AP (The Netherlands) - Takeaway B.V. - z2022-04011
AP - Takeaway B.V. - z2022-04011 | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 44 GDPR, Article 46 GDPR, 50 U.S. Code § 1881a |
Type: | Complaint |
Outcome: | Upheld |
Started: | 18.08.2020 |
Decided: | 20.08.2024 |
Published: | 26.11.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Takeaway B.V. - z2022-04011 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | AP (in EN) |
Initial Contributor: | tjk |
The DPA reprimanded a food delivery company for violating Article 44 GDPR by transferring personal data of website users to the USA without any appropriate transfer instrument in place.
English Summary
Facts
The data subject, represented by noyb, filed a complaint with the Dutch DPA against the controller, the Dutch food delivery company Takeaway B.V., because it transferred the data subject’s personal data to the U.S.A without using a valid transfer mechanism pursuant to Chapter 5 GDPR.
In its investigation, the DPA found that, in the span of approximately three years, the controller used Google Analytics to track and optimise the functioning of its websites. Subsequently, the controller transferred data, such as visitors’ unique online identifiers and cookie identifiers, to the Google Analytics servers in the U.S.A.
The controller did not dispute the transfer of personal data to the United States but argued the following points:
The identity of the controller in the context of the transfer to the U.S.A
The controller argued that it only contracted with Google LLC (the processor) until 27 September 2021, and thus controlled the transfer to the U.S.A only until that date. Afterwards, the controller transferred the data to Google Ireland, and it was Google Ireland that then transferred the data, as a new controller, to Google LLC in the U.S.A.
The risk to which the data was exposed
The controller argued that FISA legislation was not applicable to Google data, which was therefore not at risk of FISA requests for information.
The applicability of an absolute test for assessing the level of protection in the United States
The controller also argued that a risk-based approach should be used when assessing the level of protection of personal data in the United States. As the controller had detected a low risk, it was of the opinion that basic security measures were adequate. This, it argued, is also provided for by Schrems II, Articles 24 and 44 GDPR and EDPB Recommendations 01/2020. Consequently, in its view, the controller's implementation of standard contractual clauses (SCCs) with the processor was sufficient, as Google had not received a FISA request for Analytics data in the past fifteen years.
Holding
The identity of the controller in the context of the transfer to the U.S.A
The DPA concluded that the controller is ultimately responsible for showing compliance with Article 5(2) GDPR. This responsibility remains even when data processing is done by a processor, or a processor of that processor under Article 28(1) GDPR. Therefore the controller was responsible for ensuring there was an adequate transfer mechanism in place, even though the transfer was done by its processor.
The risk to which the data was exposed
The DPA held that Google LLC clearly qualifies as an electronic communications services provider and as such is subject to supervision by American intelligence services as regulated in 50 U.S. Code § 1881a.
The applicability of an absolute test for assessing the level of protection in the U.S.A
The DPA mainly focused its analysis on whether Articles 24 and 44 GDPR provide for an absolute test or a risk-based approach when assessing the level of protection of personal data in a third country. The DPA held that Schrems II does not set out the requirement of a risk-based approach. It highlighted that the provisions of Articles 24 and 44 GDPR are not ambiguous and that all the required protections under Chapter V must be in place. Therefore, the DPA concluded that a risk-based approach does not apply to Chapter V of the GDPR. The DPA’s main argument is that the legislator aimed to preserve the absolute level of protection within the EU for exported data. Applying a risk-based approach would undermine that guaranteed level of protection, as risks could be underestimated.
In conclusion, the DPA held that the controller and processor did not take sufficient additional measures to prevent the ability of U.S.A intelligence services to gain access. The DPA found the use of a proxy server to exclude direct contact between website visitors and Google’s websites insufficient to rule out re-identification, considering the amount of data at Google and the capacities of the United States intelligence agencies. The controller could therefore not rely on SCCs as a transfer instrument under Article 46 GDPR.
In consequence, the DPA issued a reprimand. While it found the violation aggravating under Article 83(2)(a) GDPR, it considered the “specific situation” following the Schrems II judgment and the controller's (insufficient) attempts to increase protection through the use of a proxy server as mitigating factors under Article 83(2)(k) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Authority for Personal Data
PO Box 93374, 2509 AJ The Hague
Hoge Nieuwstraat 8, 2514 EL The Hague
T 0708888500 - F 0708888501
autoriteitpersoonsgegevens.nl
Confidential/Registered
Takeaway.com Group B.V.
Attn: the Management Board
Piet Heinkade 61
1019 GM AMSTERDAM
COURTESY TRANSLATION ONLY
Date: 20 August 2024
Our reference: z2022-04011
Contact person: [redacted]
Subject: Decision to impose a reprimand
Dear Management Board,
The Dutch Data Protection Authority (hereinafter referred to as Dutch DPA) has investigated the international transfer of personal data to the United States by Takeaway Group B.V. (hereinafter referred to as Takeaway). The Dutch DPA has established that Takeaway has transferred personal data to Google LLC in the United States in the context of the Google Analytics service. However, Takeaway did not meet the conditions applicable to international transfers of personal data in the period from 18 August 2020 to 1 September 2023, because Takeaway could not rely on one of the transfer instruments regulated in the General Data Protection Regulation during that period (hereinafter referred to as GDPR). Takeaway has thus violated Article 44 of the GDPR.
The Dutch DPA decides to take enforcement action against Takeaway, because with the international transfer of personal data to the United States, Takeaway has undermined the level of protection to be guaranteed for the personal data of data subjects. The Dutch DPA considers this is serious and therefore considers it necessary and appropriate to reprimand Takeaway for this. This decision explains the violation and the reprimand. At the end of this decision, we explain what you can do if you do not agree with the decision.
Table of contents
1. Course of the investigation
1.1. Background
1.2. Substance of the complaint
1.3. Investigation and procedure
1.4. Developments after the investigation
2. Assessment
2.1. Processing responsibility
2.2. Personal data and processing
2.3. Cross-border processing and the competence of the Dutch DPA
2.4. Transfer of personal data to the United States
2.4.1. Investigation report
2.4.2. Safeguards put in place after the investigation
2.4.3. Responsibility for international transfers
2.4.4. Applicability of FISA legislation to Google and Analytics data
2.4.5. Risk-based approach
2.4.6. Additional measures
3. Violation
4. Enforcement measure to be imposed
5. Decision
1. Course of the investigation
1.1. Background
1. On 18 August 2020, the Dutch DPA received a complaint filed by non-profit organization noyb (none of your business; European Centre for Digital Rights) on behalf of Mr from Austria (hereinafter referred to as the complainant). The complaint forms part of a series of complaints that noyb has filed with various European data protection agencies. The complainant's complaint is against the use of Google Analytics (hereinafter referred to as Analytics) on the websites of Takeaway, such as «www.thuisbezorgd.nl».
2. The complaint boils down to the fact that personal data is transferred to the United States in the context of the Analytics service without using a valid transfer mechanism referred to in Chapter 5 of the GDPR.
1.2. Substance of the complaint
3. The complaint states that the complainant visited the website «www.thuisbezorgd.nl» on 17 August 2020. Takeaway has embedded HTML/JavaScript code for Google services on this website, including Analytics. Their use is subject to the Analytics Conditions of Service. Both those conditions and the associated conditions for data processing of Google Ads state that Google LLC is the processor and Takeaway is the controller. The conditions further state that Google, as a processor, stores and processes personal data in the United States.
4. The HAR file sent with the complaint states that personal data was processed and transferred to Google during the complainant's visit to the Takeaway website, including, in any case, the complainant's IP address and cookie data. According to the complainant, his personal data have therefore been transferred and stored in the United States.
5.
Under the GDPR, international transfers of personal data must rely on one of the instruments listed in Chapter V of the GDPR. The complainant points out that the Court of Justice of the European Union (hereinafter referred to as the Court) invalidated the adequacy decision taken for the United States (“EU-U.S. Privacy Shield”) by judgment of 16 July 2020, so the transfer can no longer rely on that instrument at the time of filing the complaint.
6. Furthermore, the complainant points out that the transfer to a third country cannot rely on the instrument of standard provisions if the country of destination does not provide adequate protection for the personal data transferred under EU law. In the aforementioned judgment, the Court explicitly established that transfers to American companies that fall under § 50 U.S. Code 1881(4)(b), violate not only the relevant articles of Chapter V of the GDPR, but also Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. According to the complainant, Google should be regarded as a company that falls under the aforementioned provision and is therefore subject to supervision by American intelligence services. According to the complainant, Takeaway is therefore unable to guarantee an adequate level of personal data protection for the data transferred to Google in the United States.
7. The complainant concludes that the transfer by Takeaway violates Chapter V of the GDPR.
1.3. Investigation and proceeding
8. The Dutch DPA has seen reason to start a broader investigation into the use of Analytics and the transfer of personal data of Takeaway website visitors. The supervisory authorities' findings were set out in an investigation report dated 7 April 2022.
[1] Judgment of the Court of 16 July 2020 in case C-311/18 (ECLI:EU:C:Schrems.I,
9. Takeaway was given the opportunity to comment on the report and took advantage of that opportunity by letter dated 15 August 2022. On Tuesday 8 November 2022, Takeaway explained its view verbally. After the opinion hearing, the Dutch DPA asked further questions on 5 December 2022, which Takeaway answered on 6 January 2023. Takeaway also provided an additional opinion.
1.4. Developments after the investigation
10.
On 25 March 2022, the European Commission and the United States announced they had reached an agreement in principle on a new Transatlantic Data Privacy Framework. The agreements contained herein form the basis for further legal measures regarding the protection of personal data in data traffic between the European Union and the United States. Following the agreement in principle, the European Commission made another adequacy decision for the United States on 10 July 2023, referred to as “EU-U.S. Data Privacy Framework” (hereinafter referred to as DPF). From that date, personal data can be transferred to parties in the United States that have committed to the DPF through so-called self-certification.
11. In response to questions from the Dutch DPA, Google LLC stated in a letter dated 21 August 2023 that it intends to base the international transfer of personal data from the European Union to the United States on the DPF with effect from 1 September 2023. Since Google LLC has remained registered as a certified participant of the “EU-U.S. Privacy Shield”, and participants thereof are automatically brought under the operation of the DPF, no additional (self) certification is required, according to Google LLC.
12. In view of the foregoing, what has been considered in this decision relates to the period from 18 August 2020 (the day on which the investigation started) to 1 September 2023 (the day on which the transfer is again based on a valid adequacy decision).
13. At the time of the investigation, Takeaway used Google Analytics 3 (Universal Analytics). This version is no longer available and has been replaced with Google Analytics 4. The information in this decision only concerns Google Analytics 3. The Dutch DPA has not conducted any investigation into Google Analytics 4.
2. Assessment
14. This section discusses the findings as they follow from the investigation report, Takeaway’s opinion of 14 August 2022 (hereinafter referred to as the opinion), the opinion hearing and the supplementary opinion of 6 January 2023 (hereinafter referred to as the supplementary opinion).
2.1. Processing responsibility
Investigation report
15.
It follows from sections 2.1 and 2.2 of the investigation report that Takeaway uses Analytics to monitor, evaluate and optimise the use and functioning of its websites. To this end, Takeaway has implemented a JavaScript code, which is executed on the visitor’s device when he or she visits the website. Implementing this code is a requirement to use Analytics and requires an active action from Takeaway. In the investigation report, Takeaway has been designated as the controller, because it has been established that Takeaway decides on the purpose of the processing and the means for this.
Takeaway’s opinion
16. Takeaway has substantively disputed in its opinion that it is the controller of a number of the websites mentioned in the investigation report. During the opinion hearing it was established that Takeaway is in any case responsible for the websites «www.thuisbezorgd.nl» (the Netherlands), «www.just-eat.dk» (Denmark), «www.just-eat.fr» (France), «www.lieferando.at» (Austria), «www.lieferando.de» (Germany), «www.pyszne.pl» (Poland), «www.takeaway.com/be» (Belgium), «www.takeaway.com/bg» (Bulgaria) and «www.takeaway.com/lu» (Luxembourg).
Assessment and conclusion
17. The Dutch DPA notes that Takeaway is responsible for processing personal data to gain insight into the use and functioning of its websites via Analytics. In view of Takeaway’s arguments, this only concerns the websites listed in marginal 16.
2.2. Personal data and processing
Investigation report
18. Section 2.2 of the investigation report determines which categories of personal data have been transferred by Takeaway to the United States. This determination is based on the information submitted with the complaint discussed in section 1.2 (HAR file) on the one hand and on the findings of supervisory authorities of the Dutch DPA itself on the other. The transfer concerns at least the following categories of personal data:
1. information about the browser used by the visitor, operating system, referrer and language;
2. tracking ID;
3. screen resolution information;
4. ██████;
5. ████████████████████████████████████.
Takeaway’s opinion
19.
Takeaway has not disputed the findings about the processed personal data. In response to questions that arose during the opinion hearing, Takeaway has drawn up an additional document that lists additional categories of personal data transferred to the United States by Takeaway. This document includes (but is not limited to) the following data:
6. ██████████████████████████████████████████████;
7. █████████████████████████████████████████████████████ ███████████████████;
8. ████████████████████████████████████████████;
9. ████████████████████████████████████████████;
10. █████████████████████████████████████████████████████ ██████████.
Assessment and conclusion
20. In the opinion of the Dutch DPA, the data stated in the investigation report and in the document drawn up by Takeaway qualifies as personal data within the meaning of Article 4, opening words and (1) of the GDPR. The Dutch DPA takes the following into account.
Legal framework
21. “Personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person (compare Article 4, opening words and (1) of the GDPR).
22. In its judgment of 4 May 2023 (ECLI:EU:C:2023:369; F.F./Österreichische Datenschutzbehörde and CRIF GmbH), the Court considered that the use of the words “all information” in the definition of the concept of “personal data” indicates that it was the intention of the EU legislator to give a broad interpretation to this concept. The meaning is not limited to sensitive or personal information, but potentially extends to any type of information, both objective and subjective such as opinions or assessments. The only condition is that this information “concerns” the data subject. This condition is met when that information is linked to a specific person because of its content, purpose or effect, according to the Court.
23.
According to recital 26 of the GDPR, when determining whether a natural person is identifiable, account should be taken of all means which could reasonably be expected to be used by the controller or by another person to directly or indirectly identify the natural person, for example, selection techniques (in the English text of the GDPR referred to as singling out). To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The qualification of a piece of data as personal data within the meaning of the GDPR does not require that all information from which the data subject can be identified be held by one and the same person (judgment of the Court of 7 March 2024; ECLI:EU:C:2024:214; IAB Europe).
24. According to recital 30 of the GDPR, natural persons may be linked to online identifiers through their device, applications, instruments and protocols, such as (IP) addresses and identification cookies. This may leave traces that, in particular when combined with unique identifiers and other information received by the servers, can be used to create profiles of natural persons and recognise natural persons.
General qualification by controller
25. In its role as controller, Takeaway endorses that the data stated in margins 18 and 19 qualifies as personal data. A different view would also be inconsistent with the processing agreements that Takeaway has concluded with Google for the use of Analytics. After all, these agreements would not be necessary if no personal data was processed.
With regard to the data stated in the report
26.
It must be assumed that the aforementioned data is associated with a specific person due to its content. Although some of the data contains information about the device used (information about the browser, operating system and screen resolution), this cannot lead to the conclusion that this data relates exclusively to that device and therefore not to a person. After all, this would ignore the fact that this information concerns the person who used the device. If the device and the user were separated, the data listed in margin 18 would always be non-personal. Such a view would lead to an overly limited meaning of the concept of “personal data”, especially since the Court has considered that the intention of the Union legislator was to give a broad meaning to this concept. It also follows from recital 30, stated in margin 24, that the legislator did not have this in mind.
27. As stated in margin 22, it follows from the case law mentioned there that information is personal data if it is linked to a specific person due to its content, purpose or effect. As the previous section concluded that the categories of personal data are already linked to a specific person because of their content, [2] the Dutch DPA will ignore the question of whether this is also the case because of the purpose or effect.
28. The Dutch DPA further notes that the data stated in margin 18 makes the persons concerned identifiable. The data includes unique online identifiers such as █████████████ and cookie identifiers such as the tracking ID and ██████. By their nature, these identifiers serve to distinguish visitors to a website from each other (singling out, in Dutch “selection techniques”) and, for example, to recognise if it is a new or a returning visitor. In accordance with the decision of the European Data Protection Supervisor (hereinafter referred to as the EDPS) of 5 January 2022 [3] and the decision of the Austrian supervisory authority (hereinafter referred to as DSB) of 22 December 2021, [4] the Dutch DPA considers unique identifiers in cookies such as those of Analytics as personal data, even if the actual identity of the user in question is unknown.
[2] Within the same meaning, compare Opinion 4/2007 on the concept of personal data of the Article 29 Data Protection Working Party, p. 10-11.
29.
The position of the Dutch DPA is that when distinguishing (singling out) between different visitors by means of unique identifying data, that data in itself constitutes personal data, which is consistent with views in the literature. It states that because the GDPR attempts to limit the risks for data subjects, singling out should be sufficient to call it personal data. [5] The reasoning is that the risks of large-scale data collection are not reduced because no name can be linked to a unique online identifier. Therefore, data that facilitates singling out should be regarded as personal data.
30. Lastly, the view that unique identifiers for selection techniques constitute personal data is in line with the rationale of the GDPR and the broad interpretation of the material scope of the GDPR in case law. [6] For example, recital 10 of the GDPR states that a high level of protection is desirable. The Court has always confirmed this in its case law. [7] Furthermore, according to the Court, the GDPR must be interpreted in the light of the Charter, in which the right to respect for privacy and the right to the protection of personal data are laid down in Articles 7 and 8. According to settled case law of the Court, the exceptions and limitations to the protection of personal data must remain within the limits of what is strictly necessary. [8]
31. In conclusion, all unique identifiers that can be used to distinguish users should be considered, treated and protected as personal data. [9]
With regard to the information stated in the document drawn up by Takeaway
32. As mentioned, after the opinion hearing, Takeaway prepared an additional document, stating which data is passed on to Google. This includes data that falls outside the regular data collected by Analytics (so called custom metrics). This data includes information about █████████████████████████ █████████████████████████████████████████████████████████. It requires no further explanation that data about ███████████████████████████ is related to an identifiable person according to their content, effect and purpose and is therefore personal data within the meaning of Article 4, opening words and (1) of the GDPR.
[3] EDPS decision of 5 January 2022 in case 2020-1013, p. 13.
[4] Decision of the French supervisory authority (CNIL) of 22 December 2021, p. 4 (the decision can be consulted at <https://www.cnil.fr/sites/cnil/files/atoms/files/decision_ordering_to_comply_anonymised_-_google_analytics.pdf>).
[5] Frederik J. Zuiderveen Borgesius, ‘Singling out people without knowing their names’, Computer Law & Security Review 32 (2016), p. 267-269.
[6] Judgments of the Court of Justice of 20 May 2003 in case no. C-465/00 (ECLI:EU:C:2003:294; Österreichischer Rundfunk et al.; preamble 43), 6 November 2003 in case no. C-101/01 (ECLI:EU:C:2003:596; Lindqvist, preamble 88), 7 May 2009 in case no. C-553/07 (ECLI:EU:C:2009:293; Rijkeboer, preamble 59), 20 December 2017 in case no. C-434/16 (ECLI:EU:C:2017:994; Nowak, preamble 33) and 22 June 2021 in case no. C-439/19 (ECLI:EU:C:2021:504; Latvijas Republikas Saeima, preamble 61).
[7] Judgment of the Court of Justice of 16 December 2008 in case no. C-524/06 (ECLI:EU:C:2008:724, preamble 50) and 13 May 2014 in case no. C-131/12 (ECLI:EU:C:2014:31 Google/Spain, preamble 66).
[8] Judgment of the Court of Justice of 7 November 2013 in case no. C-473/12 (ECLI:EU:C:2013:715; Institut professionnel des agents immobilier; preamble 39).
[9] Compare p. 13 of the EDPS decision of 5 January 2022 in case no. 2020-1013.
33. Furthermore, as a result of this latter conclusion, the unique identifiers and device data discussed above are data relating to an identifiable individual, even if what has been considered about selection techniques is ignored.
Conclusion
34. The data stated in margins 18 and 19 is, individually or in conjunction with each other, personal data within the meaning of Article 4, opening words and (1) of the GDPR. The collection, disclosure by transmission, retention and use thereof constitutes processing within the meaning of Article 4, opening words and (2) of the GDPR.
2.3. Cross-border processing and the competence of the Dutch DPA
Investigation report
35.
Section 3.2.2 of the investigation report states that Takeaway focuses on the market of several member states of the European Union (compare margin 16 of this decision) and, in addition to its main establishment in the Netherlands, has establishments in Belgium, Germany, Poland, Bulgaria and Romania. Analytics is also used for websites in other Member States. The report therefore concludes that the processing takes place in the context of activities of establishments in more than one Member State, which constitutes cross-border processing within the meaning of Article 4, opening words and (23) of the GDPR.
Opinion
36. Takeaway has not disputed the conclusion in the investigation report.
Assessment and conclusion
37. As Takeaway is established in the Netherlands, the Dutch DPA is competent to exercise the powers granted to it under the GDPR towards Takeaway. As the Dutch establishment is also Takeaway’s main establishment, the Dutch DPA is also the lead supervisory authority within the meaning of Article 56(1) of the GDPR. This conclusion is coordinated with the supervisory authorities involved.
2.4. Transfer of personal data to the United States
2.4.1. Investigation report
38. Section 2.3 of the investigation report states that Google has stated that all data collected through Analytics is stored on servers in the United States and that this constitutes an international transfer of personal data. Takeaway has stated that the transfer is subject to standard provisions within the meaning of Article 46 of the GDPR. Until 27 September 2021, these were the provisions of the standard model contract ‘Controller to processor’. [10] On this basis, Takeaway is the exporter and Google LLC is the importer of personal data. This situation changed with effect from 27 September 2021. From that date, Takeaway has been concluding the standard model contract ‘Controller to processor’ with Google Ireland. Not Takeaway, but Google Ireland has since exported the data to Google LLC. This is based on a standard model contract ‘Controller to processor’.
39.
Section 2.3.3 of the report discusses the additional measures taken by Takeaway and Google at the time the report was drawn up. These measures consist of a combination of technical, contractual and organisational measures. In summary, the technical measures relate to the encryption of data during traffic and in storage. The contractual and organisational measures relate to, on the one hand, the handling and assessment of received information requests from intelligence services and reporting thereon and, on the other hand, the physical and digital security of Google’s data centres. These measures are further described and assessed in section 2.4.6 of this decision.
40. Section 3.4.2 of the investigation report concludes that entering into standard model contracts does not sufficiently guarantee the level of protection of personal data in the United States to allow the transfer to be based on standard provisions alone. Google LLC is a provider of electronic communications services within the meaning of § 50 U.S. Code 1881(4)(b) and is obliged to provide personal data to the American intelligence services. Therefore, transfer can only occur if adequate additional safeguards are in place. The safeguards put in place by Google were not found to be effective in the report, which means Takeaway cannot rely on the transfer instrument of standard provisions. This means that a transfer of personal data takes place without being based on a valid transfer instrument, as a result of which Takeaway has violated Article 44 of the GDPR. This applies, as stated in margin 12, from 18 August 2020 to 1 September 2023.
2.4.2. Safeguards put in place after the investigation
41. In the opinion and supplementary opinion, Takeaway has put forward that it has taken more additional measures. In summary, this involves implementing a proxy server in the EEA, █████████ ██████████████████████████████████████████████████████████ █████████████████████████████████. These additional measures are also discussed in more detail in section 2.4.6.
[10] This model contract corresponds to the provisions published by the European Commission in its decision 2010/87/EU.
[11] This model contract corresponds to the provisions published by the European Commission in its decision 2021/914/EU.
2.4.3. Responsibility for international transfers
Opinion
42. Takeaway first argues that insofar as there is a violation of Article 44 of the GDPR, an incorrect period was taken into account in the investigation report. To this end, Takeaway points out that it contracted with Google LLC until 27 September 2021 and that Takeaway was therefore responsible for the international transfer until that date. However, from that date onward, there has been a transfer from Takeaway to Google Ireland, and subsequently from Google Ireland to Google LLC. Since then, Google Ireland, not Takeaway, has been responsible for the transfer to countries outside the EU. As a result, Takeaway’s violation, if any, ended no later than 27 September 2021, according to Takeaway.
Assessment and conclusion
43. It follows from Article 5(2) of the GDPR that the controller is responsible for the entire processing. Pursuant to Article 24(1) of the GDPR, the controller must take appropriate technical and organisational measures to ensure and demonstrate that the processing is carried out in accordance with the GDPR. Although it follows from Article 28(1) of the GDPR that the controller may outsource the processing or part thereof to a processor, this does not alter the fact that in that case the processing in accordance with Article 5(2) of the GDPR remains at the risk of the controller. In view of the aforementioned provisions, this is no different for sub-processors, especially now that according to Article 28(2) of the GDPR, they may only be involved with the consent of the controller.
44. In view of the foregoing, Takeaway, as the controller, is responsible for the processing of personal data, including the international transfer of that data by Google Ireland on behalf of Takeaway to the United States during the period from 18 August 2020 to 1 September 2023. Takeaway is therefore not followed in the argument that the report took into account an incorrect period of the violation.
2.4.4. Applicability of FISA legislation to Google and Analytics data
Opinion
45.
Takeaway argues that the investigation report does not sufficiently substantiate that, with regard to Analytics, Google LLC qualifies as an electronic communications service provider (hereinafter referred to as ECSP) as referred to in FISA. The provision referred to contains five categories, three of which refer to provisions in other laws. The report fails to mention which of these categories Google falls under.
46. According to Takeaway, the investigation report does not further address the statement that the Analytics data does not qualify as foreign intelligence information. According to Takeaway, this is relevant because data that does not qualify as such falls outside the scope of a FISA request for information.
Assessment and conclusion
47. Takeaway’s argument that the report does not indicate on what grounds Google LLC qualifies as an ECSP has no factual basis. In section 3.4.2 (margin 87) of the report, it was concluded that Google in any case qualifies as a “provider of electronic communication service”, as referred to in 50 U.S. Code § 1881, part b(4)(b). In short, this includes all providers of services that enable users to receive or send voice messages or electronic communications. [13] The Dutch DPA does not rule out that Google LLC also qualifies as an ECSP on the basis of (c) and/or (d). However, it is only important that Google can be regarded as an ECSP, as this circumstance means that it is obliged to cooperate with requests from security services.
48. The fact that Google can be classified as such also follows from the information published by Google itself. Google has set up a website on which it publishes information about requests from police and security services. It follows from the information published that Google receives, among other things, FISA requests. In the period from July 2022 to December 2022 (the most recent for which Google publishes, given the delay in reporting), Google claims to have received between 0 and 499 requests regarding metadata, which related to 106,000 to 106,499 accounts. Google says it has received an equal number of requests related to the content users have created. It follows from receiving and complying with the requests that Google LLC qualifies as an ECSP.
49.
Finally, Takeaway’s reference to the statement that Analytics data does not qualify as foreign intelligence information does not lead to the intended purpose. The definition of that concept is so broad that it cannot be categorically excluded in advance which data does or does not fall under it.

50. The conclusion is that what Takeaway has put forward provides no grounds for a different conclusion than that in the investigation report, that Google LLC qualifies as an ECSP and as such is subject to supervision by American intelligence services as regulated in 50 U.S. Code § 1881a.

[12] Compare in the same sense the decision of the DSB of 22 December 2021, can be consulted via <https://www.dsb.gv.at/dam/jcr:c1eb937b-7527-450c-8771-74523b01223c/D155.027%20GA.pdf>, p. 32, and the decisions of the Swedish supervisory authority of 30 June 2023, references DI-2020-11397, DI-2020-11368, DI-2020-11370 and DI-2020-11373 (all par. 2.4.2.2), which can be consulted via <https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics>.

[13] Pursuant to (b), an ECSP is “a provider of electronic communications service, as that term is defined in section 2510 of title 18”. The latter provision reads: ‘“electronic communication service” means any service which provides to users thereof the ability to send or receive wire or electronic communications.’

[14] Pursuant to (c), an ECSP can also be “a provider of a remote computing service, as that term is defined in section 2711 of title 18”. The term “remote computing service” is defined there as “the provision to the public of computer storage or processing services by means of an electronic communications system”. On the basis of (d), ECSP can also be defined as “any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored”.

[15] Compare the data at <https://transparencyreport.google.com/user-data/us-national-security>.

2.4.5. Risk-based approach

51. According to Takeaway, the report incorrectly uses an absolute test when assessing the level of protection of personal data in the United States. In the case of an absolute test, it is not important whether
the chance of an actual deterioration of the level of protection is large or small, but the mere existence of the risk is decisive. According to Takeaway, a risk-based approach should be used, which not only looks at theoretical risks but also at the likelihood that these risks will materialise. Takeaway is supported by (1) the judgment of the Court of 16 July 2020 (Schrems II), [16] (2) Article 24 of the GDPR and (3) the Recommendations 01/2020 of the EDPB (hereinafter referred to as the Recommendations). [17] Takeaway concludes that only the implementation of the standard provisions is sufficient for lawful transfer, because a risk-based test shows there are only very minor risks involved in transfer to the United States. In this regard, Google argues that it has not received a FISA request for Analytics data in the past fifteen years. The transfer could therefore be based on the standard provisions used and no additional measures were required, according to Takeaway.

52. The substantiation and assessment of each of the three points put forward by Takeaway will be discussed below.

Schrems II Judgment

Opinion

53. According to Takeaway, the conclusion in the investigation report that the level of protection in the United States is insufficient, is based too much on a recital of the Schrems II judgment that is placed out of context. The investigation report attaches a lot of weight to the word “may” in recital 135 of the judgment (emphasis added):

“135. Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.”

54.
It follows from the investigation report that it does not matter whether the reduction in the level of protection is highly theoretical. According to Takeaway, an “absolute test” is wrongly applied. The Dutch translation of the Court’s judgment contains errors and misses important nuances in recitals 126, 131 to 134 and 137, according to Takeaway. If this is taken into account, it is clear, according to Takeaway, that in its judgment, the Court actually advocates a risk-based approach. Although the Court does not specifically mention this, according to Takeaway it should not be concluded from this that the Court does not adopt that approach. After all, the Court does consider that the level of protection of personal data that has been transferred must be “essentially equivalent”, and leaves it up to the controller to use the law and practices of the third country in question to assess whether this benchmark is achieved. According to Takeaway, this follows from recital 126 of the judgment, in which the Court refers to “the state of law and practices in the third country concerned” in order to “guarantee protection […] in practice”. Only if it is impossible in practice to ensure the effective protection of the personal data that has been transferred, if necessary with additional measures, will the Court consider the consequences in recital 135 quoted above.

55. Thus, according to Takeaway, no guarantee is required that access by third parties can never occur; the only requirement is that the level of protection required under Union law is guaranteed in practice. Only when the laws and the practices of the country in question insufficiently guarantee effective protection, should the controller take additional measures.

[16] Judgment of the Court of 16 July 2020 in case no. C-311/18 (ECLI:EU:C:Schrems).

[17] Recommendations 01/2020 on measures complementary to transfer tools to ensure compliance with the level of personal data protection in the Union, version 2.0 (adopted on 18 June 2021).

Assessment

56.
It must be stated first and foremost that the Schrems II judgment does not show that a risk-based test must be applied to determine the level of protection of – in this case – the United States. As Takeaway itself also notes, the Court did not consider this explicitly and unequivocally. [18] Given the very far-reaching consequences of Takeaway’s interpretation, it would be expected that a risk-based test was explicitly mentioned in the judgment.

57. Takeaway is also not followed in the interpretation of that judgment. In recital 126 of the judgment, the Court firstly considered that there are situations in which the recipient of a transfer of personal data is, in view of the state of law and practices in the third country concerned, able to ensure data protection. The mere use of the words “law and practices”, contrary to what follows from Takeaway’s argument, does not show that the Court means by this that a statutory provision can be ignored that, according to European law standards, is contrary to the data protection law guaranteed by the Charter and the GDPR, solely because it has not been established that the danger of that statutory provision has materialised to date. What the Court does explicitly and unequivocally consider in that recital is that the situation in which the law of the third country makes it possible for public authorities to intervene in the rights of data subjects - such as in the United States - is an example in which standard provisions alone may be insufficient to ensure effective protection.

58. It also does not follow from the other recitals pointed out by Takeaway (131 to 134, and 137) that in its judgment the Court intended to override a statutory jurisdiction that is problematic according to European law standards because the problem has not yet materialised. It does not matter whether the English text of the judgment is used or the official Dutch translation, which, according to Takeaway, contains “a number of errors” and “[misses] the nuances of the ECJ’s judgment on a number of points”.
[18] Although the Court refers to recital 101 in recital 8 of the GDPR, which states that the movement of personal data to and from the Union is necessary for the development of international trade, this recital is only part of the legal framework. This consideration is not part of the actual answer to the preliminary questions about the circumstances under which an international transfer is or is not legally permissible. The same applies to a balancing with other fundamental rights such as freedom of entrepreneurship.

59. In view of the foregoing, the Dutch DPA concludes that the Schrems II judgment does not support Takeaway’s argument that the report wrongly concluded that the level of protection in the United States was inadequate at the time of the observed violation.

Article 24 of the GDPR

Opinion

60. Takeaway further points out that the formulation of Article 24 of the GDPR is risk-based. According to the text of that provision, the controller must take appropriate measures to ensure that the processing is carried out in accordance with the GDPR, taking into account “the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons”. According to Takeaway, the provision has a horizontal scope of application, which means the provision applies to both the standard of proof and compliance with the obligations under the entire GDPR, including the obligations laid down in Chapter V of the GDPR.

61. In further support of the argument that Chapter V must be approached on a risk-based basis, Takeaway points out – in its opinion – the text of Article 44 of the GDPR itself. Under that provision, a lawful transfer of personal data requires a transfer instrument, “subject to the other provisions of this Regulation”. According to Takeaway, this phrase is logical, because Chapter V of the GDPR does not stand alone and transfers must comply with the entire GDPR, including Article 24 of the GDPR. This arises from the fact that Chapter V of the GDPR aims to ensure that after transfer, data is stored in a comparable manner and not at a higher level.

62.
Takeaway also points out the development history of the GDPR. In the European Commission’s proposal for what would eventually become the GDPR, [19] Article 22 (now: Article 24) stipulates that the controller shall establish policies and implement appropriate measures to ensure and be able to demonstrate that the processing is performed in accordance with the regulation. A memorandum from the Cypriot Presidency to the Council of 1 March 2013 states that this provision has been amended after a number of Member States objected to the high prescriptive nature of the provision and expressed the view that the provision must stipulate a risk-based approach. [20] That is why the revised draft contains a ‘horizontal’ clause in Article 22 (now: Article 24), which is accompanied by a more risk-based reformulation of provisions in that chapter. Furthermore, the European Council’s explanatory memorandum to the final draft text of the GDPR states that, against the background of the increased accountability of controllers, an approach based on risk analysis has been opted for throughout the regulation. The obligations of the controller and processor are adjusted to the risk of the data processing they perform. [21] Lastly, Takeaway points out the communication from the European Commission to the European Parliament of 11 April 2016, [22] which states that the proposal maintains and develops the risk-based approach. According to Takeaway, it follows from all this that the risk-based approach also applies to the obligations arising from Chapter V of the GDPR.

[19] Proposal for a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) of 25 January 2012, EUR-Lex document 52012PC0011.

[20] Memorandum from the Presidency to the Council of the European Union of 1 March 2013, EUR-Lex document 6607/1/13 REV 1.

Assessment

63.
In the situation where the interpretation of a provision of the GDPR is called into question, the precise wording of that provision must first be examined. It is settled case law of the Court that, despite the clear and precise wording of a provision, an interpretation intended to correct the provision and thus extend the relevant obligations of Member States cannot be given. [23] If the wording of the provision is unambiguous, it leaves no room for interpretation because that would deprive the wording of any useful effect. [24]

64. In the situation that a provision of the GDPR does not contain clear and precise wording, for example, because it is openly formulated or does not contain a precise interpretation of the concepts used, the question arises how the provision should be interpreted. After all, a purely textual interpretation is not sufficient. The interpretation must then be made in the light of the context and objectives of the Charter and the GDPR. [25] The history of the Charter and the GDPR may also contain relevant information. [26] Given various possible interpretations, priority is given to the interpretation that best ensures the intended effect of the regulation. [27]

65. It does not follow from the precise wording of Article 44 that this provision must be read in the risk-based manner advocated by Takeaway. On the contrary, the provision explicitly states that transfers may only take place if the conditions laid down in Chapter V of the GDPR are met, and that all provisions of Chapter V must be applied so that the level of protection guaranteed by the GDPR is not undermined. This is important because the legislator has always explicitly and unambiguously stated in a number of other provisions of the GDPR that a risk-based approach applies to the application of those provisions. Compare Articles 25(1), Article 30(5), Article 32(1) and (2), Article 34(1), Article 35(1) and (2) and Article 37(1), opening words and (b) and (c), of the GDPR.
[28] Takeaway cannot therefore be followed in its interpretation of Article 44, as that interpretation would deprive the provision of its useful effect, despite the aforementioned case law of the Court.

[21] Position of the Council at first reading with a view to the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repeal of Directive 95/46/EC (General Data Protection Regulation), EUR-Lex document ST_5419_2016_ADD_1_REV_1, p. 4.

[22] Communication from the Commission to the European Parliament pursuant to Article 294(6) of the Treaty on the Functioning of the European Union on the position of the Council on the adoption of a regulation of the European Parliament and of the Council on protection of natural persons in relation to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and repealing Directive 95/46/EC, EUR-Lex document 52016PC0214.

[23] Judgment of the Court of Justice of the EU of 15 July 2010 (ECLI:EU:C:2010:429), par. 51.

[24] Judgment of the Court of Justice of the EU of 10 March 2021 (ECLI:EU:C:2021:188), par. 78.

[25] Judgment of the Court of Justice of the EU of 14 June 2017 (ECLI:EU:C:2017:451), par. 26.

[26] Judgment of the Court of Justice of the EU of 03 October 2013 (ECLI:EU:C:2013:625), par. 50.

[27] Judgment of the Court of Justice of the EU of 22 September 1988 (ECLI:EU:C:1988:439), par. 19.

[28] In the same sentence, compare Article 32 of the GDPR with the decision of the Austrian supervisory authority of 22 December 2021 (as mentioned above).

66. Because Article 44 of the GDPR is clear in the opinion of the Dutch DPA, no weight is given to the significance of the system of the GDPR and the history of its development. But even if that were the case, what Takeaway argues would not lead to the interpretation of Article 44 it advocates. The Dutch DPA takes the following into account.

67. Takeaway’s argument is based on the idea that Article 24 of the GDPR (which contains a risk-based approach) has a horizontal scope, meaning that this provision applies to all obligations of the controller.
According to Takeaway, this also includes obligations under Chapter V of the GDPR. Takeaway points out a report by the then President of the European Council, Cyprus, who, in a written report dated 1 March 2013 on the development of the GDPR, mentioned the task of making specific proposals for a tightened risk-based approach in the text of the then draft regulation. [29] Although it follows from that report that various draft provisions have been reformulated on a risk-based basis, it does not follow from the report that this also applies to Chapter V of the GDPR. On the contrary, it explicitly follows from the report that this mainly concerns Chapter IV of the GDPR (“Controller and processor”) and to a limited extent Chapter III (“Rights of the data subject”):

“Although Chapter IV of the Regulation provides the most scope for a risk-based approach, the Presidency has sought to introduce elements of this approach in parts of Chapter III (particularly Articles 12, 14 and 15) in order to ensure that rights of data subjects are exercised effectively and efficiently while at the same time improving certainty and transparency.”

68. It also does not unambiguously follow from the phrase “throughout the Regulation, a risk-based approach is introduced” in the Council’s explanatory memorandum of 31 March 2016, which Takeaway further points out, that the legislator explicitly envisaged a risk-based approach when applying Chapter V. With Chapter V of the GDPR, the legislator aims to ensure that the level of protection for personal data applicable within the EU “moves” with exported data. The legislator has explicitly prescribed in Article 44 that this level of protection may not be undermined.

69. In view of the foregoing, even when the development history is taken into account, contrary to what Takeaway states, it cannot be concluded that the legislator intended that a risk-based approach be applied when applying Chapter V of the GDPR. That interpretation would actually undermine the explicit requirement that the guaranteed level of protection may not be undermined.

70. Takeaway’s argument about Article 24 and its formation does not lead to the conclusion that the report wrongly concluded that the level of protection in the United States was inadequate at the time of the observed violation.
[29] Memorandum from the Presidency to the Council of 1 March 2013, EUR-Lex document number 6607/1/13 REV 1, can be consulted via <https://data.consilium.europa.eu/doc/document/ST-6607-2013-REV-1/nl/pdf>.

EDPB Recommendations 01/2020

Opinion

71. To further substantiate the argument that a risk-based test should be applied, Takeaway points out the method and content of the Recommendations. First of all, Takeaway notes that adjustments have been made to the text of the Recommendations as a result of the public consultation. The consultation version states that organisations should not “rely on subjective factors, such as how likely it is that public authorities will access the data in a manner that is not in accordance with European standards.” [30] This passage was removed after the public consultation. Secondly, Takeaway points out margins 1, 2, 3, 4, 5, 43 and 43.3 of the Recommendations. Margin 43 states that the parties concerned must examine the admissibility of the transfer on the basis of the publicly available legislation of the third country, as well as the practices of the public authorities of the third country. Margin 43.3 of the Recommendations states that if the exporter and importer have no reason to believe that relevant and problematic legislation will be applied in practice, it may be decided not to take additional measures.

Assessment

72. The EDPB drew up the Recommendations following the Schrems II judgment. With these Recommendations, the EDPB aims to provide parties that transfer personal data with guidance on the complex task of assessing transfers of personal data to third countries and identifying where additional measures need to be taken. In margins 1 to 5 (which Takeaway points out, among other things), the EDPB states that the right to data protection is active in nature, and that parties who transfer personal data must go beyond mere recognition or passive compliance with this right. The Recommendations emphasise that after transfer, personal data must still be processed in a manner that corresponds to the level of protection under European law. The transfer of personal data to third countries should not be a means of undermining or weakening the protection afforded in the EEA.

73.
Margins 43 and 43.3, which Takeaway further points out, are part of section 2.3 of the Recommendations (“2.3. Assess whether the transfer instrument you use under Article 46 of the GDPR is effective in light of all the circumstances of the transfer”). This step explains how to determine whether the transfer instrument used (in the case of Takeaway: using the provisions of a standard model contract) offers sufficient guarantees. Margins 32 and further state in detail which aspects must be assessed in any case. Margin 43 discusses the assessment of the law and practices of the third country in question. First of all, it is stated that the assessment must primarily and in particular be based on the legislation that is publicly available. In addition, it is stated that the assessment of the applicable practices in the third country is particularly important in a number of situations. One of those situations, described in margin 43.3, is that “The assessment may show that the relevant legislation in the third country may be problematic and that the data transferred and/or the importer in question falls or may fall within the scope of this problematic legislation.” If that is the case, according to the Recommendations it can be decided to:

• suspend the transfer;
• take additional measures to avoid the risk that the laws and/or practices of the third country of the data importer are applied to the importer and/or to the data transferred; or
• continue with the transfer without taking additional measures, if the exporter believes it has no reason to believe that relevant and problematic legislation will be applied in practice to transferred data and/or the importer.

[30] Consultation version of Recommendations 01/2020 of 11 November 2020, EDPB consultation reference R01/2020.

74.
In the latter case, a detailed report must demonstrate and document that the legislation is not, in practice, interpreted and/or applied in a manner that would affect the data transferred and the importer, so that the legislation will not prevent the importer from fulfilling its obligations under the transfer instrument of Article 46 of the GDPR. Margins 44 to 47 of the Recommendations state which sources can be used and what requirements are imposed on those sources and the assessment. The sources must, among other things, be relevant, objective, reliable, verifiable and publicly available or otherwise accessible. The exporter must assess and document whether this is the case.

75. Takeaway first stated in its opinion that, prior to the implementation of Analytics, it assessed whether Google could provide sufficient guarantees with regard to, among other things, data protection. Takeaway states that it has assessed security measures and has received a confidential assessment of the level of protection offered by Google. According to Takeaway, this shows that Google does not consider it obvious that it falls under the surveillance laws of the United States with regard to Analytics and that Google claims that it has not received a FISA warrant in fifteen years. After studying this information, Takeaway came to the conclusion that it could implement Analytics.

76. The Dutch DPA believes that merely examining information from the importer in the third country is not sufficient to meet the requirements of Article 46 of the GDPR and the related Recommendations. Apart from the fact that Takeaway does not state that it has demonstrated and documented with a detailed report that the problematic legislation applies to the personal data transferred – which is a first condition – it is not sufficient to refer to a confidential document from the importer. What is required is that the information used in the assessment must be relevant, objective, reliable, verifiable and publicly available or otherwise accessible. That is not the case here.

77. Takeaway’s argument about the Recommendations also does not lead to the conclusion that the report wrongly concluded that the level of protection in the United States was inadequate at the time of the observed violation.

Conclusion

78.
The Dutch DPA does not follow Takeaway in its argument that the conclusion in the investigation report on the level of protection of personal data in the United States was incorrectly determined because an incorrect assessment method was used. The report rightly concluded that additional measures are necessary to provide a level of protection that is equivalent to the level of protection of the GDPR.

2.4.6. Additional measures

Investigation report

79. The investigation report concludes that the Court does not sufficiently guarantee the level of protection of personal data in the United States to allow the transfer to be based on standard provisions alone. Google is a provider of electronic communications services within the meaning of § 50 U.S. Code 1881(4)(b) and is obliged to provide personal data to the American intelligence services. Therefore, transfer can only take place if adequate additional safeguards are in place.

80. As mentioned in section 2.4.1, the investigation report found that Takeaway and Google have taken various additional measures. These can be divided into technical, contractual and organisational measures. The technical measures consist of Takeaway ████████████████████████ and obtaining information from Google about the secure transfer of JavaScript and measurement data, HTTP Strict Transport Security (HSTS) and encryption of data between Google data centres. Takeaway further points out that Google (with regard to the Analytics service) has an ISO 27001 certificate.

81. The report further mentions that Google states that it has taken additional contractual and organisational measures. Google points out that every request from intelligence services to provide user data is carefully assessed and complies with the law and the proportionality requirement. If permitted, Google will inform the user concerned of the provision. In addition, Google periodically publishes a transparency report, which contains information about requests from security services. Google also publishes its own policy on handling such requests and information about data protection.

82.
The report also discusses technical measures that Google is said to have taken. For example, Google states that it has taken safeguards for the protection of data during transport, such as upgrading connections to encrypted connections to prevent passive monitoring. When data is outside Google’s control area (for example, traffic between data centres), the data is encrypted. Data is also encrypted in storage. Each data centre is protected with six layers of physical security to prevent unauthorised access. Access to data by staff is limited to what is needed for his or her position. Lastly, Google indicates that Analytics data is pseudonymised. Access by third parties will therefore normally not provide the opportunity to identify a data subject based on that data.

83. The report concluded that these additional measures do not actually prevent or reduce the ability of American intelligence services to gain access. Google is obliged to cooperate with those requests, while the Court has ruled that the legally permissible requests in the United States are not in line with European data protection requirements. With regard to encryption of data “in transit” and “at rest”, it is noted that Google is obliged to hand over the crypto keys to American intelligence services when asked. As long as Google has the ability to access the data in legible text, encryption cannot be an effective measure. Lastly, regarding the anonymisation of IP addresses, it is stated that this happens after the IP address has been transferred to the United States. This means that there is still a possibility that security services have access to all data.

84. The additional measures taken were therefore not found to be effective in the report, which means Takeaway cannot rely on the transfer instrument of standard provisions. This means that at the time of the period investigated, a transfer of personal data took place without being based on a valid transfer instrument, resulting in Takeaway having violated Article 44 of the GDPR.

Opinion

85. In its opinion, Takeaway has not disputed the conclusion in the investigation report that Google’s additional measures are insufficient to prevent or reduce access by the American intelligence services.
Instead, Takeaway has pointed out some other additional measures that it has taken itself. Takeaway explained these measures in more detail during the opinion hearing. In response to questions from the Dutch DPA about these measures, Takeaway has discussed the operation of these measures in the supplementary opinion. The measures consist (in summary) of using a proxy server, ████████ █████████████████████████████████████████████████████████ █████████████████████████████████████████████████████████ █████████████████████████████████████████████████████████ ██████████████████████████████.

86. Takeaway’s explanation shows that it started using a proxy server ████████. The result of this is that there is no direct flow of information between the website visitor and Google. Instead, first, there is a flow of information between the website visitor and Takeaway, and then between Takeaway and Google. This allows Takeaway to determine what information about the website visitor is provided to Analytics.

87. ████████████████████████████████████████████████████ ████████████████████████████████████████████████████ █████████████████████████████████████████████████████████ ████████████████████████████████████████████████████████ ███████████████████████████████████████████████████████ ████████████████████████████████████████████████████████ █████████████████████████████████████████████████████████ ██████████████████████ [31] █████████████████████████████ ██████████████ ██████████████████████████████.

Assessment and conclusion

88. The use of a proxy server to exclude direct contact between the website visitor and Google and to filter or change transferred personal data is a measure aimed at the pseudonymisation of personal data as referred to in Article 4, opening words and (5) of the GDPR.

[31] [dropped].

89. As mentioned in the EDPB Recommendations discussed above, pseudonymisation of personal data can be an effective additional measure in the event of an international transfer of personal data. [32]
For this to be the case, however, a number of conditions must be met. For example, the data exporter must first transfer the processed personal data in such a way that the personal data can no longer be linked to a specific data subject or used to single out the data subject in a larger group, without additional data. Secondly, this additional data (necessary for re-identification) must be held solely by the exporter and kept separately in an EU Member State or in a third country (in which case such transfer must also be in accordance with Chapter V of the GDPR). Thirdly, the disclosure or unauthorised use of such additional data should be prevented by appropriate technical and organisational safeguards and the exporter should have sole control over the data on the basis of which the pseudonymised personal data can be re-identified. Lastly, the controller must have determined, through a thorough analysis of the personal data in question - taking into account possible information that the public authorities of the receiving country could be expected to have and use - that the pseudonymised personal data cannot be attributed to the data subject, even if such information is merged and compared with the personal data.

90. The Recommendations further state that it should be taken into account that in many situations, a natural person can also be identified on the basis of elements that are characteristic of, among other things, the physical, economic, cultural or social identity of that natural person, their physical location, or their interaction with an Internet service at certain times, even if other identifying information is omitted. This is especially true when the data relates to the use of information services (time of access, order of functions accessed, characteristics of the device used, etc.).

91. The additional measures taken by Takeaway, consisting of using a proxy server ██████████ ██████████████████████████████████████████████████████ ███████████████████, should in terms of their effectiveness [33] and appropriateness [34] be assessed on the basis of the criterion set out in the previous margins.

92.
████████████████████████████████████████████████████ ████████████████████████████████████████████████████ █████████████████████████████████████████████████████████ ████████████████████████████████████████████████████████ █████████████████████████████████████████████████████ ████████████████████████████████████████████████████████ ███████████████████████████ ███████████████████████████ ████████████████████████████████████████████████████████ ███████████████████████████████████████████████████████ ████████████████████████████████████████████████████████ ████████████████████████████████████████████████████████ ████████████.

[32] Margins 85 et seq. of the Recommendations.

[33] As referred to in the Recommendations.

[34] As referred to in recital 20 and provision 14 of Decision (EC) of 4 June 2021 establishing new standard contractual clauses. This ‘appropriateness’ is understood in relation to its effectiveness according to the standards of the Recommendations and Schrems II. This does not concern ‘appropriateness’ as laid down in Article 46 of the GDPR, because the latter concept constitutes the relative appropriateness between the different transfer instruments for the specific transfer situation.

93.
To assess whether the additional measures are effective, it is noted that the degree of identifiability (the likelihood that the data can be linked to a natural person) is related to both the amount and the nature of the data. Stopping the transfer of certain categories of data ██████████████ █████████████████, in itself has an increased protection effect. Nevertheless, Takeaway has continued to pass on a still extensive set of data. In view of the data transferred by Takeaway after implementing the additional measures, the Dutch DPA believes that re-identification cannot be sufficiently ruled out. The Dutch DPA takes into account that:

• █████████████████████████████████████████████████ █████████████████████████████████████████████████ ███████████. In combination with the other data, re-identification is a very real possibility;
• the series of transferred data is still extensive and the sum of the various data makes the chance of identification high. This concerns data such as █████████████████████████████ █████████████████ that can be significant when combined in view of the identity elements stated in margin 90; and
• with regard to this data, according to the Recommendations, [36] the possibility that identification takes place through the combination of the pseudonymised data in the hands of Google and additional data in the hands of the American intelligence services must also be taken into account.

94. Since re-identification has not been sufficiently ruled out, Takeaway’s use of the proxy server to pseudonymise the data is not sufficient and is therefore not appropriate and effective as an additional measure. Given the remaining uncertainties regarding ex post identification by the intelligence services, another opinion would not be consistent with the high level of protection the GDPR aims to guarantee.

95. The conclusion is that the transfer of personal data by Takeaway could not be based on the appropriate safeguards referred to in Article 46 of the GDPR.

3. Violation

96.
Section 0 of this decision concludes that Takeaway is the controller for the implementation of Analytics. Section 2.2 concludes that Takeaway processes personal data in this context and that international transfer of personal data takes place. Section 0 concludes that in the period from 18 August 2020 to 1 September 2023, Takeaway was responsible for having a valid transfer instrument for the processing as laid down in Chapter V of the GDPR. Section 2.4.6 concludes that the transfer during that period was not based on a valid transfer instrument. This means that Takeaway violated Article 44 of the GDPR during that period.

35 [redacted]
36 [redacted]. See margin 85.

4. Enforcement measure to be imposed

97. The Dutch DPA is authorised to impose corrective measures, including a warning, reprimand and administrative fine (Article 58(2) of the GDPR). These measures are not mutually exclusive and can therefore be imposed side by side. The question of whether to impose a fine should take due account of the factors set out in Article 83(2) of the GDPR. Those factors include, among other things, the nature, seriousness and duration of the infringement (factor a) and any other aggravating or mitigating circumstance applicable to the circumstances of the case (factor k).

98. With regard to factor a (nature, severity and seriousness of the infringement), the Dutch DPA notes that Takeaway, as stated in margin 96, has transferred personal data to a third country in violation of Article 44 of the GDPR, while that transfer was not based on a valid transfer instrument. This is a serious violation and counts as an aggravating circumstance.

99.
However, in the light of factor k (any other circumstance applicable to the circumstances of the case), the Schrems II judgment has created a very specific situation. The Court declared the adequacy decision for the United States invalid, after which it took quite some time before the EDPB issued its Recommendations offering tools to deal with the newly created situation. Furthermore, the Dutch DPA has established that, in addition to the use of standard provisions, Takeaway has taken additional measures in the form of, among other things, a proxy server. [redacted]. Takeaway has thus demonstrably made significant efforts to guarantee the level of protection of personal data. The measures taken actually increase protection, although in the opinion of the Dutch DPA, this is not sufficient to rule out re-identification. The situation created by the Schrems II judgment and Takeaway’s efforts to deal with it count as mitigating circumstances.

100. Given the circumstances of this specific case, the Dutch DPA sees reason to refrain from imposing an administrative fine in this case. The Dutch DPA will suffice by imposing a reprimand for the observed violation.

5. Decision

The Dutch DPA imposes a reprimand on Takeaway Group B.V. for violating Article 44 of the GDPR in the period from 18 August 2020 to 1 September 2023 by transferring personal data to a third country during that period, while such transfer was not based on a valid transfer instrument.

Sincerely,
The Dutch DPA,

Remedy clause

If you do not agree with this decision, you can submit a digital or paper notice of objection to the Dutch DPA within six weeks of the day on which the decision was sent. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Contact, item “Objection or complaint about the Dutch DPA”. Send your paper notice of objection to:

Dutch DPA
(Autoriteit Persoonsgegevens)
Postbus 93374
2509 AJ Den Haag, the Netherlands

Please quote ‘Awb objection’ on the envelope and use ‘notice of objection’ in the title of your letter.
Your notice of objection must at least contain:
- your name and address;
- the date of your notice of objection;
- the reference mentioned in this letter (case number); or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.