Commissioner (Cyprus) - 11.17.001.008.228
| Commissioner - 11.17.001.008.228 | |
|---|---|
| Authority: | Commissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 5(2) GDPR, Article 44 GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 14.08.2020 |
| Decided: | 28.02.2024 |
| Published: | 18.06.2024 |
| Fine: | n/a |
| Parties: | Google LLC, Cyprus News Agency |
| National Case Number/Name: | 11.17.001.008.228 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | Office of the Commissioner for Personal Data Protection (in EL) |
| Initial Contributor: | im |
The DPA issued a reprimand to the Cyprus News Agency for a failure to ensure the level of data protection during the transfer of its website visitors’ data to the U.S. through embedded Google LLC tools.
English Summary
Facts
The data subject, represented by noyb, visited http://www.cna.org.cy ("website"), operated by the Cyprus News Agency (‘controller’), while logged in to their Google account. The controller is a legal person governed by the Cyprus News Agency Law, established in Cyprus, whose website targets data subjects in Cyprus. The controller processed the data subject's personal data, including their IP address and cookie data. Some of this data was transmitted to Google through embedded Google services, including Google Analytics.
Google Analytics is a measurement service that enables website owners to track visitor traffic and behaviour on their site. It provides insights into visitor interactions and allows owners to view detailed reports via a dashboard. Additionally, it helps measure and optimize the effectiveness of advertising campaigns run on Google Ads. Under the Google Analytics Terms of Service, Google LLC processed personal data for the controller, who agreed to data storage and processing in the USA or any other country where Google or its sub-processors operate.
The data subject claimed that the transfer of their personal data from the controller to Google LLC in the USA, or to any other country outside the EEA, requires a legal basis under Article 44 GDPR. However, the controller continued to rely on the EU-US Privacy Shield, which the CJEU had annulled in case C-311/18, and was therefore unable to ensure adequate protection of the data subject’s personal data. Moreover, Google LLC attempted to rely on standard contractual clauses (‘SCC’) for the transfer of data to the USA, as evidenced by section 10.2 of the New Google Ads Data Processing Terms, contrary to that CJEU judgment.
As a result, the data subject requested the DPA to fully investigate the complaint and clarify:
- what personal data was transferred by the controller to Google LLC in the US;
- on which transfer mechanism the controller based the data transfer;
- whether the provisions of the Google Analytics Terms of Service and the (New) Google Ads Data Processing Terms of Service, at the time of the complaint, met the requirements of Article 28 GDPR regarding the transfer of personal data to third countries.
In addition, the data subject requested an immediate prohibition or suspension of any transfer of data from the controller to Google LLC in the US and an order to return the data to the EU/EEA or another country providing adequate protection pursuant to GDPR.
The controller confirmed that it had embedded the Google Analytics code on its website, but stated that it did not retain access to any information collected by Google Analytics. It claimed that the reasons for the integration were purely statistical: to record the traffic of the website and thus improve and upgrade it.
Additionally, the controller stated that the integration is free of charge and that there is no legal basis on which it rests. In its view, Google LLC is an independent controller with which it has no contractual relationship. The controller therefore maintained its position that it does not transmit any data to third countries.
Holding
Firstly, the DPA determined that the Cyprus News Agency is in fact the controller, because it was its own decision to integrate the tool that enabled the processing of the data subject's personal data. For this reason, the controller was obliged to take all measures so as not to undermine the level of protection of the personal data it processed, including when it outsourced the processing to a processor.
Moreover, the DPA determined that, under the Google Ads Data Processing Terms, Google LLC is a processor which stores and processes data subjects' data in any country in which Google or any of its sub-processors maintains facilities. It can therefore be assumed that Google LLC has a contractual relationship with the controller under which Google LLC is entrusted with processing data on the controller's behalf. This processing can take place outside the EU/EEA.
More specifically, the further investigation revealed that the processing in question included data sharing through cookies, which are stored on the data subject's device and carry unique user identification numbers that make it possible to distinguish between visitors to a website.
The answer to the data subject’s first question is therefore that the controller did transmit their data to Google LLC, namely their unique user identification numbers and IP address. According to the case law of the CJEU, an IP address constitutes personal data under Article 4 GDPR, and it does not lose that status because the means of identification belong to third parties. As a result, the data subject was identifiable through the tool integrated on the controller's website.
Secondly, the controller stated that there was no legal basis for the processing of the data subject’s data. However, processing is lawful only if and insofar as at least one of the conditions set out in Article 6 GDPR applies.
Thirdly, the DPA listed the cumulative criteria for qualifying a processing operation as a transfer under Chapter V GDPR:
1) the controller or processor (‘exporter’) is subject to the GDPR for the processing in question.
2) the exporter shall communicate by transfer or otherwise make available personal data subject to such processing to another controller, joint controller or processor ('importer').
3) the importer is located in a third country, regardless of whether or not that importer is subject to the GDPR for the given processing in accordance with Article 3 GDPR, or is an international organisation.
Applied to the facts of this case, the DPA found that:
1) the controller is established in Cyprus and is responsible for the website operations
2) the controller disclosed data subject’s personal data to Google LLC in the USA
3) Google LLC has a registered office in the USA
Moreover, Google LLC qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and is therefore subject to surveillance by US intelligence agencies pursuant to 50 U.S. Code § 1881a. Since the US authorities could have access to the data subject’s personal data, the controller is not relieved of its responsibility to protect it.
Additionally, the controller could not ensure any of the safeguards required by Article 44 GDPR to guarantee an adequate level of data protection when transmitting data to the US. Firstly, the EU-US Privacy Shield was annulled by case C-311/18, so no adequacy decision was in place at the time. Secondly, it also follows from that judgment that SCCs as a transfer tool cannot bind the authorities of the third country. While SCCs can sometimes ensure the necessary data protection during transfers to third countries, there are cases where these clauses are insufficient, in particular where the third country's laws allow public authorities to interfere with the data subjects' rights, as in this case. Thirdly, the last safeguard option is provided under Article 49 GDPR; however, no reference is or should be made to it in the case at hand, as the user’s consent cannot be used for normal recurrent transmissions, such as the one triggered each time the user visits the website, but only as a derogation for specific situations.
As a result, the controller failed to demonstrate that the level of protection of natural persons guaranteed by the GDPR was not undermined during the transfer, which is a breach of Article 44 GDPR and Article 5(2) GDPR. Additionally, it had to be determined whether Google LLC is subject to the Chapter V obligations of the GDPR. According to the European Data Protection Board's Guidelines 5/2021, a transfer occurs when personal data is communicated or made available to another controller or processor. Therefore, the controller, as the data exporter, must comply with the Chapter V requirements, whereas Google LLC, as the data importer, is not obligated to do so. Consequently, no violation of Article 44 GDPR by Google LLC can be established for this transmission.
In conclusion, the DPA decided to issue a reprimand to the controller for breach of Articles 5(2) and 44 GDPR. Additionally, the DPA ordered the controller to ensure that the transfer through the embedded tool, should it continue to use it, is carried out on the basis of the new EU-US Data Privacy Framework, Implementing Decision (EU) 2023/1795, or on the basis of appropriate safeguards under Article 46 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
REPUBLIC OF CYPRUS
OFFICE OF THE COMMISSIONER FOR PERSONAL DATA PROTECTION
File No.: 11.17.001.008.228
Kypranoros 15, 1061 NICOSIA / P.O. 23378, 1682 Nicosia – Cyprus, Tel: 22818456, Fax: 22304565, E-mail: commissioner@dataprotection.gov.cy, Website: http://www.dataprotection.gov.cy

DECISION

Complaint for personal data breach

Based on the duties and powers conferred on me by Article 57(1)(f) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "Regulation"), I examined a complaint submitted to my Office, pursuant to Article 77(1) of the Regulation, against the Cyprus News Agency (hereinafter the "Defendant"), as well as against the company Google LLC. The complaint was submitted to the Austrian Data Protection Supervisory Authority on August 17, 2020, by a resident of Austria (hereinafter the "complainant"), who is represented, pursuant to Article 80(1) of the Regulation, by the non-profit organization noyb – European Center for Digital Rights. Based on the investigation, I found a violation of the Regulation by the Defendant and, therefore, issue this Decision.

A. Facts of the Case

Positions of the complainant

2. The complaint concerns an alleged violation of the provisions of Chapter V of the Regulation. In the complaint, it is stated, among other things, that:

2.1. the complainant, on August 14, 2020 at 10:42 a.m., visited the website http://www.cna.org.cy (hereinafter the "website"), while logged in to his Google account with his email address,

2.2. the Defendant has integrated the HTML code for Google services (including Google Analytics),

2.3. during the complainant's visit to the website, the Defendant processed his personal data (at least the IP address and cookie data), at least some of which was transmitted to Google,

2.4. the use of Google Analytics is subject to the Google Analytics Terms of Service and the Google Ads Data Processing Terms, which have been updated with effect from August 12, 2020 (New Google Ads Data Processing Terms),

2.5. according to the Google Analytics Terms of Service, Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) is the contractual partner of the controller. Pursuant to point 5.1.1(b) of the Google Ads Data Processing Terms and the New Google Ads Data Processing Terms, Google LLC processes personal data on behalf of the controller and qualifies as a data processor in accordance with Article 4(8) of the Regulation,

2.6. according to point 10 of the Google Ads Data Processing Terms, the controller has agreed that Google may store and process personal data (in the case of the complainant) "[…] in the USA or any other country in which Google or any of its Subprocessors maintain facilities." Such a transfer of the complainant's personal data by the controller (a company based in the EEA) to Google LLC or its subcontractors in the USA (or in any other country outside the EEA) requires a legal basis according to Article 44 et seq. of the Regulation,

2.7. as the CJEU has invalidated the "EU-US Privacy Shield" in decision C-311/18, the controller can no longer base the transfer of data to Google LLC in the US on an adequacy decision pursuant to Article 45 of the Regulation. However, the controller and Google LLC continued to rely on the invalidated "EU-US Privacy Shield" for almost four weeks after the decision, as evidenced by point 10.2 of the Google Ads Data Processing Terms,

2.8. the controller may also not base the transfer of data on standard contractual clauses, in accordance with Article 46(2)(c) and (d) of the Regulation, if the third country does not ensure adequate protection, under EU law, of the personal data transferred under these clauses. The CJEU expressly found that onward transmission to companies falling under 50 U.S.C. § 1881a not only violates the relevant articles of Chapter V of the Regulation, but also Articles 7 and 8 of the Charter of Fundamental Rights of the EU, as well as the essence of Article 47 of the Charter (C-362/14 ("Schrems I"), para. 95). Therefore, any further transmission violates the fundamental right to privacy, data protection and the right to effective legal protection and a fair trial,

2.9. Google LLC qualifies as a provider of electronic communications services within the meaning of 50 U.S.C. § 1881(b)(4) and is, therefore, subject to U.S. intelligence surveillance pursuant to 50 U.S.C. § 1881a ("FISA 702"). According to the Snowden slides and the Google LLC Transparency Report (https://transparencyreport.google.com/userdata/us-national-security), Google LLC actively provides personal data to the US government pursuant to 50 U.S.C. § 1881a,

2.10. consequently, the controller is unable to ensure adequate protection of the complainant's personal data transferred to Google LLC. However, since August 12, 2020, the controller and Google LLC have tried to rely on standard contractual clauses for the transfer of data to the USA, as evidenced by point 10.2 of the New Google Ads Data Processing Terms,

2.11. this practice completely ignores paragraphs 134 and 135 of the above decision of the CJEU, which impose on the controller the legal obligation to refrain from transmitting the data of the complainant, or of others, to Google LLC in the USA. However, for more than one month after the decision, the controller has not acted on it,

2.12. respectively, Google LLC continues to accept data transfers from the EU/EEA on the basis of standard contractual clauses, despite the clear judgment of the CJEU and in violation of Articles 44 to 49 of the Regulation. Google LLC further discloses personal data from the EU/EEA to the US government in violation of Article 48 of the Regulation. In several public statements, Google has acknowledged that it has not changed this practice: "The Privacy Shield frameworks provided a mechanism to comply with data protection requirements when transferring EEA, UK or Swiss personal data to the United States and onwards. While the Swiss-U.S. Privacy Shield currently remains valid, in light of the recent Court of Justice of the European Union ruling on data transfers, invalidating the EU-U.S. Privacy Shield, Google will be moving to rely on Standard Contractual Clauses for relevant data transfers, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR. We are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.",

2.13. pursuant to Articles 58 and 83 of the Regulation, the competent Supervisory Authority may use corrective and sanctioning powers, both against the controller and against the processor, i.e. Google LLC,

2.14. according to the above decision of the CJEU, the competent Supervisory Authority must suspend or terminate the transmission of personal data to the third country, pursuant to Article 58(2)(f) and (j) of the Regulation,

2.15. the complainant requests as follows:

2.15.1. to fully investigate the complaint, pursuant to Article 58(1) of the Regulation, and clarify: (a) what personal data was transmitted by the Defendant to Google LLC in the U.S. or to any other third country or international organization, (b) on which transmission mechanism the Defendant based the transmission of data, (c) whether the provisions of the Google Analytics Terms of Service and the (New) Google Ads Data Processing Terms, when the complaint was submitted, met the requirements of Article 28 of the Regulation regarding the transmission of personal data to third countries,

2.15.2. an immediate ban or suspension of any data transmission from the Defendant to Google LLC in the U.S.A., and an order to return the data to the EU/EEA or to another country that provides adequate protection, pursuant to Article 58(2)(d), (f) and (j) of the Regulation,

2.15.3. the imposition of an effective, proportionate and dissuasive fine against the Defendant and Google LLC, pursuant to Article 83(5)(c) of the Regulation, taking into account that: (a) the complainant is possibly only one of thousands of users (Article 83(2)(a) of the Regulation), (b) when the complaint was submitted, more than a month had passed since CJEU decision C-311/18 and the Defendant had not taken any measures to bring its processing operations into compliance with the provisions of the Regulation (Article 83(2)(b) of the Regulation).

Where reference is made above to the data controller, the Defendant is meant.

Positions of the Defendant

3. As part of the investigation of the complaint, my Office sent letters to the Defendant with clarifying questions on December 23, 2020, January 14, 2021 and June 10, 2022.

4. The Defendant, in letters dated January 12, 2021, February 15, 2021 and July 18, 2022, stated, among other things, the following:

4.1. it is confirmed that there is code for Google Analytics on the website, and each language version of the website has its own code,

4.2. the Defendant does not maintain access to any information and/or element collected by Google Analytics,

4.3. the Defendant does not have facilities in European member states,

4.4. the reasons for the integration are purely statistical, to record the traffic of the website and, by extension, to improve and upgrade it,

4.5. there is no other version of the website in another European country. Therefore, the statistics obtained did not relate to data subjects in more than one Member State,

4.6. there is no possibility of transferring data to the USA,

4.7. the only use made is to collect traffic data for the website. No data is disclosed by the Defendant to anyone. No data was ever disclosed, which even the Defendant does not receive. A traffic report was delivered only to company XXX in March 2020,

4.8. no processing is done or was done by the Defendant. Also, there is no possibility of categorizing data, since such data is not processed,

4.9. the code for the tool on the website is free and the data received is only about traffic. No data is received or processed in any way, either by the Defendant or by any other person,

4.10. the Defendant is not a data controller and therefore there is no set time for data storage. Also, no data is collected or stored,

4.11. the Defendant is based and operates only in Cyprus. Therefore, it does not process personal data in other countries,

4.12. regarding the legal basis for the integration of Google Analytics, and the consequent processing of personal data, including any disclosure to recipients (in particular Google), it was stated that the integration is available free of charge and there is no legal basis on which the integration into the website rests,

4.13. there is no legal or other contractual relationship with Google. Google is an "independent (processor)",

4.14. recipients are not provided with any personal data,

4.15. there is no data controller - processor relationship,

4.16. in relation to Google's terms of use, which apply to Google Analytics, and the data processing terms that were to be updated on 31 August 2020, the Defendant stated that the information required is not available as there is no way to locate or track it,

4.17. the only settings available in Google Analytics are the general overview of the traffic, audience review and the language of the visitors,

4.18. with regard to the decision of the Court of Justice of the European Union in case C-311/18, by which the "EU-US Privacy Shield" (Commission Implementing Decision (EU) 2016/1250 of July 12, 2016) was declared invalid as of July 16, 2020, it was reported that the aforementioned decision, both interim and final, does not apply to the Defendant, since no information is transmitted,

4.19. it is the position of the Defendant that no data is transmitted to third countries by it.

B. Legal Framework

5. According to Article 4 of the Regulation, personal data means "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person in question".

6. The controller, in Article 4 of the Regulation, is defined as "the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its appointment may be provided for by Union law or the law of a Member State."

7. The processor, in Article 4 of the Regulation, is defined as "the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller".

8. Regarding the principles governing the processing of personal data, Article 5 of the Regulation provides the following: "1. Personal data: a) are processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"), b) are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest or scientific or historical research purposes or statistical purposes shall not be deemed incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation"), c) are adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"), d) are accurate and, where necessary, kept up to date; all reasonable steps must be taken to promptly delete or correct personal data which are inaccurate in relation to the purposes of the processing ("accuracy"), e) are kept in a form that allows the identification of the data subjects only for the period necessary for the purposes of the processing of the personal data; personal data may be stored for longer periods, as long as the personal data will only be processed for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1), and subject to the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject ("storage limitation"), f) are processed in a way that guarantees the appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality"). 2. The controller shall be responsible for, and able to demonstrate, compliance with paragraph 1 ("accountability")."

9. Article 44 of the Regulation provides that: "Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or international organization shall take place only if, without prejudice to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and the processor, including for onward transfers of personal data from the third country or international organization to another third country or another international organization. All the provisions of this Chapter shall be applied with a view to ensuring that the level of protection of natural persons guaranteed by this Regulation is not undermined."

10. Pursuant to Article 57(1)(f) of the Regulation, the Commissioner for Personal Data Protection has the duty to: "handle the complaints submitted by a data subject or by a body, organization or association in accordance with Article 80 and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is required."

11. Regarding the submission of a complaint to the Supervisory Authority, Article 77 of the Regulation provides that: "Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his habitual residence, his place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data concerning him infringes this Regulation."

12. Pursuant to Article 58(2) of the Regulation, the Commissioner for Personal Data Protection has the following corrective powers: "a) to issue warnings to the controller or processor that intended processing operations are likely to infringe the provisions of this Regulation, b) to issue reprimands to the controller or the processor where processing operations have infringed provisions of this Regulation, c) to order the controller or the processor to comply with the data subject's requests to exercise his rights pursuant to this Regulation, d) to order the controller or the processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period, e) to order the controller to communicate a personal data breach to the data subject, f) to impose a temporary or definitive limitation, including a ban on processing, g) to order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19, h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met, i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case, j) to order the suspension of data flows to a recipient in a third country or an international organization."

13. Regarding the general conditions for imposing administrative fines, Article 83(2) of the Regulation provides the following: "2. Administrative fines, depending on the circumstances of each individual case, are imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and Article 58(2)(j). When deciding whether to impose an administrative fine, as well as on the amount of the administrative fine in each individual case, the following shall be duly taken into account: a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected by the infringement and the degree of damage suffered by them, b) the intentional or negligent character of the infringement, c) any action taken by the controller or the processor to mitigate the damage suffered by the data subjects, d) the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures they apply pursuant to Articles 25 and 32, e) any relevant previous infringements by the controller or processor, f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects, g) the categories of personal data affected by the infringement, h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller or processor notified the infringement, i) where the measures referred to in Article 58(2) were previously ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures, j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42 and k) any other aggravating or mitigating factor arising from the circumstances of the particular case, such as the financial benefits gained or losses avoided, directly or indirectly, from the infringement. 3. If the controller or processor, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. 4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10 000 000 or, in the case of undertakings, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43, b) the obligations of the certification body pursuant to Articles 42 and 43, c) the obligations of the monitoring body pursuant to Article 41(4). 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20 000 000 or, in the case of undertakings, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9, b) the rights of data subjects pursuant to Articles 12 to 22, c) the transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49, d) any obligations under Member State law adopted under Chapter IX, e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows imposed by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1)."

C. Rationale

14. Based on the information provided by the complainant, it appears that the subject of the complaint is the potential transmission of the complainant's data and whether there was an adequate level of protection of his data, as provided for in Article 44 of the Regulation, due to the integration of the Google Analytics tool (hereinafter the "tool") on the website. In this context, it should also be investigated whether Google LLC has an obligation to comply with Article 44 of the Regulation.

15. At this point, I note that possible further processing is not considered in this Decision.

16. The Defendant is a legal entity under public law and its operation is regulated by the Cyprus News Agency Law. The mission of the Defendant is to inform public opinion on a wide range of issues, as a public information service. The Defendant broadcasts news in Greek, English and Turkish. Taking into account the subject matter of the website's content, it appears that the website is aimed at persons located in Cyprus. Also, the Defendant is based and operates only in Cyprus and not in another member state.

17. The Google Analytics tool is a measurement service that allows website owners to measure, among other things, traffic characteristics. This includes measuring the traffic of visitors to a particular website. In this way, it becomes possible to understand the behavior of website visitors and how they interact with a particular website. Specifically, a website owner can create a Google Analytics account and view reports about the website using a dashboard. Google Analytics can also measure and optimize the effectiveness of advertising campaigns that website owners run on Google advertising services.

18. It is not known when the tool was installed on the website. However, given that, as the Defendant stated, a traffic report was delivered to XXX in March 2020, it follows that the tool was installed by March 2020 at the latest.

19. The Defendant decided to incorporate the tool into the website http://www.cna.org.cy so that, as it stated, the traffic of the website is recorded. After all, the Defendant stated that the reasons for the integration are purely statistical, to record the traffic of the website and, by extension, improve and upgrade it. Therefore, by its own decision, it installed the tool code, which was provided to it by Google LLC.

20. Based on the above decision of the Defendant, I find that the Defendant is the controller for the specific processing, since it has itself determined the purposes and means of the processing.

21. Therefore, the position of the Defendant that it is not the controller is not valid. Due to its own decision to integrate the tool, there was processing of the complainant's personal data. Even if it were true that no processing is or was done by the Defendant, any processing that is done occurred due to the decision of the Defendant itself.

22. Therefore, as a controller, it had to take all measures so as not to undermine the level of protection of the personal data which it processes, or when it entrusts the processing to processors.

23. Point 5.1.1(b) of the Google Ads Data Processing Terms (dated January 1, 2020) and the New Google Ads Data Processing Terms (dated August 12, 2020) states: "(b) Google is a processor of Customer Personal Data under the European Data Protection Legislation."

24. Point 10 of the Google Ads Data Processing Terms (dated January 1, 2020) states that: "Data Storage and Processing Facilities. Customer agrees that Google may, subject to Section 10.2 (Transfers of Data), store and process Customer Personal Data in the United States of America and any other country in which Google or any of its Subprocessors maintains facilities."

24.1. Also, in point 10 of the New Google Ads Data Processing Terms (dated August 12, 2020), it is stated that: "Data Storage and Processing Facilities.
Customer agrees that Google may, subject to Section 10.2 (Transfers of Data), store and process Customer Personal Data in any country in which Google or any of its Subprocessors maintains facilities." 25. There is, therefore, the admission by Google LLC of the relationship it has with the Defendant, regarding the processing of the personal data of the website visitors. Based on this relationship, Google LLC is entrusted with data processing, on behalf of the data controller, which may take place in any country where Google LLC or its subcontractors have facilities. 26. Therefore, the Defendant's position that there is no legal or other contractual relationship with Google LLC and that there is no data controller - processor relationship is not valid. 27. As reported by the complainant, on August 14, 2020 at 10:42 a.m., he visited the website while logged in to a Google account with his email address. The har file, which the complainant submitted to my Office, contains information about the communication between the web server and the complainant - visitor, but also information about cookies used during navigation. Also, data sharing, through cookies, from services provided by Google, for marketing and analytics purposes, has become apparent. 28. Also included are the cookies files _ga and _gid, which are stored on the device of the user - visitor of a website. In these cookies, unique user identification numbers are processed. Unique numbers make it possible to distinguish visitors to a website and whether or not visitors have previously visited that website. By using only these identification numbers it is possible to distinguish the visitors of a website. 29. Based on the above, it appears that there was processing of the complainant's personal data. There has been processing, including transmission, of unique user identification numbers and their IP address. 30. 
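To make the evidence described in paragraphs 27 to 29 concrete, the following is an added example (not part of the decision, and not Google's or noyb's tooling): it parses a constructed HAR fragment of the kind the complainant submitted, lists the requests that leave the first-party site for Google analytics hosts, and extracts the visitor identifier carried by the _ga and _gid cookies. The host list, the cookie values and the client id in the sample are constructed assumptions.

```python
"""Audit a HAR capture for third-party Google Analytics transfers.

Added example, not part of the decision or of any Google/noyb tooling.
It reads a HAR (HTTP Archive, JSON) and reports (a) requests leaving the
first-party site for Google analytics/marketing hosts and (b) the
per-visitor identifier stored in the _ga / _gid cookies. The client IP
address is not in the HAR body: it is exposed by the connection itself.
"""
import json
from urllib.parse import urlsplit

# Constructed host list; extend it to match your own third-party inventory.
GOOGLE_DATA_HOSTS = ("google-analytics.com", "analytics.google.com",
                     "googletagmanager.com", "doubleclick.net")
FIRST_PARTY = "www.cna.org.cy"   # site under audit (named in the decision)

# Constructed HAR fragment: one first-party page load that sets _ga/_gid,
# then one GA beacon that carries the _ga cookie and the client id (cid).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "http://www.cna.org.cy/", "cookies": [],
                 "queryString": []},
     "response": {"cookies": [
         {"name": "_ga", "value": "GA1.2.123456789.1597394520"},
         {"name": "_gid", "value": "GA1.2.987654321.1597394520"}]}},
    {"request": {"url": "https://www.google-analytics.com/collect"
                        "?v=1&tid=UA-0000-1&cid=123456789.1597394520",
                 "cookies": [{"name": "_ga",
                              "value": "GA1.2.123456789.1597394520"}],
                 "queryString": [{"name": "cid",
                                  "value": "123456789.1597394520"}]},
     "response": {"cookies": []}}]}})


def is_google_data_host(host):
    """True if host is, or is a subdomain of, a listed Google data host."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in GOOGLE_DATA_HOSTS)


def ga_client_id(cookie_value):
    """Return the visitor identifier from a _ga/_gid value.

    Format: GA1.<domain depth>.<random number>.<first-visit timestamp>.
    The last two fields are the unique number the decision refers to."""
    parts = cookie_value.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 4 else None


def audit_har(har_text, first_party=FIRST_PARTY):
    """Return {'transfers': [...], 'identifiers': [...]} for a HAR string."""
    entries = json.loads(har_text)["log"]["entries"]
    transfers, identifiers = [], set()
    for entry in entries:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        cookies = req.get("cookies", []) + entry.get("response", {}).get("cookies", [])
        for c in cookies:                      # collect identifiers set or sent
            if c["name"] in ("_ga", "_gid"):
                cid = ga_client_id(c["value"])
                if cid:
                    identifiers.add(cid)
        if host != first_party and is_google_data_host(host):
            sent = {q["name"]: q["value"] for q in req.get("queryString", [])}
            transfers.append({"host": host, "cid": sent.get("cid"),
                              "cookies": [c["name"] for c in req.get("cookies", [])]})
    return {"transfers": transfers, "identifiers": sorted(identifiers)}


if __name__ == "__main__":
    print(json.dumps(audit_har(SAMPLE_HAR), indent=2))
```

Run against a real HAR exported from the browser's developer tools, the report shows whether the identifier set on the first-party domain is the same one later sent to a Google host.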
30. Therefore, the Defendant's position that no processing is or has been carried out, and that no data is received by the Defendant or any other person, is not valid. Neither is the position that no data is collected and stored.

31. According to the Regulation, "processing shall be lawful only if and to the extent that at least one of the conditions referred to in Article 6 applies". Therefore, since there was processing of personal data, there should also be a relevant legal basis for the processing, which, however, the Defendant not only did not indicate to my Office, but stated that there is no legal basis for the integration of the tool.

32. Because the tool is integrated into the website, Google LLC has the technical possibility to obtain the information that a specific Google account user has visited this website, as long as the user is logged in to his Google account.

33. In the decision of the European Data Protection Supervisor of January 5, 2022 against the European Parliament, regarding the use of Google Analytics, it is stated that cookies that make the user identifiable are personal data, regardless of whether the user's identity is unknown or has been deleted after collection. It is also stated that all data that includes identification codes that can be used to identify or single out users is considered personal data and should be handled and protected as such. Although the European Data Protection Supervisor is responsible for the application of Regulation (EU) 2018/1725, the same interpretation can be applied to the present case.

34. According to the case law of the CJEU, specifically the Court's judgment of June 17, 2021, C-597/19, and the Court's judgment of October 19, 2016, C-582/14, it follows that the IP address is personal data pursuant to Article 4 of the Regulation. Also, the IP address does not lose its status as personal data because the means of identification belong to third parties.

35. The combination of unique user identification numbers with other elements, such as browser data or the IP address, may lead to identification of the user. Therefore, as it turns out, it was possible to identify the complainant due to the integration of the tool on the website.

36. In Guidelines 5/2021 of the European Data Protection Board, regarding the interplay between the application of Article 3 and the provisions on international transfers under Chapter V of the Regulation, the following three cumulative criteria are provided for the characterisation of a processing act as a transfer: "1) The controller or processor ("exporter") is subject to the GDPR for that processing. 2) The exporter communicates by transmission or otherwise makes available personal data, which is subject to such processing, to another controller, joint controller or processor ("importer"). 3) The importer is located in a third country, regardless of whether or not that importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation."

37. In relation to the above, the following arise: 37.1. the Defendant is established in Cyprus and is responsible for the operation of the website; 37.2. the Defendant disclosed personal data of the complainant, due to the installation of the tool on the website, which resulted in their disclosure to Google LLC in the USA; 37.3. Google LLC has its registered office in the USA.

38. Therefore, it appears that the installation of the tool on the website resulted in the transfer of the complainant's data to the USA.

39. Google LLC qualifies as a provider of electronic communications services within the meaning of 50 U.S.C. § 1881(b)(4) and is therefore subject to surveillance by the US intelligence agencies pursuant to 50 U.S.C. § 1881a ("FISA 702"), and consequently has an obligation to give the US authorities access to personal data.

40. Due to the transfer to the USA, access by the US authorities to the complainant's personal data could take place, a fact which the Defendant cannot verify. In this case, the Defendant is not relieved of his responsibility for protecting the personal data of the complainant. After all, the Defendant continued to keep the tool installed on his website even after the judgment of the Court of Justice of the European Union in case C-311/18 of July 16, 2020, according to which the EU-US Privacy Shield (Commission Implementing Decision (EU) 2016/1250 of 12 July 2016) was declared invalid.

41. In the case of a transfer, the relevant obligations defined in Chapter V of the Regulation must be observed. In particular, an adequate level of protection of the transferred data must be ensured, as provided for in Article 44 of the Regulation. Therefore, one of the following conditions must be met: 41.1. an adequacy decision, pursuant to Article 45 of the Regulation; 41.2. appropriate guarantees, pursuant to Article 46 of the Regulation; 41.3. derogations for specific situations, pursuant to Article 49 of the Regulation.

42. Due to the above judgment of the CJEU in case C-311/18, there was no US adequacy decision at the material time.

43. A more detailed analysis of the legal situation in the USA (as a third country) is not required in this Decision, since the CJEU has already dealt with it in the aforementioned judgment of 16 July 2020. Based on that judgment, it follows that the EU-US adequacy decision did not provide an adequate level of protection for natural persons, given the relevant US legislation and the official surveillance programmes implemented under it, including under FISA section 702 and Executive Order 12333 in conjunction with Presidential Policy Directive 28 (PPD-28).

44. In the above judgment of the CJEU of July 16, 2020, it was stated that standard contractual clauses, as a transfer tool, cannot bind the authorities of third countries. Specifically, among other things, the following is stated: "125. However, although those clauses are binding on the controller established in the European Union and the recipient of the transfer of personal data established in a third country, where they have concluded a contract referring to those clauses, it is not disputed that those clauses are not capable of binding the authorities of that third country, since they are not party to the contract. 126. Consequently, although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of the standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates."

45. Therefore, the CJEU concluded in its judgment that standard contractual clauses cannot provide guarantees that go beyond a contractual obligation in order to meet the level of protection required by Union law. Specifically, the judgment explains that: "133. It is therefore clear that the standard data protection clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection."

46. However, the Defendant has not informed my Office of the existence of appropriate guarantees pursuant to Article 46 of the Regulation, nor of any additional measures that were required.

47. Furthermore, the Defendant did not make any submission to my Office about derogations for specific situations pursuant to Article 49 of the Regulation. In any case, none of the derogations of Article 49 of the Regulation can be invoked as a legal basis. User consent cannot be used for regular, recurring transfers (such as the one triggered every time a user visits the website), but only as a derogation for specific cases. Besides, I recall that, with regard to the judgment in question, the Defendant stated that it does not apply to him, because no data is transferred.

48. Therefore, the Defendant did not prove that, despite the transfer, the level of protection of natural persons guaranteed by the Regulation is not undermined, in violation of Article 44 of the Regulation.

49. Pursuant to Article 5(2) of the Regulation, the controller is responsible for, and must be able to demonstrate, compliance with paragraph 1 ("accountability"). However, based on the positions that the Defendant submitted to my Office, I find that not only has he failed to demonstrate his compliance with Article 5(1) of the Regulation, but he also does not recognise the processing that was carried out due to his own decision to integrate the tool.

50. Therefore, I find a violation of Article 5(2) by the Defendant. This finding would apply even if there had been no transfer of the complainant's data to the USA.

51. In addition to the above, it should be considered whether Google LLC is subject, in the present case, to the obligations set out in Chapter V of the Regulation. Based on Guidelines 5/2021 of the European Data Protection Board, it follows that there is a transfer if "the exporter communicates by transmission or otherwise makes available personal data, which is subject to such processing, to another controller, joint controller or processor ('importer')". Therefore, the requirements of Chapter V of the Regulation must be complied with by the exporter of the data, i.e. the Customer, but not by the importer of the data, in this case Google LLC.

52. Therefore, assessing the transfer in question, no violation of Article 44 of the Regulation by Google LLC can be established.

D. Conclusion

53. Taking into account all the above elements, as they have been set out, and on the basis of the powers granted to me by virtue of Article 57(1)(f) of the Regulation, I find that there is a violation by the Defendant: 53.1. of Article 5(2) of Regulation (EU) 2016/679, because he did not demonstrate compliance with paragraph 1 of Article 5 of the Regulation, i.e. the principle of accountability; and 53.2. of Article 44 of Regulation (EU) 2016/679, because he did not ensure that the level of protection of the complainant guaranteed by the Regulation is not undermined.

54. Having taken into account and considered: (a) the applicable statutory basis regarding the administrative sanctions prescribed in the provisions of Article 58(2) and Article 83 of the Regulation, and (b) all the circumstances and factors raised before me by the Complainant and the Defendant on the basis of all existing correspondence, I consider that, under the circumstances, the imposition of an administrative fine is not justified. Also, in view of the new EU-US Data Privacy Framework, i.e. Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of personal data under the EU-US Data Privacy Framework, I consider that the imposition of a direct prohibition or suspension of any transfer of data by the Defendant to Google LLC in the USA is not justified.

55. However, having regard to the above-mentioned facts, the legal basis on which this Decision rests and the analysis explained above, and exercising the powers granted to me by Article 58(2)(b) of the Regulation, I decided, at my discretion and in compliance with the above provisions, to address to the Cyprus News Agency:
a Reprimand for the violation of Article 5(2) of Regulation (EU) 2016/679,
a Reprimand for the violation of Article 44 of Regulation (EU) 2016/679, and
an Order that, if it continues to use the tool, it ensure that the transfer can be carried out on the basis of the new EU-US Data Privacy Framework, Implementing Decision (EU) 2023/1795, or on the basis of an appropriate guarantee pursuant to Article 46 of the Regulation, and inform me accordingly within one month of receipt of this Decision.

Irini Loizidou Nikolaidou
Commissioner for Personal Data Protection
February 28, 2024