DSB (Austria) - 2021-0.586.257: Difference between revisions

From GDPRhub

Revision as of 15:35, 12 January 2022

DSB (Austria) - 2021-0.586.257 (D155.027)
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(7) GDPR
Article 4(8) GDPR
Article 5 GDPR
Article 44 GDPR
Article 46(1) GDPR
Article 46(2)(c) GDPR
Article 51(1) GDPR
Article 57(1)(d) GDPR
Article 57(1)(f) GDPR
Article 77(1) GDPR
Article 80(1) GDPR
Article 93(2) GDPR
§ 18 Abs 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 24 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 22.12.2021
Published:
Fine: None
Parties: website visitor and Google user (data subject and complainant)
Austrian website provider (data exporter and respondent #1)
Google LLC (data importer and respondent #2)
National Case Number/Name: 2021-0.586.257 (D155.027)
European Case Law Identifier: unknown
Appeal: Unknown
Original Language(s): German
Original Source: noyb.eu (in DE)
Initial Contributor: n/a

The Austrian DPA held that the use of Google Analytics by an Austrian website provider led to transfers of personal data to Google LLC in the U.S. in violation of Chapter V of the GDPR.

English Summary

Facts

Background

About a month after the "Schrems II" ruling by the CJEU (CJEU - C-311/18 - Schrems II), the NGO noyb filed 101 complaints regarding data transfers from EEA-based websites to Google LLC and Facebook Inc. in the U.S. (see here and here). In order to coordinate the work of all involved DPAs, the EDPB created a special task force. The Austrian DPA (Datenschutzbehörde - DSB) has now issued the first decision on one of these 101 complaints.

Website visit and data transfer to Google LLC

On 14.08.2020, the data subject visited a website on health topics hosted by an Austrian company while logged into his personal Google account. The website used Google Analytics, a tool provided by Google LLC to measure and track website use. According to the website provider and Google LLC, the website provider qualifies as controller (Article 4(7) GDPR) and Google LLC as processor (Article 4(8) GDPR) for data processing in connection with Google Analytics. Furthermore, according to the privacy documents provided on the website or included via hyperlink, the website provider and Google LLC entered into standard contractual clauses under Article 46(2)(c) GDPR (Commission Decision 2010/87 of 05.02.2010, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32010D0087; SCCs) as a mechanism for transfers of personal data with regard to Google Analytics.

On 18.08.2020, the data subject (represented by noyb) filed a complaint with the DSB against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents had violated Articles 44 et seqq. GDPR in light of the "Schrems II" ruling by transferring his personal data to Google LLC. As Google LLC qualifies as an "electronic communication service provider" under 50 U.S. Code § 1881(b)(4), it is subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens - such as the data subject - to them.

In the course of the procedure, which took almost one and a half years and included the exchange of multiple submissions between the parties, the respondents argued in essence that, even if there had been a data transfer to Google LLC in the U.S., the transferred data did not qualify as personal data under Article 4(1) GDPR as they could not be assigned to the data subject. Furthermore, the respondents argued that they had put sufficient additional measures in place in case of an actual transfer of personal data. Lastly, they argued that Chapter V GDPR and the concluded SCCs follow a "risk-based approach" and that there was a very low risk of the data subject actually having been subject to U.S. surveillance. Google LLC in particular also argued that Chapter V GDPR only applies to the data exporter, i.e. the entity actually transferring the data to a third country, but not to Google LLC in its role as mere data importer.

Holding

On Google LLC

In its decision, the DSB mostly followed the data subject's arguments and rejected most of the objections raised by the respondents. However, with regard to Google LLC, the DSB held that Chapter V of the GDPR only imposes legal duties on the data exporter but not on the data recipient. Consequently, the DSB dismissed the complaint against Google LLC, but declared that it will conduct an ex officio investigation and issue a separate decision on the question whether Google LLC violated Articles 5 et seqq. GDPR in connection with Article 28(3)(a) and Article 29 GDPR.

On the website provider

The DSB fully upheld the complaint with regard to the website provider. It held that

  • the website provider had transferred the data subject's personal data to Google LLC on 14.08.2020, including user identifiers, IP address and browser parameters;
  • the SCCs concluded between the respondents do not offer an adequate level of protection, because
    • Google LLC qualifies as an "electronic communication service provider" under 50 U.S. Code § 1881(b)(4) and is subject to surveillance by US intelligence services, and
    • any additional safeguards put in place in addition to the SCCs were insufficient, as they could not prevent US intelligence services from accessing the data subject's personal data;
  • the website provider could not rely on any other transfer mechanism under Chapter V of the GDPR. Consequently, the website provider failed to provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR.

In its legal reasoning, the DSB pointed out the following aspects in particular:

  • The DSB considered itself competent under Article 55(1) GDPR. The fact that Google LLC argued that Google Analytics has allegedly been provided by Google Ireland Ltd since April 2021 was not considered relevant, as the violation occurred in August 2020.
  • IP addresses and online identifiers qualify as personal data under Article 4(1) GDPR, especially because they make it possible to single out a data subject within the meaning of Recital 26 GDPR. It is sufficient that the data subject can be identified; an actual identification is not necessary.
  • It is irrelevant that the website provider might require additional information from Google LLC in order to identify the data subject. According to CJEU 20.12.2017, C-434/16 and 19.10.2016, C-434/16, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person.
  • The fact that Google allows users to opt in to and out of personalized ads shows that Google LLC possesses all means to identify the data subject.
  • Neither respondent showed the existence of any additional measures that would provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR together with the concluded SCCs. Google LLC in particular had tried to frame basic technical and organisational measures under Article 32 GDPR as "additional measures", which did not convince the DSB.

Comment

This decision is the first DPA decision following noyb's 101 complaints regarding EEA-US data transfers. For details see here and here. Further decisions are expected soon.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Barichgasse 40-42
A-1030 Vienna
Tel.: +43-1-52152 302565
Email: dsb@dsb.gv.at

GZ: D155.027 / 2021-0.586.257
Clerk: XXX XXX

XXX XXX
attn. NOYB - European Center for Digital Rights
Goldschlagstrasse 172/4/3/2
1140 Vienna






Data protection complaint (Art. 77 Para. 1 GDPR)
XXX XXX / 1. XXX GmbH (formerly: XXX.at GmbH), 2. Google LLC
(101 Dalmatians)

By email delivery / email legal@noyb.eu

PARTIAL DECISION (TEILBESCHEID)

RULING (SPRUCH)


The data protection authority decides on the data protection complaint of XXX XXX (complainant) of August 18, 2020, represented by NOYB - European Center for Digital Rights, Goldschlagstrasse 172/4/3/2, 1140 Vienna, ZVR: 1354838270, against 1) XXX GmbH (formerly: XXX.at GmbH) (first respondent), represented by DORDA Rechtsanwälte GmbH, Universitätsring 10, 1010 Vienna, and 2) Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (second respondent), represented by Baker McKenzie Lawyers LLP & Co KG, Schottenring 25, 1010 Vienna, because of a violation of the general principles of data transfer according to Art. 44 GDPR as follows:


1. The decision of the data protection authority of October 2, 2020, Zl. D155.027, 2020-0.527.385, will be fixed.

2. The complaint against the first respondent is allowed and it is determined that

   a) the first respondent, as the person responsible, by implementing the tool "Google Analytics" on its website at www.XXX.at, at least on August 14, 2020, transmitted personal data of the complainant (these are at least unique user identification numbers, IP address and browser parameters) to the second respondent,

   b) the standard data protection clauses that the first respondent has concluded with the second respondent do not provide an adequate level of protection in accordance with Art. 44 GDPR, because

      i) the second respondent qualifies as a provider of electronic communication services within the meaning of 50 U.S. Code § 1881(b)(4) and as such is subject to surveillance by US intelligence agencies according to 50 U.S. Code § 1881a ("FISA 702"), and

      ii) the measures taken in addition to the standard data protection clauses mentioned in point 2.b) are not effective, as they do not eliminate the possibilities of surveillance and access by US intelligence services,

   c) in the present case, no other instrument pursuant to Chapter V of the GDPR can be used for the data transmission mentioned in point 2.a), and the first respondent therefore has not guaranteed an adequate level of protection in accordance with Art. 44 GDPR for the data transfer mentioned in point 2.a).

3. The complaint against the second respondent because of a violation of the general principles of data transfer in accordance with Art. 44 GDPR is rejected.


Legal bases: Art. 4 no. 1, no. 2, no. 7 and 8, Art. 5, Art. 44, Art. 46 Paragraph 1 and Paragraph 2 lit. c, Art. 51 Paragraph 1, Art. 57 Paragraph 1 lit. d and lit. f, Art. 77 Paragraph 1, Art. 80 Paragraph 1 and Art. 93 Paragraph 2 of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ No. L 119 of 4.5.2016 p. 1; §§ 18 Paragraph 1 and 24 Paragraph 1, Paragraph 2 Item 5 and Paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 68 (2) of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette 51/1991 as amended.


REASONS

A. Arguments of the parties and course of the procedure

A.1. In his submission of August 18, 2020, the complainant summarized the following:


On August 14, 2020, at 10:45 a.m., he visited the website of the first respondent at www.XXX.at/. During the visit he was logged into his Google account, which is linked to the complainant's email address, XXX.XXX@gmail.com. The first respondent has embedded an HTML code for Google services (including Google Analytics). In the course of the visit, the first respondent processed personal data, namely at least the IP address and the cookie data of the complainant. Some of this data was transmitted to the second respondent. Such a data transfer requires a legal basis in accordance with Art. 44 ff GDPR.

According to the judgment of the European Court of Justice of July 16, 2020, Case C-311/18 ("Schrems II"), the respondents can no longer base a data transfer to the USA on the adequacy decision ("Privacy Shield") according to Art. 45 GDPR. The first respondent is also not allowed to base a data transfer on standard data protection clauses if the third country of destination does not guarantee, in accordance with EU law, appropriate protection of the personal data transmitted on the basis of standard data protection clauses. The second respondent is said to qualify as a provider of electronic communication services within the meaning of 50 U.S. Code § 1881(b)(4) and to be subject to surveillance by US intelligence agencies pursuant to 50 U.S. Code § 1881a ("FISA 702"). The second respondent actively makes personal data available to the U.S. government under 50 U.S. Code § 1881a.

As a result, the respondents are not in a position to ensure adequate protection of the complainant's personal data if his data is transmitted to the second respondent. The transmission of the complainant's data to the USA is illegal. Several enclosures were attached to the complaint.


A.2. In a statement dated December 16, 2020, the first respondent summarized the following:

The first respondent is based only in Austria. It is responsible for the decision to embed the tool on the XXX.at website. The tool is used to enable general statistical evaluations of the behavior of the website visitors. However, the tool does not allow the content to be adapted to a specific website user, as the evaluation is carried out anonymously and no reference to a specific user is made possible. User IP addresses would also be anonymized before storage or transmission ("IP anonymization"). The so-called user agent string is used to inform the server which system specification the user uses to access the server. Without reference to a person, only device, operating system and version, browser and browser version and the device type are displayed. In the best case, an assignment to a specific device is possible, but never to a specific person who uses the device. The processing of the anonymous statistics takes place predominantly in data centers in Europe, but also by the second respondent on servers outside of the EEA.

If the GDPR is applicable, the first respondent is the responsible party and the second respondent is a processor. A processor agreement has been concluded. Since no personal data would be transmitted, the judgment of the ECJ of July 16, 2020 in case C-311/18 is not applicable. However, in order to make arrangements for any transfer of personal data to the second respondent - e.g. in the event that IP anonymization is deactivated due to a data breach - the first respondent has concluded a data processing agreement with the second respondent, as well as standard data protection clauses (SDK). This was implemented purely as a precaution. The second respondent has further set technical and organizational measures to ensure a high level of data protection for the data processed using the tools. Several enclosures were attached to the statement.


A.3. With a statement of January 22, 2021, the complainant summarized the following:

In the case of a processor in a third country, a breach of anonymization is not enforceable or detectable. In case of doubt, 50 U.S.C. § 1881a applies and not an advertising text on the Google website. The personal data processed first would only be anonymized subsequently in a second step. This anonymization, which may have taken place after the transfer, has no effect on the previous processing. The statement contains a more detailed technical description at this point.

Apart from that, the complainant refers not only to the processing of his IP address, but also to other personal data, such as cookie data. At the time of the website visit, he was logged into his private Google account. "Google" cookies were set. In order to prevent a violation of Art. 44 ff GDPR, a complete removal of the tool is required, and a change to another tool without data transmission to the USA is recommended. If the first respondent is convinced that no personal data would be processed, the conclusion of processor terms is absurd. Several enclosures were attached to the statement.


A.4. In a statement dated April 9, 2021, the second respondent submitted its answers to the questionnaire of the data protection authority.

A.5. With a statement of May 4, 2021, the first respondent summarized the following on the statement of the second respondent of April 9, 2021:

The first respondent only uses the free version of Google Analytics. Both the terms of use and the SDK have been accepted. Neither has the Google Analytics 4 version been implemented, nor has the data sharing setting been activated. The code was embedded with the anonymization function. The second respondent is only used as a processor. The first respondent gave the instructions via the settings in the Google Analytics user interface and via the global website tag. Google Signals are not used. The first respondent does not have its own authentication system and does not use a user ID function either. Currently it does not rely on the exception of Art. 49 Para. 1 GDPR.


A.6. With a statement of May 5, 2021, the complainant summarized the following on the statement of the second respondent of April 9, 2021:

The complaint is directed against the first and second respondents. Google Ireland Limited is not party to the proceedings. The data protection authority is directly competent for the second respondent's violation of Art. 44 ff GDPR. The second respondent as processor is the standard addressee of Chapter V GDPR. The second respondent also does not dispute that all data collected by Google Analytics would be hosted in the United States. At least some of the cookies set during the visit to the website on August 14, 2020 contain unique user identification numbers. In the transaction between the browser of the complainant and https://tracking.XXX.at, which was started on the stated date, the user identification numbers "_gads", "_ga" and "_gid" were set. These numbers were subsequently transmitted to https://www.google-analytics.com/. The numbers are "online identifiers" that are used to identify natural persons and are specifically assigned to a user. With regard to the IP address, it should be noted that Chapter V GDPR does not provide for any exceptions for "subsequently anonymized data". It is to be assumed that the complainant's IP address was not even anonymized in all transactions. The application for the imposition of a fine is withdrawn; this is now a suggestion.


A.7. In a statement dated June 10, 2021, the second respondent summarized the following:

The complainant's standing (legitimacy to act) was not established because it had not been proven that the data transmitted are personal data of the complainant. The cookies in question are first-party cookies that were set under the domain XXX.at. They are therefore cookies of the first and not of the second respondent. Accordingly, these are not unique Google Analytics cookie IDs per user that would be used on multiple websites using Google Analytics. One user has different cid numbers for different websites. It is not stated that the numbers would make the complainant identifiable. The submission contains further technical information on the cookies used at this point. With regard to the IP address, it is to be checked whether the IP address of the device connected to the Internet is actually to be assigned to the complainant and whether the responsible person or "another person" has the legal means to receive subscriber information from the provider in question.

As a processor, the second respondent provides the website operator with numerous configuration options for Google Analytics. Based on the information received, it should be noted that the first respondent configured Google Analytics as stated. Due to a possible configuration error, the first respondent did not activate the IP anonymization function in all cases. Under normal operating conditions and as far as users based in the EU are concerned, a web server is located in the EEA, which is why the IP anonymization is generally carried out within the EEA. In the present case, normal operating conditions exist.

On August 14, 2020, the account XXX.XXX@gmail.com had the web & app activity setting activated. However, the account did not choose to include website activity on sites that used Google services. As the first respondent stated that it also did not activate Google Signals, the second respondent was therefore not in a position to determine that the user of the account XXX.XXX@gmail.com had visited this website.

With regard to international data traffic, it should be noted that - even assuming that it concerns personal data of the complainant - these are by their nature limited in terms of quantity and quality. As far as the transmitted data are to be qualified as personal data at all, they would also be pseudonymous data. Standard contractual clauses were concluded with the first respondent, and supplementary measures have been implemented. The second respondent did not disclose any user data according to EO 12333. FISA § 702 is irrelevant in the present case in view of the encryption and anonymization of IP addresses. Art. 44 ff GDPR could not be the subject of a complaint procedure according to Art. 77 Para. 1 GDPR, which is why the complaint is to be rejected in this regard. Art. 44 ff GDPR are also not applicable with regard to the second respondent as data importer.


A.8. With comments from June 18 and 24, 2021, the first respondent summarized the following:

As part of an asset deal, the website www.XXX.at was transferred on February 1, 2021 to XXX GmbH in Munich. Subsequently, the first respondent was renamed from XXX.at GmbH to XXX GmbH. In addition, the first respondent instructed the second respondent to delete the data collected in the Google Analytics properties immediately. The configuration error related to the IP anonymization function has been fixed. In the meantime, the second respondent has confirmed the final deletion of all data; an enclosure is presented as evidence. It is suggested to discontinue the procedure in accordance with Section 24 (6) DSG.


A.9. With statements of July 9, 2021, the second respondent summarized the following:

In the opinion of the European Data Protection Board (EDPB), an adequacy assessment is not limited to examining the legal provisions of the third country, but must also take into account all specific circumstances of the transfer in question. This is relevant for the present case. The pseudonymization is here - in line with the EDPB guidelines - an effective supplementary measure. It is not expected that US authorities would have additional information that enabled them to identify what was behind the first-party cookie values "gid" and "cid" or the data subjects behind an IP address. The complainant also did not request a declaration that his rights had been violated in the past.


A.10. In a statement of July 9, 2021, the complainant submitted, in summary, the following:

There is processing of personal data, as evidenced among other things by the submitted enclosures. If, in the end, the only precondition for identifying a website visitor is whether he makes certain declarations of intent in his account (such as activating "Ad personalization"), then all possibilities of identifiability are present for the second respondent. Otherwise, the second respondent could not comply with the wishes regarding "personalization" of the advertising received that a user expresses in the account settings.


The UUID (Universally Unique Identifier) in the _gid cookie with the UNIX timestamp 1597223478 corresponds to Wednesday, August 12, 2020 at 11:11 and 18 seconds CET, that in the cid cookie with the UNIX timestamp 1597394734 to Friday, August 14, 2020 at 10:45 and 34 seconds CET. It follows that these cookies were set before the visit to which the complaint relates and that longer-term tracking has taken place. To the best of his knowledge, the complainant had neither deleted these cookies immediately nor visited the website XXX.at repeatedly.


The second respondent misjudges the broad understanding of personal data under the GDPR. Admittedly, the specific IP address used can no longer be identified by the complainant either. However, this is irrelevant, because the UUID in the cookies in any case constitutes a clear personal reference. In particular, the combination of cookie data and IP address allows tracking and the evaluation of the geographic location, internet connection and context of the visitor, which can be linked to the cookie data already described. Data such as the browser used, the screen resolution or the operating system ("device fingerprinting") would also come into consideration for this.


More relevant in the context of the complaint is that US authorities, and secret services in particular, would use easily discoverable data, such as the IP address, as a starting point for monitoring individuals. It is standard practice of secret services to "move on" from one data point to others. If the complainant's computer repeatedly appears on the Internet under the IP address of NOYB, this can be used to spy on the NOYB association and to target the complainant. In a further step, other identifiers in the data, such as the UUIDs mentioned, would then be sought, which in turn would enable the individual to be identified for monitoring in other places. In this context, US intelligence services are "another person" within the meaning of recital 26 GDPR. The complainant not only works for NOYB, but also has a relevant role as a model complainant in these efforts. Under US law, this would mean that monitoring of the complainant (as of all other persons entrusted with this complaint) under 50 USC § 1881a is legally possible at any time. Even applying the supposed "risk-based approach", the present case is a prime example of high risk.

The email address XXX.XXX@gmail.com is to be attributed to the complainant, who bore the surname "XXX" until a marriage. The old Google account is, however, still used. It is not explained to what extent the undisputed data are linked or evaluated, or whether the result of an evaluation is simply not displayed to the user.

In addition, Chapter V GDPR does not recognize a "risk-based approach". This can only be found in certain articles of the GDPR, such as in Art. 32 leg.cit. The new standard contractual clauses in Implementing Decision (EU) 2021/914 are not relevant to the matter for lack of temporal applicability. A "transfer" is not a unilateral act by a data exporter; every "transfer" also requires receipt of the data. Accordingly, Chapter V of the GDPR is also applicable to the second respondent, since it is a matter of joint action by data exporter and data importer.


Even if the second respondent had not violated Art. 44 ff GDPR, the provisions of Art. 28 Para. 3 lit. a and Art. 29 GDPR are to be considered as "standard rules". If the second respondent follows a corresponding instruction from a US secret service, it makes the decision to transfer personal data beyond the specific instruction of the first respondent under Art. 28 and Art. 29 GDPR and the corresponding contractual documents. The second respondent thereby becomes a controller itself under Art. 28 Para. 10 GDPR. Consequently, the second respondent in particular was also obliged to comply with the provisions of Art. 5 ff GDPR. A secret data transfer to US secret services under US law is without doubt not compatible with Art. 5 Para. 1 lit. f GDPR, Art. 5 Para. 1 lit. a GDPR and Art. 6 GDPR.

A.9. In its last statement, dated August 12, 2021, the second respondent submitted, in summary, the following:

The complainant has not demonstrated his standing to lodge a complaint. He did not answer the questions raised by the second respondent about the identifiability of his person on the basis of the IP address. As regards the _gid number and the cid number, it is to be noted that there is no directory that would allow the complainant to be identified. The fact that recital 26 GDPR mentions "singling out" as a possible means of identification does not change the understanding of the words "identify", "identification" or "identifiability".

Identifiability of the complainant presupposes at least that his identification on the basis of the present data is possible with means reasonably likely to be used. This has not been established and cannot be assumed; on the contrary, it is improbable, if not impossible. Nor does the fact that the second respondent has concluded processor agreements mean that the data which are the subject of these proceedings are personal data, or that they are the complainant's data.

The complainant's view that the data transfer is not to be assessed according to a risk-based approach ("all-or-nothing") is not to be followed. This is not in line with the GDPR and is apparent from recital 20 of Implementing Decision (EU) 2021/914 of the European Commission. It is also apparent from the different versions of EDPB Recommendation 01/2020. Even if access to the above numbers by US authorities is "legally possible at any time", it must be examined how likely this is. The complainant has not put forward any convincing arguments as to why or how the "cookie data" in connection with his visit to a publicly available Austrian website used by many people could constitute "foreign intelligence information" and thus become the target of the purpose-restricted data collection under § 702.


B. Subject matter of the complaint

Based on the complainant's submissions, the subject of the complaint is at least the question

           - whether the first respondent, by implementing the Google Analytics tool on its website www.XXX.at, forwarded the complainant's personal data to the second respondent and,
           - whether an adequate level of protection under Art. 44 GDPR was guaranteed for this data transfer.

In this context, it must also be clarified whether, in addition to the first respondent (as data exporter), the second respondent (as data importer) was also obliged to comply with Art. 44 GDPR.

The application that an immediate ban on the transmission of data to the second respondent now be imposed on the first respondent (as controller) is not to be addressed, because, as will be explained below, responsibility for the operation of the website www.XXX.at passed to XXX GmbH, based in Munich, in the course of the complaint procedure (but only after the transmission of the data relevant to the complaint). With regard to the imposition of such a ban, the data protection authority would have to refer the case to the competent German supervisory authority.

Likewise, the application for the imposition of a fine is not to be addressed, as it was withdrawn by the complainant in a statement of May 5, 2021 and is now to be understood as a suggestion.

Finally, it should be noted that the present partial decision does not address the alleged violations by the second respondent of Art. 5 ff in conjunction with Art. 28 Para. 3 lit. a and Art. 29 GDPR. In this regard, further procedural steps are necessary, and this will be decided in a further decision.


C. Factual Findings

C.1. In any case, on August 14, 2020 the first respondent was the operator of the website www.XXX.at. The Austrian version of "XXX" is an information portal on the subject of health. The website www.XXX.at is offered only in German. The first respondent did not operate any other versions of the website www.XXX.at in the EU. The first respondent is also based only in Austria and has no further branches in other EU countries. For Germany there is a German version of "XXX" at www.XXX.de, which, however, was not operated by the first respondent.

Assessment of evidence re C.1.: The findings are based on the statement of the first respondent dated December 16, 2020 (questions 1 to 3) and were not disputed by the complainant in this respect.


C.2. On February 1, 2021, the website www.XXX.at was transferred to XXX GmbH, based in Munich. Subsequently, the first respondent was renamed from XXX.at GmbH to XXX GmbH. The first respondent maintained the website www.XXX.at for XXX GmbH until August 2021. Since August 2021, the first respondent has no longer been the operator of www.XXX.at and no longer decides whether the Google Analytics tool is used.

Assessment of evidence re C.2.: The findings are based on the statement of the first respondent dated June 18, 2021 and were not disputed by the complainant in this respect. In addition, the findings are based on official research by the data protection authority in the commercial register under FN 186415 s.


C.3. The second respondent developed the Google Analytics tool. Google Analytics is a measurement service that enables customers of the second respondent to measure traffic characteristics. This includes measuring the traffic of visitors to a specific website. In this way, the behavior of website visitors can be traced and the way they interact with a specific website measured. Specifically, a website operator creates a Google Analytics account and views reports about the website in a dashboard. Likewise, the effectiveness of advertising campaigns that website operators run on Google ad services can be measured and optimized.

There are two versions of Google Analytics: a free version and a paid version called Google Analytics 360. The free version was made available by the second respondent at least until the end of April 2021. Since the end of April 2021, both Google Analytics versions have been provided by Google Ireland Limited.

Assessment of evidence re C.3.: The findings are based on the statement of the second respondent dated April 9, 2021 (p. 3 and questions 1 and 2) and were not disputed by the complainant in this respect.


C.4. The first respondent, as the website operator, decided at least as of August 14, 2020 to use the free version of the Google Analytics tool for the website www.XXX.at. For this purpose, it embedded a JavaScript code ("tag") provided by the second respondent into the source code of its website. The first respondent used the tool to enable general statistical evaluations of website visitor behavior. The additional tool Google Signals was not activated.

In any case, the first respondent uses these evaluations to present the content of the website www.XXX.at in accordance with the general interest in a topic, so that the sections in greatest demand are placed in the foreground and the presentation can be adapted depending on the topicality of a specific subject.

The first respondent set up a Google Analytics account for this purpose. The Google Analytics account ID with the account name "XXX" is 259349. The first respondent can view the above evaluations by logging into the "XXX" Google Analytics account and viewing reports on the traffic of www.XXX.at in the dashboard. Reports are divided into the categories real-time, audience, acquisition, behavior and conversions. The first respondent can select custom report settings; the second respondent has no influence on this. The second respondent also has no influence on the extent to which the first respondent subsequently uses the reports prepared.

The dashboard is designed as follows (formatting not reproduced 1:1):
[Screenshots of the Google Analytics dashboard not reproduced]
Assessment of evidence re C.4.: The findings are based on the submission of the first respondent dated December 16, 2020 and were not disputed by the complainant. The above screenshots were taken from enclosures ./1 and ./10; a detailed description of the reporting process is given in enclosure ./1.


C.5. The Google Analytics tool works as follows: When visitors visit the website www.XXX.at, the JavaScript code inserted in the source text of the website refers to a JavaScript file, previously downloaded to the user's device, which then performs the tracking for Google Analytics. The tracking operation also retrieves data about the page request by various means and sends this information, as a list of parameters attached to a single-pixel GIF image request, to the Analytics server.

The data collected using Google Analytics on behalf of the website operator come from the following sources:

    - the user's HTTP request;
    - browser/system information;
    - (first-party) cookies.

The HTTP request for each website contains details about the browser and computer making the request, such as host name, browser type, referrer and language. In addition, the browser's DOM interface (the interface between HTML and dynamic JavaScript) provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. Google Analytics uses this information. Google Analytics also sets and reads first-party cookies in the user's browser, which make it possible to measure the user's session and other information from the page request.

When all this information has been collected, it is sent to the Analytics server in the form of a long list of parameters attached to a single GIF image request (the meaning of the GIF request parameters is described here) to the domain google-analytics.com. The data contained in the GIF request are those that are sent to the Analytics server, then further processed and end up in the website operator's reports.

The second respondent's information page on the Google Analytics tool contains the following information (formatting not reproduced 1:1, accessed on December 22, 2021):
[Extract from the second respondent's Google Analytics information page not reproduced]
Assessment of evidence re C.5.: The findings are based on the statement of the second respondent dated April 9, 2021 (question 2) as well as official research by the data protection authority at https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage and https://developers.google.com/analytics/devguides/collection/gtagjs/cookies-user-id (both accessed on December 22, 2021).


C.6. The first and second respondents concluded a contract entitled "Processor Terms for Google Advertising Products". This contract, in the version of August 12, 2020, was in force at least on August 14, 2020. The contract governs the processor terms for "Google advertising products". It applies to the provision of processing services and related technical support services to customers of the second respondent. The aforementioned contract in the version dated August 12, 2020 (enclosure ./7) is used as the basis for the findings of fact.

In addition, on August 12, 2020 the first and second respondents concluded a second contract entitled "Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors". These are standard contractual clauses for international data transfers. The aforementioned second contract in the version of August 12, 2020 (enclosure ./11) is also used as the basis for the findings of fact.

With regard to the data categories listed in Annex 1 of the second contract, the link https://privacy.google.com/businesses/adsservices/ is referenced. Under that link the following is displayed in extracts (highlighted in red by the data protection authority, formatting not reproduced 1:1, accessed on December 22, 2021):
[Extract from https://privacy.google.com/businesses/adsservices/ not reproduced]
In addition to concluding standard contractual clauses, the second respondent has implemented additional contractual, organizational and technical measures. These measures supplement the obligations contained in the standard contractual clauses. The measures are described in the second respondent's statement of April 9, 2021, question 28. This description is used as the basis for the findings of fact.

The second respondent regularly publishes so-called transparency reports ("Transparency Reports") on data requests from US authorities. These are available at:

https://transparencyreport.google.com/user-data/us-national-security?hl=en

Assessment of evidence re C.6.: The findings are based on the statement of the first respondent dated December 16, 2020, question 15. The cited enclosures ./7 and ./11 are included in the file and known to all parties involved. In addition, the findings are based on official research by the data protection authority at https://privacy.google.com/businesses/adsservices/ (accessed on December 22, 2021). The findings with regard to the "additionally implemented measures" result from the statement of the second respondent dated April 9, 2021 (question 28). The statement of the second respondent dated April 9, 2021 is included in the file and known to all parties involved. The finding with regard to the transparency reports results from official research by the data protection authority at https://transparencyreport.google.com/user-data/us-national-security?hl=en (accessed on December 22, 2021).


C.7. In the course of using the Google Analytics tool, the option of an "IP anonymization function" is offered. In any case, on August 14, 2020 this function was not correctly implemented on www.XXX.at.

Assessment of evidence re C.7.: The findings are based on the statement of the first respondent dated June 18, 2021, in which it admits that the aforementioned "IP anonymization function" was not implemented properly due to a code error.


C.8. The complainant visited the website www.XXX.at at least on August 14, 2020, at 10:45 a.m. During the visit, he was logged into his Google account, which is linked to the email address XXX.XXX@gmail.com. The email address belongs to the complainant. The complainant bore the surname "XXX" in the past.

A Google account is a user account used for authentication to the second respondent's various Google online services. A Google account is, for example, a prerequisite for using services such as "Gmail" or "Google Drive" (a file hosting service).

Assessment of evidence re C.8.: The findings are based on the submission of the complainant dated August 18, 2020 (p. 3) and were not disputed by the respondents. The findings with regard to the basic functions of a Google account are based on official research by the data protection authority at https://support.google.com/accounts/answer/27441?hl=de and https://policies.google.com/privacy (both accessed on December 22, 2021).


C.9. In the transaction between the complainant's browser and https://tracking.XXX.at/, unique user identification numbers were set at least in the cookies "_ga" and "_gid". These identification numbers were subsequently transmitted on August 14, 2020 at 12:46:19.948 CET to https://www.google-analytics.com/ and thus to the second respondent.

Specifically, the following user identification numbers were transmitted from the complainant's browser to the second respondent (identical values occurring in different transactions are each color-coded orange and green):
[Table of the transmitted identification numbers not reproduced]
These identification numbers each end in a UNIX timestamp that indicates when the respective cookie was set. The identification number in the _gid cookie with the UNIX timestamp "1597394734" was set on Friday, August 14, 2020 at 10:45 and 34 seconds CEST; that in the cid cookie with the UNIX timestamp "1597223478" on Wednesday, August 12, 2020 at 11:11 and 18 seconds CEST.

With the help of these identification numbers, the respondents are able to distinguish website visitors and also obtain the information whether a visitor is a new or a returning visitor of www.XXX.at.

In addition, the following information (parameters) was also transmitted via the complainant's browser to the second respondent in the course of requests to https://www.google-analytics.com/collect (excerpt from the HAR file, request URL https://www.google-analytics.com/collect, extract of the request with timestamp 2020-08-14T10:46:19.924+02:00):

General

    - Request URL: https://www.google-analytics.com/collect
    - Request method: GET
    - HTTP version: HTTP/2
    - Remote address: 172.217.23.14

Headers

    - Accept: image/webp,*/*
    - Accept-Encoding: gzip, deflate, br
    - Accept-Language: en-US,de;q=0.7,en;q=0.3
    - Connection: keep-alive
    - Host: www.google-analytics.com
    - Referer: https://www.XXX.at/
    - TE: Trailers
    - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0

Query arguments

    - _gid: 929316258.1597394734
    - _s: 1
    - _u: QACAAEAB~
    - _v: j83
    - a: 443943525
    - cid: 1284433117.1597223478
    - de: UTF-8
    - dl: https://www.XXX.at/
    - dt: XXX.at homepage - your independent health portal
    - ea: /
    - ec: scroll depth
    - el: 25
    - gjid:
    - gtm: 2wg871PHBM94Q
    - je: 0
    - jid:
    - ni: 0
    - sd: 24-bit
    - sr: 1280x1024
    - t: event
    - tid: UA-259349-1
    - ul: en-us
    - v: 1
    - vp: 1263x882
    - z: 1764878454

Size

    - Headers: 677 bytes
    - Body: 0 bytes
    - Total: 677 bytes


From these parameters, conclusions can be drawn about the browser used, the browser settings, the language selection, the website visited, the color depth, the screen resolution and the AdSense linking number.

The remote address 172.217.23.14 is that of the second respondent.

In the course of these requests to https://www.google-analytics.com/collect, the IP address of the complainant's device is transmitted to the second respondent.

The content of the HAR file (enclosure ./4), which the complainant submitted with the submission of August 18, 2020, is used as the basis for the findings of fact.


Assessment of evidence re C.9.: The findings are based on the submission of the complainant dated August 18, 2020 and the HAR file presented therein, enclosure ./4. A HAR file is an archive format for HTTP transactions. The HAR file was checked by the data protection authority. The complainant's arguments agree with the archive data contained therein. The HAR file presented (or its content) is known to the parties. In addition, the findings are based on the statement of the complainant dated May 5, 2021 (p. 8 ff) and the screenshots contained therein. As set out above, according to the information provided by the second respondent, the purpose of the identification numbers is to distinguish users. The times at which the cookies were set are calculated from the respective UNIX timestamps. Unix time is a time definition that was developed for the Unix operating system and established as a POSIX standard. Unix time counts the seconds that have elapsed since Thursday, January 1, 1970, 00:00 UTC. The finding with regard to the remote address results from an official WHOIS query by the data protection authority at https://who.is/whois-ip/ip-address/172.217.23.14 (accessed on December 22, 2021).
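The following Python script is an added example, not part of the decision and not Google's code. It reconstructs a Google Analytics collect hit from the query arguments listed in C.9 (a constructed sample; redacted values are left as XXX), splits the cid and _gid identifiers into their random part and the UNIX timestamp of the moment the cookie was set, renders those timestamps at the +02:00 offset carried by the HAR timestamp (CEST), decides whether the client ID predates the hit (a returning visitor, as found above), and checks for the Measurement Protocol parameter `aip`, which analytics.js adds to each hit when IP anonymization is enabled (cf. C.7) and which the listed query arguments do not contain. The fixed +02:00 offset and the 30-minute threshold used for the returning-visitor check are assumptions of this example.

```python
"""Decode the identifiers and flags in a Google Analytics (analytics.js,
Measurement Protocol v1) "collect" hit such as the one reproduced in C.9.
Added example, not code from the decision or from Google."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumption: fixed UTC+2 offset, matching the "+02:00" of the HAR timestamp.
CEST = timezone(timedelta(hours=2), "CEST")

# Constructed sample: the collect URL rebuilt from the query arguments listed
# in C.9 (redacted host and title kept as XXX).
SAMPLE_HIT = (
    "https://www.google-analytics.com/collect?v=1&_v=j83&a=443943525&t=event"
    "&_s=1&dl=https%3A%2F%2Fwww.XXX.at%2F&ul=en-us&de=UTF-8"
    "&dt=XXX.at%20homepage%20-%20your%20independent%20health%20portal"
    "&sd=24-bit&sr=1280x1024&vp=1263x882&je=0&ec=scroll%20depth&ea=%2F&el=25"
    "&ni=0&_u=QACAAEAB~&jid=&gjid=&cid=1284433117.1597223478"
    "&_gid=929316258.1597394734&tid=UA-259349-1&gtm=2wg871PHBM94Q&z=1764878454"
)
SAMPLE_HIT_TIME = datetime.fromisoformat("2020-08-14T10:46:19.924+02:00")

# Assumption: a client ID set more than one default GA session (30 min)
# before the hit is treated as carried over from an earlier visit.
SESSION_TIMEOUT = timedelta(minutes=30)


def parse_hit(url):
    """Return the query arguments of a collect hit as a flat dict
    (blank values such as 'jid=' are kept)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def decode_ga_id(value):
    """Split a GA identifier into (random_part, set_time).

    Accepts both the hit form '<random>.<unix-seconds>' (cid, _gid) and the
    raw cookie form 'GA1.2.<random>.<unix-seconds>' (_ga, _gid cookies); the
    last component is the UNIX time at which the cookie was set."""
    parts = value.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[-2:]):
        raise ValueError(f"not a GA client/session identifier: {value!r}")
    set_time = datetime.fromtimestamp(int(parts[-1]), tz=timezone.utc)
    return int(parts[-2]), set_time.astimezone(CEST)


def analyse_hit(url, hit_time):
    """Derive from one collect hit the facts a reviewer of a HAR extract
    would want: cookie set times, returning-visitor status, IP masking."""
    params = parse_hit(url)
    _, cid_set = decode_ga_id(params["cid"])
    _, gid_set = decode_ga_id(params["_gid"])
    return {
        "property": params.get("tid"),
        "cid_set": cid_set,
        "gid_set": gid_set,
        # cid older than one session before the hit: the browser already
        # carried a _ga cookie from an earlier visit.
        "returning_visitor": cid_set < hit_time - SESSION_TIMEOUT,
        "days_since_cid_set": (hit_time - cid_set).days,
        # analytics.js sends aip=1 when ga('set', 'anonymizeIp', true) is
        # configured; its absence means this hit did not request masking.
        "ip_anonymization_requested": params.get("aip") == "1",
        # Browser/system details that travel with every hit.
        "fingerprint": {k: params.get(k) for k in ("ul", "sd", "sr", "vp", "de", "je")},
    }


if __name__ == "__main__":
    for key, val in analyse_hit(SAMPLE_HIT, SAMPLE_HIT_TIME).items():
        print(f"{key:>28}: {val}")
```

Run against the sample, the script reports the cid as set on Wednesday, August 12, 2020 at 11:11:18 CEST and the _gid as set on Friday, August 14, 2020 at 10:45:34 CEST, about a minute before the hit, and flags the hit as coming from a returning visitor without IP anonymization requested.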


C.10. Insofar as the Google Analytics tool is implemented on a website, the second respondent has the technical possibility to obtain the information that a certain Google account user visited this website (on which Google Analytics is implemented) if this Google account user is logged into the Google account during the visit.

Assessment of evidence re C.10.: In its statement of April 9, 2021, question 9, the second respondent argued that it would only obtain such information if certain requirements are met, such as the activation of specific settings in the Google account. In the opinion of the data protection authority, this argument is not convincing. If the request of a Google account user for "personalization" of the advertising received can be complied with on the basis of a declaration of intent in the account, then, from a purely technical point of view, the possibility of mapping the information about the website visited to the Google account user exists. In this context, reference must be made to accountability under data protection law, which is addressed in more detail in the legal assessment. For the establishment of the facts, this accountability means that the respondents (or in any case the first respondent as controller), and not the complainant or the data protection authority, must provide sufficient evidence. Such sufficient evidence, namely that there is no technical possibility for the second respondent to receive the data, was not established in this context, especially since it is an essential part of the Google Analytics concept to be implemented on as many websites as possible in order to be able to collect data.

C.11. In the course of the proceedings, the first respondent instructed the second respondent to delete all data collected through the Google Analytics properties for the website www.XXX.at. The second respondent has confirmed the deletion.

Assessment of evidence re C.11.: The findings are based on the statements of the first respondent dated June 18 and 24, 2021 as well as the copy of the correspondence between the first and second respondents presented.


D. From a legal point of view, it follows:

D.1. General

a) On the competence of the data protection authority

The European Data Protection Board (hereinafter: EDPB) has already dealt with the relationship between the GDPR and Directive 2002/58/EC ("ePrivacy Directive") (cf. Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR of March 12, 2019).

In a decision of November 30, 2018, Zl. DSB-D122.931/0003-DSB/2018, the data protection authority dealt with the relationship between the GDPR and the national implementing provision (in Austria now: TKG 2021, Federal Law Gazette I No. 190/2021 as amended).

It was stated in principle that the ePrivacy Directive (or the respective national implementing provision) acts as lex specialis to the GDPR. Art. 95 GDPR stipulates that the regulation does not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communications networks in the Union insofar as they are subject to specific obligations in the ePrivacy Directive with the same objective.

However, the ePrivacy Directive contains no obligations within the meaning of Chapter V of the GDPR for the case of the transfer of personal data to third countries or to international organizations.

It should be noted again at this point that responsibility for the operation of the website www.XXX.at passed to a German company only after the complaint-relevant data had been transmitted on August 14, 2020.

Against this background, the GDPR is applicable to such a data transfer, and the data protection authority thus has competence to handle the complaint in question under Art. 77 Para. 1 GDPR.


b) On Art. 44 GDPR as a subjective right

Based on the previous rulings of the data protection authority and the courts, it is noted that both the lawfulness of data processing under Art. 5 Para. 1 lit. a in conjunction with Art. 6 ff GDPR and the data subject rights set out in Chapter III of the regulation can be asserted as subjective rights in the context of a complaint under Art. 77 Para. 1 GDPR.

The transfer of personal data to a third country for which (allegedly) no adequate level of protection within the meaning of Art. 44 GDPR is guaranteed has not yet been the subject of a complaint in a complaint procedure before the data protection authority.

In this context, it should be noted that Art. 77 Para. 1 GDPR (and also the national provision of Section 24(1) DSG) requires for the exercise of the right to lodge a complaint only that "[...] the processing of personal data relating to him or her infringes this Regulation".

In its judgment of July 16, 2020, the ECJ also assumed that the finding that "[...] the law and practices of a third country do not ensure an adequate level of protection [...]" as well as "[...] the compatibility of this (adequacy) decision with the protection of the privacy and of the fundamental rights and freedoms of individuals [...]" can be asserted as a subjective right in the context of a complaint under Art. 77 Para. 1 GDPR (see the judgment of the ECJ of July 16, 2020, C-311/18, margin no. 158).

It should be noted that the question referred in the above proceedings did not cover the "scope of the right to lodge a complaint under Art. 77 Para. 1 GDPR"; but the ECJ obviously regarded the fact that a violation of the provisions of Chapter V GDPR can be asserted in the context of a complaint under Art. 77 Para. 1 GDPR as a necessary prerequisite. Seen differently, the ECJ would have had to state that the question of the validity of an adequacy decision cannot be clarified at all in the context of a complaint procedure.


Insofar as the second respondent also asserts Article 44 GDPR as

Subjective law - with reference to the wording of recital 141 leg.cit. - is denying that

to counter that the mentioned recital is linked to the fact that the "rights according to this regulation"
a complaint according to Art. 77 Para. 1 GDPR are accessible (and not, for example: "the rights according to

Chapter III of this regulation ").


Although the term "rights of the data subject" is used in certain places in the GDPR, it does not follow conversely that other provisions in which this wording is not used cannot be invoked as a subjective right. Most provisions of the GDPR are, on the one hand, an obligation of the controller (and in part of the processor), but on the other hand can also be asserted as a subjective right of data subjects. For example, it is undisputed that Art. 13 and Art. 14 GDPR establish a subjective right to information, although the right to information is not designated in Art. 12(2) leg. cit. as "their rights" (i.e. "rights of the data subject") and Art. 13 and Art. 14 GDPR are worded as an information obligation of the controller.


The decisive factor is whether a data subject is impaired in an individual legal position by an alleged violation of the law. The alleged infringement must therefore affect the person concerned, and affect them adversely.


Apart from that, the recitals are an important instrument for interpreting the GDPR, but they cannot be used to reach a result that contradicts the text of the Regulation (here, as stated above, the fact that the administrative remedy is generally tied to "the processing") (cf. the judgment of the ECJ of May 12, 2005, C-444/03, para. 25 and the further case law cited there).


Finally, according to the domestic case law of the VwGH, in case of doubt it can be assumed that provisions which prescribe an official procedure also, and in particular, in the interest of the person concerned grant that person a subjective right that can be enforced through the appeal process (cf. VwSlg. 9151 A/1976, 10.129 A/1980, 13.411 A/1991, 13.985 A/1994).


Against the background of the wording of Art. 77(1) GDPR and the cited case law of the ECJ and the VwGH, it should be noted as an interim result that the provisions of Chapter V, and in particular the obligation of controllers and processors standardised in Art. 44 GDPR to ensure the level of protection for natural persons guaranteed by the Regulation, can conversely be asserted as a subjective right before the competent supervisory authority in accordance with Art. 77(1) GDPR.


c) On the determination competence of the data protection authority

According to the case law of the VwGH and the BVwG, the data protection authority has a competence to make determinations with regard to violations of the right to secrecy in complaint proceedings (expressly so in the decision of the BVwG of May 20, 2021, Zl. W214 2226349-1/12E; implicitly in the decision of the VwGH of February 23, 2021, Ra 2019/04/0054, in which it dealt with the determination of a past breach of confidentiality without taking up a lack of jurisdiction of the respondent authority).

There are no objective reasons why the determination competence under Art. 58(6) GDPR in conjunction with § 24(2)(5) and (5) DSG should not also be used for the determination of a violation of Art. 44 GDPR, since in the present case, among other things, a violation of the law lying in the past, namely a data transfer to the USA, is complained of, and the right to lodge a complaint under § 24(1) DSG, as well as Art. 77(1) GDPR, generally relates to a violation of the GDPR. If the operative part of a decision in complaint proceedings could contain only instructions under Art. 58(2) GDPR, there would, as a result, be no room for § 24(2)(5) and (5) DSG.


Contrary to the opinion of the respondents, § 24(6) DSG cannot be applied to the subject matter of the complaint relevant here, since a data transfer lying in the past is complained of. In other words: the alleged unlawfulness (here: incompatibility with Art. 44 GDPR) of an already completed data transfer is not amenable to a settlement of the proceedings under § 24(6) DSG.


Against the background of these remarks, it should be noted as a further interim result that the determination competence of the data protection authority is given in the present complaint proceedings.


D.2. Ruling point 1

As stated, the data protection authority suspended the proceedings in question with a decision of October 2, 2020, Zl. D155.027, 2020-0.527.385, until it is determined which authority is responsible for the substantive conduct of the proceedings (lead supervisory authority) or until a decision is made by a lead supervisory authority or the EDPB.


Based on the results of the investigation, it should be noted that cross-border data processing within the meaning of Art. 4(23) in conjunction with Art. 56(1) GDPR is not present with regard to the subject of the complaint, a data transfer to the USA in August 2020, and that the "one-stop-shop" mechanism under Art. 60 GDPR therefore does not apply:


According to its own statements (see statement of December 16, 2020, question 2), the first respondent is neither established in more than one Member State (data processing within the meaning of Art. 4(23)(a) GDPR in the context of the activities of establishments in more than one Member State can therefore not be present), nor does the data transfer, and thus the processing of personal data by the first respondent, substantially affect data subjects in more than one Member State (Art. 4(23)(b) leg. cit.).


With regard to the effects of the present data processing, the factual findings show that the target audience of the relevant website www.XXX.at is (primarily) persons resident in Austria, also because the website www.XXX.de provides its own version for the German audience. According to its own statements (see the statement of December 16, 2020, question 2), the first respondent was (at least in August 2020) only responsible for the Austrian version at www.XXX.at. The theoretical possibility that German-speaking persons from a Member State other than Austria can access www.XXX.at cannot establish the fact of "effects on data subjects in more than one Member State" under Art. 4(23)(b) GDPR. On a different view, every complaint against the operator of a website, regardless of the website's intended target audience, would have to be dealt with under the rules of Art. 60 ff GDPR. This would lead to an overly broad interpretation of Art. 4(23)(b) GDPR (and consequently to an overly wide scope of application of the "one-stop-shop"), which, in the opinion of the data protection authority, cannot have been intended by the legislator.


The complaint at issue is consequently to be dealt with exclusively by the Austrian data protection authority in accordance with Art. 55(1) GDPR.

Since ex officio decisions from which no one has acquired a right can be annulled or amended both by the authority that issued the decision and, in exercise of the right of supervision, by the competent higher authority, and since a suspension of proceedings does not give rise to any right of a party to the proceedings to non-decision, the above-mentioned decision of October 2, 2020 was amenable to rectification under § 68(2) AVG.


D.2. Ruling point 2. a)

a) General information on the term "personal data"

The material scope of Art. 2(1) GDPR, and thus the success of this complaint, fundamentally requires that "personal data" are processed.


According to the legal definition in Art. 4(1) GDPR, "personal data" means "any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

As can be seen from the factual findings (see point C.9.), the first respondent, as the operator of the website, implemented the Google Analytics tool on its website. As a result of this implementation, i.e. triggered by the JavaScript code executed when the website is visited, at least the following information from the browser of the complainant, who visited the website www.XXX.at, was transmitted to the server of the second respondent:


    - unique online identifiers which identify both the browser and the device of the complainant as well as the first respondent (through the Google Analytics account ID of the first respondent as the website operator);

    - the address and the HTML title of the website, as well as the sub-pages the complainant visited;

    - information on the browser, operating system, screen resolution, language selection and the date and time of the website visit;

    - the IP address of the device the complainant used.


It must be examined whether this information falls under the definition of Art. 4(1) GDPR, i.e. whether it is personal data of the complainant.

b) Identification numbers as "personal data"

With regard to the online identifiers, it should again be recalled that the cookies in question, "_ga" or "cid" (Client ID) and "_gid" (User ID), represent unique Google Analytics identification numbers and were stored on the device or in the browser of the complainant. As established, these identification numbers make it possible for certain bodies, here for example the respondents, to distinguish website visitors and also to obtain the information whether a visitor of www.XXX.at is new or returning. In other words: only the use of such identification numbers enables a distinction between website visitors that was not possible before this assignment.


In the opinion of the data protection authority, there is already an interference with the fundamental right to data protection under Art. 8 EU-GRC as well as § 1 DSG when certain bodies take measures, here the assignment of such identification numbers, in order to individualise website visitors in this way.


A standard of "identifiability" under which it must be immediately possible to link these identification numbers to a particular "face" of a natural person, in particular to the name of the complainant, is not required (see already Opinion 4/2007, WP 136, 01248/07/DE of the former Art. 29 Data Protection Working Party on the concept of "personal data", p. 16 f; see also the guidance of the supervisory authorities for telemedia providers from March 2019, p. 15).


Recital 26 GDPR speaks in favour of such an interpretation: to determine whether a natural person is identifiable, "[...] account should be taken of all the means reasonably likely to be used, either by the controller or by another person, to identify the natural person directly or indirectly, such as singling out" (German version: "Aussonderung"). The term "aussondern" is to be understood as "picking out of a crowd" (see https://www.duden.de/rechtschreibung/aussondern, retrieved on December 22, 2021), which corresponds to the above considerations on the individualisation of website visitors.


In the literature it is also expressly stated that a "digital footprint" which makes it possible to clearly individualise devices, and subsequently the specific user, already constitutes personal data (see Karg in Simitis/Hornung/Spiecker, GDPR Commentary, Art. 4(1) para. 52 with further references). Because of the uniqueness of the identification numbers, this consideration can be applied to the present case, especially since, as will be discussed in more detail shortly, these identification numbers can also be combined with other elements.

Insofar as the respondents point out that no "means" were used to link the identification numbers in question to the person of the complainant, it must be countered that the implementation of Google Analytics on www.netddoktor.at results in a singling out within the meaning of Recital 26 GDPR. In other words: whoever uses a tool that has just made such a singling out possible cannot take the position that no means "reasonably likely to be used" were employed to make natural persons identifiable.

As an interim result, it should be noted that the Google Analytics identification numbers can be personal data (in the form of an online identifier) within the meaning of Art. 4(1) GDPR.


c) Combination with other elements

The fulfilment of the requirements of Art. 4(1) GDPR becomes even more clearly recognisable if one takes into account that the identification numbers can be combined with other elements:

By combining all these elements, that is, the unique identification numbers and the other information cited above such as browser data or the IP address, it becomes all the more likely that the complainant can be identified (see again Recital 30 GDPR). Such a combination makes the "digital footprint" of the complainant even more unique.


The respondents' submissions on the "IP address anonymisation function" can remain open, since the respondents have admitted that this function was not implemented correctly (at the time of the complaint) (see for example the statement of the Respondent dated June 18, 2021).
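The reasoning in points b) and c) above, and the remark on the IP masking function, rest on three mechanics: a per-browser identifier stored in a cookie, the new/returning distinction that identifier enables, and the combination of that identifier with browser data and IP address into a "digital footprint". The following is an added example (it is not part of the DSB decision and not Google's code) that models those mechanics on constructed sample hits. It assumes the common "GA1.<n>.<random>.<first-visit timestamp>" layout of the "_ga" cookie value, zeroes the last IPv4 octet as a stand-in for the IP masking the decision mentions (it makes no claim about what Google's implementation does), and uses an inline FNV-1a hash so it runs without dependencies:

```javascript
// Added example: how a Google Analytics client identifier singles out a
// website visitor, and why masking the IP address alone does not change that.
// Not code from the decision or from Google; the cookie layout is an assumption.

// Parse a "_ga" cookie value. Assumption: "GA1.<n>.<random>.<first visit
// timestamp>", where the last two dot-separated parts form the client id.
function parseGaCookie(value) {
  const parts = String(value).split(".");
  if (parts.length !== 4 || parts[0] !== "GA1") return null;
  if (!/^\d+$/.test(parts[2]) || !/^\d+$/.test(parts[3])) return null;
  return {
    clientId: `${parts[2]}.${parts[3]}`,
    firstVisit: new Date(Number(parts[3]) * 1000),
  };
}

// Zero the last octet of an IPv4 address (stand-in for the "IP anonymisation
// function" discussed above; no claim about the real implementation).
function maskIpv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}$/.exec(ip);
  if (!m) throw new Error(`not an IPv4 address: ${ip}`);
  return `${m[1]}.${m[2]}.${m[3]}.0`;
}

// Singling out: the first hit carrying a given client id is a "new" visitor,
// every later hit carrying the same id is a "returning" one.
function classifyVisits(hits) {
  const seen = new Map(); // clientId -> number of hits seen so far
  return hits.map((hit) => {
    const cookie = parseGaCookie(hit.ga);
    if (!cookie) return { page: hit.page, clientId: null, visit: "unknown" };
    const count = (seen.get(cookie.clientId) || 0) + 1;
    seen.set(cookie.clientId, count);
    return { page: hit.page, clientId: cookie.clientId, visit: count === 1 ? "new" : "returning" };
  });
}

// Number of distinct browsers the identifiers separate out of the hit stream.
function countDistinctVisitors(hits) {
  const ids = hits.map((h) => parseGaCookie(h.ga)).filter(Boolean).map((c) => c.clientId);
  return new Set(ids).size;
}

// 32-bit FNV-1a, dependency-free; the value only needs to be stable and distinct.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Combination with other elements: identifier + browser data + (masked) IP
// collapsed into one "digital footprint" value.
function fingerprint(hit, { maskIp = true } = {}) {
  const cookie = parseGaCookie(hit.ga);
  const ip = maskIp ? maskIpv4(hit.ip) : hit.ip;
  return fnv1a([cookie ? cookie.clientId : "", hit.userAgent, hit.screen, hit.lang, ip].join("|"));
}

// Constructed sample hits (not real traffic). Hits 1 and 2 come from the same
// browser; hit 3 is another visitor with the same browser build, language,
// screen size and /24 network, so only the client id tells them apart.
const BROWSER = { userAgent: "Mozilla/5.0 (X11; Linux x86_64) Firefox/79.0", screen: "1920x1080", lang: "de-AT" };
const SAMPLE_HITS = [
  { page: "https://www.example.test/", ga: "GA1.2.1234567890.1597400000", ip: "203.0.113.45", ...BROWSER },
  { page: "https://www.example.test/article", ga: "GA1.2.1234567890.1597400000", ip: "203.0.113.45", ...BROWSER },
  { page: "https://www.example.test/", ga: "GA1.2.9876543210.1597400100", ip: "203.0.113.46", ...BROWSER },
];

function demo() {
  console.log(classifyVisits(SAMPLE_HITS));
  console.log("distinct visitors:", countDistinctVisitors(SAMPLE_HITS));
  console.log("masked IPs identical:", maskIpv4(SAMPLE_HITS[0].ip) === maskIpv4(SAMPLE_HITS[2].ip));
  console.log("footprints still differ:", fingerprint(SAMPLE_HITS[0]) !== fingerprint(SAMPLE_HITS[2]));
}

demo();
```

The third sample hit is deliberately built so that every element except the client id matches the first one, including the masked IP: the two footprints still differ, which is the decision's point that the identifier, not the IP address, does the singling out.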


Likewise, the question of whether an IP address, viewed in isolation, constitutes personal data can remain open, since, as mentioned, it can be combined with further elements (in particular the Google Analytics identification number). In this context it should be noted that, according to the case law of the ECJ, the IP address can constitute personal data (see the judgments of the ECJ of June 17, 2021, C‑597/19, para. 102, and of October 19, 2016, C‑582/14, para. 49), and that it does not lose this status simply because the means of identification lie with a third party.


Finally, the data protection authority points out that it is an essential part of the concept of Google Analytics (at least in the free version) that it is implemented on as many websites as possible in order to collect information about website visitors. Accordingly, it would be incompatible with the fundamental right to data protection under Art. 8 EU-GRC or § 1 DSG to exclude from the applicability of the GDPR the data processing connected with the Google Analytics tool, in which individual website visitors can be individualised by means of the Google Analytics identification number.


d) Traceability to the complainant

Regardless of the above considerations, however, a traceability to the "face" of the complainant, such as his name, must in any case be assumed:

It is not necessary that the respondents themselves can establish the personal reference, so that all information required for identification lies with them (see the judgments of the ECJ of December 20, 2017, C-434/16, para. 31, and of October 19, 2016, C‑582/14, para. 43). Rather, it is sufficient that someone, with legally permissible means and reasonable effort, can establish this personal reference (see Bergauer in Jahnel, GDPR Commentary, Art. 4(1) para. 20 with reference to Albrecht/Jotzo, The new data protection law of the EU, 58).


Such an interpretation of the scope of Art. 4(1) GDPR follows, in addition to the cited case law and literature, from Recital 26 GDPR, according to which, for the question of identifiability, not only the means of the controller (here: the first respondent) are to be taken into account, but also those of "another person" (English language version of the Regulation: "by another person"). This also follows from the idea of offering data subjects the greatest possible protection for their data.

The ECJ has repeatedly stated that the scope of the GDPR is to be understood "very broadly" (see for example the judgment of the ECJ of June 22, 2021, C‑439/19, para. 61; on the comparable earlier legal situation, the judgments of December 20, 2017, C‑434/16, para. 33, and of May 7, 2009, C‑553/07, para. 59).


It is not overlooked that, according to Recital 26 GDPR, account must also be taken of the "likelihood" with which anyone uses means to identify an individual directly or indirectly. Indeed, in the opinion of the data protection authority, the term "anyone", and thus the scope of Art. 4(1) GDPR, is not to be interpreted so broadly that some unknown actor could theoretically possess special knowledge enabling a link to a person; this would mean that almost all information falls within the scope of the GDPR and that a demarcation from non-personal data becomes difficult or even impossible.

Rather, the decisive factor is whether identification can be achieved with justifiable and reasonable effort (see the decision of December 5, 2018, GZ DSB-D123.270/0009-DSB/2018, according to which personal data no longer exist if the controller or a third party can only establish a personal reference with disproportionate effort).


In the present case, however, there are certain actors who possess special knowledge that makes it possible to establish a reference to the complainant in the above sense and thus to identify him.

First of all, this is the second respondent:


As can be seen from the factual findings, at the time of visiting the website www.XXX.at the complainant was logged in with his Google account XXX.XXX@gmail.com. The second respondent stated that it receives information by virtue of the fact that the Google Analytics tool is implemented on a website. This includes the information that a certain Google account user has visited a certain website (cf. statement of April 9, 2021, question 9).


This means that the second respondent has at least received the information that the user of the Google account XXX.XXX@gmail.com has visited the website www.XXX.at.


So even if one takes the view that the above online identifiers must be assignable to particular "faces", such an assignment can in any case be made via the complainant's Google account.

This is not altered by the further statements of the second respondent that certain requirements must be met for such an assignment, such as the activation of specific settings in the Google account (see again its statement of April 9, 2021, question 9).


If, however, as the complainant convincingly argued, the identifiability of a website visitor depends only on whether certain declarations of intent have been made in the account, then (from a technical point of view) all possibilities for identifiability exist. In other words, the second respondent could not otherwise comply with a user's wish, expressed in the account settings, not to "personalise" the advertising information received.


In this context, reference is made to the unambiguous wording of Art. 4(1) GDPR, which is tied to an ability ("can be identified") and not to whether an identification is ultimately also carried out.


The accountability of the first respondent, as the controller (to be shown further below), under Art. 5(2) in conjunction with Art. 24(1) in conjunction with Art. 28(1) GDPR requires it to take suitable technical and organisational measures to ensure, and to be able to demonstrate, that the processing (with the help of a processor) is carried out in accordance with the Regulation. It is therefore an obligation to provide evidence that rests on the controller.


This also includes proof that a processing is not subject to the Regulation. Such proof was not provided, despite the opportunities granted several times.


Independently of the second respondent, however, and this is of greater relevance in the present case, the US authorities are to be considered:


As the complainant has also correctly pointed out, the intelligence services of the USA use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information with the help of which the data transferred here can be traced back to the person of the complainant.


The fact that this is not merely a "theoretical danger" is evident from the judgment of the ECJ of July 16, 2020, C‑311/18, which, because such methods and access possibilities of the US authorities are incompatible with the fundamental right to data protection under Art. 8 EU-GRC, ultimately also declared the EU-US adequacy decision ("Privacy Shield") invalid.


This is also evident in particular from the transparency report of the second respondent cited in the factual findings, which shows that data requests from US authorities to the second respondent do occur. Both metadata and content data can be requested from the second respondent.


It is not overlooked that it is of course not possible for the first respondent to check whether such access by US authorities occurs in individual cases, i.e. per website visitor, or what information US authorities already hold; but this cannot, conversely, be held against data subjects such as the complainant. It was ultimately the first respondent as the (then) website operator who, despite the publication of the aforementioned judgment of the ECJ of July 16, 2020, continued to use the Google Analytics tool.


As a further interim result, it should be noted that the information listed in the factual findings under C.9. constitutes (at least in combination) personal data within the meaning of Art. 4(1) GDPR.


e) Distribution of roles

As already stated, the first respondent as the website operator decided, at the time of the complaint, to implement the "Google Analytics" tool on the website www.XXX.at. Specifically, it inserted a JavaScript code ("tag") provided by the second respondent into the source code of its website, which caused this JavaScript code to be executed in the complainant's browser when the website was visited. In this regard, the first respondent stated that the aforementioned tool is used for the purpose of statistical evaluation of the behaviour of website visitors (see statement of December 16, 2020, question 2).


As a result, the first respondent has determined the "purposes and means" of the data processing connected with the tool, which is why it is (at least) to be regarded as the controller within the meaning of Art. 4(7) GDPR.


As far as the second respondent is concerned, it should be noted that the subject matter of the complaint relevant here relates (only) to the data transfer to the second respondent in the USA. A possible further processing of the information cited in the factual findings under C.9. (by Google Ireland Limited or the second respondent) is not the subject of the complaint and was therefore not investigated further in this direction.


As for the data processing in connection with the Google Analytics tool, it must be stated that the second respondent only makes the tool available and has no influence on whether and to what extent the first respondent makes use of the tool's functions and which specific settings it chooses.


Insofar as the second respondent therefore only provides Google Analytics (as a service), it has no influence on the "purposes and means" of the data processing and is therefore, in the present case, to be qualified as a processor within the meaning of Art. 4(8) GDPR.


These considerations are without prejudice to a further ex officio investigation procedure under Art. 58(1)(b) GDPR and without prejudice to the data protection role of the second respondent with regard to possible further data processing.


D.3. Ruling point 2. b)

a) Scope of Chapter V GDPR

First of all, it must be examined whether the first respondent is subject to the obligations standardised in Chapter V of the Regulation.


According to Art. 44 GDPR, any "[...] transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation [...] shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."


In the "Guidelines 5/2021 on the relationship between the scope of Art. 3 and the provisions on international data transfers under Chapter V GDPR" (currently still in public consultation), the EDPB identified three cumulative conditions for when a "transfer to a third country or an international organisation" within the meaning of Art. 44 GDPR exists (ibid. para. 7):


    - the controller or a processor is subject to the GDPR for the processing in question;

    - this controller or processor ("data exporter") discloses by transmission or otherwise makes available personal data that are the subject of this processing to another controller, a joint controller or a processor ("data importer");

    - the data importer is located in a third country or is an international organisation, irrespective of whether or not this data importer is subject to the GDPR under Art. 3 in respect of the processing in question.


The first respondent is established in Austria and, at the time relevant to the complaint, was responsible under data protection law for the operation of the website www.XXX.at. In addition, the first respondent (as data exporter) disclosed personal data of the complainant by proactively implementing the Google Analytics tool on its website www.XXX.at, and as a direct consequence of this implementation a data transfer to the second respondent (to the USA) took place. Finally, the second respondent, in its capacity as processor (and data importer), is based in the USA.

Since all the requirements set out in the EDPB guidelines are met, the first respondent as data exporter is subject to the provisions of Chapter V of the Regulation.


b) Regulations of Chapter V GDPR

It must then be examined whether the data transfer to the USA took place in accordance with the requirements of Chapter V GDPR.

Chapter V of the Regulation provides three instruments to ensure the appropriate level of protection required by Art. 44 GDPR for data transfers to a third country or an international organisation:

    - adequacy decision (Art. 45 GDPR);
    - appropriate safeguards (Art. 46 GDPR);
    - derogations for specific situations (Art. 49 GDPR).


c) Adequacy decision

The ECJ has ruled that the EU-US adequacy decision ("Privacy Shield") is invalid, without maintaining its effects (see the judgment of July 16, 2020, C‑311/18, para. 201 f).

The present data transfer is therefore not covered by Art. 45 GDPR.


d) Appropriate safeguards

As can be seen from the factual findings, on August 12, 2020 the respondents concluded standard data protection clauses (hereinafter: SDK) under Art. 46(2)(c) GDPR for the transfer of personal data to the USA ("Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors"). Specifically, at the time of the complaint these were the clauses in the version of Implementing Decision 2010/87/EU of the European Commission of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5.


In the aforementioned judgment of July 16, 2020, the ECJ stated that SDK as an instrument for international data transfers are in principle not objectionable; however, the ECJ also noted that SDK are by their nature a contract and therefore cannot bind the authorities of a third country:

"Accordingly, there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, but also situations in which the provisions contained in those clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates" (ibid. para. 126).

A more detailed analysis of the legal situation in the USA (as a third country) can be omitted at this point, as the ECJ already dealt with it in the cited judgment of July 16, 2020. It concluded that, due to the relevant US law and the implementation of governmental surveillance programmes based on Section 702 FISA and E.O. 12333 in connection with PPD-28, the EU-US adequacy decision did not guarantee an adequate level of protection for natural persons (ibid. para. 180 ff).

These considerations can be transferred to the present case. It is evident that the second respondent is to be qualified as a provider of electronic communication services within the meaning of 50 U.S. Code § 1881(b)(4) and is thus subject to surveillance by US intelligence services under 50 U.S. Code § 1881a ("FISA 702"). Accordingly, the second respondent is obliged to make personal data available to US authorities under 50 U.S. Code § 1881a.


As emerges from the second respondent's "Transparency Report", such requests are also regularly made to it by US authorities (cf. https://transparencyreport.google.com/user-data/us-national-security?hl=en, retrieved on December 22, 2021).


If, however, the EU-US adequacy decision has already been declared invalid because of the legal situation in the USA, it cannot be assumed in the present case that the (mere) conclusion of SDK guarantees an appropriate level of protection under Art. 44 GDPR for the data transfer at issue.


Against this background, the ECJ also stated in the cited judgment of July 16, 2020 that "[...] standard data protection clauses, by their nature, cannot provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under Union law [...]" and that it "[...] may prove necessary, depending on the situation in a particular third country, for the controller to adopt supplementary measures to ensure compliance with that level of protection" (ibid. para. 133).


The present data transfer can therefore not be based solely on the standard data protection clauses concluded between the respondents under Art. 46(2)(c) GDPR.


e) General information on "additional measures"

In its "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data", the EDPB stated that, where the law of the third country impinges on the effectiveness of appropriate safeguards (such as SDK), the data exporter must either suspend the data transfer or implement additional measures ("supplementary measures") (ibid. para. 28 ff as well as 52).

Such "additional measures" within the meaning of the judgment of the European Court of Justice of July 16, 2020, can according to the

EDSA recommendations of a contractual, technical or organizational nature (ibid. Margin no. 47):


With regard to contractual measures, it is stated that these "[...] may complement and reinforce the safeguards the transfer tool and the relevant legislation of the third country provide, insofar as those safeguards, taking into account all the circumstances of the transfer, do not meet all the conditions necessary to ensure a level of protection essentially equivalent to that in the EU. Since contractual measures, by their nature, generally cannot bind the authorities of the third country, which are not themselves party to the contract, they must be combined with other technical and organisational measures in order to provide the required level of data protection. Selecting and implementing one or several of these measures does not necessarily and systematically ensure that the intended transfer meets the requirements of Union law (guarantee of an essentially equivalent level of protection)" (ibid. para. 93).


With regard to organisational measures, it is stated that these "[...] may consist of internal policies, organisational methods and standards that controllers and processors apply to themselves and impose on data importers in third countries. [...] Depending on the specific circumstances of the transfer and the assessment of the legal situation in the third country carried out, organisational measures are required to complement contractual and/or technical measures in order to ensure that the protection of personal data is essentially equivalent to the level of protection guaranteed in the EU" (ibid. para. 122).


With regard to technical measures, it is stated that they are intended to ensure that "[...] access to the transferred data by the authorities of the third country does not undermine the effectiveness of the appropriate safeguards set out in Article 46 GDPR. Even where government access is in accordance with the law of the data importer's country, these measures are to be considered where the authority's access goes beyond what is necessary and proportionate in a democratic society. These measures aim to preclude potentially infringing access by preventing the authorities from identifying the data subjects, inferring information about them, singling them out in another context, or associating the transferred data with other data sets they hold, including data on the online identifiers of the devices, applications, tools and protocols used by the data subjects in other contexts" (ibid. para. 74).


Finally, the EDPB has stated that such "supplementary measures" can only be considered effective within the meaning of the judgment of July 16, 2020 "[...] if and to the extent that the measure specifically addresses the deficiencies in legal protection identified by the data exporter in its assessment of the legal situation in the third country. If the data exporter is ultimately unable to achieve an essentially equivalent level of protection, it must not transfer the personal data" (ibid. para. 70).


Applied to the present case, this means that it must be examined whether the "supplementary measures" taken by the second respondent close the gaps in legal protection identified by the ECJ in its judgment of July 16, 2020, i.e. the access and surveillance possibilities of US intelligence services.


f) "Supplementary measures" of the second respondent


The second respondent has implemented various measures in addition to concluding the SCCs (see its statement of April 9, 2021, question 28).

With regard to the contractual and organisational measures set out there, it is not apparent to what extent notifying the data subject of data requests (insofar as this is permitted at all in the individual case), publishing a transparency report or a "policy for handling government requests" are effective for the purposes of the considerations above. It is also unclear to what extent the "careful examination of every data access request" is an effective measure, since the ECJ held in the aforementioned judgment of July 16, 2020 that permissible (i.e. lawful under US law) requests by US intelligence services are not compatible with the fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the EU.


As far as the technical measures are concerned, it is likewise not apparent, and was not comprehensibly explained by the second respondent, to what extent the protection of communication between Google services, the protection of data in transit between data centres, the protection of communication between users and websites, or "on-site security" actually prevent or restrict the access possibilities of US intelligence services based on US law.

Insofar as the second respondent further relies on encryption technologies, such as the encryption of "data at rest" in the data centres, Recommendations 01/2020 of the EDPB again stand against it. There it is stated that a data importer (such as the second respondent) that is subject to 50 U.S. Code § 1881a ("FISA 702") has a direct obligation to grant access to, or surrender, the imported data in its possession, custody or control. This obligation may expressly extend to the cryptographic keys without which the data cannot be read (ibid. para. 76).


As long as the second respondent has the possibility of accessing the data in plain text, the technical measures taken cannot be considered effective within the meaning of the considerations above.
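The key-custody point above, as an added illustration that is not part of the decision and does not describe Google's actual systems: an importer that holds both the ciphertext and the key can surrender plaintext on request, so encryption at rest alone does not close the access gap; only when the key stays with the exporter (a hypothetical arrangement here) does the surrendered material remain unreadable. The cipher is a minimal HMAC-SHA256 keystream chosen so the script runs on the Python standard library; it is an illustration, not a production cipher, and the record content is constructed.

```python
"""Toy model of "who holds the key" for encryption at rest (added example)."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from a PRF; enough for an illustration, not authenticated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class Importer:
    """Data importer storing a record encrypted at rest.

    key is None when the key stays with the exporter (hypothetical
    arrangement); otherwise the importer itself can read the data.
    """

    def __init__(self, blob: bytes, key: Optional[bytes]):
        self.blob = blob
        self.key = key

    def surrender(self) -> dict:
        # Everything in the importer's possession, custody or control:
        # the ciphertext, plus the key if the importer holds it.
        material = {"ciphertext": self.blob}
        if self.key is not None:
            material["key"] = self.key
        return material


def evaluate(exporter_keeps_key: bool,
             record: bytes = b"cid=GA1.2.1234567890; page=/health/topic") -> dict:
    """Encrypt one constructed record, simulate a surrender order, and report
    whether plaintext can be reconstructed from the surrendered material alone."""
    key = os.urandom(32)
    blob = encrypt(key, record)
    importer = Importer(blob, key=None if exporter_keeps_key else key)
    material = importer.surrender()
    recovered = decrypt(material["key"], material["ciphertext"]) if "key" in material else None
    recoverable = recovered == record
    return {
        "exporter_keeps_key": exporter_keeps_key,
        "plaintext_recoverable": recoverable,
        # The decision's test: the measure is effective only if it actually
        # closes the access gap, i.e. no plaintext can be obtained.
        "measure_effective": not recoverable,
    }


if __name__ == "__main__":
    for keeps in (False, True):
        print(evaluate(keeps))
```

The second arrangement is the one the EDPB recommendations treat as a possible effective measure; it is unavailable for a service that must read the data to function, which is why encryption at rest under the importer's own keys adds nothing against the identified access possibilities.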

As a further technical measure, the second respondent submits that, insofar as "[...] Google Analytics data are used by website owners to measure personal data, [...] they should be regarded as pseudonymous" (cf. its statement of April 9, 2021, p. 26).


This is, however, countered by the convincing view of the German Data Protection Conference (Datenschutzkonferenz), according to which "[...] the fact that the user can be identified by means of IDs or identifiers does not constitute a pseudonymisation measure within the meaning of the GDPR. Nor are these suitable safeguards for compliance with the data protection principles or for protecting the rights of data subjects where IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers are used to (re)identify the user. For, unlike in cases in which data are pseudonymised in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used precisely to make the individual persons distinguishable and addressable. There is consequently no protective effect. They are therefore not pseudonymisations within the meaning of recital 28, which reduce the risks for the data subjects and help controllers and processors meet their data protection obligations" (cf. the Guidance of the supervisory authorities for providers of telemedia of March 2019, p. 15).


Moreover, the second respondent's submission cannot be accepted because, as stated above, the Google Analytics identifier can in any case be combined with other elements, and even linked to a Google account that is undisputedly attributable to the complainant.


The "IP address anonymisation function" mentioned is not relevant in the present case because, as also stated above, it was not implemented correctly. Apart from that, the IP address is in any event only one of many "pieces of the puzzle" in the complainant's digital footprint.
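The two preceding points, that a persistent identifier is a join key rather than a pseudonymisation and that IP truncation removes only one piece of the puzzle, as an added example that is not part of the decision: all records are constructed sample data, the field layout of the hits and of the account session record is assumed, and "zero the last IPv4 octet" is an assumed model of an IP anonymisation option, not a description of any real implementation.

```python
"""Persistent client IDs as join keys versus pseudonymisation (added example)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed analytics hits as a website would send them to a collection
# endpoint; client_id mimics the layout of a first-party analytics cookie.
HITS = [
    {"client_id": "GA1.2.1111111111.1597400000", "ip": "203.0.113.42", "ua": "UA-A",
     "ts": 1597400100, "page": "/symptoms/migraine"},
    {"client_id": "GA1.2.1111111111.1597400000", "ip": "203.0.113.42", "ua": "UA-A",
     "ts": 1597400300, "page": "/treatment/triptans"},
    {"client_id": "GA1.2.2222222222.1597300000", "ip": "203.0.113.77", "ua": "UA-B",
     "ts": 1597400200, "page": "/nutrition"},
    {"client_id": "GA1.2.1111111111.1597400000", "ip": "198.51.100.9", "ua": "UA-A",
     "ts": 1597490000, "page": "/symptoms/aura"},
]

# Constructed record of a logged-in account session held on the importer's side.
SESSIONS = [
    {"account": "complainant@example.test", "ip": "203.0.113.42", "ua": "UA-A",
     "ts": 1597400090},
]


def anonymize_ip(ip: str) -> str:
    """Assumed behaviour of an IP anonymisation option: zero the last IPv4 octet."""
    if ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    octets = ip.split(".")
    octets[-1] = "0"
    return ".".join(octets)


def profile_by_client_id(hits):
    """Group hits by the persistent identifier: one browsing history per browser.
    The identifier singles the user out; nothing about it is disguised or deleted."""
    profiles = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        profiles[h["client_id"]].append(h["page"])
    return dict(profiles)


def attribute_to_account(hits, sessions, window=600):
    """Link a client_id to a named account when IP and user agent match a
    session record within `window` seconds (the 'other pieces of the puzzle')."""
    linked = {}
    for h in hits:
        for s in sessions:
            if h["ip"] == s["ip"] and h["ua"] == s["ua"] and abs(h["ts"] - s["ts"]) <= window:
                linked[h["client_id"]] = s["account"]
    return linked


def with_anonymized_ips(records):
    """Apply the IP truncation to a list of hit or session records."""
    return [dict(r, ip=anonymize_ip(r["ip"])) for r in records]


if __name__ == "__main__":
    print(profile_by_client_id(HITS))
    print(attribute_to_account(HITS, SESSIONS))
    # Truncating the IP changes nothing about the client_id profile, and the
    # account link survives once both sides are truncated the same way.
    print(profile_by_client_id(with_anonymized_ips(HITS)))
    print(attribute_to_account(with_anonymized_ips(HITS), with_anonymized_ips(SESSIONS)))
```

The profile built from the client ID is identical before and after IP truncation, and the account attribution still succeeds on the truncated /24 together with the user agent and timestamp; a measure that only removes one attribute while the stable identifier remains has no protective effect in the sense the Data Protection Conference describes.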

As a further interim result, it must be noted that the "supplementary measures" are not effective, since they do not close the gaps in legal protection identified by the ECJ in its judgment of July 16, 2020, i.e. the access and surveillance possibilities of US intelligence services.

The data transfer in question is therefore not covered by Art. 46 GDPR.


D.4. Ruling point 2. c)


a) On Art. 49 GDPR


According to the respondent's own submissions, the derogation under Art. 49 GDPR is not relevant for the present data transfer (see the statement of December 16, 2020).


Consent pursuant to Article 49(1)(a) GDPR was not obtained. Nor is it discernible to the data protection authority to what extent any other condition of Art. 49 GDPR could be fulfilled.


The present data transfer can therefore not be based on Art. 49 GDPR.


b) Result


Since, for the data transfer at issue from the first respondent to the second respondent (in the USA), an adequate level of protection was not guaranteed by an instrument of Chapter V of the Regulation, there is a violation of Art. 44 GDPR.


The first respondent was, at least at the time relevant to the complaint, i.e. on August 14, 2020, responsible for the operation of the website www.XXX.at. The breach of data protection law relevant here, the violation of Art. 44 GDPR, is therefore attributable to the first respondent.


It was therefore to be decided in accordance with the ruling.


D.5. On the remedial powers

In the opinion of the data protection authority, the tool Google Analytics (at least in the version of August 14, 2020) therefore cannot be used in conformity with the requirements of Chapter V GDPR.


Since responsibility for the operation of the website www.XXX.at passed to XXX GmbH, based in Munich, during the complaint procedure (but only after August 14, 2020), and Google Analytics was still implemented at the time of the decision, the data protection authority will refer the matter to the competent German supervisory authority in accordance with Art. 58(2) GDPR with regard to the (possible) use of remedial powers.


D.6. Ruling point 3

It must be examined whether the second respondent (as data importer) is also subject to the obligations standardised in Chapter V of the Regulation.


On the basis of the aforementioned Guidelines 05/2021 of the EDPB, it must again be noted that a transfer to a third country or an international organisation within the meaning of Art. 44 GDPR exists only if, among other things, the controller or processor (data exporter) discloses by transmission or otherwise makes available personal data that are the subject of this processing to another controller, joint controller or processor (data importer).


In the present case, this requirement is not fulfilled for the second respondent, since it (as data importer) does not disclose the complainant's personal data but (only) receives them. In other words: the requirements of Chapter V GDPR are to be observed by the data exporter, not by the data importer.


The data protection authority does not fail to recognise the complainant's argument that a data transfer necessarily requires a recipient and that the second respondent (at least from a technical point of view) is part of the data transfer. However, it can be countered that data protection responsibility for a processing operation can (from a legal point of view) in any event be "split", so that a different degree of responsibility may exist depending on the phase of the processing (see EDPB Guidelines 07/2020 on the concepts of controller and processor, para. 63 et seq. with further references).


In the opinion of the data protection authority, there is therefore no violation of Art. 44 GDPR by the second respondent.


Overall, a decision therefore had to be made in accordance with the ruling.


Finally, it should be pointed out that the question of a (possible) violation of Art. 5 et seq. in conjunction with Art. 28(3)(a) and Art. 29 GDPR by the second respondent will be dealt with in a separate decision.





                     INSTRUCTIONS ON LEGAL REMEDIES

A written complaint against this decision may be lodged with the Federal Administrative Court within four weeks of service. The complaint must be lodged with the data protection authority and must contain:

- the designation of the contested decision (file number, subject),

- the designation of the authority concerned,

- the grounds on which the allegation of unlawfulness is based,

- the request, and

- the information required to assess whether the complaint has been lodged in time.


The data protection authority has the option, within two months, either to amend its decision by way of a preliminary ruling on the complaint or to submit the complaint together with the files of the proceedings to the Federal Administrative Court.


The complaint against this decision is subject to a fee. The fixed fee for a corresponding submission including enclosures is 30 euros. The fee is to be paid to the account of the Austrian tax office, stating the purpose of use.

The fee is generally to be transferred electronically using the "tax office payment" function. The recipient to be indicated is the Austrian Tax Office - Special Responsibilities Office (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore, the tax number/tax account number 10 999/9102, the tax type "EEE complaint fee", the date of the decision as the period, and the amount are to be stated.


If your bank's e-banking system does not offer the "tax office payment" function, the eps procedure in FinanzOnline can be used. Electronic transfer may be dispensed with only if no e-banking system has been used so far (even if the taxpayer has an internet connection). Payment must then be made by means of a payment slip, taking care to ensure correct allocation. Further information can be obtained from the tax office and from the manual "Electronic payment and notification of self-assessment taxes".


Payment of the fee is to be evidenced when the complaint is lodged with the data protection authority by means of a payment receipt or a printout proving that a payment order has been issued. If the fee is not paid, or not paid in full, a report is made to the competent tax office.


A timely and admissible complaint to the Federal Administrative Court has suspensive effect. The suspensive effect may have been excluded in the operative part of the decision or by a separate decision.


                                      December 22, 2021

                            For the head of the data protection authority:

                                          XXX