Garante per la protezione dei dati personali (Italy) - 9782890
Revision as of 16:22, 29 June 2022
| Garante per la protezione dei dati personali - 9782890 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 13(1)(f) GDPR, Article 24 GDPR, Article 44 GDPR, Article 46 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 09.06.2022 |
| Published: | 27.06.2022 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 9782890 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | [GPDP (in IT)](https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9782890) |
| Initial Contributor: | MW |
Italy's DPA reprimanded a website operator for failing to provide appropriate safeguards for the transfer of personal data to the US through Google Analytics, ordering it to comply with Article 46 GDPR or suspend data transfers to Google LLC.
English Summary
Facts
Following the Schrems II decision, the data subject, represented by noyb – European Center for Digital Rights, complained to the Italian DPA that the controller was sending his personal data to the US without appropriate safeguards required by Article 46 GDPR.
The transfers took place through the use of the Google Analytics web service. The controller operated a news website that used Google Analytics to collect statistical data on the use of its services. Google Analytics cookies collected data on users' IP address, browser or device, operating system, screen resolution, selected language, date and time of access, and interaction with the website. For users who were logged in with their Google account, this information could be associated with other identifiers such as email address, telephone number, gender, date of birth, and profile picture.
Google LLC (based in the US), and later Google Ireland, were responsible for processing the collected information; even after the Google Analytics terms of service were changed to list Google Ireland as processor, Google LLC was still designated as a sub-processor. In response to the DPA's investigation, Google claimed it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR. These measures consisted of encryption (for which Google LLC held a copy of the encryption key) and a service called "IP-Anonymisation", in which Google truncated users' IP addresses to hamper identification. This process, however, was actually a form of pseudonymisation, because the truncated IP address could be used in combination with the other collected data to re-identify natural persons.
Both Google and the controller also offered that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being forced to disclose this data to the US government was exceedingly low. This attenuated risk, they argued, meant that less stringent safeguards were sufficient to protect data subjects' rights under the GDPR (the so-called "risk-based approach"). Google claimed that in over 15 years of providing its Google Analytics service, it had never received an access request like the one contemplated in the data subject's complaint.
For its part, the controller deemed the technical measures implemented by Google sufficient. However, the controller also lacked the technical means to verify the implementation of these measures, and it had no authority to decide which measures were appropriate or to dictate to Google its choices regarding data transfers to third countries.
Holding
The DPA declared unlawful any processing carried out by the controller through the use of Google Analytics. It also clarified that, regardless of any asymmetry in bargaining power or technical resources, the controller is responsible for ensuring that processing is lawful per Articles 5(2) and 24 GDPR (the accountability principle). The controller must decide independently on the methods, guarantees, and limits of processing.
Regarding data transfers to a third country, the DPA rejected the risk-based approach, finding the controller in violation of Articles 44 and 46 GDPR. The low probability of an access request from US authorities did not relieve the controller of its responsibility to guarantee on a case-by-case basis that transfers of personal data to a third country had adequate safeguards. Encryption was an insufficient technical safeguard because Google LLC remained in possession of the relevant encryption key. US authorities could simply compel Google LLC to turn over this key along with the encrypted data.
The DPA also found the controller in violation of Article 13(1)(f) GDPR because its privacy policy did not disclose the intention to transfer personal data to a third country, the lack of an adequacy decision, or what safeguards were in place under Article 46(2) GDPR.
For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Article 46 GDPR) within 90 days or suspend the transfer of data through Google Analytics.
Comment
- From the 23 June 2022 GPDP press release: "The Italian SA wishes to draw the attention of all the Italian website operators, both public and private, to the unlawfulness of the data transfers to the USA as resulting from the use of GA – partly on account of the many alerts and queries received so far. The Italian SA calls upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services."
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
Provision of 9 June 2022 [9782890]

SEE ALSO PRESS RELEASE OF 23 JUNE 2022

[web doc. no. 9782890]

Provision of 9 June 2022

Record of measures no. 224 of 9 June 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Mr. Guido Scorza, lawyer, members, and Cons. Fabio Mattei, general secretary;

GIVEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the complaint of 17 August 2020 presented pursuant to Art. 77 of the Regulation by Mr. XX against Caffeina Media Srl;

EXAMINED the documentation on file;

GIVEN the observations made by the secretary general pursuant to Art. 15 of Guarantor Regulation No. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the company and the preliminary investigation.

With a complaint presented on 17 August 2020, Mr. XX complained that Caffeina Media Srl (hereinafter "the Company") had transferred personal data concerning him, processed through the website www.caffeinamagazine.it, to Google LLC, based in the United States, in the absence of the guarantees provided for by Chapter V of the Regulation.

As part of the investigation launched by the Guarantor, the Office, with notes of 30 July and 7 December 2021, asked the Company to provide information and clarifications on the facts covered by the complaint.
With communications of 15 October, 3 November and 22 December 2021, in response to the Office's requests, Caffeina Media Srl stated the following:

- the Company is the controller of the processing carried out through the website www.caffeinamagazine.it; this unlike what was previously indicated in the privacy notice made available on that website pursuant to Art. 13 of the Regulation, which contained an erroneous reference (now corrected) to Caffeina Media Ltd;
- the processing of personal data of users of the site www.caffeinamagazine.it is carried out by the Company through the Google Analytics tool (hereinafter also "GA") in its "free version" (see note of 15 October 2021, p. 3, and note of 22 December 2021, p. 2);
- the Company "has neither visibility of the details of the data collected, nor can it precisely describe the types" and "chose to use [Google Analytics] also because Google claims to only process pseudonymous and cookie-based data"; in detail: "(i) cookies, (ii) data relating to the device/browser, (iii) IP address and (iv) activity on the site" (see note of 15 October 2021, pp. 2 and 3);
- Caffeina Media Srl "is bound by the contractual text ["Google Analytics Terms of Service"] approved in the platform (standard text imposed by the supplier Google)" and "as emerges from the contractual documentation imposed by Google, Google acts as processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 3); more specifically, "the contractual counterpart [of the Google Analytics Terms of Service in the version dated 31 March 2021] is Google Ireland Limited", unlike the previous version of the "Google Analytics Terms of Service", dated 17 June 2019, which was signed with Google LLC (see note of 22 December 2021, p. 2). Therefore, "Caffeina Media Srl acts as data controller and, (..) [from May 2021], Google Ireland Limited acts as processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 7, and note of 22 December 2021, p. 3);
- Caffeina Media Srl "does not have any level of autonomy regarding the choices related to data transfers to third countries, including the identification of the types of data subject to the aforementioned transfer" (see note of 15 October 2021, p. 7, and note of 22 December 2021, pp. 2 and 4); in particular, this specific processing operation is governed by Art. 10 of the "Google Ads Data Processing Terms", under which "Caffeina, as exporter of the data, through Google Ireland Limited, may have carried out data transfer activities to the United States, with Google LLC as data importer". Furthermore, pursuant to the same provision, "the owner of the website agrees that Google may be supported in the processing activities by other companies of its group and, among the companies indicated, there is Google LLC, which would act as sub-processor" (see note of 15 October 2021, pp. 6 and 7, and note of 22 December 2021, p. 3);
- the transfer of data to Google LLC is carried out through the standard contractual clauses corresponding to the standard model adopted on 5 February 2010 by the European Commission with Decision No. 2010/87/EU, as per the communication made by Google to the Company on 3 August 2020 (see note of 15 October 2021, p. 7, in particular Annex B "Google Communication 3.08.2020"); these clauses have been supplemented by the additional measures adopted by Google, with respect to which the Company has "no possibility of verifying the implementation at a technical level (...), or of issuing specific instructions on the effective implementation of [the same]" (see note of 22 December 2021, p. 4);
- as part of the services offered through Google Analytics, Caffeina Media Srl has not joined the so-called data sharing option (note of 15 October 2021, p. 5);
- in relation to the disputed transfer to Google LLC of the data relating to the complainant, Caffeina Media Srl "has no particular autonomy in the use of [Google Analytics], including the ability to know whether the complainant's data was actually transferred to third countries" (see note of 15 October 2021, p. 6);
- in relation to the obligations pursuant to Art. 13 of the Regulation, Caffeina Media Srl "uses the automatic service of the company Iubenda srl for the management of the privacy and cookie notices" (with reference to the notice updated on 5 October 2021, see note of 15 October 2021, p. 9; and, as regards the information provided to the complainant on 12 August 2020, see communication of 3 November 2021).

On 11 January 2022 the Office notified, pursuant to Art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found with reference to Art. 5, par. 1, lett. a), and par. 2, Art. 13, Art. 24, as well as Arts. 44 and 46, par. 2, lett. c), of the Regulation.

On 10 February 2022 the Company sent its defence briefs, in which it represented that:

a) the US legislation taken into consideration by the Court of Justice of the European Union in its ruling C-311/18 of 16 July 2020 (so-called "Schrems II") must be subject to a new adequacy assessment by the data protection authorities, in consideration of the regulatory developments that occurred after the adoption of the Privacy Shield and promptly outlined by the US government in the White Paper of September 2020 entitled "Information on US Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-US Data Transfers after Schrems II" (see note of 10 February 2022, para. 1, pp. 3-9);

b) with specific reference to the scope of application of Art. 702 of the Foreign Intelligence Surveillance Act, "it is virtually impossible for intelligence agencies to use only an IP address or a cookie - the only data possibly transferred by Caffeina"; that is, considering that, in light of the so-called targeting procedures for identifying the data that the authorities may access, the data of primary interest for intelligence activities are users' e-mail addresses and telephone numbers (see note of 10 February 2022, pp. 6-7);

c) regarding the disputed unsuitability of the additional measures of a technical nature implemented by Google, the latter has adopted "high standards of (...) security" and "internal procedures (...) subject to various certifications. (...) Moreover, the (...) evaluations about the adequacy of the security measures to be adopted have been carried out by the supplier itself, which, after having carried out this analysis, then informed Caffeina of the updating of the security measures and of the contractual documentation, precisely as a follow-up to the Schrems II ruling (...). And this in any case in line with the requirements of Art. 14 of the new SCC". However, with respect to these measures, "Caffeina has neither the means nor the operational or technical possibilities for imposing changes to the [aforementioned] security measures on the supplier", not having "any bargaining power to enter into commercial dialogue with its counterpart [nor] (...) to interact with the same" (see note of 10 February 2022, pp. 10 and 12);

d) "with regard to the disputed transfer to Google LLC of the data relating to the complainant, Caffeina Media Srl does not have particular autonomy in the use of the [Google Analytics] tool", not having "at a technical level the possibility of knowing whether the personal data of Mr. XX were transferred" (see note of 10 February 2022, p. 13);

e) as regards the adequacy of the additional technical measures implemented by Google, Caffeina deemed them "relevant and effective in relation to the nature of the data and the context in which they were collected" as well as to the risk level of the transfer. All this in consideration of the fact that: i) the processing connected to the transfer under examination takes place within a daily news site with a "light cut, concentrated on entertainment areas"; ii) "the Company uses the instrument only in aggregate and statistical form, never seeing the raw data" and limits itself to processing pseudonymised data; iii) the level of risk must also be assessed on the basis of the degree of probability of actual access by public authorities to the data collected through Google Analytics on the website www.caffeinamagazine.it. In this regard, the Company referred to what Google stated in a recent blog post of 19 January 2022 (available at https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/), namely that "the supplier has offered the Google Analytics service for over 15 years globally and has never received a request like the one complained of by the complainant" (note of 10 February 2022, pp. 10, 17, 18, 26 and 29; see also supplementary note of 4 April 2022, p. 5).
On 25 March 2022, during the hearing requested by the Company, the latter, in recalling the aforementioned briefs in full, also represented that it had adopted a series of technical and legal measures, relating to: updating the text of the notice on the Company's website (see, in particular, the "Cookie Policy" available at https://www.caffeinamagazine.it/cookie-policy/); the implementation of a new technical structure of the site, created by updating to the most recent version of the content management system used by the Company and migrating the site to a new infrastructure that guarantees a higher level of security; adherence to the so-called "IP-Anonymisation" option provided by the Google Analytics tool; the start of the implementation of a new web analytics tool, based, among other things, on the non-use of cookies and the absence of IP tracking (see minutes of 25 March 2022 and explanatory notes of 4 April 2022, p. 2).

2. Observations on the legislation on the protection of personal data relevant to the case in point and ascertained violations.

First of all, it is noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false records or documents is liable pursuant to Art. 168 of the Code ("Falsehood in declarations to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor").

All this duly stated, at the outcome of the preliminary investigation and of the examination of the documentation acquired during it, it was ascertained that the transfers made by Caffeina Media Srl to Google LLC (based in the United States), through the Google Analytics tool, were carried out in violation of Articles 44 and 46 of the Regulation; it was also found that Art. 5, par. 1, lett. a) and par. 2, Art. 13, par. 1, lett. f), and Art. 24 of the Regulation were violated, as explained below.

2.1 The transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website managers which allows the latter to analyse detailed statistics on users in order to optimise the services rendered and to monitor their marketing campaigns. Caffeina Media Srl uses GA in its free version for purely statistical purposes or to obtain aggregate information on user activity within its website. The Company acts as data controller and designates Google as processor, pursuant to Art. 28 of the Regulation, on the basis of the "Google Analytics Terms of Service" and the "Google Ads Data Processing Terms". More specifically, in the case in question, Google LLC held, until 30 April 2021, the role of processor of the data collected through Google Analytics upon subscription of the "Google Analytics Terms of Service" (see note of 22 December 2021, p. 2). As of 1 May 2021, the "Google Analytics Terms of Service" designate Google Ireland Limited, which, pursuant to those terms of service, may use other entities as sub-processors, including Google LLC (see note of 15 October 2021, p. 7, and note of 22 December 2021, p. 3).

As regards the processing carried out through Google Analytics, it was found that Caffeina Media Srl collects information on the ways in which users interact with the website, as well as with its individual pages and with the services offered.
More specifically, the data collected consist of: unique online identifiers that allow the identification both of the browser or device of the user visiting the website and of the site manager himself (through the Google account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, the operating system, screen resolution, selected language, as well as date and time of the visit to the website.

In this regard, it should be noted that the IP address constitutes personal data insofar as it allows an electronic communication device to be identified, thus making the data subject indirectly identifiable as a user (see Article 29 Working Party, WP 136 - Opinion No. 4/2007 on the concept of personal data, of 20 June 2007, p. 16). All this especially where, as in the present case, the IP address is associated with other information relating to the browser used and to the date and time of navigation (see recital 30 of the Regulation). In addition, if the website visitor is logged in to their Google account (a circumstance occurring in the case under examination), the data indicated above may be associated with other information in the relevant account, such as the email address (which constitutes the user ID of the account), the telephone number and any other personal data, including gender, date of birth or profile picture.

In this regard, Google, as part of the Google Analytics service, has made available to website operators the option called "IP-Anonymisation", which involves sending the user's IP address to Google Analytics after masking the least significant octet (as a result of this operation, for example, the addresses from 122.48.54.0 to 122.48.54.255 would all be replaced by 122.48.54.0).
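As an added illustration of the truncation just described (example code written for this page, not taken from the decision, from Google or from GDPRhub; the hit records and their attribute values are constructed), the block below applies last-octet masking to a batch of IPv4 hits and then counts how many hits share each combination of truncated IP with the browser, OS, resolution and language attributes the decision lists as collected alongside it. The masked IP column on its own collapses to one value, but the combination still singles out individual visitors, which is why truncation on its own is pseudonymisation rather than anonymisation.

```python
"""Added example: last-octet IP truncation ("IP-Anonymisation" as described
in the decision, IPv4 only) applied to constructed analytics hits, followed
by a k-anonymity count over the other attributes that travel with the IP."""
from collections import Counter
import ipaddress

IPV4_LAST_OCTET_MASK = 0xFFFFFF00


def truncate_last_octet(ip: str) -> str:
    """Zero the least significant octet of an IPv4 address, so that
    122.48.54.0 ... 122.48.54.255 all map to 122.48.54.0."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return str(ipaddress.IPv4Address(int(addr) & IPV4_LAST_OCTET_MASK))


# Constructed sample hits (fictional values) from visitors in one /24,
# carrying the attributes the decision lists as collected with the IP.
HITS = [
    {"ip": "122.48.54.17",  "browser": "Firefox 101", "os": "Windows 10", "res": "1920x1080", "lang": "it-IT"},
    {"ip": "122.48.54.17",  "browser": "Firefox 101", "os": "Windows 10", "res": "1920x1080", "lang": "it-IT"},
    {"ip": "122.48.54.203", "browser": "Safari 15",   "os": "macOS 12",   "res": "2560x1600", "lang": "it-IT"},
    {"ip": "122.48.54.9",   "browser": "Chrome 102",  "os": "Android 12", "res": "412x915",   "lang": "en-GB"},
    {"ip": "122.48.54.77",  "browser": "Chrome 102",  "os": "Windows 10", "res": "1366x768",  "lang": "it-IT"},
    {"ip": "122.48.54.78",  "browser": "Chrome 102",  "os": "Windows 10", "res": "1366x768",  "lang": "it-IT"},
]

QUASI_IDENTIFIERS = ("ip", "browser", "os", "res", "lang")


def pseudonymise(hits):
    """Apply the truncation to every hit; every other attribute is kept
    untouched, which is all the IP-Anonymisation option does."""
    return [dict(hit, ip=truncate_last_octet(hit["ip"])) for hit in hits]


def equivalence_classes(hits, keys=QUASI_IDENTIFIERS):
    """Group hits by the chosen attributes and count the members of each
    group; a group of size k means a visitor hides among k hits."""
    return Counter(tuple(hit[k] for k in keys) for hit in hits)


def min_k(hits, keys=QUASI_IDENTIFIERS):
    """Smallest group size, i.e. the weakest point of the data set."""
    return min(equivalence_classes(hits, keys).values())


def singled_out(hits, keys=QUASI_IDENTIFIERS):
    """Attribute combinations that match exactly one hit: those visitors
    remain individually distinguishable after truncation."""
    return sorted(combo for combo, n in equivalence_classes(hits, keys).items() if n == 1)


if __name__ == "__main__":
    masked = pseudonymise(HITS)
    # On the truncated IP column alone, all six hits collapse into 122.48.54.0.
    print("k on truncated IP only:", min_k(masked, keys=("ip",)))
    # Keeping the other collected attributes, two visitors are still unique.
    print("k on IP + browser/OS/resolution/language:", min_k(masked))
    for combo in singled_out(masked):
        print("singled out:", combo)
```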
In the present case, the Company declared that the aforementioned option had not been activated at the date of the filing of the complaint, and also represented that it joined it only later, as part of the adoption of a series of technical and legal measures implemented following the initiation of the procedure by the Guarantor pursuant to Art. 166, paragraph 5, of the Code. On this point, however, it is worth highlighting at once that "IP-Anonymisation" actually consists of a pseudonymisation of the data relating to the user's network address, since the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the overall information relating to web users held by Google LLC. Google LLC also retains the possibility, if the data subject has logged in to their Google profile, of associating the IP address with other additional information already in its possession (such as the information contained in the user account). This operation, therefore, despite the activation of "IP-Anonymisation", still allows the possible re-identification of the user.

In light of the overall findings, it should therefore be noted that the use of GA by website managers such as Caffeina Media Srl involves the transfer of personal data of visitors of those sites to Google LLC, based in the United States. Such transfers, being made to a third country that does not guarantee an adequate level of protection pursuant to data protection legislation (i.e. the United States), must take place in compliance with Chapter V of the Regulation.

2.2 The unlawfulness of transfers following ruling C-311/18 of 16 July 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, with ruling C-311/18 of 16 July 2020 (so-called Schrems II), in declaring invalid Commission Decision No. 2016/1250 of 12 July 2016 on the adequacy of the protection offered by the EU-US Privacy Shield, found that the domestic law of the United States (in particular, Executive Order 12333 and Art. 702 of the Foreign Intelligence Surveillance Act, hereinafter "FISA 702") entails exceptions to the data protection legislation that exceed the restrictions deemed necessary in a democratic society. All this with particular reference to the provisions that allow public authorities, within the framework of certain national security programmes, to access the personal data subject to transfer without adequate limitations, as well as to the failure to provide the data subjects with rights enforceable before the courts. The Court, with the same ruling, also reaffirmed the validity of Commission Decision No. 2010/87/EC of 5 February 2010 on the standard contractual clauses for the transfer of personal data to processors established in third countries, the clauses adopted by Caffeina in the present case (see paragraph 1 above). At the same time, it pointed out that, based on the principle of accountability, data controllers, as exporters, are in any case required to verify, case by case and, where necessary, in collaboration with the importer in the third country, whether the law or practice of the latter affects the effectiveness of the appropriate safeguards contained in those clauses; this in order to determine whether the guarantees provided for by the standard contractual clauses can be respected in practice (Article 5, paragraph 2, and Article 24; see also Recommendation No. 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, of 18 June 2021, paragraphs 1-5).
In general terms, it is therefore necessary to evaluate in practice, that is, on the basis of the circumstances of the transfer, whether the instrument chosen by the exporter, among those identified by Art. 46 of the Regulation, is effective in the specific case. This examination, as noted by the European Data Protection Board (hereinafter "EDPB"; see Recommendation No. 1/2020, cit., p. 4), must "focus first of all on the legislation of the third country [and applicable practices] relevant to the transfer [as well as] the transfer instrument [identified] pursuant to Article 46 of the GDPR", in order to verify that that legislation and those practices do not in fact prevent the importer's compliance with the obligations established by the instrument used. More specifically, the above evaluation "involves the need to determine whether or not the transfer in question falls within the scope of application of the [aforementioned legislation]". It must "be based on objective factors, regardless of the likelihood of access to personal data" (see Joint Opinion 2/2021 of the EDPB and the EDPS on the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted on 14 January 2021, par. 86). The characteristics of the specific transfer carried out are relevant for this purpose, such as: the purposes, the nature of the parties involved, the sector in which the transfer takes place, the categories of personal data transferred, whether the data are stored in the third country or accessed remotely, the format of the data to be transferred and any onward transfers (see Recommendation No. 1/2020, cit., par. 33).
The assessment required of the exporter must therefore focus on the legislation and practices applicable, in the third country, to the data specifically transferred, and entail verification of the "possibility or not, for the public authorities of the third country (...), to attempt to access the data" as well as the "ability or not, for the public authorities of the third country (...), to access the data through the importer itself or through telecommunications providers or communication channels" (see Recommendation No. 1/2020, cit., par. 31).

With regard to the aforementioned possibility of access by the US authorities, it must be considered that it is confirmed in the "Transparency report on United States national security requests for user information" made available by Google on its website (available at https://transparencyreport.google.com/user-data/us-national-security?hl=en), a report which sets out the figures on access requests (which, as expressly stated therein, may also concern "non-content metadata" such as IP addresses) received by Google under FISA 702 at the request of the US national authorities.

All this duly stated, with reference to the claims made by the Company in its defence briefs, it is worth highlighting that:

with regard to the inadequacy of the US legislation (see above, paragraph 1, point a), the Court of Justice did not limit itself to examining the legal framework in force at the time of the adoption of the Privacy Shield.
Rather, it took into account the regulatory provisions relating to the programmes (see, in particular, FISA 702) in force at the time the ruling was issued, stating that they do not substantially guarantee a level of protection equivalent to that referred to in Article 52(1) of the Charter of Fundamental Rights of the European Union (see ruling cit., points 168-202);

as regards the identification of the data that can be accessed by the US authorities pursuant to FISA 702 (see above, paragraph 1, point b), the White Paper of September 2020 contains general indications regarding the subject matter of the access requests that can be made by intelligence agencies, such as not to exclude a priori that, in addition to the e-mail address and telephone number of users, they may also refer to IP addresses (see in this regard White Paper of September 2020, cit., p. 7). To confirm this, it should also be noted that in the "Transparency report on United States national security requests for user information" (see above) made available by Google on its site, the IP address appears to be included among the information that can be the subject of an access request pursuant to FISA 702 together with other metadata (see in particular the description contained in the section called "non-content requests under FISA");

lastly, with respect to the assessment of the suitability of the additional measures adopted in the present case (see above, paragraph 1, point e), the Company, in taking into consideration elements other than those contemplated by the EDPB, such as the "economic availability" of Caffeina Media Srl, "the implementation costs" of the technical and organisational measures to be implemented, and "the tenor of the articles and themes (...) with a light cut and concentrated on entertainment areas" conveyed by the website www.caffeinamagazine.it (see note of 10 February 2022, pp. 10, 15, 16, 17 and 8), substantially based that assessment on the "probability that the risk of access to data by third parties materialises" and the "seriousness of the possible occurrence of the [aforementioned] risk" (see note of 10 February 2022, p. 24). In this regard, on the other hand, it is reiterated that the Court, in the aforementioned ruling, did not refer to "any subjective factor, such as, for example, the probability of access" to the personal data transferred (see Joint Opinion 2/2021 of the EDPB and the EDPS, cit., para. 87).

2.3 Unsuitability of the additional measures adopted by the data controller.

If, following the above assessment, it is found that the legislation and practices of the third country prevent the importer from complying with the obligations under the transfer instrument chosen, as found in the present case, exporters must take measures that substantially guarantee a level of protection of personal data equivalent to that provided for by the Regulation (see Recommendation No. 1/2020, cit., paragraphs 50-57, which indicate the criteria for identifying the measures to be adopted). In this regard, with reference to the additional measures of a technical nature, but also of a contractual and organisational nature, adopted in the case under examination, the following is noted.

The measures of a technical nature consist in the adoption of data encryption mechanisms, both during the transfer between systems (in transit) and when the data are stored in the systems (at rest). In-transit encryption is adopted where data are transferred between different systems, services or data centres through networks or infrastructures not controlled by the Company (e.g. wide area networks).
At rest encryption, on the other hand, concerns user data that is stored on disk drives or drives backup and is based on data encryption using standard algorithms (usually via AES256) and on encryption, at different levels, starting from encryption at the hardware level, based on the type of application and specific risks. Access to Google LLC data centres is protected by 6 levels of physical security measures. In this regard, it should be noted that, taking into account the indications provided by the EDPB in the Recommendation no 1/2020, the aforementioned technical measures are not adequate. As for the data encryption mechanisms highlighted above, they are not sufficient for avoid the risks of access, for national security purposes, to data transferred from the European Union from part of the public authorities of the United States, as the encryption techniques adopted provide that the availability of the encryption key is in the hands of Google LLC which holds it, as importer, by virtue of the need to have clear data for processing and provide services. It is also worth noting that the obligation to allow access by the US authorities, falls on Google LLC not only with reference to imported personal data, but also with regard to any cryptographic keys necessary to make them intelligible (see also Recommendation 1/2020, cit., Par. 81). From this it follows that as long as the encryption key remains available importer, the measures adopted cannot be considered adequate (see Recommendation 1/2020, cit., par. 95). 
This also taking into account some specific contractual and organisational measures in the commitment to: verify, in accordance with US law, the legitimacy of each individual request for access to user data transferred by public authorities, evaluating their proportionality; not welcome the same where, following careful evaluation, it is concluded that the conditions according to the regulations do not exist reference; promptly notify the interested party of access requests from the Authorities US public, unless such communication is prohibited by relevant legislation, informing the interested party in any case if the above prohibition is lifted; publish a "Transparency Report" containing a summary of the requests for access to data received from US public authorities, to the extent such publication is permitted by the relevant legislation; publish the policy for managing requests for access to user data subject to transfer by US public authorities. In this regard, it is noted that, as considered by the EDPB, in the absence of suitable technical measures - circumstance ascertained in this case - the contractual and organisational measures indicated above, of per se, cannot reduce or prevent the possibilities of access to the data being transferred by the by the US authorities (see Recommendation 1/2020, cit., par. 53). In the light of the foregoing, therefore, the additional measures adopted in the present case cannot be considered adequate with consequent unlawfulness under pursuant to Articles 44 and 46 of the Regulation, of the relevant transfers of personal data to the United States. 2.4 Accountability of the data controller The controller is required to put in place "appropriate technical and organisational measures to ensure, and be able to demonstrate that processing is carried out in accordance with the [Regulation]" (so-called accountability principle; see Art. 5(2) and Art. 24(1) of the Regulation). 
It is therefore up to the data controller to decide independently on the methods, guarantees and limits of the processing of personal data, in compliance with the relevant legislation. The Regulation, in fact, places strong emphasis on the 'empowerment' of the data controller, i.e. on the adoption of proactive conduct capable of demonstrating the concrete adoption of measures aimed at ensuring the application of the rules on the protection of personal data (see, in particular, Article 24 of the Regulation). The implementation of the accountability principle with regard to data transfers to third countries places on the controller, as exporter, the responsibility to verify, on a case-by-case basis and, where necessary, in cooperation with the importer in the third country, whether the law or practice of the latter affects the effectiveness of the appropriate safeguards contained in the transfer instruments referred to in Article 46 of the Regulation. In such cases, the exporter is required, in application of this principle, to take additional measures enabling the importer to comply with the obligations under the instrument adopted pursuant to Article 46 of the Regulation, all this in order to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined (see Art. 44 of the Regulation; see in this respect Recommendation 1/2020, cit., paragraphs 1-5).

For all the reasons set out above, and without prejudice to the finding that the additional measures adopted in the present case are unsuitable, the arguments put forward by Caffeina Media Srl regarding its lack of autonomy with respect to the decisions to be taken on the transfer of data to third countries (see paragraph 1(c) and (d) above) cannot be upheld; this in view of the fact that the Company, by reason of its role under the data protection legislation, is required, as already clarified, to put in place, also in the context of cross-border transfers, appropriate and effective measures to protect the rights and freedoms of data subjects and to be able to demonstrate their compliance with the Regulation. In the light of the above considerations, in engaging in the conduct described above, Caffeina Media Srl has therefore infringed Articles 5(2) and 24 of the Regulation.

2.5. Inadequacy of the information provided pursuant to Article 13 of the Regulation.

With reference to the information that must be provided to the data subject pursuant to Article 13 of the Regulation, it should be noted that the notice provided to the complainant on the website www.caffeinamagazine.it at the time of the collection of the data concerning him (see communication of 3 November 2021) lacked some of the elements referred to in Article 13(1)(f) of the Regulation. Indeed, in view of the fact that personal data must be 'processed lawfully, fairly and in a transparent manner in relation to the data subject' (Art. 5(1)(a) of the Regulation), the data controller, where a transfer of personal data takes place, has an obligation, in compliance with the principle of transparency, to inform the data subject also of 'the intention to transfer personal data to a third country' as well as of 'the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available' (Art. 13(1) of the Regulation). In this regard, while taking note of the update on 23 March 2022 of the information made available to users at www.caffeinamagazine.it (see note of 10 February 2022, p. 30; see "Cookies Policy" available at https://www.caffeinamagazine.it/cookie-policy/), it should be noted that the template provided by Caffeina Media Srl to the complainant in the present case (see communication of 3 November 2021) did not clearly set out the elements of Article 13(1)(f) of the Regulation concerning the transfer. It follows, therefore, that, with reference to that template, Articles 5(1)(a) and 13(1)(f) of the Regulation were infringed.

3. Conclusion: declaration of unlawfulness of the processing. Corrective measures pursuant to Art. 58, para. 2 of the Regulation.

For the above reasons, the Authority considers that the statements, documentation and reconstructions provided by the data controller in the course of the investigation do not make it possible to overcome the findings notified by the Office with the act initiating the procedure and that they are therefore unsuitable to justify the dismissal of these proceedings, since none of the cases provided for in Article 11 of the Garante's Regulation No 1/2019 applies.
The processing of personal data carried out by the Company is therefore unlawful, in the terms indicated above as a whole, in relation to Article 5(1)(a) and (2), Article 13(1)(f), Article 24, and Articles 44 and 46 of the Regulation. Violation of the aforementioned provisions entails the application of the sanctions provided for in Article 83(5)(a), (b) and (c) of the Regulation.

In this regard, with reference to the elements to be taken into consideration in order to assess whether to impose an administrative pecuniary sanction (Article 83(2) of the Regulation), it should be noted first of all that, in relation to the nature and gravity of the infringement, the processing operations under dispute did not concern special categories of personal data. As regards the subjective element of the infringer, it must be considered that Caffeina Media Srl, in view of the asymmetry of contractual power resulting from the primary market position held by Google in the field of web analytics services, wrongly assumed as appropriate, on the basis of the information provided by Google, the additional measures adopted by the latter, without exercising any decision-making power over them. With regard to the measures adopted by the Company to mitigate the damage suffered by the data subjects, note is also taken of the initiatives undertaken by the data controller following the notification pursuant to Article 166, paragraph 5, of the Code, concerning: the updating of the text of the information notice on the company's website; adoption of the "IP-Anonymization" option made available by Google; infrastructural improvements in terms of security; the updating of the content management system used for the creation and management of the site; and a feasibility analysis of the implementation of an alternative web analytics tool that 'will no longer rely exclusively on tracking via cookies and which (...) will no longer store the IP addresses of the data subjects' (see minutes of 25 March 2022 and supplementary note of 4 April 2022, p. 2). Finally, the absence of previous infringements and the loyal cooperation with the Garante during the proceedings are relevant for the purposes of the Authority's assessments.

The nature and seriousness of the infringement, its culpable nature, and the additional elements mentioned above therefore lead to the classification of the case in question as a 'minor infringement' (see Art. 83(2) and recital 148 of the Regulation). It is therefore considered that, in the present case, the data controller should be admonished, pursuant to Article 143 of the Code and Article 58(2)(b) of the Regulation, for having carried out processing in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation. Lastly, it should be noted that the conditions laid down in Article 17 of the Garante's Regulation No 1/2019, concerning internal procedures having external relevance, aimed at the performance of the tasks and the exercise of the powers entrusted to the Garante, are met.

IN VIEW OF ALL THE FOREGOING, THE GARANTE:

a) pursuant to Article 57(1)(f) of the Regulation, declares unlawful the processing of personal data of users of the website www.caffeinamagazine.it carried out, by means of Google Analytics, by Caffeina Media Srl, with registered office in Rosignano Marittimo (LI), VAT no. 13524951004, in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

b) pursuant to Article 58(2)(d) of the Regulation, orders Caffeina Media Srl to bring the processing of personal data of users of the website www.caffeinamagazine.it carried out by means of Google Analytics into compliance with Chapter V of the Regulation within 90 days of notification of this measure, adopting appropriate additional measures;

c) pursuant to Article 58(2)(j) of the Regulation, orders the suspension of the flow, towards Google LLC, based in the United States, of the personal data identified above, if Caffeina Media Srl does not comply with what is established in point b) of this measure within the term provided for therein;

d) pursuant to recital 148 and Article 58(2)(b) of the Regulation, admonishes Caffeina Media Srl for having processed personal data in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

e) considers that the requirements of Article 17 of Regulation No 1/2019, concerning internal procedures with external relevance, aimed at the performance of the tasks and the exercise of the powers delegated to the Garante, are met.

Pursuant to Article 157 of the Code, it requests Caffeina Media Srl to communicate which initiatives have been undertaken in order to implement the provisions of this measure and, in any event, to provide adequately documented feedback within ninety days from the date of notification of this decision; any failure to reply may result in the application of the administrative pecuniary sanction provided for in Article 83(5)(e) of the Regulation.

Pursuant to Art. 78 of the Regulation, Art. 152 of the Code and Art. 10 of Legislative Decree No 150 of 1 September 2011, an appeal against this measure may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the measure itself, or within sixty days if the appellant resides abroad.

Rome, 9 June 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei