AEPD (Spain) - EXP202306257
From GDPRhub
| AEPD - EXP202306257 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 44 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | VACACIONES EDREAMS, S.L. |
| National Case Number/Name: | EXP202306257 |
| European Case Law Identifier: | n/a |
| Appeal: | Appealed - Confirmed AEPD (Spain) PS/00349/2022 |
| Original Language(s): | Spanish Spanish |
| Original Source: | AEPD (in ES) AEPD (in ES) |
| Initial Contributor: | mgrd |
In another of the 101 complaints filed by noyb, the Spanish DPA also found that the controller unlawfully transferred personal data to the U.S. in violation of Chapter V GDPR.
English Summary
Facts
On 20 August 2020 the data subject, represented by noyb, filed a complaint against eDreams, the controller, with the Spanish DPA. The data subject stated that he visited the eDreams website, while connected to his Google account. His IP address and cookies information were collected and transferred to Google U.S. through the services of Google Analytics and Google Ads, contractualized by eDreams.
The Spanish DPA started an investigation. Based on the documents and the requests made by the Spanish DPA, it was confirmed that Google Analytics statistics were collected from stakeholders in other Member States where eDreams concentrates its activity. The data of the Google Analytics tool is accessed mainly from eDream's offices in Spain, led by the head of the Analytics team, but also from France and Germany by their country management teams in each country.
eDreams stated that they only communicate the data collected through Google Analytics to Google. In the event that the user provides their consent for advertising cookies and does not block cookies in its browser, Google Ad Manager and Google Ads tools will also be recipients of the data. The controller specified that legal basis for the incorporation of the Google Analytics tool was legitimate interest, based on the need to understand how their website is used as well as to provide a better service to users.
Concerning the international transfer of data to the U.S., the controller was using the Privacy Shield Certificate until the latter was declared invalid and subsequently the Standard Contractual Clauses adopted by the Commission, together with the appropriate complementary measures provided by Google. Additionally, eDreams did not have the option to opt-out from transferring data outside the EEA when using Google Analytics, since the configuration of the tool does not allow it.
The browsing and behavioral data of customers were pseudonymized by means of a cookie identifier "Cookie ID" that allowed eDreams to analyze how the user accessed and interacted with their website. The Cookie ID was also their internal identifier to analyze the results at a statistical level. The controller claimed that no processing of special categories of personal data took place as defined in Article 9 GDPR, nor any processing of personal data of particularly vulnerable persons. The data storage was 26 months, which allowed the controller to make comparisons with the previous year data.
On 12 October 2020, in response to the DPA’s requests, Google stated that customers using Google Analytics can enable IP anonymization immediately after the data is collected. When data collected through Google Analytics transferred by Google's customers are personal data, they would have to be pseudonymised (as mandated by Google Analytics Terms of Service). Also, Google highlighted that they obtained ISO 27001 certification and will allow customers or customer-appoint third-party auditor to conduct audits of Google Analytics and verify Google's compliance with its obligations.
Google also claimed that if any government request access to personal data stored in Google's systems in the course of an investigation, a dedicated team of Google lawyers and specially trained personnel will carefully review the request to verify that it is lawful, proportionate, and complies with Google's policies. Their infrastructure is not designed to, and does not, give the U.S. government or any other government "backdoor" access to customer data or its servers. In addition, they highlighted that it uses strong technical measures (such as encryption) to protect against interception, including surveillance attempts by government authorities around the world.
Despite all the arguments, on 26 July 2023, the DPA ordered eDreams to comply with Article 44 GDPR, specifically to adapt its data processing with Google Analytics to ensure no international data transfers to U.S. occur without adequate safeguards. The Spanish DPA determined the measures implemented by eDreams were insufficient to address the core issue of unlawful data transfers and the risk it posed to EU citizens' data protection rights.
Holding
eDreams contested the Resolution, leading to the appeal, based on the following arguments.
Firstly, eDreams claimed that the DPA infringed their right of defense, as the controller affected by the delay on the access to the case file. These circumstances limited their time for presenting allegations, and for not granting a requested trial period. They highlighted that further technical proof was unnecessary, since Google's terms allow data storage and processing in any country with Google facilities and all data collected via Google Analytics is hosted in the U.S. The DPA attributed the delays to technical issues and miscommunication rather than procedural fairness, and argued that the extension of deadlines to submit allegations was sufficient, countering claims of unjustified period limitation.
Secondly, eDreams contested the decision for failing to technically demonstrate international data transfers to the U.S and claimed that their privacy settings prevent such transfers. The DPA refuted these claims, stating that regardless of the eDream's ability to technically demonstrate international data transfers to the USA, these transfers have been documented and confirmed by the Terms of Use clause which allows Google to store and process citing customer personal data in any country where Google or its sub-processors have facilities, including the U.S.
Thirdly, eDreams argued that the decision did not consider the new U.S. legal framework and the European Commission's Adequacy Decision, claiming it is unfair and legally improper. The DPA disagreed, stating that the legal framework at the time of the infraction applies, and compliance with GDPR was required at the time of the complaint.
Fourthly, At the same time, eDreams contends that the imposed sanction presents an unattainable requirement. This is because EDREAMS would be compelled to administer and regulate a service that belongs to a third party (Google), and thus falls outside its sphere of control. The DPA disagrees that the decisions should be considered unattainable as it orders precise adaptation of data processing activity of the Google Analytics service with the provisions of Article 44 GDPR, in particular by ceasing the international transfer of data until it is established that the Google Analytics service complies with the GDPR provisions.
In light of the above, the DPA decided to dismiss the appeal by eDreams against the decision made on 26 July 2023, since eDreams did not provide new facts or legal arguments to reconsider the original decision.
Comment
In this case, the Spanish DPA was the lead supervisory authority and the Austrian, French and Italian DPA's concerned supervisory authorities.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/29
File no.: EXP202306257 (RR/00640/2023)
IMI Reference: A56ID 438120 – A60DD 448732 – Case Register - 448157
RESOLUTION OF REPLACEMENT APPEAL
Examined the appeal for reconsideration filed by VACACIONES EDREAMS, S.L.
(hereinafter, the appellant) against the resolution issued by the Director of the
Spanish Data Protection Agency dated July 26, 2023, and based on
the following
FACTS
FIRST: On July 26, 2023, a resolution was issued by the Director of the
Spanish Data Protection Agency in file EXP202306257, under
of which VACACIONES EDREAMS, S.L. was ordered for a violation of the
Article 44 of the GDPR, typified in Article 83.5 of the GDPR, adapt the activity of
data processing carried out through the Google Analytics service as provided
in articles 44 et seq. of Parliament Regulation (EU) 2016/679
European Parliament and of the Council of 27 April 2016, in particular by cessation of the
international data transfer until it is proven that the Google service
Analytics complies with the aforementioned provisions of the Regulation.
Said resolution, which was notified to the appellant on July 31, 2023,
was issued prior to the processing of the corresponding sanctioning procedure,
in accordance with the provisions of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (LOPDGDD), and
supplementarily in Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), in matters of
processing of sanctioning procedures.
SECOND: As proven facts of the aforementioned sanctioning procedure,
PS/00349/2022, the following were recorded:
FIRST: A.A.A. (the complaining party) on 08/14/2020 at 4:44:00 a.m., visited the site
***URL.1 website while logged in to the Google account associated with the
address ***EMAIL.1 belonging to the complaining party.
Through HTML code embedded in the web page “***URL.1”, data have been collected
personal data (at least, the IP address and "cookies") of the complaining party and
have transferred to Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043,
USA, through the Google Analytics and Google Ads services contracted by the
responsible for the portal, EDREAMS.
When the complaining party visited the aforementioned website, the following actions were carried out:
requests:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/29
1. A GET request to the URL ***URL.2, which includes cookies and fields
the request with, among others, the following values:
Field Value
User-Agent (…)
_ga (…)
__gads (…)
_gid (…)
2. A GET request to the URL ***URL.3, which includes cookies and fields.
the request with, among others, the following values:
Field Value
User- (…)
agent
NID (…)
accept-
language (…)
u1 (…)
3. A POST request to URL ***URL.4 with the following header and parameters
encoded in the payload, among others:
Headboard
(…)
Field Value
User- (…)
agent
gjid (…)
cid (…)
tid (…)
_gid (…)
accept- (…)
language
SECOND: As stated in your response of 12/10/2020, in response to
requirement of this Agency, EDREAMS has introduced the tool code
Google Analytics on your website ***URL.1 and is currently still embedding it.
THIRD: As stated in your response of 12/10/2020, in response to
requirement of this Agency, Google Analytics statistics were collected
of interested parties in the Member States where EDREAMS concentrates its activity;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/29
Germany, Austria, Czechia, Denmark, Spain, France, Finland, Greece, Hungary,
Italy, Netherlands, Poland, Portugal, Romania, Sweden.
FOURTH: As stated in your response of 12/10/2020, in response to request
of this Agency, the data from the Google Analytics tool is accessed
mainly from the EDREAMS offices in Spain led by the
responsible for the Analytics team, but also from France and Germany for the
management team from each country.
FIFTH: As stated in your response of 10/12/2020, in response to request
of this Agency, EDREAMS only communicate the data collected through Google
Analytics to GOOGLE. And in the event that the user provides consent
for advertising cookies and do not block cookies in your browser, they will also be
Recipients are the Google Ad Manager and Google Ads tools.
SIXTH: As stated in your response of 10/12/2020, in response to request
of this Agency, the legal basis for the incorporation of the Tool is double
legitimate interest in understanding how the EDREAMS website is used and providing a
better service to users.
SEVENTH: As stated in your response of 12/10/2020, in response to
requirement of this Agency, the initial legal basis for the international transfer of
data by EDREAMS fell on the Privacy Shield Certificate until
its nullity and the standard data protection clauses adopted by the Commission
("Standard Contractual Clauses", or "CCT"), since August 2020, together with the
appropriate complementary measures provided by Google.
EIGHTH: As stated in your response of 10/12/2020, in response to request
of this Agency, EDREAMS did not have the option of whether or not to transfer data outside the EEA
when using Google Analytics, since the tool's configuration does not allow it.
NINTH: As stated in your response of 10/12/2020, in response to request
of this Agency, EDREAMS processes the navigation and behavior data of the
clients on their pseudonymized websites using a cookie identifier “Cookie
ID” that allows you to analyze how the user accesses and
interacts with your website and your internal identifier to analyze the results at the level
statistical.
The “Booking ID” (internal reservation identifier) is used by EDREAMS to
Identify the sales conversion ratio. As well as the “Checked Booking ID”
allows you to know how many people have entered the “Manage my reservation” section and
have selected to cancel or modify it.
The "Session, Session or eDOuser ID" allow you to limit the amount of data as much as possible
that EDREAMS has in Google Analytics and uses them to solve problems
technicians.
For all these reasons, the data is limited to how users, through their
devices, interact with the EDREAMS website (internal browsing data
to the website).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/29
In no case are special categories of data defined in article 9.1 processed.
of the GDPR, nor are data of particularly vulnerable people processed. I do not know
process non-pseudonymized data.
TENTH: As stated in your response of 10/12/2020, in response to request
of this Agency, GOOGLE may have knowledge of the personal data of the
users automatically, by saving the information on its own platform. He
Google Analytics tool code is integrated directly when the user
access the EDREAMS website. Any purpose that moves away from analyzing the use
of the aforementioned website, such as the advertising, will not be activated until there is
the prior consent of the user. That is, in the case in which the user does not
provide consent, Google Analytics will not connect with Google Ad
Manager and Google Ads in any way.
ELEVENTH: As stated in your response of 12/10/2020, in response to
requirement of this Agency, the data is stored for a period of 26 months, which
It is the period that allows them to make comparisons against the previous year.
TWELFTH: As stated in your response of 12/10/2020, in response to
requirement of this Agency, the data was stored according to clause 10.3 of the
current document “Conditions for the processing of Google Ads data”, whose
terms or configuration did not allow the change by EDREAMS.
THIRTEENTH: As stated in your response of 10/12/2020, in response to
requirement of this Agency, of the five purposes for sharing data with GOOGLE
Only EDREAMS had the GOOGLE technical service activated so that
can resolve any incident, without GOOGLE being able to use it for other purposes.
FOURTEENTH: As stated in your response of 12/10/2020, in response to
requirement of this Agency, the cookies are not refreshed even though the user
Please revisit the website so the 13 month duration is static.
FIFTEENTH: As stated in your response of 10/12/2020, in response to
requirement of this Agency, apart from the Google tool service itself
Analytics, data is connected with other services when prior
consent with:
Google Ads Linking: which links the Google Ads account to the Analytics account, allowing
see the full customer cycle, from how users interact with marketing
to how the objectives that have been established on the site are finally achieved
Web.
Adsense Linking: which allows you to see AdSense data in Analytics, as well as the
Key Analytics metrics on AdSense homepage cards.
Google Ad Manager Linking: Once the Ad Manager accounts are linked and
Analytics, Ad Manager metrics will be available in Analytics.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/29
Optimize and Tag Manager linking: Google Optimize allows you to test and customize the
website using Google Analytics data for measurement and targeting.
Ad Exchange Linking: which allows you to receive data from the Ad Exchange within the account
of Analytics regarding statistical advertising data.
Campaign Manager 360 Linking: which allows you to enable the import to Analytics 360
of campaign statistical data from Campaign Manager 360 and cost data.
SIXTEENTH: As of 10/12/2020, EDREAMS had the following linked services
with the Google Analytics tool:
to. “AdSense. Actively linked. Receiving data. AdSense helps you
earn money by displaying ads on your website that are relevant to your
audience.[…]"
b. “Google Adds. Actively linked. Sending and receiving information.
Google Ads is an online advertising program that helps you reach your
customers and grow your business, improve your ad campaigns and analyze the journey
of the client – from clicking on the ad to conversion.”
c. “Ad Exchange. Actively linked. Receiving data. Ad Exchange
helps you earn money by displaying ads on your website that are relevant to your
audience. Correlate key AdExchange metrics such as eCPM and
unit impressions, with more Analytics data.”
d. “Campaign Manager 360. Actively linked. Receiving data.
Campaign Manager 360 is an ad management and serving solution that
helps agencies and advertisers manage the full reach of advertising programs
digital advertising. This integration allows Google Analytics 360 customers to view and
analyze Campaign Manager 360 data in Analytics.”
and. “Google Optimize and Tag Manager for website and app optimization.
Actively linked. Receiving data. Google Optimize allows you to test and
Personalize your website using Google analytics to measure and personalize. […]”
F. “Search Console. Actively linked. Receiving data. Search
Console can help you understand how users find your website
through Google searches, identify ways to attract more attention to your website and
prioritize development efforts.”
SEVENTH: As of 10/12/2020, EDREAMS had the following configuration of the
Google Analytics account in the “Data Sharing Settings” section:
to. “Google product&services”. Not selected.
b. “Benchmarking”. Not selected.
c. “Technical Support”. Selected.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/29
d. “Account specialists”. Not selected.
and. “Give all Google sales experts Access to your data and account so you can get
more in Depth analysis, insights and recommendations across Google products.” No
selected.
26 months was the retention period with the minimum selectable period being 14
months and the maximum of 50 months. And there was the selectable option of not deleting
automatically the data after a specific period, but it was not selected.
EIGHTEENTH: AS OF 12/10/2020, GOOGLE IRELAND LTD. acted as manager
of the treatment.
NINETEENTH: As of 10/12/2020, in the Adhesion Contract proposed by
GOOGLE “Conditions for the processing of Google Ads data”, from the link
https://privacy.google.com/businesses/processorterms/, it was stated that:
“[…]
2.5 In the event that these Data Processing Conditions were translated into
any other language and there is any discrepancy between the English version and the
translated text, the English version will be applicable.
[…]”
TWENTIETH: As stated in your response of 12/10/2020, in response to
requirement of this Agency, from the same day that the STJUE C-
311/18, EDREAMS considered that they should update their contracting by eliminating the base
legal provisions of the Privacy Shield and including the Standard Contractual Clauses, which
They had to analyze the risks for the interested parties taking into account the type of data
treated personnel, who had to review the additional measures to those already contained
in the Standard Contractual Clauses. And, regarding the Privacy Shield, GOOGLE
proposed in a month (August 16, 2020) its new version with the changes in the
“Conditions for the processing of Google Ads data”. And the
transfer of the IP of whoever visits the website.
TWENTY-FIRST: As stated in your response of 12/10/2020, in response to
requirement of this Agency, in an email sent between EDREAMS and GOOGLE in
On September 24, GOOGLE declared that it had implemented the following
Additional safeguards to ensure Google Analytics data protection:
Yo. Google Analytics ensures the secure transmission of your content libraries.
Javascript and measurement data via HTTP Strict Transport protocol
Security (HSTS). ***URL.5.
ii. IP anonymization. GOOGLE offered the possibility of anonymizing IPs. Whether
activate this option, IPs are deleted immediately after collection and never
are stored on disk. That this measure was implemented from eDreams.
***URL.6
iii. Google has obtained ISO 27001 certification in relation to Google Analytics.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/29
iv. According to GOOGLE, they have a team that carefully reviews each request
of user data they receive from government authorities. Report
transparency in ***URL.7 and its policies in ***URL.8.
v. Encryption to protect personal data against interception in
transit.
TWENTY-SECOND: As stated in your response of 10/12/2020, in response to
requirement of this Agency, the legal basis for the international transfer of
data has as its legal basis the Privacy Shield until its nullity and the clauses
standard contractual agreements adopted by the Commission since August 2020, together with the
appropriate complementary measures provided by GOOGLE. The clauses
standard contractual agreements are located at ***URL.9.
TWENTY-THIRD: As stated in your response of 12/10/2020, in response to
requirement of this Agency, in the event that any US agency
security would like to obtain access to the data collected by EDREAMS in the
Google Analytics tool, first of all, could not do it directly, without
send request to Google, since said data is encrypted. Likewise, Google
has internal processes to question any management requirement
American that it considers disproportionate or incompatible with the regulations of
European data protection or with the Standard Contractual Clauses.
But in the hypothetical case that the corresponding US agency
ends up accessing the data, you will not be able to know which specific person is
behind the data collected in the Tool through identifiers, since
only personal data that would allow direct identification are protected
by EDREAMS and stored within the European Economic Area.
TWENTY-FOURTH: As stated in your response of 12/10/2020, in response to
requirement of this Agency, “OE 12333 (...) organizes and assigns functions and
responsibilities to the United States intelligence community and articulates
high-level principles that all intelligence activities must comply with. The activities
Specific intelligence actions carried out under OE NO 12333 are subject to
more specific application procedures (which can be classified) than
include safeguards and protections appropriate for that type of activity
intelligence. OE 12333 mainly governs intelligence activities that are carried out
performed outside the United States. It is understood that OE 12333 allows the
United States to conduct electronic surveillance outside the United States of
compliance with United States legal requirements; does not authorize surveillance
electronics within the United States nor does it impose requirements on providers of
services inside or outside the United States.
Section 702 of the FISA Amendments Act, which also requires the Government of
the United States that minimizes the use and dissemination of data, has two
components:
Section 702 "Upstream" authorizes United States authorities to collect
data that travels through the Internet "backbone" infrastructure controlled by the
1United States Executive Order 12333 (hereinafter EO 12333 or EO 123333)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/29
United States electronic communications service providers (e.g.
example, telecommunications providers in the United States). As far
in which the data of any user or client crosses the networks subject to the
Upstream section 702 collection, that data is encrypted in transit as
has described previously.
Section 702 "Downstream" authorizes United States authorities to
obtain specific data directly from service providers
electronic communication. To the extent Google LLC may be subject to
specific requests related to Google customer data under
section 702 Downstream, we carefully review every request we receive
under FISA regulations in accordance with the guidelines described below
to ensure that you comply with all applicable legal requirements and policies
of Google".
TWENTY-FIFTH: As stated in your response of 12/10/2020, in response to
requirement of this Agency, Google declares that if any government requested
access personal data stored in Google systems in the course of
an investigation, a dedicated team of Google lawyers and staff
specially trained person will carefully review the application to verify that it is
legal, proportionate and that complies with Google policies.
Google states that Google's infrastructure is not designed for, and does not give the
United States government or any other government "back door" access to
customer data or to its servers that store customer data. Besides,
Google states that it uses strong technical measures (such as encryption) to
protect against interception in transit, including surveillance attempts
government authorities around the world.
Google declares that Google Analytics uses the HTTP Strict protocol by default
Transport Security (HSTS), which tells browsers that they support HTTP over
SSL (HTTPS) that use that encryption protocol for all
communications between end users, websites and Google servers
Analytics.
Google states that it protects service-to-service communications at the
applications through a system of mutual authentication and encryption of
Google states that after a handshake protocol between the client and the
server completes and the client and server negotiate cryptographic secrets
required to encrypt and authenticate network traffic, AL TS ensures
RPC (Remote Procedure Call) traffic forcing integrity, and encryption
optional, using negotiated shared secrets. Google supports multiple
protocols to ensure integrity, for example, AES-GMAC (Advanced
Encryption Standard) with 128-bit keys. Whenever traffic leaves a
physical border controlled by or on behalf of Google, for example, in transit through
of WAN (Wide Area Network) between data centers, all protocols are
automatically update to provide encryption as well as security guarantees.
integrity.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/29
Google states that it encrypts Google Analytics data that is stored at rest
in your data centers using the advanced encryption standard. Each center of
data is protected with six layers of physical security designed to prevent
Unauthorized access.
"At rest" encryption in this section means the encryption used to
protect user data that is stored on a disk (including hard drives
solid-state drive) or backup media. All user data is
encrypt at the storage level, typically using the encryption standard
advanced (AES256). Data is typically encrypted at multiple levels in the stack.
Google production storage in data centers, including at the level of
hardware, with no action required by Google customers.
Google states that it uses common cryptographic libraries that incorporate the
Google FIPS 140-2 validated module, to implement encryption in a way
consistent across all products. Consistent use of common libraries
means that only a small team of cryptographers need to implement and maintain
this code closely controlled and reviewed.
Google states that it builds dedicated servers for its data centers and
maintains an industry-leading security team to ensure that
Google data is among the most secure in the world. The centers of
Google production data is protected by multiple layers of security to
prevent any unauthorized access to data.
Google declares that it limits access to personal data for advertising and analysis of
Google to Google people who need them to do their jobs.
Google states that customers who use Google Analytics can activate the
IP anonymization to tell Google to anonymize all IP addresses
immediately after they are collected. If activated, at no time will
writes the full IP address to disk, since all anonymization occurs
in memory almost instantly after receiving the request.
Google declares that to the extent that Google Analytics data for the
measurements transferred by customers are personal data, they would have to be
considered pseudonyms. Google Analytics Terms of Service
order that no data that Google can use or recognize be transferred to Google
as personally identifiable information (PII).
Google has obtained ISO 27001 certification and will allow customers or an auditor
third party designated by a client to perform audits (including inspections) to
verify compliance with Google's obligations.
TWENTY-SIXTH: As of February 3, 2021, at the link ***URL.1 in the policy
privacy of EDREAMS stated that:
“[…]
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/29
V. Marketing activities. We use your information for marketing purposes, including
others:
[…]
II. Information we collect automatically when you use our services.
to. Information about your device (for example, your IP address, browser type,
Internet service providers, geographic location, information
technique of the device, the time and duration of the request and the visit and the method
used to send your request to the server). When you visit our websites or
our app, we automatically collect certain information from your device.
Please note that we may associate this information with your account.
b. Other technical information, for example how your device has interacted with
our website or our app (for example, the pages you have accessed, the
links you have clicked, etc.) or other means.
[…]
If you register on our website with a social network account, you link the account
that you use on our website with your social network account or use any other
our social media features, we may access information about you through
of such social media provider, in accordance with such provider's policies.
The information may include your name, email address, profile photo, gender, list
from friends and any other information that you authorize us to receive.
Some of this information may be collected through cookies or technology.
similar tracking. The processing of information collected through cookies is
based on different legal grounds (for example, it may be necessary to
provide our services based on your consent). to get more
information, consult our Cookies Policy.
[…]
III. International data transfers. Our servers are located in the
European Union. However, to facilitate our global operations
(carried out by external service providers) the transmission of personal data
to the recipients described above may include international transfers
of personal data to countries whose data protection regulations are not as
complete as that of the countries within the European Union. In this situations,
As required, we make contractual arrangements to ensure that your data
personal data continue to be protected in accordance with European standards.
[…]”
TWENTY-SEVENTH: As of February 3, 2021, in the url ***URL.10 it was stated that
(unofficial translation, in English in the original):
“Google Ads Data Processing Terms: Model Contract Clauses
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/29
Standard Contractual Clauses (Processors)
For the transfer of personal data to third party processors
countries that do not ensure an adequate level of data protection
Name of the organization exporting the data: the entity identified as the
“Client” in the Data Processing Terms (the data exporter)
and
Name of the organization importing the data: Google LLC, 1600 Amphitheater
Parkway, Mountain View, California 94043 USA (the data importer)
[…]
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and
will be carried out in accordance with the relevant provisions of the legislation of
applicable data protection (and, where applicable, has been notified to the authorities
relevant to the Member State where the data exporter is established) and not
violates the relevant provisions of that State;
(b) that you have instructed and for the duration of the data processing services
personal data will instruct the data importer to process the personal data
transferred only at the expense of the data exporter and in accordance with the legislation of
applicable data protection and Clauses;
(c) that the data importer will provide sufficient guarantees regarding the security measures
technical and organizational security specified in Appendix 2 of this contract;
(d) that after analyzing the requirements of data protection legislation
applicable, security measures are adequate to protect the data
personal property against accidental or unlawful destruction or accidental loss, alteration,
unauthorized disclosure or access, in particular if the processing involves the transmission
of data over a network, and against all other forms of illicit processing, and that these
measures ensure a level of security appropriate to the risks presented by the
treatment and the nature of the data to be protected taking into account the state of the
art and the cost of its implementation;
[…]
Clause 5
Obligations of the data importer
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/29
The data importer agrees and warrants:
(a) process personal data only on behalf of the data exporter and in
compliance with your instructions and the Clauses; if I could not comply for any
reason, you agree to duly inform the data exporter of your inability to
fulfill, in which cso the data exporter can suspend the transfer of the
data and/or finalize the contract;
(b) that you have no reason to believe that applicable law prevents you from complying with
the instructions received from the data exporter and its obligations under the contract
and that in the event of a change in this legislation which is likely to have a
substantial adverse effect on the guarantees and obligations established by the
Clauses, will immediately notify the data exporter of the change as soon as
as it becomes aware of, in which case the data exporter may suspend the
transfer of data and/or terminate the contract;
(c) that has implemented technical and organizational security measures
specified in Appendix 2 before processing the transferred personal data;
(d) that it will immediately notify the data exporter of:
(i) any legally binding request for disclosure of personal data by
part of a law enforcement authority unless prohibited,
as a prohibition under […]
[…]
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the authority
of supervision if this request or deposit would be mandatory under the legislation of
applicable data protection.
2. The parties agree that the supervisory authority has the right to carry out
an audit of the data importer, and any sub-processor, who has the
same scope and is subject to the same conditions that would apply to an audit
of the data exporter under applicable data protection legislation.
[…]
Appendix 2 to the Standard Contractual Clauses
This Appendix is part of the Clauses.
Description of the technical and organizational security measures implemented by
the data importer in accordance with Clauses 4(c) and 5(c) (or
attached document/legislation):
The data importer currently complies with Security Measures
established in Appendix 2 of the Data Processing Terms in ***URL.11.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/29
[…]”
TWENTY-EIGHTH: As of February 3, 2021, the url ***URL.12 contained:
“Conditions for the processing of Google Ads data
Google and the counterparty that accepts these Terms (the "Customer"), have
entered into a contract for the provision of the Services of the person in charge of the
treatment (as amended from time to time, the "Contract")
These Conditions for the processing of data from Google ads, (the
"Conditions of data processing") are entered into by Google and the Client and
complement the Contract.
[…]
Introduction
These Data Processing Conditions reflect the agreement of the parties
on the conditions governing the processing of certain personal data in
relationship with European data protection legislation and certain
Non-European data protection legislation.
Definitions and interpretation
[…]
"European or National Laws": as applicable: (a) the laws of the EU or its
Member States (if the EU GDPR applies to the processing of Personal Data of the
Customer); and/or (b) the law of the United Kingdom or a part of the United Kingdom (if the GDPR of
United Kingdom applies to the processing of Customer Personal Data).
[…]
"Google": the Google Entity that is a party to the Agreement.
"Google subsidiaries data processors" has the meaning
given in Section 11.1 (Consent for Hiring of the
Sub-processor of data processing).
"Google Entity": Google LLC (formerly known as Google Inc.), Google
Ireland Limited or any other Affiliate of Google LLC.
[…]
5. Data processing
5.1 Roles and regulatory compliance; authorization.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/29
5.1.1 Responsibilities of the person in charge of the treatment and of the person responsible for the
treatment. The parties acknowledge and agree that:
(a) Appendix 1 describes the purpose and details of the processing of the Data
client's personal
(b) Google is a processor of Customer Personal Data with
in accordance with European data protection legislation;
(c) The Client is a data controller or processor, according to
applicable, of Personal Data of the client in accordance with the European Legislation of
Data Protection; and
(d) each party will comply with its obligations under the
European data protection legislation regarding the processing of Data
client's personal
[…]
5.2. Client instructions. By celebrating these Conditions of the processing of
data, the Client instructs Google to process the Data
personal data of the client only in accordance with applicable legislation: (a)for
provide the Processor Services and any technical support
related; (b) as further specified through Customer's use of
the Processor Services (including configuration and other
functionalities of the Data Processor Services) and any support
related technical; (c) as documented by the Contract, including the
these Data Processing Conditions; and (d) as documented in
other instructions provided in writing by the Client and acknowledged by Google
as constitutive instructions for the purposes of these Conditions of the
data treatment.
5.3. Compliance with instructions by Google. Google will comply with the
instructions described in Section 5.2 (Customer Instructions) (including
relating to data transfers), unless European or National Laws
which Google is subject to requires other processing of personal data by
Google, in which case Google will inform the Customer (unless any of such
laws prohibit Google from doing so for important reasons of public interest).
[…]
10. Data transfers
10.1 Data storage and processing facilities. The Client accepts that
Google, without prejudice to Section 10.2 (Data Transfers), stores and performs
the processing of Customer Personal Data in any country in which Google or
any of its Subprocessors maintain facilities.
10.2 Data Transfers. If the storage and/or processing of the Data
Customer's personal data involves transfers of Customer's Personal Data from the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/29
EEA, Switzerland or the United Kingdom to any third country that is not subject to a
adequacy decision under European data protection legislation:
(a) The client (as data exporter) will be deemed to have signed the Clauses
Type Contractual with Google LLC (as data importer);
(b) transfers will be subject to the Standard Contractual Clauses;
and
(c) Google will ensure that Google LLC fulfills its obligations under
said Standard Contractual Clauses with respect to said transfers.
[…]
11. Subprocessors of data processing.
11.1 Consent for hiring the Subprocessor of data processing.
The Client specifically authorizes the contracting of Google affiliates as
Subprocessors of data processing ("Subprocessors of data processing of
Google affiliates"). In addition, Customer generally authorizes the hiring of other
third parties as Subprocessors of the data processing ("Subprocessors of the data").
processing of third party data"). If the Standard Contractual Clauses are applied in
Under Section 10.2 (Data Transfers), the above authorizations
constitute the Client's prior written consent to subcontracting by
part of Google LLC of the processing of the Customer's Personal Data.
[…]
TWENTY-NINTH: As of February 3, 2021, the url ***URL.8 contained:
“[…]
Requests from US government agencies in cases involving
National security
In investigations related to national security, the U.S. government
You can use a National Security Letter (NSL) or one of the authorizations
granted under the Foreign Intelligence Surveillance Act (FISA) to
force Google to provide user information.
An NSL does not require judicial authorization and can only be used to force us to
provide limited subscriber information.
FISA Orders and Authorizations Can Be Used to Compel Surveillance
electronic and disclosure of stored data, including the content of services
like Gmail, Drive and Photos.”
[…]” (unofficial translation, in English in the original)
THIRTYTH: As of February 3, 2021, the url ***URL.13 contained:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/29
“[…]
Basic concepts about personally identifiable information in contracts and
Google policies.
In many contracts, terms of service, and advertising product policies and
Google measurement is referred to as "personally identifiable information" (PII).
This is a categorization of data different from what the General Regulations of
Data Protection (GDPR) considers "personal data".
Please note that although Google does not identify certain data as information
personally identifiable, it is possible that the GDPR does or that data may be
considered personal information in accordance with the Privacy Law of the
California Consumer Protection Act (CCPA), and may be subject to those laws.
[…]
Google considers "personally identifiable information" information that can be
used alone to accurately identify or locate a person, or to contact
in contact with her directly. Among other information, it includes the following:
• Email addresses
• Postal mailing addresses
• Telephone numbers
• Precise locations (for example, GPS coordinates, except where specified)
mentioned below)
• Full names (first and last names) or usernames.
[…]
Among others, Google does not consider the following personally identifiable information:
data:
• Pseudonymous cookie IDs
• Pseudonymous advertising IDs
• IP addresses
• Other pseudonymous end-user identifiers
For example, if an IP address is sent with an advertisement request (something that
It happens with almost all ad requests as a result of the
Internet protocols), such shipment will not violate any prohibition related to the
sending personally identifiable information to Google.
Please note that although Google does not identify certain data as information
personally identifiable information, the GDPR, CCPA or other privacy laws may
consider them personal data or personal information.
[…]”
THIRTY-FIRST: As of February 1, 2021, after visiting the website ***URL.1 while
logged into a Google test account, was reflected in the section
“Activity on the Web and Applications” the visit made to said website.
THIRTY-SECOND: On February 17, 2021, after deleting cookies, it is confirmed that
that:
1. After logging in to a Google account, they are installed on the
browser cookies like NID, LSID, SID, __Secure-3PSID, __Secure-3PAPISID all
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/29
They are more than 30 alphanumeric characters where capital letters and
lowercase letters and an expiration period from 6 months to several years. They do not appear
cookies like _ga, _gid installed.
2. Being logged into the Google account and after visiting ***URL.1, rejecting
all your cookies and perform a navigation corresponding to a search for a
rental car from Madrid-Airport to Málaga-Airport with start date
of the rental on 02/25/2021 and end date on 02/28/2021 it is verified that they are installed
cookies _ga, _gid among others. It is also verified that there is a request
HTTP GET to the domain google-analytics.com in whose parameters within the url of the
request includes, among others, data such as:
to. the _ga cookie inside the cid parameter and the _gid cookie.
b. the url visited (***URL.14) and, among other data, the operation carried out within
the same, coded as:
“pickupDateTime”: “2021-02-25”
“returnDateTime”: “2021-02-28”
“pickupName”: “%3DMadrid%2520-%2520Airport”
“returnName”: “%3DM%25C3%25A1laga%2520-%2520Airport”
c. the “sr” parameter.
3. That the HTTP GET headers also contain data such as “user-
agent” and “accept-language”.
THIRTY-THIRD: On March 4, 2021, it is verified that, after logging in
in a Google account, followed by a logout and then followed by a
navigation in ***URL.1 corresponding to a flight plus hotel search from the 19th to
March 21 and selecting Madrid as origin and destination Malaga:
1. There is an HTTP POST request to the google-analytics.com domain where
sends data as payload, among others:
“***URL.1”
“sr=1920x1080”
the “cid” parameter that matches the value of the _ga cookie
the _gid parameter that matches the value of the _gid cookie
the date of departure and return, as well as the city of departure and arrival.
2. That the HTTP POST headers also contain data such as “user-
agent” and “accept-language”.
THIRTY-FOURTH: On June 23, 2021, it is verified that, after logging in to
a Google account, then browse the web ***URL.1:
1. Which consists of an HTTP GET request to the domain adservice.google.com where
sends as parameter u1 the same value as the content in the _ga cookie as well as
the “user-agent” and “accept-language” parameters. That in this same HTTP request
GET also sends the NID cookie.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/29
It is verified, on different dates, that the domain 18oogle-analytics.com as well as
several IP addresses corresponding to that domain are assigned to GOOGLE
LLC
THIRTY-FIFTH: As stated in your letter of May 12, 2021, the figure
total users in the period from April 1, 2020 to March 31, 2021
the website ***URL.1 as well as other versions of the page aimed at others
countries is, for example, in the German market 1,623,842 visits, in the Spanish
13,344,019 visits and in the French market 12,682,624 visits. And the number of users
total in the period described is 72,648,400 visits.
THIRTY-SIXTH: As stated in your letter of May 12, 20212, the version
that EDREAMS used was Google Analytics 360, since July 2012.
THIRTY-SEVENTH: As stated in your letter of May 28, 2021, the
EDREAMS establishments in which they process personal data in the context of the
present claim are Germany, Spain, France, Italy, United Kingdom.
THIRTY-EIGHTH: As stated in your letter of May 28, 2021, (…).
THIRTY-NINTH: On October 27, 2021, it is confirmed that in the plenary session of the
European Data Protection Committee dated September 2, 2020, it was decided
create a working group to ensure a coherent approach between the
European data authorities to handle the 101 NOYB complaints, which
deal with similar issues (whoever claims has visited a website of a
controller while you were logged in to your Google account or
Facebook, linked to your email address. And the person responsible for
treatment had embedded code from Google or Facebook services, which had
transferred your personal data to the United States, without having a legal basis for it).
FORTIETH: According to the diligence of October 27, 2021, GOOGLE LLC sent
to the Austrian data protection authority a document dated April 9,
2021, which shares it with the rest of the authorities through the Working Group
for NOYB's 101 claims in the context of the CJEU ruling
Schrems II (“101 taskforce”, hereinafter, task force TF101). In the document
in question includes the following information and statements (its translation is not
English official):
(…).
FORTY-FIRST: As of November 2, 2021, the website ***URL.1 is
Also available for the following EEA countries: Czech Republic, France,
Italy, Romania, Germany, Greece, Holland, Poland, Hungary, Portugal.
FORTY-SECOND: As of November 2, 2021, at url ***URL.15
The existence of requests for FISA (Foreign Intelligence
Surveillance Act) and NSL (National Security Letters) addressed to GOOGLE regarding
user information.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/29
FORTY-THIRD: On March 24 and 25, 2022, in the description of
Google Analytics located at the URLs ***URL.16 and ***URL.17 included, among other things,
information, that the _ga and _gid cookies were used to distinguish users and that the
“sr” parameter referred to the screen resolution.
And that, by executing tracert commands towards multiple IP addresses
assigned to GOOGLE LLC in relation to the domain google-analytics.com, the times
RTT are too low for said destination IPs to be geographically located
in United States.
THIRD: On August 30, 2023, the appellant has presented
appeal for reconsideration before this Agency, basing it, basically, on the fact that
defenseless, with infringement of the right of defense, with a denial
unjustified trial period. Furthermore, it considers that the sanctioning resolution
is incongruent and lacks the necessary motivation, and that the sanction imposed has
illegal effects and impossible content. Finally, the lack of purpose is alleged
of the sanctioning procedure and the subjective element and guilt.
FOUNDATIONS OF LAW
Yo
Competence
The Director of the Spanish Agency is competent to resolve this appeal.
of Data Protection, in accordance with the provisions of article 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP) and article 48.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD).
II
Response to the allegations presented in the appeal for reconsideration
In relation to the allegations made by the appellant in the appeal for
replacement, we proceed to respond to them according to the order set forth by
EDREAMS:
“FIRST.- Helplessness. Violation of the right of defense. Unjustified denial
of the probationary period.”
According to EDREAMS, this Agency has made EDREAMS defenseless by delaying
unjustifiably access to the File, by unjustifiably limiting the deadlines for
extension for the presentation of allegations and, even more so, by not agreeing to this AEPD
the opening of the trial period expressly requested by EDREAMS in several
occasions.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/29
Next, we proceed to give a due response to these arguments. With respect to
rejection of the request for evidence formulated by EDREAMS, it ignores in its
approach the provisions of point 10 of the “Terms of Data Processing
of Google Ads”, according to which the controller has agreed that Google
can store and process personal data of the client (in this case, data
of the complaining party) in any country in which Google or any of
its subprocessors maintain facilities. When
collects this information, it is transmitted to Google Analytics servers.
Specifically, the document in the file sent by Google LLC with
date April 9, 2021, in the last paragraph to the answer to question 8, Google
declares that all data collected through Google Analytics is hosted
in the U.S. Therefore, the data collected on the website «***URL.1» to
through Google Analytics are transferred to the United States.
Documentally accredited the international transfer of personal data to the
United States, it was not necessary to carry out technical proof of a fact that has been
recognized by Google, and is that, ultimately, all the data processed by
Google Analytics are hosted in the USA in accordance with the provisions of the
article 77.3 of the LPACAP, “the instructor of the procedure may only reject the
evidence proposed by the interested parties when they are manifestly inappropriate
or unnecessary, through a reasoned resolution”, in this way, a
“omnimode” right to the taking of evidence, which EDREAMS claims, but rather
can be rejected with reasons, as was done in the resolution, in the
terms that have been reproduced again in this paragraph.
Regarding what EDREAMS calls “unjustified delay in access to the
File”, the form of delivery of the file was motivated by the impossibility
technique of making it available to EDREAMS through the electronic headquarters, due to
to the size of the document, therefore it was decided to send the copy of the file in
electronic support through messaging. It was the will of this Agency that
EDREAMS had access to the copy of the EDREAMS file as soon as possible, to
which the personnel in charge of your shipment confirmed the address by telephone to
that had to be sent to EDREAMS personnel who, at that time, included
the database of this Agency, to which the shipment was sent on December 12,
2022.
Despite the aforementioned verification, as stated in the receipt issued by the
courier company on file, on December 13, 2022, when
There were still 6 business days left until the end of the period to submit allegations,
The delivery man of the courier company could not deliver the shipment for the following reason:
cause: “Unknown recipient at the delivery address.” After this first attempt
delivery, EDREAMS was contacted again to confirm the address.
Therefore, the delay in delivering the copy of the file is due to the fact that
EDREAMS had not notified this Agency of the change of address.
On December 15, 2022, EDREAMS personnel appeared before this
Agency, when there were four business days left for the last day of submission of
allegations. The EDREAMS representation was provided with a copy of the file
in person, and the copy cannot be provided two days before, when
appeared before this Agency without proving said representation. Without a doubt, this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/29
This circumstance was also the cause of the delay in the delivery of the copy of the
proceedings.
In any case, since December 15, 2022, the day on which the
copy of the file, EDREAMS has had a fairly long period of time to
review the documents in the file; proof of this, as an example,
is constituted by the expert report that he attaches to his allegations (attached document no.
3), where in 134 pages technical issues of some of the
documents on file.
Finally, regarding what EDREAMS calls “unjustified limitation” of the
extension of the deadline to present allegations to the proposed resolution, provides
Article 32.1 of the LPACAP that “The Administration, unless otherwise provided,
may grant... an extension of the established deadlines...", so it is not
obliged to do so.” In the present case, the deadline for allegations to the initiation agreement was
extended five business days, the maximum period allowed by article 32.1 of the
LPACAP, taking into account that the initial period was ten business days, and, within the period
of allegations to the proposed resolution, two business days have been granted
additional, so it has been guaranteed that EDREAMS has a term longer than
sufficient to make allegations.
For all the above reasons, this allegation is rejected.
“SECOND.- Lack of motivation for the Sanctioning Resolution.”
In this section EDREAMS reiterates the lack of proof of the facts constituting the
infringement, without this Agency having been able to technically demonstrate that
cause international data transfers to the USA. EDREAMS considers
that the privacy settings with which you use the Google Analytics service
prevents international data transfers. Likewise, according to EDREAMS, in the
appealed resolution is sanctioned by the future prohibition of treatment, without
having carried out this risk analysis of what the risk is like today. By
Lastly, other arguments already supported in the previous sections are repeated, such as the
absence of proof in the procedure and configuration of Privacy in use
of Google Analytics by EDREAMS, which have already been the subject of a response.
In response to this allegation, first of all, it must be clarified in relation to the
assessment carried out by the Inspector who carried out in the previous actions of
investigation (page 5373 of the file) to which EDREAMS alludes in its appeal for
replacement that, regardless of whether this Agency has been able to demonstrate
Technically, international data transfers to the US occur,
These have been documented, as has been reasoned in the
response to EDREAMS' allegation in the section preceding this one, in which
refers to point 10 of the “Google Data Processing Terms
Ads”, according to which the controller has agreed that Google may
store and process customer personal data in any country in which Google or
any of its subprocessors maintain facilities and
that, specifically, the document in the file sent by Google LLC
dated April 9, 2021, in the last paragraph to the answer to question 8,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/29
Google states that all data collected through Google Analytics is
hosted in the United States.
It was already justified in the appealed resolution that the configuration of Google Analytics
used by EDREAMS on its website, without having Google Signal enabled, did not prevent the
processing of personal data. In the document dated April 9, 2021 that
GOOGLE LLC refers to the Austrian data protection authority, in which
GOOGLE LLC answers a series of questions asked by the Austrian authority
in connection with a claim substantially similar to this
procedure, and to which EDREAMS has had access since it is incorporated into the
proceedings; In point number 9 (page 5234 of the file), the following is stated:
(unofficial translation):
“In this claim, the complaining party was logged into his account
Google when visiting the specific website of the site owner. Does the implementation of
Google services (including Google Analytics) allow Google to receive
information that a specific user of a Google account has visited a
specific website? If yes, please describe how and what information
about the user's Google account is collected.
No, the implementation of Google Analytics as such does not allow Google to receive the
information that a specific Google user has visited a specific website.
Implementing Google Analytics on a website allows Google to receive the
information that a certain Google user has visited a website
specific, only if the following additional conditions are met:
(1) The user has activated activity on the Internet and in their Google account and, in addition,
you have visited the website;
(2) The user has chosen to include the activity of companies that use the
Google services;
(3) The user has activated ad personalization;
(4) and the user logs in to their Google account in the same browser while
visit the website.
If Google Signals (see our answer to question 6(ii)) is activated in that
website, Google will then be able to visit the user to said website in the activity
of the user's Google account on the Internet and applications. “
As can be seen, again by Google's own response, it is not
It is necessary to have Google Signals activated for Google to receive information from a
Google user if the four transcribed conditions are met, being a function
optional whose deactivation does not prevent Google from receiving information that a
A certain user of a Google account has visited a specific website. In the
answer 6 (ii), Google says: “Google Signals is an optional feature of Google
Analytics that, when enabled, adds supplemental reports that are based on the
data from Google users who have activated ad personalization on
your account."
On the other hand, EDREAMS regarding the collection of IP Addresses: “The
IP addresses would be anonymized at the time of collection and such anonymization,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/29
As confirmed by Google, it is produced within the European region for
users browsing from the EEA. Consequently, data that could be
potentially transferred to the USA is not personal data, but has undergone
a solid and irreversible anonymization process.” Neither Google nor EDREAMS have
accredited in any way - that the IPs are anonymized within the territory of the
European Union.
We can take as good the statements made by Google that IPs are
anonymized within the territory of the EU just as we have reproduced
previously how they treat cookies and their use to distinguish users, but,
They could be subject to treatment once collected. As an example, in
Google Analytics, according to Google's “Privacy and Data in the EU” document
(available at https://support.google.com/analytics/answer/12017362?
hl=es&ref_topic=2919631), “…IP address data is used only for
obtain the geolocation data and it is immediately discarded”, so it is
uses information that may be provided by the IP before anonymization.
EDREAMS, uses as proof that IPs are always anonymized in
territory of the European Union an email from a Google worker, therefore
that there is no technical evidence to prove it.
Consequently, in accordance with the most widely developed in the
Legal basis IV of the appealed resolution, especially in point 2,
“On the classification of the data subject to processing as personal data”,
EDREAMS carries out international transfers of personal data through
Google Analytics.
Finally, as expressed by EDREAMS, in the appealed resolution there has been no
taken into account the risk analysis of what the risk is like today. Without
However, the modification of the framework cannot be applied to this procedure
regulations on data protection that have taken place in the USA, which
has occurred after the events in question.
On the date on which the events object of the claim occurred, it was
application of the grounds of the CJEU ruling in case C-311/18 (Schrems
II), which declared Commission Implementing Decision (EU) 2016/1250 invalid,
July 12, 2016, on the adequacy of the protection conferred by the Shield of the
EU-US Privacy USA
In paragraphs 184 and 185 of this ruling it is established: “Therefore, it is evident
that neither section 702 of the FISA nor the E.O. 12333, interpreted in relation to the
PPD-28, satisfy the minimum requirements established by Union Law
with respect to the principle of proportionality, so that it cannot be considered
that surveillance programs based on these provisions be limited to what
strictly necesary.
In these circumstances, the limitations of the protection of personal data that are
derive from the domestic regulations of the United States relating to access and
use, by US authorities, of data transferred from the
Union to the United States, which the Commission assessed in the EP Decision, are not
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/29
regulated in accordance with requirements substantially equivalent to those required, in the
Union law, in Article 52, paragraph 1, second sentence, of the Charter.”
Google LLC (as importer of the data to the USA) should be qualified as
electronic communications service provider within the meaning of paragraph (b)
of point 4 of article 1881 of title 50 of the United States Code and, therefore,
Therefore, it is subject to surveillance by the US intelligence services of
in accordance with section (a) of article 1881 of title 50 of the State Code
United States ("FISA 702"). Therefore, Google LLC has the obligation to provide
personal data to the United States government when requested
pursuant to section (a) of article 1881 of title 50 of the United States Code
United States (FISA 702). As can be seen in the Transparency Report of
Google, Google LLC is regularly subject to access requests from
United States intelligence services. The report can be consulted at:
https://transparencyreport.google.com/user-data/us-national-security?hl=en
Consequently, international data transfers carried out by
EDREAMS through the Google Analytics tool at the time of the
claim did not comply with the provisions of article 44 of the RGPD, without the
application of the new adequacy decision “EU-Data Privacy Framework
“USA” can solve.
For all the above reasons, this allegation is rejected.
“THIRD.- Inconsistency of the Sanctioning Resolution. Sanction with effects
illegal and of impossible content.”
EDREAMS argues that it is incongruous that the appealed resolution does not analyze the
new US legal framework and the European Commission's Adequacy Decision
because it is not automatic nor does it apply to this procedure, but at the same time,
Precisely in the sanction that is imposed, reference is made to the current moment and to
adaptation to the applicable regulations that necessarily include the new framework
US legal and Adequacy Decision. According to EDREAMS, the sanction
generates disproportionate and unfair harm, and is illegal because they would be
prohibiting future treatments that are lawful. Finally, EDREAMS estimates that the
sanction imposed has an impossible content since it would be forcing
EDREAMS to impose and modulate a service that is not its own but that of a third party
(Google), and therefore does not fall under its sphere of control.
In response to the allegation about the new US legal framework and the new
Adequacy Decision “EU-US Data Privacy Framework.” “U.S.”, just as it is
Agency maintained in the appealed resolution and once again justified itself in the allegation
above, for the purposes of determining responsibility for the commission of the infraction, it is not
the current legal framework is applicable, but rather the legal regime in force on the date of the
facts constituting the infringement, in particular as established by the CJEU in the
judgment in case C-311,/18 (Schrems II), which declared invalid the Decision of
Commission Implementation (EU) 2016/1250 of 12 July 2016 on adequacy
of the protection conferred by the EU-US Privacy Shield. USA
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/29
Since Google LLC is required to provide personal data to the
United States Government when requested pursuant to section
(a) of section 1881 of title 50 of the United States Code (FISA 702), as
can be seen in its Transparency Report
(https://transparencyreport.google.com/user-data/us-national-security?hl=en), it is your
full application of the doctrine established by the CJEU in the aforementioned ruling.
Furthermore, in order to ensure that international data transfers
to the US comply with the GDPR, the approval of the Implementing Decision of the
Commission dated July 10, 2023, in accordance with Regulation (EU)
2016/679 of the European Parliament and of the Council on the appropriate level of
protection of personal data in the “EU-US Data Privacy Framework”,
establishes in its Annex I, “Principles of the EU-US Data Privacy Framework.
issued by the United States Department of Commerce” the following
(unofficial translation):
"2. In order to rely on the EU-US Data Privacy Framework. for
transfer personal data from the EU, an organization must
self-certify your adherence to the Principles to the Department (or your person
designated). Although the decisions of the organizations to thus enter the Framework
EU-US Privacy Policy are completely voluntary, effective compliance is
mandatory: organizations that self-certify before the Department and declare
publicly their commitment to adhere to the Principles must fully comply
with the Principles…
3. …The benefits of the EU-US Privacy Framework are insured from
the date the Department places the organization on the Framework List of
Data Privacy.”
However, at the time the resolution was issued, Google had not self-certified
its adherence to the Principles of the EU-US Data Privacy Framework. USA so
international data transfers could not be considered to be carried out with
sufficient guarantees and under the protection of the new Adequacy Decision.
The appealed resolution cannot be considered “illegal” when what it orders is
precisely compliance with current regulations, that is, adapting the activity of
data processing at the service of Google Analytics in accordance with the provisions of articles 44 and
following Regulation (EU) 2016/679 of the European Parliament and of the Council, of
April 27, 2016, in particular by cessation of the international transfer of
data until it is proven that the Google Analytics service complies with the aforementioned
provisions of the Regulation. Compliance with this mandate was not proven before
of issuing a resolution in the sanctioning procedure, without the adaptation
carried out subsequently determines the invalidity of that, on the contrary, it means that
The imposed measure has been complied with.
On the other hand, the mandate included in the appealed resolution does not have a content
impossible. Let us remember that, regardless of whether the current Clauses
Type Contractual Clauses (Google Ads and Measurement: Standard Contractual Clauses (Module 3:
Processor to Processor) consider Google Ireland as data exporter.
EDREAMS, as data controller, assumes, together with the other
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/29
conditions of contracting the services of Google LLC, the relative agreements
to data processing and the Standard Contractual Clauses that allow the data
are transferred to Google LLC, based in the United States.
Specifically, EDREAMS assumes point 10 of the “Terms of Treatment of
Google Ads Data”, so the data controller has agreed that
Google may store and process personal data of the customer (i.e. data
personal of the complaining party and of any user who visits the website in question)
in any country in which Google or any of its “subprocessors”
data processing facilities, including the USA, as declared by the
Google LLC itself in the document dated April 9, 2021.
Consequently, having contracted the services of GOOGLE, assuming its
contracting conditions, EDREAMS, as responsible for the treatment, is the one
You must take the necessary measures so that the data of those who visit your website
are treated in accordance with the GDPR.
For all the above reasons, this allegation is rejected.
“FOURTH.- Lack of purpose of the sanctioning procedure.”
In this allegation he summarizes what has already been argued in the allegations.
preceding this one: Application of the new Framework Adaptation Decision of
EU-US Data Privacy In the US, there are no international data transfers to
cannot be technically proven and due to the privacy settings of
Google Analytics selected by EDREAMS (IP anonymization and deactivation
of Google Signals). A novel argument is included: The European Committee of
Data Protection has confirmed “that all the guarantees that the
US government regulations apply to all data transfers to
"United States, regardless of the transfer mechanism used" and, in its
default, “even if the EU-US Privacy Framework were not applicable.” USA, the
European Commission and the EDPB have clearly confirmed that the Decision of
Adequacy is fully applicable to all transfers to the US.”
In response to this argument, it is worth highlighting that the adoption by the Commission of the
EU-US Data Privacy Framework Adequacy Decision. UU does not come but to
confirm that international data transfers carried out by EDREAMS
prior to the approval of that, represented a violation of the rights and
freedoms of European citizens in terms of data protection, through the
indiscriminate access to your personal data by the intelligence services of the
USA, from the moment in which the aforementioned Adequacy Decision was
justified based on the new guarantees regarding data protection
established by the U.S. These guarantees include the limitation of the
access by US intelligence services to data
of EU citizens to what is necessary and proportionate, and the
establishment of a Data Protection Appeal Court, to which
EU citizens will have access.
Well, none of these guarantees existed on the date of the events referred to.
refers to the appealed resolution, when EDREAMS, through its website, and because
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 27/29
operates in other Member States of the Union, transferred personal data of
citizens of the European Union to the USA in violation of the current regulatory framework
according to the ruling of the CJEU in case C-311/18 (Schrems II), which declared invalid
Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on
the adequacy of the protection conferred by the EU US Privacy Shield.
In this ruling, the Court considered that the requirements of national law
American, and in particular, some programs that allowed the authorities
Public authorities in the United States access personal data transferred from the
EU to the US for national security purposes, imposed limitations on the
protection of personal data that were not circumscribed in a way that
offered guarantees substantially equivalent to those required by the Law of the
Union, and that this legislation did not provide any means of judicial recourse against
the United States authorities to the data subjects.
However, EDREAMS maintains in its appeal for reconsideration the non-existence of the
infringement, and that your international data transfers to the US have complied
at all times with the legal system, even prior to the new
Adequacy Decision, through which the Commission concludes the existence of
guarantees in the US that ensure a level of protection equivalent to that of the EU for
European citizens, and considers that the questions have been answered
elucidated by the CJEU in the Schrems II ruling. This reasoning, according to which
EDREAMS defends the validity of its actions regardless of the legal framework
applicable, is completely incongruous. Furthermore, it is worth remembering that, among others
arguments, EDREAMS has defended ideas such as that the data sent is not
It was personal data, he has even questioned whether the data is sent to the US.
USA, when this has been recognized by Google itself. Consequently, it
maintains the validity of the appealed resolution and the need for the established mandate
in the same of “adapting the data processing activity to the Google service
Analytics in accordance with the provisions of articles 44 et seq. of Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016, in particular by
the cessation of international data transfer until it is proven that the service
“Google Analytics complies with the aforementioned provisions of the Regulation.” that in the
Nowadays, there are new circumstances that allow treatments previously
contrary to the RGPD, can now be compliant with it, it does not prevent attributing to
EDREAMS the responsibility in the commission of the infraction, nor does it invalidate the order
imposed, without prejudice to the fact that, having recognized the facts and foundations of the right of
the sanctioning resolution, and in accordance with the measures adopted, allows
consider that EDREAMS has complied with the measure imposed in the resolution
appealed.
Furthermore, EDREAMS has not justified that it has signed with Google,
as a data processor, the standard contractual clauses adapted to the
Decision (EU) 2021/914 of June 4, 2021 regarding contractual clauses
type for the transfer of personal data to third countries, which, together with
the guarantees contemplated in the EU-US Data Privacy Framework. USA,
would allow the international transfer of data to the USA to be considered to be in accordance with
data protection regulations.
For all the above reasons, this allegation is rejected.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/29
“FIFTH.- Lack of subjective element and guilt.”
As EDREAMS already maintained in the Briefs of Allegations, the requirement of
guilt of the subject who carries out the illicit conduct is necessary for the imposition of
an administrative sanction.
In response to this allegation, as already stated in the response to the Fourth allegation
of the replacement appeal, EDREAMS assumes point 10 of the “Terms of the
Google Ads Data Processing”, so the person responsible for the treatment has
agreed that Google may store and process customer personal data (i.e.
personal data of the complaining party and of any user who visits the website in
issue) in any country in which Google or any of its “subprocessors”
data processing facilities, including the US, regardless of whether
the Standard Contractual Clauses have been modified with respect to those in force in the
moment of the events subject to claim, attributing the status of exporter
to Google Ireland. Thus, the actions of Google LLC. adheres to what is stipulated and, therefore,
EDREAMS account, carrying out the processing of personal data
necessary for the correct provision of the service, which determines the responsibility
administrative of the person responsible for the treatment.
For all the above reasons, this allegation is rejected.
III
Conclusion
Consequently, in the present appeal for reconsideration, the appellant has not
provided new facts or legal arguments that allow reconsideration of the validity
of the contested resolution.
Considering the aforementioned precepts and others of general application, the Director of the Agency
Spanish Data Protection RESOLVES:
FIRST: DISMISS the appeal for reconsideration filed by VACATIONS
EDREAMS, S.L. against the resolution of this Spanish Agency for the Protection of
Data issued on July 26, 2023, in file EXP202306257.
SECOND: NOTIFY this resolution to VACACIONES EDREAMS, S.L.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of Law 39/2015, of 1
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/29
October, of the Common Administrative Procedure of Public Administrations
(LPACAP), interested parties may file a contentious-administrative appeal before
the Contentious-Administrative Chamber of the National Court, in accordance with the
provided in article 25 and in section 5 of the fourth additional provision of the
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within a period of two months counting from the day following notification of this act,
as provided in article 46.1 of the aforementioned Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) LPACAP, it may be
provisionally suspend the final resolution through administrative channels if the interested party
expresses its intention to file a contentious-administrative appeal. If this is
the case, the interested party must formally communicate this fact in writing
addressed to the Spanish Data Protection Agency, presenting it through the
Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or
through any of the other records provided for in art. 16.4 of the aforementioned
LPACAP. You must also transfer to the Agency the documentation that accredits the
effective filing of the contentious-administrative appeal. If the Agency did not have
knowledge of the filing of the contentious-administrative appeal within the period of
two months from the day following the notification of this resolution, it would be considered
the precautionary suspension has ended.
180-111122
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
