
DSB (Austria) - D130.1013 2024-0.743.431

From GDPRhub
Revision as of 09:14, 8 January 2025 by Ao
DSB - D130.1013 2024-0.743.431
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 15.12.2021
Decided: 17.12.2024
Published: 17.12.2025
Fine: n/a
Parties: Google
National Case Number/Name: D130.1013 2024-0.743.431
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: GDPRhub (in DE)
Initial Contributor: ao

The Austrian DPA found that Google LLC and Google Ireland are joint controllers for the processing of personal data in connection with Google services in the EEA.

English Summary

Facts

On 11 November 2021, the data subject filed an access request with Google LLC (here, controller 1) through a digital form provided by Google LLC. The data subject specifically requested not to be referred to privacy policies or settings. Google LLC responded to the access request by providing links to privacy policies and noting that the data subject could download his data through his Google account.

On 15 December 2021, the data subject, represented by noyb, filed a complaint with the Austrian DPA (Datenschutzbehörde – DSB) against Google LLC, registered in the United States. The data subject alleged that Google LLC had infringed his right of access to information under Article 15 GDPR. The data subject argued that the information provided by Google LLC was only accessible through tedious collation of information included in different privacy statements, and that this information was vague and not specifically related to the data subject.

On 15 March 2022, Google LLC submitted that it is only responsible for a select few data processing activities, such as the removal of search results. As the access request was not related to this practice, Google LLC argued that Google Ireland was the responsible controller. Responsibility had been transferred from Google LLC to Google Ireland on 22 January 2019.

Further in the proceedings, Google LLC brought forward that it now functions as a processor for Google Ireland and that Google Ireland is the sole responsible controller in the EEA and Switzerland. Google LLC explained that Google Ireland decides on the means and purposes of the product life cycle in the EEA.

Holding

Controllership

The DSB assessed that Google LLC functions as a controlling parent company based on, for example, the fact that Google LLC could not show that Google Ireland independently develops new products.

The DSB drew on the CJEU case IAB Europe, which demonstrated that joint controllership is established when both controllers influence the means and processing of data. Further, unanimous decisions can be an indicator for joint controllership, and the fact that decisions weren’t made at the same time or don’t follow the exact same scope does not preclude joint controllership.

The DSB assessed that Google LLC takes fundamental decisions regarding the Google corporation and substantially influences the orientation and activity of subsidiaries. As Google LLC develops new products, which are intrinsically linked to the processing of data, it exerts direct influence on the means and processing of personal data. The DSB therefore concluded that Google LLC functions as a joint controller with Google Ireland.

Access request

The DSB found that Google LLC had breached Article 15(1)(a)(b)(c) and Article 15(2) GDPR for failing to provide the requested information. The DSB ordered the controller to provide the requested information to the data subject within two weeks.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Barichgasse 40-42
A-1030 Vienna
Tel.: +43-1-52152 0
E-mail: dsb@dsb.gv.at
GZ: D130.1013 Clerk:
2024-0.743.431
Attn: NOYB – European Center for Digital Rights, C-054
Data protection complaint (right to information)
/Google LLC
by email:
DECISION
APPEAL
The data protection authority decides on the data protection complaint of
(complainant), represented by NOYB – European Center for Digital Rights, ZVR: 1354838270,
dated December 15, 2021 against Google LLC (respondent), registered office: USA, represented by
, due to violation of the right to information as follows:
1) The complaint is upheld and it is determined that the respondent has violated the complainant's right to information by not fully complying with the complainant's request for information of November 11, 2021 with regard to the information specified in Art. 15, Paragraph 1, Letters a, b and c and Paragraph 2 of the GDPR.

2) The respondent is ordered to provide the complainant with information within a period of two weeks, otherwise execution will result, which includes the information specified in Art. 15, Paragraph 1, Letters a, b and c and Paragraph 2 of the GDPR. The information must relate to the complainant's personal data and must in any case include the data processing in connection with the complainant's Google account (@gmail.com).

Legal basis: Article 4(7), Article 12(1) and (4), Article 15, Article 26, Article 51(1), Article 57(1) lit. f, Article 58(2) lit. c, Article 77(1) and Article 80(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4 May 2016, p. 1; Sections 18(1) and 24(1), (2)(5) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended.

JUSTIFICATION

A. Arguments of the parties and course of proceedings

A.1. In a submission dated December 15, 2021, the complainant (hereinafter: BF) alleged a violation of the right to information pursuant to Art. 15 GDPR and summarized as follows:

The BF owns the Google account for the email address @gmail.com. " " was the BF's former surname. On November 11, 2024, the BF submitted a request for information to the respondent (hereinafter: BG) using an online form. The request for information concerned all of the BF's personal data. The BF also requested not to be referred to data protection documents or account settings. The BG repeatedly pointed out to the BF that he could download the data via his Google account. In addition, the BG provided several links. The information was largely only apparent by laboriously compiling information in the linked data protection declaration; in addition, the information is abstract and not related to the BF. The complaint in question is expressly directed against the BG (Google LLC) and not Google Ireland Limited (hereinafter: GIL). The BF denies that GIL is responsible for the data processing to which the request for information refers. The alleged "change" of responsibility from the BG to GIL is a mere declaration; legal, technical or organizational changes have not been proven. It is forum shopping in order to achieve jurisdiction of the Irish supervisory authority. In addition, the Google data protection declarations of the BG and GIL are also identical worldwide. The BF has substantiated its argument with references to various other procedures. The BF requests that a violation of law be established and that the BG be instructed to provide appropriate information relating to the processing of the BF's data. Several attachments were attached to the submission.

A.2. In a submission dated March 15, 2022, the BG summarized the following:

The BG is the data protection controller for a small number of processing activities, such as the removal of search engine results. However, the complaint in question does not deal with this limited responsibility. GIL and not the BG is responsible for the processing relevant here. In particular, the BG is neither responsible for the data processing in connection with the Google accounts of Austrian users nor for the data processing of Austrian users in connection with the use of an Android device. GIL has not given up its status as controller either; this cannot be deduced from the attachments submitted by the BF. Only the controller is obliged to provide information. In the present case, this is an obligation of GIL. In addition, there is no right to bring a collective action under Art. 80 (2) GDPR. The BF is an employee of NOYB, which is why he is not authorized to file the complaint. Several attachments were attached to the submission, including a statement of information from the BG (see statement of facts C.2., Figure 2).

A.3. With submissions dated March 21, 2022 and April 20, 2024, the BF summarized as follows:

The BF received a letter from the BG dated March 15, 2022. This letter in no way eliminates the violation of law. The BG has not provided any evidence of the extent to which there was a change in responsibility from the BG to GIL on January 22, 2019. The BG is obliged to cooperate in clarifying the facts. In the BF's opinion, there are several indications that indicate that the BG is solely responsible. Constant "data transfers" are in any case unrealistic. In addition, civil law agreements (for example between BG and GIL) are irrelevant for establishing responsibility. The structure of the Google Group (and the associated global concentration of decision-making powers regarding data processing at BG) also indicate that GIL by no means alone decides on the purposes and means of processing data of European users. The only conceivable alternative is joint responsibility of BG and GIL. In the present case, it is an individual complaint and NOYB has the authority to represent. Several attachments were attached to the submission.

A.4. In a submission dated June 15, 2022, BG submitted in summary as follows:

BG acts as a processor on behalf of GIL with regard to user data of users from the European Economic Area (hereinafter: EEA) and Switzerland. GIL is the sole controller for Google's consumer services in the EEA and Switzerland. This is also evident in the relevant terms of use. The contract with the user grants GIL both legal jurisdiction and factual influence over the processing. It is also GIL and not BG that may be liable to users for compliance with the terms of use. The privacy policy also explains to those affected that, regardless of the location of the data subject, BG is "the controller for the processing of information" that is indexed and displayed in services such as Google Search and Google Maps (e.g. all search results in Google Search). A data processing agreement has also been concluded between BG and GIL. Whenever the introduction of a new product/feature or a new use of data is on the table, an in-depth data protection review is carried out, which includes a detailed assessment of the proposal based on GIL's internal data protection guidelines. In addition, GIL also processes requests from data subjects in the EEA and Switzerland. This also underlines GIL's sole responsibility. GIL is the main location of Google's business activities in the EEA and Switzerland. GIL is the largest of Google's European branches with more than 9,700 employees.

A.5. An oral hearing took place on June 21, 2022 in the presence of the parties.

A.6. In a submission dated July 12, 2022, the BF summarized the following:

The BG is attempting to use the mandatory compliance with the provisions of the GDPR to justify GIL's exclusive responsibility for users in the EEA and Switzerland. However, the obligation to comply with legal obligations under the GDPR is the legal consequence of a data protection responsibility, not the legal consequence of the offense. Compliance with legal obligations is never a decision about ends and means. A company like BG that operates globally and thus in several legal systems must always comply with different local legal provisions. GIL is not responsible just because the GDPR must be followed in the EEA. In addition, the BF's submission contains comments on the minutes and the oral hearing of June 21, 2022.

A.7. In a submission dated July 19, 2022, the BG summarized the following:

In order to carry out the transfer of the controller status to GIL, technical measures were initially taken to assign a single country to each Google account in a way so that the assignment could also be changed dynamically again. Before the transfer of the controller status, around 1.6 billion Google account users were notified. In the EEA and Switzerland, various Google products and services were introduced in a different form. The data is processed in a different way than in the United States, for example when opening a Google account. In addition, the "face grouping" function in Google Photos is implemented differently in the EEA and Switzerland than in the United States. The "Live Albums" function and transactions via "Google Assistant" were introduced in the United States, but not in the EEA and Switzerland. There are also significant product differences in connection with the cookie consent banner and Google devices. The BF's account was assigned to the country of Austria on November 11, 2021 and also before that. The screenshot submitted by the BF was probably due to a faulty link. Several attachments were attached to the submission.

A.8. Following a request from the data protection authority, the BG submitted several attachments in a submission dated August 16, 2022. In addition, it was clarified that the group agreement mentioned on June 21, 2022 was the data processing agreement concluded between the BG and GIL (Appendix ./21). The data protection authority is requested to treat this document as confidential and to exclude it from inspection of the files.

A.9. In a submission dated September 30, 2022, the BG referred in summary to other EU legal acts from which it can be deduced that, among other things, a conclusion can be drawn about responsibility under data protection law from legal requirements. The statements of the BG or the BG representative were taken out of context by the BF. In addition, the BG essentially repeated the previous submissions.

A.10. With a settlement dated October 11, 2022, the data protection authority requested the BG as follows:

"Subject: Request for further comment; list of questions; complaint procedure for GZ: D130.1013

The data protection authority has received your statement dated September 30, 2022. From the point of view of the data protection authority, the matter still needs to be clarified and a full answer to the following questions is requested:

1. During the oral hearing on June 21, 2022, the transfer of responsibility from Google LLC to Google Ireland Limited was discussed. In particular, the changes in the external relationship with the data subjects were discussed (information campaigns, changes to the terms and conditions, etc.).

Please explain what changes in the internal relationship between Google LLC and Google Ireland Limited took place before the deadline of January 22, 2019 ("transfer to Google Ireland Limited") - apart from the conclusion of a group agreement. Please address at least the following points:

a) What specific increase in personnel was there at Google Ireland Limited in the period before January 22, 2019 due to the upcoming changes?

b) Has Google LLC supported Google Ireland Limited in adapting the processes to deal with the new tasks (e.g. help in adapting Google Ireland Limited’s data protection management system)?

c) Has Google LLC prepared Google Ireland Limited’s staff for the changes (e.g. training in dealing with data subject rights requests) and if so, how?

d) How many people are currently (as of October 11, 2022) employed by Google Ireland Limited who are primarily responsible for data protection matters?

2. During the oral hearing on June 21, 2022 and in your last statements, you gave examples of products (and associated processing operations) that are offered by Google LLC but not by Google Ireland Limited.

What is Google Ireland Limited’s specific internal decision-making process when Google LLC develops a new product (in which personal data is processed) and wants to offer it in the EU as well?

For example, will the product be available in the EU? presented by Google LLC and then reviewed internally by Google Ireland Limited before the decision is made at board level? If so, please describe how the review usually takes place.

3. Has Google Ireland Limited already developed its own "Google products" (such as Chromebook, Chromecast, Google Home, Google Nest, etc.) or methods for data processing (e.g. algorithm for data processing in connection with a Google account) in the past?

Or is it usually the case that the products or methods for data processing are generally developed by Google LLC and subsequently presented to Google Ireland Limited (without obligation)?

[…]"

A.11. In a submission dated November 22, 2022, the BG summarized the following:

The BG referred to its previous submissions, according to which GIL's status as controller with regard to the personal data of users from the EEA and Switzerland derives, among other things, from the exercise of its decision-making authority over the purposes and means of processing in the various phases of the product life cycle. It had also already been stated that GIL is subject to various legal obligations under EU law; this is also relevant to GIL's responsibility. With regard to the questions of the data protection authority, it should be noted that GIL can access BG's resources under the processor agreement. Notwithstanding this, GIL has hired additional data protection experts. GIL's staff and management have received comprehensive data protection training. GIL also employed several teams specializing in data protection. The Privacy, Safety and Security Team (“PSS”) reviews product launches from a data protection perspective. The PSS also includes technical experts. In addition, a Google Privacy Committee (“GPC”) has been set up, to which the GIL Board of Directors has delegated certain decision-making powers and responsibility for determining the purposes and means of data processing. Every time a new product/feature or new data usage is introduced, a thorough data protection review is carried out. This review includes completing a Privacy Design Document (“PDD”). A Privacy Working Group (“PWG”) then reviews the PDD and evaluates the proposed data usage. The PWG can refer questions to the Privacy Advisory Council. The GIL Board of Directors oversees the PWG and the Privacy Advisory Council. The definition of a controller does not require the development of “own” products.

A.12. In a submission dated December 20, 2022, the BF summarized the following:

The fact that individual services or configuration options differ in details is not proof that GIL alone makes the decisions about the purposes and means of data processing. It is normal and legally necessary for products from a controller to be adapted in different countries. Many of the differences cited by the BG are due to the spatial applicability of the GDPR, not to different responsibilities. The fact that user accounts are assigned to a specific (EU) state also does not result in separate responsibilities. Whether in the BF's present case an incorrect assignment was made due to a "technical error" cannot be fully verified.

According to the responsibility model propagated by the BG, any company located outside the EEA can evade its responsibility under data protection law by transferring its user contracts to a branch in the EEA by changing its general terms and conditions. The BG always only emphasizes (supposed) differences between services in the EEA/Switzerland and in the USA. Legal provisions can give rise to responsibility if legal provisions explicitly provide for such responsibility or if this is an implicit consequence of a legal authority to specify purposes. The fact that certain legal provisions provide for obligations to process data can only lead to data protection responsibility with regard to those data that the relevant legal provision actually requires to be processed. The purposes listed in Google's global data protection declaration are not addressed in this form by the legal acts cited (such as the Digital Services Act).

A.13. On June 11, 2024, the data protection authority submitted a request for administrative assistance to the Irish supervisory authority (Data Protection Commission, hereinafter: DPC). The request for administrative assistance concerned the allocation of roles between BG and GIL. The Irish supervisory authority responded on September 5, 2024 as follows:

“It is of course the case that such an assessment will always be based on the facts of a given case, and the IE SA has not engaged in a formal assessment of Google Ireland's status as a controller for the particular processing operations in question through the means of a statutory inquiry.

The IE SA has, however, over the course of our regulatory activities to date, seen no reason to doubt the position that Google LLC is the data controller for:

- Personal data contained in information it sources and stores in the Search index, and re-displays in Search results, and in ancillary features of Google Search including Image Search, Knowledge Panels, and Local Listings;
- Personal data contained in imagery data displayed in Google Maps, Google Earth and StreetView; and
- Personal data processed in the context of ‘right to be forgotten’ removal requests.

Similarly, over the course of our regulatory activities to date, we have had no reason to doubt that Google Ireland Limited is the data controller for all other processing of users’ personal data.”

A.14. In its last submission of October 11, 2024, the BF summarized the following:

The DPC’s communication is an almost word-for-word reproduction of the position represented by the BG. A substantive discussion of the communication is obsolete. The DPC claims that it has not carried out any investigative activities on the question of responsibility in the present case. It is not clear in what form the DSB has urged the DPC to clarify the actual responsibility. The ECJ’s case law that has since been issued only allows the conclusion of joint responsibility. Reference should be made to the IAB Europe case, for example. Based on the results of the investigation to date, the influence of the BG on GIL is far more extensive than that which IAB Europe exerts on its members based on its regulatory framework. Reference should also be made to a ruling by the Cologne Higher Regional Court of July 4, 2024. In this ruling, GIL was considered (co-)responsible for processing in connection with the Google search engine, whereby data protection declarations were irrelevant. The court also pointed out that the responsibility of one Google company does not exclude the responsibility of another. In addition, reference should be made to the previous submissions.

B. Subject matter of the complaint

B.1. Based on the submissions of the BF, it emerges that the subject matter of the complaint is the question of whether the BG violated the BF's right to information under Art. 15 GDPR by not providing complete information about the complainant's personal data on the occasion of the application of November 11, 2021. In addition, the subject matter of the complaint is limited to an alleged violation of the right to information in connection with Art. 15 (1) (a), (b), (c) and (2) GDPR (see the BF's submission of December 15, 2021, p. 8 and in particular the minutes of the oral hearing of June 21, 2022, p. 3).

B.3. First of all, the question must be addressed as to whether the BG is responsible for the data processing relevant here (possibly jointly with GIL) in accordance with Art. 4 (7) GDPR, since only in this case is there an obligation to provide information. “Data processing relevant here” is to be understood as data processing in connection with Google services (in particular when using a Google account) by Google users in the EEA.

C. Findings of fact

C.1. The BF uses the Google account for the email address @gmail.com. “ ” was the BF’s previous last name. On the mobile phone, the BF used at least the following Google services while logged into his Google account: Google Chrome, YouTube, Google Maps, Google Messenger, Google Gmail and Google search engine.

On November 11, 2021, the BF submitted the following request to the BG using an online form (https://support.google.com/policies/contact/sar):

Figure 1

On November 12, 2021, the BF received feedback from the address @google.com that the requested information may already be available via a secure online tool. The BF can log into the Google account and access the information via a link. Reference was also made to the privacy policy. The sender is named as "Google", although it is not clear whether this is BG (i.e. Google LLC) or Google Ireland Limited (hereinafter: GIL).

On November 18, 2021, the BF replied to the address @google.com that he wanted to receive all information in accordance with Art. 15 GDPR (including a copy of the data).

On December 3, 2021, the BF again received, among other things, feedback from the address @google.com that the data processed in connection with the Google account can be accessed remotely via the Google account. Specifically, the response from December 3, 2021 was as follows:

"From: < @google.com>

Date: Fri., Dec. 3, 2021 at 12:01 p.m.

To: < @gmail.com>

Dear Sir,

Thank you for your email.

We understand that your request regarding personal data processed by Google refers to “ALL services where you process my data” and is not limited to information linked to your Google account.

Accordingly, we assume that you are referring to both use of Google services where you are signed in to your Google account and use where you are not signed in to a Google account. We will address both of these scenarios below.

Signed in use of Google services – Access to your Google account also gives you access to data processed in connection with your Google account. Through access to the Google account, we also provide users with a number of secure online tools to obtain additional copies of the data linked to their Google account. This remote access to data via the Google account is the most effective and secure way to meet users’ right to information about personal data processed as part of their use of Google services as signed in users. Providing the data in this way ensures that it is provided in the most precise, transparent, understandable and easily accessible form possible.

This remote access is in line with the GDPR, which provides that: “Where possible, the controller should be able to provide remote access to a secure system that would allow the data subject direct access to their personal data.” This form of access also reflects the regulatory guidelines, which provide that the means by which a controller facilitates the exercise of their rights by data subjects should be proportionate to the context and nature of the relationship and interactions between the controller and the data subject.

Given the variety of services available to our users and their interactive nature, some data points may not appear in the online tools we make available to you. If you have used the access and tools and cannot find the data you are looking for, respond to this email for further assistance.

Unregistered use of Google services – If you, as a non-registered user, request data that is processed as part of your use of Google services, please note that according to Art. 25 GDPR (data protection by design), Google uses its systems and services to implement the data protection principles, including data minimization. When Google provides its services to non-registered users, there is no need for Google to identify the data subjects based on any personal data that Google processes for the purposes described in Google's privacy policy in connection with the provision of these services.

Accordingly, Google is not able to identify the data subject based on such data.

Therefore, Google cannot confirm whether such personal data has been processed in relation to you if you were a non-registered user of Google services, nor can Google provide a copy of such personal data (if any) if it is still stored.

Our commitments

Regarding the information required by Articles 15(1) and 15(2) GDPR, we have already described in our previous answer that we are committed to being clear about what information we collect and how we use it. Our Privacy Policy and Security Center help you understand, through clear language and descriptive videos, what information we collect, why we collect it, how and to whom it is disclosed, and how we keep it safe and secure.

We also provide such information to you below

Why Google collects data. We use the data we collect through our Services to provide our Services, maintain and improve our Services, develop new Services, provide personalized services, including personalized content and ads, measure performance, communicate with you, protect Google, our users and the public. For more information, see this section of our Privacy Policy.

Data collected by Google. We collect data to provide better services to all our users - from determining basic information like your language to more complex questions like ads you find most useful, the people you interact with most online, or the YouTube videos you find interesting. For more information, see this section of our privacy policy. Disclosure of data We do not disclose your personal data to companies, organizations or individuals outside of Google, except in limited circumstances, such as when you consent to do so; or when Google is required to share data for legal reasons. For more information, see this section of our privacy policy.

Retention of your information. We retain collected data for different periods of time, depending

on the data, how we use it, and how you configure your settings. When

personal data is no longer needed, Google deletes it or anonymizes it. How

long Google retains data depends on the reason for which it was originally collected. For more

information, see this section of our Privacy Policy.

Rights of the data subject. We provide the controls described in the Privacy Policy so that you can exercise your rights to access, update, delete, and restrict the processing of your data. In addition, you have the right to

object to the processing of your data or to export your data to another service. For more

information, see this section of our Privacy Policy. Concerns about your

privacy. You can contact your local data protection supervisory authority if you have concerns about

your rights under local law.

Data transfers. We operate servers around the world. Therefore, your data may be processed on servers located outside the country in which you live. Regardless of where your data is processed, we generally apply the same protective measures described in the privacy policy. We also adhere to certain legal frameworks for data transfers.

If you have any further questions, please reply to this email with your reference number.

Kind regards

Google"

The Google privacy policy (as of December 15, 2021) provides information on data processing that does not relate to a specific data subject. The same applies to the current privacy policy at https://policies.google.com/privacy?hl=de. Appendix ./7 of the BF's submission of December 15, 2021 is used as the basis for the findings of fact.

Assessment of evidence on C.1.: The findings are based on the BF's submission of December 15, 2021 and the annexes ./3 (Figure 1) and ./4 (correspondence between BF and BG) submitted therein. The findings are undisputed. The finding that the BF used certain Google services on his mobile phone while he was logged into his Google account is based on his credible statement during the oral hearing (see the minutes of the oral hearing of June 21, 2022, p. 4). In addition, the BG did not dispute these statements by the BF.

The finding that the information contained in the Google data protection declaration does not refer to specific data subjects results from the BF's submission of December 15, 2021 and the annex ./7 (Google data protection declaration) submitted therein. In addition, the findings are based on an official search at https://policies.google.com/privacy?hl=de (last accessed on December 13, 2024). This information is general information that does not take into account the specific situation of the person concerned.

C.2. The BF then filed the complaint in question (ref. no.: D130.1013) with the data protection authority. As part of the complaint procedure, the BG sent the following information to the BF on March 15, 2022:

"Google LLC / - Request for information

Dear Sir,

We have been contacted by the Austrian data protection authority regarding a complaint filed by noyb on your behalf against our client Google LLC ("GLLC"). The complaint alleges that you are dissatisfied with GLLC's response to a request for information submitted on November 11, 2021 via an online web form.

Please note that, as explained in the Google Privacy Policy, Google Ireland Limited ("GIL") is the controller of personal data of users of Google services located in the European Economic Area or Switzerland. GLLC is the controller with respect to the processing of information indexed and displayed in services such as Google Search and Google Maps and with respect to personal data processed in the context of related matters, such as responding to requests regarding data subject rights in relation to information processed in connection with data indexed and displayed in services such as Google Search and Google Maps and with respect to the processing of data for the establishment, exercise or defense of legal claims ("Procedural Data").

Neither your initial request, your subsequent response nor the subsequent complaint to the Austrian Data Protection Authority indicated that you were requesting access to the few personal data that GLLC could process as a controller.

Instead, the complaint filed with the Austrian Data Protection Authority claims in point 2.1 that you are a “customer” of GLLC by referring to the fact that you have a “Google account” and use Android devices.

GLLC is not the controller for the processing of personal data related to the Google accounts of Austrian users and is also not the controller for the processing of Austrian user data related to the use of an Android device. To the extent that a Google company processes data related to your use of an Android device or Google account as a controller, GIL is the controller. Accordingly, your request for information targets a processing for which GIL is the controller.

Even if one assumes that your request for information relates to data that is indexed and displayed in services such as Google Search and Google Maps, it is clearly unfounded because you can access this data yourself at any time by using the Google Search or Google Maps services. At least, such a request for information would be considered fulfilled by this. This is because GLLC thereby "makes available" a copy of the personal data in the simplest way possible for you.

Regardless of the fact that GIL has already complied with your request for information in accordance with Art. 15 GDPR, we would also like to answer your request for information with regard to procedural data.

We note that our client is not obliged to provide this additional information and that it is therefore provided without prejudice and in excess of the obligations incumbent upon it.

1. Confirmation as to whether personal data concerning you is being processed (Art. 15 para. 1 GDPR)

We hereby confirm that GLLC processes personal data concerning you in connection with procedural data.

2. Processing purposes (Art. 15 para. 1 lit. a GDPR)

GLLC may process your personal data for the purposes of complying with legal obligations under Chapter III GDPR and defending against legal claims.

3. Categories of personal data that are processed (Art. 15 para. 1 lit. b GDPR)

GLLC processes the following categories of personal data about you:

• Name, date of birth and contact details as well as correspondence on various pending data protection proceedings in which you appear as an applicant, complainant or party representative (procedural data)

4. Recipients or categories of recipients to whom the personal data have been or will be disclosed (Art. 15 para. 1 lit. c GDPR)

GLLC has disclosed your personal data to the following categories of recipients:

• Data protection authorities conducting proceedings in which you appear as a complainant or party representative

• Law firms that advise or represent us in these proceedings, such as currently in Austria

5. Planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration (Art. 15 Para. 1 lit. d GDPR)

Procedural data are generally retained as long as the respective procedure is still pending and in addition, as long as the decisions made in the procedure may be relevant for GLLC for the determination, assertion and defense of claims in further proceedings.

6. Rights of the data subject (Art. 15 Para. 1 lit. e and f GDPR)

Under the conditions set out in Chapter III of the GDPR, you have the right to request that GLLC correct or delete personal data or restrict the processing of personal data concerning you, or to object to such processing.

You also have the right to lodge a complaint with a supervisory authority.

7. If the personal data is not collected from you, all available information on the origin of the data (Art. 15 para. 1 lit. g GDPR)

GLLC processes data concerning you from the following sources:

• Publicly accessible websites
• Administrative authorities, in particular the Austrian Data Protection Authority

8. Existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for you (Art. 15 para. 1 lit. h GDPR)

GLLC does not make any automated individual decisions that would have legal effects on you or significantly affect you in a similar way.

9. If personal data is transferred to a third country or to an international organization, information on the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer (Art. 15 para. 2 GDPR)

In addition to the adequacy decisions of the European Commission pursuant to Art. 45 GDPR, GLLC relies on the following appropriate safeguards for data transfers to third countries:

• Standard data protection clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, if applicable, in conjunction with Art. 46(5) second sentence GDPR

10. Copy of the personal data that are the subject of the processing (Art. 15 para. 3 GDPR)

Figure 2

Assessment of evidence on C.2.: The findings made are based on the BG's submission of March 15, 2022 and the Annex ./4 submitted therein (Figure 2). The findings made are undisputed.

C.3. BG is a world-leading technology company that is best known for its Google search engine. In addition to providing Internet search services, BG develops and operates numerous other products and services, including online advertising and cloud computing.

The Google Group has several branches in many countries around the world. BG's headquarters are in the USA. The group's top management is Alphabet Inc., and BG is a subsidiary of Alphabet Inc. BG is in turn the parent company of all European and African subsidiaries, including GIL.

The BG headquarters makes fundamental decisions about the Google Group that have a significant impact on the direction and activities of the international branches. In this way, Google ensures a uniform strategic direction and close integration of the group's global activities. In addition, the BG is involved in the introduction of new Google products in the EEA by making corresponding proposals to GIL.

Evaluation of evidence on C.3.: The findings on the basic activities of the BG and the Google Group are generally known and undisputed. The findings on the structure of the Google Group are based on the statement of a representative of the BG (see the minutes of the oral hearing of June 21, 2022, p. 9 f.). The finding that the Google Group pursues a uniform strategic direction globally is also based on a statement by a representative of the BG (see the minutes of the oral hearing of June 21, 2022, p. 13).

The findings that fundamental decisions are made from the headquarters of the BG and that the global corporate strategy is developed and that this has a significant influence on the direction and activities of international branches are based on several factors: From the point of view of the data protection authority, it is obvious from general experience that it is not other smaller locations of the Google Group, but the BG that sets the fundamental corporate strategy for Google and decides to what extent the introduction of products or features within certain markets (such as the EEA) should be sought. The fact that the Google Group may have an international network of development centers or that the specific circumstances of the introduction of products or features within a certain market are left to the respective subsidiaries (such as GIL, see the findings of fact C.5.) does not harm the BG's established influence on the international locations of the Google Group. The fact that BG is a controlling parent company (see the minutes of the oral hearing of June 21, 2022, p. 10) and that such a large group still needs a central office that makes decisions and determines the group strategy also supports the conclusion of the data protection authority. The fact that BG only gave an evasive answer to the question of whether locations such as GIL are also developing new Google products (see the BG's statement of November 22, 2022, para. 34 ff) also supports the conclusion of the data protection authority. In conjunction with other statements by BG, the conclusion is that it is BG that - as already stated - initiates the introduction of new products and features within certain markets (see the BG's statement of November 22, 2022, para. 27 ff). In this respect, the orientation and activities of international branches are also significantly influenced.

C.4. Since January 22, 2019, GIL has been named as the data protection controller in all documents that affect Google users in the EEA. This includes in any case the terms of use that apply when using Google services and the privacy policy. Google users in the EEA have been informed of these circumstances. The changes were made, among other things, so that Google users have a Google company based in the EEA as a contact person and so that compliance with the requirements of the GDPR is guaranteed as best as possible.

In addition, BG has concluded a group agreement with GIL entitled "Data Processing Agreement (Controller to Processor)". This stipulates, among other things, on a contractual basis that BG will act as GIL's processor in connection with numerous Google services in the EEA.

Google users in the EEA are identified based on several factors. The assignment is primarily made using a geolocation tool (IP address, WiFi connection, language settings). This is intended to ensure that Google users in the EEA are provided with the appropriate version of Google services.

Assessment of evidence on C.4.: The finding that GIL is named as the data protection controller in various documents of the Google Group as of January 22, 2019, results from the BF's submission of December 15, 2021 and the documents submitted therein (see, for example, Annex ./6). The finding that the changes were made, among other things, to establish a contact person in the EEA and to ensure compliance with the requirements of the GDPR, as well as the findings in connection with the geographical allocation of Google users in the EEA, arise from the statement of a representative of the BG (see the minutes of the oral hearing of June 21, 2022, p. 7 f.). From the point of view of the data protection authority, the statements of the representative of the BG were comprehensible and there are no indications to cast doubt on them. The findings in connection with the group agreement arise from the submission of the BG of August 16, 2022 and the appendix ./21 submitted therein, as well as from the statement of a representative of the BG (see the minutes of the oral hearing of June 21, 2022, p. 9 f.). The above-mentioned Annex ./21 was excluded from the inspection of the files by the BF.

C.5. GIL is based in Ireland and employs several thousand people there. Different organizational units have been set up within GIL. One organizational unit deals with the processing of data protection applications.

GIL has introduced a process that is followed before new products (or features) are introduced that are submitted to GIL by the BG and concern the processing of personal data of Google users in the EEA.

First, the product is subjected to a data protection review by GIL and an assessment is made based on the internal data protection guidelines. In the second step, a Privacy Design Document (PDD) is filled out for documentation purposes, among other things. A Privacy Working Group (PWG) set up within GIL evaluates the proposed data processing. The data protection officer reviews planned processing as part of a data protection impact assessment if it is classified as potentially risky in the PDD. The PWG can, among other things, forward data protection issues to the Privacy Advisory Council (PAC). The representatives of the GIL board of directors are main members of the PAC. The GIL board of directors oversees the work of the PWG and the PAC through regular reporting, monitoring and evaluation of the data protection audits carried out.

The BG does not give GIL any instructions to introduce or further develop a product (or feature) in the EEA. Such an introduction will not be implemented in the EEA without the will of GIL.

Assessment of evidence on C.4.: The findings on the number of employees and the organizational units arise from the statement of a representative of the BG (see the minutes of the oral hearing of June 21, 2022, p. 8 f.) and from the BG's submission of November 22, 2022 (p. 5). The findings on the internal process and the associated decision-making authority of GIL arise from the BG's submission of November 22, 2022 (p. 8 f.). It is understandable that - given the legal framework, in particular the GDPR - a comprehensive review of products is carried out before their introduction in the EEA. From the point of view of the data protection authority, there are also no indications to doubt the steps of the process described. In addition, a representative of the BG credibly conveyed during the oral hearing that the decision on the introduction of new products is not made unilaterally by the BG and that GIL has the corresponding freedom of decision (see the minutes of the oral hearing of June 21, 2022, p. 10). The examples cited by the BG on the different design of Google services in the EEA compared to the rest of the world (in particular the USA) also support the data protection authority's findings of fact (see the minutes of the oral hearing of June 21, 2022, p. 10 f.).

D. From a legal point of view, this means:

D.1. On the allocation of roles

a) General considerations

According to Article 7(7) GDPR, a “controller” is the natural or legal person, public authority, institution or other body which, alone or jointly with others, decides on the purposes and means of processing personal data.

The role of the controller arises primarily from the consideration that a specific body has decided to process personal data for its own purposes. The “purpose” describes an expected result, while the “means” determine the manner in which the expected result is to be achieved (cf. European Data Protection Board, Guidelines 07/2020 on the terms “controller” and “processor” in GDPR version 2.0, adopted on July 7, 2021, para. 15 ff.).

In addition, the term “controller” is a functional term. The distribution of roles therefore does not depend on the legal status or a formal designation of an actor; rather, the roles are generally assigned based on the analysis of the factual elements or circumstances (cf. EDPB, Guidelines 07/2020 as amended, para. 12).

Based on these considerations, the following can be noted for the present case:

b) Regarding Google Ireland Limited (hereinafter: GIL)

The first step is to examine whether GIL makes the decision on the purposes and means of data processing in connection with Google services (in particular when using a Google account) by users in the EEA and is therefore to be classified as a controller in accordance with Art. 4 Z 7 GDPR. This is subsequently referred to as “data processing relevant here”.

GIL is a large company based in Ireland that employs several thousand people. GIL has set up various organizational units for data protection, including a special team to handle data protection applications (see statement of facts C.5.). Therefore, it cannot be assumed that GIL's location was only set up pro forma.

In addition, GIL has developed a detailed process that is always followed before the introduction of new Google products or features in the EEA. The GIL Board of Directors monitors these processes closely and can intervene at any time. Since the Google Group's products and features often involve the processing of personal data of Google users, the GIL Board of Directors has influence over data processing. GIL's influence is also not limited - similar to legal advice - to a mere examination of the conformity of Google products with the GDPR before their introduction in the EEA. As established, such an introduction will not be implemented without the will of GIL (see all of this, Fact finding C.5.).

In this respect, the situation is comparable to the facts in the IAB Europe case.

In this case, the ECJ considered it sufficient for data protection liability that a body provides guidelines, instructions, technical specifications, protocols and contractual obligations with regard to data processing that enable both the provider of a website or application and data brokers or advertising platforms to lawfully process personal data of a user of a website or application (see ECJ March 7, 2024, C‑604/22 para. 62 ff.).

In the case of Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos, the ECJ once again reaffirmed the broad understanding of a data protection controller. For responsibility, it is sufficient if an entity has played an active role in the development of a mobile application and specified certain parameters of the application, even if the development was carried out by another entity (see ECJ 5 December 2023, C‑683/21, paras. 28 et seq. and 32 et seq.).

In view of the ECJ's case law cited, nothing else can apply to GIL. Due to the processes described above, before the introduction of new Google products in the EEA, influence is exerted (by the GIL board) on the result that is pursued with the associated data processing and how this data processing is to be specifically designed for Google users in the EEA in order to ensure conformity with, among other things, the GDPR. The fact that GIL does not develop Google products itself is irrelevant here.

c) Interim result

Based on these considerations, it can be assumed that GIL influences the purposes and means of the data processing relevant here and that GIL meets the definition of Art. 4 Z 7 GDPR. GIL is therefore to be qualified as the controller in any case.

d) Regarding BG (Google LLC)

In the second step, it must be checked whether BG is also to be classified as the controller for the data processing relevant here and whether there is joint responsibility within the meaning of Art. 26 GDPR with GIL.

In the IAB Europe case already cited, the ECJ stated that participation in the decision on the purposes and means of data processing can take various forms and can result from a joint decision by two or more institutions as well as from consistent decisions by such institutions. In the latter case, these decisions must complement each other in such a way that each of them has a concrete impact on the decision on the purposes and means of processing. In addition, it does not harm joint responsibility that the decisions are made to different extents and at different stages (i.e. times) of data processing (see ECJ March 7, 2024, C-604/22 para. 58 et seq.).

In the Jehovah's Witnesses case, the ECJ assumed joint responsibility of the religious community and its preaching members. In this regard, it stated that it is indeed up to the preaching members of the Jehovah's Witnesses community to decide under which specific circumstances they collect personal data about people they visit, what data they collect exactly and how they subsequently process it; however, the data collection takes place in the context of door-to-door preaching activities, with which the preaching members of the Jehovah's Witnesses community spread the faith of their community. Preaching activities are an essential form of activity of this community, which is organized and coordinated by it and which it encourages (cf. ECJ 10 July 2018, C-25/17 para. 70).

In the present case, the BG makes the fundamental decisions about the Google Group and significantly influences the orientation and activities of the international branches. In addition, the BG ensures a uniform strategic direction in order to be able to offer Google services worldwide as uniformly as possible (see factual findings C.3.).

The BG's influence is not limited to business issues:

As stated, the BG promotes and coordinates the development of new products from the Google Group.

As Google products regularly involve the processing of personal data due to the specific focus of the Google Group, the BG has a direct influence on data processing. By promoting and coordinating product development, the BG also influences the technical and organizational specifications of data processing.

This influence is further strengthened by the fact that Google is involved in the introduction of these products in the EEA. This is particularly evident in the fact that GIL does not develop its own Google products and the introduction of new products in the EEA (and the associated data processing) is always initiated by the BG.

In this context, the BG argues, with reference to Recital 78, fourth sentence of the GDPR, that the definition of the controller does not require the development of "own" products and, for example, Microsoft does not become the (joint) controller simply because the data protection authority records the recording of a witness statement in a Microsoft Word document.

However, the BG overlooks the fact that the data protection authority has no corporate relationship with Microsoft and that Microsoft Word is used exclusively to fulfill its own purposes - namely the tasks described in Art. 57 GDPR and Section 21 DSG.

In contrast, the BG is the parent company of GIL, which - as stated - aims to offer Google products worldwide as identically as possible. By offering Google products in the EEA, the Google brand is directly promoted, from which the group as a whole and thus also the BG as the central control center benefits.

In this respect, the ECJ's considerations in the above-mentioned cases can be applied to the present case, especially since the relationship between BG and GIL is, for the reasons set out, even closer than that between IAB Europe and its industry members.

This conclusion is not affected by the fact that no Google products will be introduced into the EEA without GIL's consent and that GIL has the corresponding decision-making authority (see factual findings C.5.): The fact that GIL does not have to follow any instructions from BG in this regard may be relevant to the question of order processing in accordance with Art. 28 GDPR. For joint responsibility in accordance with Art. 4 Z 7 in conjunction with Art. 26 GDPR, however, it is only necessary that a joint decision is made on purposes and means. As the case law of the ECJ shows, this decision can also be based on converging decisions (see also EDPB, Guidelines 07/2020 as amended, para. 54 ff. on converging decisions within the framework of joint responsibility).

In addition, it does not harm joint responsibility if no agreement has been concluded between the responsible parties – as in the present case – in accordance with Art. 26 GDPR (see ECJ December 5, 2023, C‑683/21 para. 35).

e) Result

In summary, the decisions of the BG and GIL with regard to the data processing relevant here and the associated purposes and means complement each other in such a way that the processing would not be conceivable without the involvement of the other body.

As a result, there is joint responsibility between BG and GIL in accordance with Art. 4 Z 7 in conjunction with Art. 26 GDPR.

D.2. On point 1 of the ruling (determination)

a) On processing the request for information

In the present case, the BF submitted a request for information to the BG using an online form (see determination of facts C.1.).

Insofar as the BG repeatedly points out to the BF that GIL is the controller for the data processing relevant here, it must be countered that a data subject can assert his or her rights as a data subject against each of the joint controllers in accordance with Art. 26 Para. 3 GDPR. The aforementioned provision also states that internal agreements between the joint controllers are irrelevant to the data subject. It follows that it is up to the joint controllers to create internal structures in order to fulfill requests for information in a timely manner (cf. EDPB, Guidelines 07/2020 as amended, para. 186 ff).

b) Regarding information

As can be seen from the findings of fact, the BF was referred to the Google data protection declaration with regard to the information specified in Art. 15 Para. 1 lit. a, lit. b and lit. c and Para. 2 GDPR. In addition, general information was made available to the BF, which, however, does not relate to the BF (see factual findings C.1.).

In view of the requirements for notifications set out in Art. 12 Para. 1 GDPR - according to which they must be transmitted in a precise, transparent, understandable and easily accessible form in clear and simple language - it cannot be assumed that the BF's request has been fully met:

Due to the large number of Google products and the associated extensive and complex processing activities, it is unreasonable to expect the complainant to independently deduce from the general data protection declaration which specific data is processed for which specific purposes, to whom this data was actually transmitted and which specific appropriate guarantees have been taken in connection with a possible international data transfer.

The wording of Article 15, Paragraph 1, Second Half of the GDPR already suggests that information about the data of the person concerned must be provided; blanket references to a far-reaching data protection declaration (such as the BG has) are therefore not sufficient.

The information provided by the BG in the context of the proceedings before the data protection authority is also not sufficient. As can be seen from the findings of fact, this information relates exclusively to the processing of the BF's data in connection with the complaint in question (see findings of fact C.2.).

The violation of law was therefore to be determined in accordance with Article 58, Paragraph 6 of the GDPR in conjunction with Section 24, Paragraph 2, Item 5 and Paragraph 5 of the Data Protection Act.

D.3. On point 2 of the ruling (performance contract)

The performance contract includes information about the personal data relating to the BF, insofar as the BG can assign this to the BG. It can be assumed that an assignment to the BF's Google account (@gmail.com) is possible in any case. Based on the above considerations, it is not permissible to refer the BF to the BG's data protection declaration in general.

A period of two weeks is appropriate in view of the size of the BG and the resources available to it in order to fulfil the service contract, especially since this is limited to the information specified in Art. 15 Para. 1 lit. a, lit. b and lit. c and Para. 2 GDPR and, for example, no extensive redaction of documents is required when transmitting a data copy.

The service contract is based on Art. 58 Para. 2 lit. c GDPR and had to be issued in accordance with Section 24 Para. 5 DSG.

LEGAL REMEDIES INSTRUCTIONS

A written complaint can be lodged against this decision to the Federal Administrative Court within four weeks of delivery. The complaint must be lodged with the data protection authority and must contain

- the name of the contested decision (reference number, subject)

- the name of the authority concerned,

- the reasons on which the claim of illegality is based,

- the request and

- the information required to assess whether the complaint was lodged in time.

The data protection authority has the option of amending its decision within two months either by a preliminary decision on the complaint or by submitting the complaint with the files of the proceedings to the Federal Administrative Court.

A complaint against this decision is subject to a fee. The fixed fee for a corresponding submission including attachments is 30 euros. The fee must be paid into the Austrian tax office account, stating the intended purpose. The fee must always be transferred electronically using the "tax office payment" function. The Austrian tax office - Department of Special Responsibilities must be specified or selected as the recipient (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). The tax number/tax account number 10 999/9102, the tax type "EEE complaint fee", the date of the notice as the period and the amount must also be specified.

If your bank's e-banking system does not have the "tax office payment" function, the eps procedure in FinanzOnline can be used. An electronic transfer can only be dispensed with if no e-banking system has been used to date (even if the taxpayer has an internet connection). Then the payment must be made by means of a payment order, making sure that the correct allocation is made. Further information can be obtained from the tax office and in the manual “Electronic payment and notification of payment of self-assessment taxes”.

When submitting a complaint to the data protection authority, proof of payment of the fee must be provided by means of a payment receipt attached to the submission or a printout of the issuance of a payment order. If the fee is not paid or not paid in full, a report will be sent to the responsible tax office.

A timely and admissible complaint to the Federal Administrative Court has a suspensive effect. The suspensive effect may have been excluded in the ruling of the decision or excluded by a separate decision.

December 17, 2024

The head of the data protection authority: