AEPD (Spain) - E/10529/2021: Difference between revisions

From GDPRhub
mNo edit summary
Line 67: Line 67:
}}
}}


[in progress]
The Spanish DPA dismissed a complaint regarding the use of Google Analytics by a Spanish public law institution, indicating that the controller did not process any data that could have identified a particular user, and that the controller had stopped using Google Analytics short after the Schrems II ruling, so there was no violation of Chapter V of the GDPR.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
[in progress]
==== Background ====
==== Background ====
About a month after the "Schrems II ruling" by the CJEU ([[CJEU - C-311/18 - Schrems II]]) the NGO ''noyb'' filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S (s''ee [https://noyb.eu/en/101-complaints-eu-us-transfers-filed here] and [https://noyb.eu/en/update-noybs-101-complaints-eu-us-data-transfers here]).'' In order to coordinate the work of all involved DPAs, the EDPB created a [https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en?mkt_tok=eyJpIjoiTVRrMVlqRmpOMlF3TnpCbCIsInQiOiJFekdLKzFydWlOSHpaU1RDUTNUaHVWR2JxTVN4MnRDUm9jYTRkOGRxWG1LSDBWY1lBQkhaM2dsTkdoSEdYNlQrN2lFbm84d1Y3STRWMFlXZk5lM0dzeGFMd2p2NGFjVmltS1wvNnlCSmhrK3Nra1dGcGNjd2lEQWN6UW9EQVdtNmsifQ%3D%3D special task force].  
About a month after the "Schrems II ruling" by the CJEU ([[CJEU - C-311/18 - Schrems II]]) the NGO ''noyb'' filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S (s''ee [https://noyb.eu/en/101-complaints-eu-us-transfers-filed here] and [https://noyb.eu/en/update-noybs-101-complaints-eu-us-data-transfers here]).'' In order to coordinate the work of all involved DPAs, the EDPB created a [https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en?mkt_tok=eyJpIjoiTVRrMVlqRmpOMlF3TnpCbCIsInQiOiJFekdLKzFydWlOSHpaU1RDUTNUaHVWR2JxTVN4MnRDUm9jYTRkOGRxWG1LSDBWY1lBQkhaM2dsTkdoSEdYNlQrN2lFbm84d1Y3STRWMFlXZk5lM0dzeGFMd2p2NGFjVmltS1wvNnlCSmhrK3Nra1dGcGNjd2lEQWN6UW9EQVdtNmsifQ%3D%3D special task force].  
Line 84: Line 82:
The controller alleged that it is a public law institution that uses Google Analytics tools solely and exclusively for fulfilling the general interest purposes that constitute its ultimate goal, which is to ensure the development, dissemination, proper use and update of the Spanish language; in order to achieve that, it is necessary to have access to statistical data related to the access and use of these instruments, and also to know its evolution and adaptation to the reality of the use of the language at any given moment (e.g. statistics related to the use of terms not included in the dictionary can allow a better knowledge of the evolution in the use of the language and the possible inclusion of such terms in the future).  
The controller alleged that it is a public law institution that uses Google Analytics tools solely and exclusively for fulfilling the general interest purposes that constitute its ultimate goal, which is to ensure the development, dissemination, proper use and update of the Spanish language; in order to achieve that, it is necessary to have access to statistical data related to the access and use of these instruments, and also to know its evolution and adaptation to the reality of the use of the language at any given moment (e.g. statistics related to the use of terms not included in the dictionary can allow a better knowledge of the evolution in the use of the language and the possible inclusion of such terms in the future).  


Through the use of Google Analytics, the controller can know essential information related to the use of the language and its diffusion worldwide, and can know in an aggregate form the geographic origin of the website visitors -with a minimum level of aggregation by city-, their visit flow, the configurations of their browsing devices, as well as the browser and operating system used, screen resolution and the recurrence of their visits.  
Through the use of Google Analytics, the controller can know essential information related to the use of the language and its diffusion worldwide.  


[in progress]
The controller also alleged that it only had access to aggregated data that did not allow for identification of users. The controller had no access to personal data whatsoever, nor IPs or any other information. Hence, no personal data was processed. 
 
The controller also indicated that it had subscribed a contract with Google LLC (Conditions for the Processing of Data) and that therefore the RAE was a controller while Google was a processor. 
 
Furthermore, the controller alleged that it had only used the most basic functionalities of Google Analytics, guaranteeing the minimization of the use of data, so only aggregated data was processed. 
 
Only the following data was gathered:
 
# Identification of the geographic area (city and country) from which the user of the user accessed the website and statistics by country. 
# Language. 
# Source from which the visit originates. 
# Statistical flow of visits to the Web Site. 
# Statistical analysis of visits, offering percentages of recurrent or first access visits. 
# Browser used for access. 
# Type of mobile device used. 
# Screen resolution of the device and its operating system.
 
Nor Google Signals nor Comparatives were activated.
 
On 08.09.2020, the AEPD verified that the code of the website included the creation and storage of Google Analytics cookies.
 
On 27.10.2021, the AEPD confirmed that such code was not on the website anymore.


=== Holding ===
=== Holding ===
[in progress]
The AEPD decided to accept the allegations of the controller and considered that the controller had not violated [[Article 45 GDPR]] nor any of the subsequent Articles from Chapter V of the GDPR. The AEPD took into account that the controller had stopped using Google Analytics short after the Schrems II ruling and that it had never used the obtained information to identify specific users.
 
Therefore, the DPA concluded that, at the time of issuing the decision, the controller was not in breach of the GDPR under the competential scope of the AEPD.


== Comment ==
== Comment ==

Revision as of 22:12, 24 January 2023

AEPD - E-10529-2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 45 GDPR
Article 46 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published: 15.12.2022
Fine: n/a
Parties: GOOGLE LLC
REAL ACADEMIA ESPAÑOLA
noyb – European Centre for Digital Rights
National Case Number/Name: E-10529-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA dismissed a complaint regarding the use of Google Analytics by a Spanish public law institution, indicating that the controller did not process any data that could have identified a particular user, and that the controller had stopped using Google Analytics short after the Schrems II ruling, so there was no violation of Chapter V of the GDPR.

English Summary

Facts

Background

About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II) the NGO noyb filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S (see here and here). In order to coordinate the work of all involved DPAs, the EDPB created a special task force.

Complaint

On 18.08.2020, a data subject (represented by noyb) filed a complaint with the DSB against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents violated Articles 44 et. seqq. GDPR in light of the "Schrems II" ruling by transferring their personal data to Google LLC. As Google LLC qualifies as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4), it is subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens - such as the data subject - to them.

The complaint was filed against the Spanish Royal Academy (Real Academia Española, "RAE").

The controller alleged that it is a public law institution that uses Google Analytics tools solely and exclusively for fulfilling the general interest purposes that constitute its ultimate goal, which is to ensure the development, dissemination, proper use and update of the Spanish language; in order to achieve that, it is necessary to have access to statistical data related to the access and use of these instruments, and also to know its evolution and adaptation to the reality of the use of the language at any given moment (e.g. statistics related to the use of terms not included in the dictionary can allow a better knowledge of the evolution in the use of the language and the possible inclusion of such terms in the future).

Through the use of Google Analytics, the controller can know essential information related to the use of the language and its diffusion worldwide.

The controller also alleged that it only had access to aggregated data that did not allow for identification of users. The controller had no access to personal data whatsoever, nor IPs or any other information. Hence, no personal data was processed.

The controller also indicated that it had subscribed a contract with Google LLC (Conditions for the Processing of Data) and that therefore the RAE was a controller while Google was a processor.

Furthermore, the controller alleged that it had only used the most basic functionalities of Google Analytics, guaranteeing the minimization of the use of data, so only aggregated data was processed.

Only the following data was gathered:

  1. Identification of the geographic area (city and country) from which the user of the user accessed the website and statistics by country.
  2. Language.
  3. Source from which the visit originates.
  4. Statistical flow of visits to the Web Site.
  5. Statistical analysis of visits, offering percentages of recurrent or first access visits.
  6. Browser used for access.
  7. Type of mobile device used.
  8. Screen resolution of the device and its operating system.

Nor Google Signals nor Comparatives were activated.

On 08.09.2020, the AEPD verified that the code of the website included the creation and storage of Google Analytics cookies.

On 27.10.2021, the AEPD confirmed that such code was not on the website anymore.

Holding

The AEPD decided to accept the allegations of the controller and considered that the controller had not violated Article 45 GDPR nor any of the subsequent Articles from Chapter V of the GDPR. The AEPD took into account that the controller had stopped using Google Analytics short after the Schrems II ruling and that it had never used the obtained information to identify specific users.

Therefore, the DPA concluded that, at the time of issuing the decision, the controller was not in breach of the GDPR under the competential scope of the AEPD.

Comment

This decision is the first DPA decision following noyb's 101 complaints regarding EEA-US data transfers. The EDPB formed a "task force" on these cases to come to similar decisions in the EEA. Further decisions are expected soon. For details see here and here.

Some decisions have already been published by European DPAs. E.g. see here and here.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/15








     File No.: E/10529/2021

                  RESOLUTION OF ACTIONS FILE



Of the actions carried out by the Spanish Agency for Data Protection and
based on the following:

                                       FACTS


FIRST: Don A.A.A. (hereinafter, the claiming party), dated August 21,
2020, filed a claim with the Spanish Agency for Data Protection. The
The claim is directed against GOOGLE LLC and the ROYAL SPANISH ACADEMY (in
forward, this last RAE or the claimed party).


The reasons on which the claim is based are the following:

- Through HTML code embedded in the WWW.RAE.ES web page,
collected personal data from the claimant and have transferred it to the US through the
Google Analytics and Google Ads services contracted by the person in charge of the portal,

the RAE.

- During the visit of the complaining party to the mentioned website, the person in charge treated
your personal data (at least IP address and "cookies"), and, apparently,
some of this data was transferred to Google LLC. The complaining party had

signed in to your Google account associated with your email inbox.

- The complaining party maintains that the transfer of personal data to the US by
part of the person in charge through his treatment manager has no legal basis,
since the CJEU has invalidated the decision on the "EU-US Privacy Shield" in the
ruling C-311/18 ("Schrems II"), and the controller can no longer base the transfer of

data to Google in the USA in an adequacy decision pursuant to Art. 45 of the
GDPR.

- The person in charge cannot base the transfer of data on the clauses
contractual type provided for in arts. 46.2.c and 46.2.d of the GDPR, if the third country of
destination does not guarantee adequate protection of the personal data transferred

under those clauses, in accordance with EU law. The CJEU has ruled
explicitly that onward transfers to companies covered by the
Article 50 of the United States Code (USC), as is the case of Google,
violate the relevant articles of Chapter 5 of the GDPR, since, by virtue of this
regulations (50 USC Par. 1881, or "FISA 702"), are subject to surveillance by the

US intelligence. As can be seen from the "Snowden Slides" and from the
Google Transparency Report, this entity is actively providing data
personal data to the US government under that precept.

- The controller and Google have continued to rely on the "EU-US Privacy Shield" and on
the standard data protection clauses for the aforementioned transfers

of data.

 Therefore, it requests that the claim be fully investigated and that the following be established:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15









 1. What personal data was transferred from the controller to Google LLC in
 USA or any other third country and international organization.

 2. In which transfer mechanism under article 44 et seq. of the

 GDPR the controller based this data transfer.

 3. If the provisions of the Google Analytics Terms of Service and the
 new Conditions for the treatment of data of Google Ads in its current version
 and with effect from 08/31/2020 they comply with the requirements of article 28 GDPR
 regarding the transfer of personal data to third countries.


 4. Immediately impose a ban or suspension of any
 flow of data to Google LLC in the USA and order the return of that data to the
 EU/EEA or to another country offering adequate protection under Articles
 58(2)(d), (f) and (j) GDPR.


 5. That an administrative fine be imposed on the person responsible and on Google.

 And, among other things, attach the following documentation:

 - HAR file containing, among others:

       a. A GET request with the following header:
        “Host www.rae.es
        User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0)
        Gecko/20100101 Firefox/79.0
        Accepttext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/
        *;q=0.8

        Accept-Language en-GB,en;q=0.5
        Accept-Encoding gzip, deflate, br
        Connection keep-alive
        Cookie _ga=GA1.2.345900854.1597222413; cookie-agreed=2;
        __unam=67c8073-173e205d800-f576793-2;
        TS018cf77a=017ccc203c9e7bc4149f20e42e6a3643881397eb41e025f2c54bb

        e7141c720c53441c2483c; has_js=1; _gid=GA1.2.1837808855.1597415922;
        _gat=1
        Upgrade-Insecure-Requests 1
        If-None-Match" 1597405902-1"
        Cache-Control max-age=0”


b. A GET request with the following header and url-encoded parameters:
            https://www.google-analytics.com/collect?
            v=1&_v=j83&a=1005550321&t=pageview&_s=1&dl=https%3A%2F
            %2Fwww.rae.es%2F&ul=en-gb&de=UTF-8&dt=Real%20Academia
            %20Spain%C3%B1ola&sd=24-

            bit&sr=1920x1080&vp=1903x716&je=0&_u=AACAAEAB~&jid=&gjid=&cid
            =345900854.1597222413&tid=UA-44263049-
            1&_gid=1837808855.1597415922&z=1892337212

        “Host www.google-analytics.com

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/15








        User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0)
        Gecko/20100101 Firefox/79.0
        Accept image/webp,*/*
        Accept-Language en-GB,en;q=0.5
        Accept-Encoding gzip, deflate, br

        Referer https://www.rae.es/
        Connection keep-alive
        TE Trailers”

        Parameters encoded in the url:
        v 1

        _v j83
        to 1005550321
        t page view
        _s 1
        dl https://www.rae.es/

        ul en-gb
        from UTF-8
        dt Royal Spanish Academy
        24-bit sd
        mr 1920x1080
        vp 1903x716

        heh 0
        _u AACAAEAB~
        jid
        gjid
        cid 345900854.1597222413
        time UA-44263049-1

        _gid 1837808855.1597415922
        z 1892337212”


SECOND: On October 5, 2020, the claim was admitted for processing
presented by the claimant, under the provisions of article 65.5 of

the LOPDGDD.

THIRD: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the investigative powers granted to the authorities of
control in article 58.1 of Regulation (EU) 2016/679 (General Regulation of

Data Protection, hereinafter GDPR), and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of the LOPDGDD, being aware of the
following extremes:

 - On September 8, 2020, it is verified that in the url

 www.rae.es/info/aviso-legal contains the following information:

 1. The identification and contact of the person in charge, about the purpose,
 legitimizing basis, as well as conservation period, exercise of rights of the
 personal data collected.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/15









 2. It is stated "The RAE does not carry out international data transfers or
 transfers of information provided by users”.

 - On December 10, 2020, the RAE sends this Agency the following

 information and demonstrations:

 1. That the RAE is a public law corporation integrated into the Institute of
 Spain since:

       a. According to art. 4 of the RAE Regulation "in accordance with the provisions

       In its statutes, the main mission of the Academy is to ensure the unity of
       the Spanish language, in close collaboration with all the academies
       integrated into the Association of Academies of the Spanish Language (ASALE)"

       b. According to art- 1.2.a) of Royal Decree 1160/2010 of September 17 by

       which regulates the Institute of Spain, the RAE is part of the Institute of
       Spain, which according to article 1.1 of the worthy Royal Decree "is a
       corporation governed by public law, with legal personality and capacity to
       act for the fulfillment of its purposes, which brings together the Royal Academies of
       national level that are listed in the following section, for the
       coordination of the functions that they must perform in common".


 2. That according to section 1 of article XXXVIII of the RAE Statutes:
       "The funds of the Academy will consist of:
       1.9 In the ordinary allocation that is granted in the budgets of the
       State, and in the extraordinary ones with which the Government and donors or
       private founders want to favor the activities of the corporation.”


 3. That according to article 39 of its Regulations
       "the assets and resources of the Royal Spanish Academy will include the
       movable and immovable property, the rights and rents of any kind that
       to which they belong, the ordinary allocation provided for in the State budget,
       as well as the subsidies and aid agreed by any administration

       public. It will count among its income the donations that sponsors
       private parties agree to grant it, especially those coming from the Foundation
       pro-RAE. The profits derived from the exploitation will integrate its patrimony
       economics of his works. Likewise, the subsidies, legacies, donations or
       personal benefits that you receive and accept, perpetually or
       temporary".


 4. That all this means that, although the use of Google tools
 Analytics may be aimed at obtaining commercial or business revenue,
 In the case of the RAE, said use has the sole and exclusive purpose of
 compliance with the purposes of general interest that constitute its object which are

 guarantee the development, dissemination, diffusion, good use and updating of the language
 Spanish.

 5. That it is essential to have tools that allow you to know data
 statistics related to the access and use of said instruments,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/15








 allowing you not only to configure strategies that guarantee a better knowledge and
 diffusion of our language and grammar but also to know its evolution and
 adaptation to the reality of the use of the language at all times (e.g. statistics
 related to the use of terms not included in the dictionary may allow a
 better knowledge of the evolution in the use of the language and the possible inclusion of

 such terms in the future).

 6. That through the use of Google Analytics they could know information
 related to the use of the Spanish language and its diffusion worldwide,
 being able to access in an aggregated way about the geographical origin of the
 visitors to your website, with a minimum level of aggregation by city, your flow

 visit the website, the settings of your browsing devices, as well as
 such as the browser and operating system, screen resolution and the recurrence of
 your visits.

 7. That the use of Google Analytics has been limited solely and exclusively to the

 access to statistical and aggregate information that will not allow the aforementioned to be identified
 users.

 8. That he did keep the Google Analytics tool embedded on his website.

 9. That no data was obtained that could be considered as data

 personal, as information that identifies or allows direct or direct identification is not processed.
 indirectly to those users.

 10. That they did not have access to the IP address of the users or any
 information that could be considered personal data.


 11. That the only information that could individualize the users would be the
 related to the random ID that Google gives to its users. that the RAE does not
 may, based on that information, take any action to achieve its
 reidentification.

 12. That all the pages of the domain rae.es are established in Spain. That

 the RAE is not established in any other state.

 13. That since December 3, 2020 no RAE domain
 makes use of the Google Analytics tool.

 14. That the legal relationship between RAE and Google LLC is that of the relationship

 existing between the person in charge and the person in charge of the treatment, being RAE the person in charge
 and Google in charge of the treatment. That this is stated in the Conditions for the
 Processing of Google Ads Data both in its previous versions and in its
 last version dated August 16, 2020 and in the Terms of Service of
 Google Analytics.


 15. That in response to the measures adopted so that Google does not process
 personal data for your own purposes or for the purposes of third parties, you refer to the
 section 5.2. and 5.3. of the Conditions for the Treatment of Data of Google Ads.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/15








 16. That in relation to the guarantees that Google grants to the RAE for the purposes of
 verifying compliance with the provisions is referred to sections 7.5.1. and 7.5.2 of
 the Google Ads Data Processing Conditions.

 Provide a copy of the Google Ads Data Processing Conditions where

 consists:
       "[…]
       5.2 Customer Instructions. By entering into these Conditions of
       data processing, the Client instructs Google to carry out the
       processing of Customer Personal Data only in accordance with the
       applicable law: (a) to provide the Services of the processor of the

       treatment and any related technical support; (b) as
       further specified through Customer's use of the Services of the
       in charge of the treatment (including the configuration and other functionalities of
       Processor Services) and any technical support
       related; (c) as documented by the Agreement, including any

       these Conditions of data processing; and (d) as
       documented in other instructions provided in writing by the Customer and
       recognized by Google as constitutive instructions for the purposes
       of these Conditions of data processing.
       5.3 Compliance with instructions by Google. gooqle will comply
       the instructions described in Section 5.2 (Customer Instructions)

       (including those relating to data transfers), unless the Leves
       European or National to which Google is subject requires another treatment
       of personal data by Gooqle, in which case Gooqle will inform the
       Customer (unless Google is prohibited by any such law from doing so for
       important reasons of public interest).
       […]

       7.5.1 Security Documentation Reviews. To demonstrate the
       Google's performance of its obligations under the
       present Conditions of data processing, Google will provide the
       Security documentation Will be reviewed by the Client.
       7.5.2 Customer Audit Rights.
       (a) Google will allow the Client or an external auditor designated by the

       Client perform audits (including inspections) to verify that Google
       comply with the obligations contracted under these Conditions of the
       data processing in accordance with Section 7.5.3 (Terms
       additional commercial for audits). Google will contribute to such audits
       as described in Section 7.4 (Safety Certification) and in the
       this Section 7.5 (Regulatory Compliance Audits and Reviews).

       (b) If the Standard Contractual Clauses apply under Section 10.2
       (Data Transfers), Gooq will allow the Client or an external auditor
       designated by the Client to carry out audits as described in Clauses
       Contractual Type in accordance with Section 7.5.3 (Conditions of Business
       additional for audits).

       (c) The Client may also perform an audit to verify the
       Google's compliance with its obligations under the
       present Conditions of data processing by reviewing the
       certificate issued for ISO 27001 Certification (reflecting the result of
       an audit by an external auditor)."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/15








 Provide a copy of the Google Analytics Terms of Service where it states:
       “[…]
       7. Privacy
       The User must not send information to Google that Google may consider
       personally identifiable information or use as such, nor must you allow a

       third party to do it, nor help him to do it. The User must have a Privacy Policy
       Adequate privacy and comply with it. You must also comply with all laws,
       applicable policies and regulations related to the collection of information
       of Users and publish a Privacy Policy that notifies the use of
       cookies, mobile device identifiers (eg, the identifier of
       advertising for Android or the advertising identifier for iOS) or technology

       similar to collect data. In addition, you must disclose the use of Google Analytics and
       the way in which this Service collects and processes the data. To do this, you can
       include a prominent link on the website "How Google uses the
       information from websites or apps used by our partners" (which
       located at www.google.com/polici es/privacy/partners/ or at any

       another URL provided by Google). The User must take measures
       commercially reasonable to ensure that Users receive
       complete and clear information about the storage of cookies and the
       access to them or any other information about the device of the
       Users, and that they give their consent in this regard, when such
       activity occurs in connection with the Service and when required by law

       provide such information and obtain such consent.
       […]”

 17. That the RAE did not provide or communicate any data that could be derived from the use
 of Google Analytics to any third party. That he has not accessed data either
 any staff so it is hardly possible to make a transfer to

 third parties. That you cannot specify the specific suppliers or locations to which
 that Google may have transmitted the data collected by Google Analytics. That
 Links are included in the Google Ads Data Processing Conditions
 with the identification of the sub-processors https://privacy.google.com/
 businesses/subprocessors/ and with geographic locations
 https://www.google.com/intl/es/about/datacenters/locations/


 18. That only the basic functionalities of Google Analytics were used
 guaranteeing the minimization of the impact on the privacy of users so that
 there is no processing of information referring to persons identified or
 identifiable but only aggregate information. that they have not carried out
 any data processing related to the users' IP.


 19. That they have only had access to the following aggregate information provided by
 Google Analytics:

       a. Identification of the geographical area (city and country) from which the

       Website user accesses it and access statistics by country.
       b. Idiom.
       c. Source from which the visit comes.
       d. Statistical flow of visits to the Website.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/15








        and. Statistical analysis of visits, offering percentages of visits
        recurring or first access.
        F. Browser used in your access.
        g. Type of mobile device used.
        h. Screen resolution of the device and its operating system.


        Provide screenshots of Google Analytics where the
        classifications of:

        a. language with at least 10 different values
        b. country with at least 10 different values

        c. city with at least 10 different values
        d. System with subsections:
               Yo. browser with at least 10 different values
               ii. Operating system with at least 10 different values
               iii. Service provider

        and. Mobile with the subsections of:
               Yo. Operating system with at least 10 different values
               ii. Service provider
               iii. Screen resolution with at least 10 different values.
        F. Mobile devices/devices with at least 9 different values.


        There is no data on age or sex. There are no data of interest.

        Google Signals is not activated.

        The Comparisons are not activated.


        There are no custom or user-defined variables.

        On the contrary, the RAE has not made use of any of the information
        advanced capabilities provided by Google Analytics, which require a
        specific enablement within the tool. They have not had access to:


a. Age.
b. Sex.
c. Affinity categories.
d. Segments with purchase intent.
and. Multi-device section.
F. Comparison sections.


 20. That there are no treatments of special categories of data.

 21. That, since they did not process age data, they do not have information to
 specify if any of the users of the website could be minors.


 22. That art. 22.2 of the LSSI since its
 activity must be classified as providing a public service.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/15








 23. "On the other hand, in the denied assumption that my client had carried out
 carry out a treatment of personal data of the users of its website, the same
 would have been developed for the fulfillment of the purposes established in its
 Statutes and its Regulations, such treatment being necessary for compliance with
 a mission of public interest and thus being covered by article 6.1 e) of the

 GDPR.”

 24. “Regarding data transmissions to Google LLC, as has already been
 indicated in a previous place of this writing, were based on the condition of
 person in charge of the treatment of the aforementioned entity and in its adherence to the
 "Privacy Shield" Agreement, pursuant to the Enforcement Decision

 (EU) 2016/1250 of the Commission, of July 12, 2016, as well as, subsequently,
 in the application, as of August 12, 2020, of the standard contractual clauses
 for international data transfers between controllers and processors
 treatment, approved by Commission Decision 2010/87/UE, of February 5,
 2010.”


 25. That Google Analytics establishes a predefined period of conservation of the
 information collected for 26 months.

 26. That according to clause 6.2 of the Conditions for the Treatment of Data of
 Google Ads establishes "Deletion at the expiration of the validity period. To the

 expiration of the term, Customer instructs Google to
 delete all Customer Personal Data (including existing copies) from the
 Google systems in accordance with applicable law. Google will comply with the
 present instructions as soon as reasonably possible and within a
 maximum period of 180 days, unless European or National Laws require its
 storage."


 - On 06/01/2021, the ROYAL SPANISH ACADEMY sends this Agency the
 following information and representations:

1. That the RAE is a public law corporation, having established the
having established the Supreme Court in its judgment of November 17,

2015 (appeal 764/2014) the public nature of all the
functions and activities carried out by the Royal Academies (first section of the
letter of December 10, 2010).

2. That the Google Analytics tool they used was the free version.


3. That they started using Google Analytics on September 12,
2019.

4. That it does not maintain web pages aimed at third countries, there being a
sole domain of it.


5. That from December 1, 2019 to November 30, 2020 there were
210,555,443 visits to the RAE portal, corresponding to a total of 100,131,355
users.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/15








A report is provided where it is stated that from December 1, 2019 to December 30,
November 2020 there was the following breakdown of visits by country, with the 10 being
first in number of visits:


              Number of Percentage on the
              total visits
 Spain 77,829,236 36.96%
 Mexico 35,409,134 16.82%

 Colombia 16,817,104 7.99%
 Argentina 15,312,395 7.27%
 Peru 11,861,855 5.63%

 Chile 10,642,227 5.05%
 United 6,248,681 2.97%
 states

 Ecuador 4,511,765 2.14%
 Venezuela 2,935,038 1.39%
 Guatemala 2,669,888 1.27%


And where it also states that:

 France 1,261,921 0.60%

 Italy 1,208,428 0.57%
 Germany 1,091,227 0.52%
 Honduras 989,860 0.47%

 Portugal 325,589 0.15%

- On 09/08/2020 it is verified that in the code of the website www.rae.es
loaded in the browser contains the following code:

       <head>
       […]
       </script>
       <!--[if lt IE 9]><script
       src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
       <script>

       //<![CDATA[(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||
       function(){
       (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new
       Date();a=s.createElement(o),m=s.getElementsByTagName(o)
       [0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})
       (window,document,'script','//www.google-analytics.com/analytics.js','ga');

       ga('create', 'UA-44263049-1', 'auto');
       ga('send', 'pageview');
       if(Drupal.eu_cookie_compliance != undefined && !
       Drupal.eu_cookie_compliance.hasAgreeed()){window['ga-disable-UA-44263049-
       1'] = true;
       }

       //]]>
       </script>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/15








        </head>

- On October 27, 2021 it is verified that:

1. The code of the website www.rae.es loaded in the browser does not contain

the above code.

2. While browsing the web www.rae.es there are no HTTP requests to the
domain google-analytics.com, nor are cookies associated with Google Analytics installed.

3. In the url https://policies.google.com/technologies/cookies?hl=es#types-of-

cookies consists:
        “[…]
        Analytics
        Cookies used for analytical purposes help collect data that
        They allow services to understand how users interact with them. Is

        information is used to improve the content of the services and its
        functions, as well as to offer a better experience to users.
        Some cookies help sites understand how visitors interact
        with its properties. For example, Google Analytics, a Google product
        with which site and application owners can understand how
        users interact with its services, uses a set of cookies to

        collect information and offer statistics of use of the sites without identifying
        personally to each visitor. The main cookie used by Google Analytics
        is "_ga", which allows services to distinguish one user from another and lasts 2
        years. It is used by all sites where Google Analytics is implemented,
        including Google services.
        [,,,]


4. Check that in the url https://developers.google.com/analytics/devguides/
collection/analytics consists of:

        “The analytics.js library (known as "the Google Analytics tag") is
        a JavaScript library used to measure user interactions

        users with your website. This document explains how to add the
        Google Analytics tag to a website.”
        It also states that the tag to add analytics.js to the website is:
        <!-- Google Analytics -->
        <script>
        (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){

        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
        m=s.getElementsByTagName(o)
        [0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m
        })(window,document,'script','https:∕∕www.google-analytics.com∕analytics.js','ga'
        ga('create', 'UA-XXXXX-Y', 'auto');

        ga('send', 'pageview');
        <∕script>
        <!-- End Google Analytics -->

                                FUNDAMENTALS OF LAW

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/15









                                            Yo


In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
GDPR) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions the Director of the Spanish Agency for

Data Protection.

                                           II

The claim presented by the claimant, represented by Noyb –

European Center for Digital Rights, is based on data processing
data made by RAE and that have been transferred to Google LLC, that is, they have
been subject to international data transfer in violation of articles 44 to 49 of the
GDPR. Requests that the facts be investigated, that the RAE data flow be prohibited
against Google LLC in the US, and that a fine be imposed on RAE and Google LLC.


Indicates that the transfers made by RAE have been produced when the
HTML code on the website www.rae.es for Google services (including
Google Analytics), and personal data of the claimant have been collected and
transferred to the US.


The complaining party has filed 101 claims for similar events, which are
being investigated by the control authorities of the country where it is
established the data controller.

This procedure refers to the performance of the RAE in relation to the
international data transfers through the installation of certain

cookies.

In order for all control authorities to act jointly and coherently, it is
created a working group, which has convened numerous meetings. In them, they have
developed questionnaires to make information requirements about the
treatment carried out, addressed both to the data controller and to Google.

The will of all data protection control authorities is the cessation
of the flow of data to third countries without the guarantees established in the GDPR.


                                           II


Article 45 of the GDPR establishes the following:

       "one. A transfer of personal data may be made to a third country or
international organization when the Commission has decided that the third country, a ter-
territory or one or several specific sectors of that third country, or the international organization

national law in question guarantee an adequate level of protection. Said transfer-
cia will not require any specific authorization.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/15








       2. When assessing the adequacy of the level of protection, the Commission shall take into account
In particular, it covers the following elements: a) the rule of law, respect for
human rights and fundamental freedoms, the relevant legislation, both ge-

both general and sectoral, including that related to public safety, defense, security
national law and criminal law, and public authorities' access to data
personal data, as well as the application of said legislation, the rules for the protection of
data, professional standards and security measures, including rules on
about onward transfers of personal data to another third country or international organisation.
international law observed in that country or international organization, jurisprudence, as well

such as recognition of the interested parties whose personal data is being transferred
conferred effective and enforceable rights and administrative resources and legal actions
cials that are effective; b) the existence and effective functioning of one or more
independent supervisory authorities in the third country or to which a
international organization, with the responsibility of guaranteeing and enforcing the

data protection rules, including appropriate enforcement powers,
to assist and advise the interested parties in the exercise of their rights, and to cooperate
with the supervisory authorities of the Union and of the Member States, and c) the com-
international commitments assumed by the third country or international organization of
in question, or other obligations derived from legally binding agreements or instruments
binding, as well as their participation in multilateral or regional systems, in

particularly in relation to the protection of personal data.

       3. The Commission, after having assessed the adequacy of the level of protection, may
may decide, by means of an implementing act, that a third country, a territory or one or several
various specific sectors of a third country, or an international organization guaranteeing

provide an adequate level of protection in accordance with the provisions of section 2 of the pre-
feel article. The implementing act will establish a periodic review mechanism,
least every four years, taking into account all relevant events
in the third country or in the international organization. The act of execution will specify
its scope of territorial and sectoral application, and, where appropriate, will determine the authority or

control authorities referred to in section 2, letter b), of this article. The
The implementing act shall be adopted in accordance with the examination procedure referred to in
re article 93, paragraph 2.

       4. The Commission will continuously monitor developments in the country
third parties and international organizations that may affect the effective application

tion of decisions taken pursuant to paragraph 3 of this article and of
decisions taken on the basis of Article 25(6) of the Directive
95/46/EC.

       5. When the information available, particularly after the review referred to,

For the purposes of paragraph 3 of this article, show that a third country, a territory or a
specific sector of that third country, or an international organization no longer guarantees
an adequate level of protection within the meaning of paragraph 2 of this Article, the Commission
tion, through acts of execution, will repeal, modify or suspend, to the extent
necessary and without retroactive effect, the decision referred to in section 3 of the present

you article. Those implementing acts shall be adopted in accordance with the procedure
examination referred to in article 93, paragraph 2. For compelling reasons of urgency,
duly justified gency, the Commission will adopt acts of immediate execution.
applicable in accordance with the procedure referred to in article 93,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/15








paragraph 3.

       6. The Commission shall enter into consultations with the third country or international organization

with a view to remedying the situation that gave rise to the decision taken to
accordance with section 5.

       7. Any decision in accordance with paragraph 5 of this article shall be
without prejudice to transfers of personal data to the third country, to a te-
territory or one or several specific sectors of that third country, or to the international organization

national concerned under articles 46 to 49.

       8. The Commission shall publish in the Official Journal of the European Union and on its website
na web a list of third countries, territories and specific sectors in a third
country, and international organizations for which it has decided that

guarantees, or no longer, an adequate level of protection.

       9. Decisions taken by the Commission under Article 25, paragraph
6 of Directive 95/46/CE will remain in force until they are modified, replaced
protected or repealed by a Commission decision taken in accordance with the
paragraphs 3 or 5 of this article.”


Article 46 establishes the possibility of transmitting personal data to a third country or
international organization if it had offered adequate guarantees and on condition of
that the interested parties have enforceable rights and effective legal actions. The ar-
The following article regulates the binding corporate rules and article 49 establishes

the exceptions in which personal data may be transferred if certain circumstances occur
specific circumstances.

In the present case, during the previous investigation actions, it has been
It has been noted that, shortly after learning of the Schrems II Judgment, RAE stopped using

the Google Analytics tool. In addition, RAE has never used information with the
in order to identify the users of its website.

In accordance with what is indicated in the previous paragraphs and with the information of the
that is available at this time, no evidence has been found that proves in
the current moment the existence of infringement in the area of competence of the Agency

Spanish Data Protection.

Therefore, in accordance with what has been indicated, by the Director of the Spanish Agency for
Data Protection,
HE REMEMBERS:


FIRST: PROCEED TO THE ARCHIVE of the present proceedings.

SECOND: NOTIFY this resolution to A.A.A. and GOOGLE LLC and REAL
SPANISH ACADEMY.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/15









Against this resolution, which puts an end to the administrative process as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common for Public Administrations, and in accordance with the provisions of the

arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reversal before the Director of the Agency
Spanish Data Protection Agency within a period of one month from the day

following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction

Contentious-Administrative, within a period of two months from the day following
to the notification of this act, as provided in article 46.1 of the aforementioned Law.


                                                                                940-051121

Mar Spain Marti
Director of the Spanish Data Protection Agency












































28001 – Madrid 6 sedeagpd.gob.es