulation or of derogations for specific situations under Article 49 of the Regulation. In any event, one of the derogations provided for in Rule 49 of the Rules of Procedure cannot be invoked as a legal basis. 51. On the basis of all the foregoing, I therefore find that the defendant has not shown that, as a result of the transfer, the level of protection of natural persons guaranteed by the Regulation is not undermined, contrary to Article 44 of the Regulation. 52. Pursuant to Article 5(2) of the Regulation, the controller is responsible and is able to demonstrate compliance with paragraph 1 (‘accountability’). However, on the basis of the positions submitted by the defendant to my Office, I note that it has not only failed to demonstrate compliance with Article 5(1) of the Regulation, but also does not recognise the processing carried out as a result of its own decision to incorporate the tool. 53. I therefore find that Article 5(2) has been infringed by the defendant. This would be the case even if the complainant’s data were not transferred to the United States. 54. The complainant also requested that it be clarified whether the provisions of the Facebook Business Tools Terms and Facebook Data Processing Terms, at the time of 14lodging the complaint and as to be amended as of 31 August 2020, met the requirements of Article 28 of the Regulation on the transfer of personal data to third countries. 55. According to Article 5 of the Regulation, the controller is responsible for complying with the principles governing the processing of personal data. However, the possibility that Facebook Inc. will receive requests from U.S. security authorities does not automatically lead to the conclusion that it has determined the purposes and means of the processing, i.e. that it is considered a controller under Article 28(10) of the Regulation. Nor can Facebook Ireland or Facebook Inc. be held liable for a breach of Article 28, since, under that article, the controller bears such responsibility. 56. In addition to the above, it will be necessary to examine whether Facebook Inc. is, in the present case, subject to the obligations set out in Chapter V of the Regulation. On the basis of Guidelines 5/2021 of the European Data Protection Board, a transfer exists where “The exporter communicates by means of a transfer or otherwise makes available personal data, which are subject to such processing, to another controller, joint controller or processor (‘importer’)”. Therefore, the requirements of Chapter V of the Regulation must be complied with by the data exporter, i.e. the defendant, but not the data importer, in this case Facebook Inc. 57. Therefore, in assessing this transfer, no breach of Article 44 of the Regulation by Facebook Inc. can be established. D. Conclusion 58. In the light of all the above elements, as set out above, and in the light of the powers conferred on me under Article 57(1)(f) of the Regulation, I find that there has been a breach by the defendant: 58.1. Article 5(2) of Regulation (EU) 2016/679, by failing to demonstrate compliance with Article 5(1) of the Regulation, i.e. the principle of accountability; and 58.2. Article 44 of Regulation (EU) 2016/679, because it did not ensure that the level of protection of the reporting person guaranteed by the Regulation is not undermined. 59. After taking into account and taking into account: (a) the legal basis in force concerning the administrative penalties provided for in Article 58(2) and Article 83 of the Regulation, (B) all the circumstances and factors which the complainant and the defendant brought before me on the basis of all existing correspondence, I consider that, in the circumstances, the imposition of an administrative fine is not justified. Also, in view of the new EU-US Data Protection Framework, Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequacy of the level of protection of personal data under the EU-US Data Protection Framework, I consider that it is not justified to impose an immediate prohibition or suspension of any transfer of data by Defendant to Facebook Inc. 1560. Nevertheless, having regard to the above facts, the legal aspect on which this Decision is based and the analysis as explained above, and exercising the powers conferred on me by Article 58(2)(b) of the Regulation, I decided in my opinion and in compliance with the above provisions, I should address to the ARKTInos Publications Ltd (“Politis” newspaper): Reprimand for the violation of Article 5(2) of Regulation (EU) 2016/679; Reprimand for the violation of Article 44 of Regulation (EU) 2016/679, and Order to ensure that, if it continues to use the tool, the transfer can take place on the basis of the new EU-US Data Protection Framework, Implementing Decision (EU) 2023/1795, or on the basis of an appropriate guarantee under Article 46 of the Regulation,and inform me thereof within one month of receipt of this Decision. Irene Loizidou Nicolaidou Commissioner for Personal Data Protection 28 February 2024 16