Garante per la protezione dei dati personali (Italy) - 9782890: Difference between revisions

From GDPRhub


<pre>
<pre>
Provision of 9 June 2022 [web doc. no. 9782890]

Register of Measures
No. 224 of 9 June 2022

THE PERSONAL DATA PROTECTION SUPERVISOR

SEE ALSO PRESS RELEASE OF 23 JUNE 2022

AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Personal Data Protection Code, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018, hereinafter, the "Code");

HAVING REGARD TO the complaint dated 17 August 2020 filed pursuant to Article 77 of the Regulation by Mr XX against Caffeina Media S.r.l.;

HAVING EXAMINED the documentation on file;

HAVING CONSIDERED the observations made by the Secretary General pursuant to Article 15 of the Rules of the Garante No. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the Company and the preliminary investigation.


In a complaint lodged on 17 August 2020, Mr XX complained that Caffeina Media S.r.l. (hereinafter "the Company") had transferred to Google LLC, based in the United States, the personal data concerning him processed through the website www.caffeinamagazine.it, in the absence of the guarantees provided for by Chapter V of the Regulation.

Within the framework of the preliminary investigation launched by the Garante, the Office, by means of notes dated 30 July and 7 December 2021, asked the Company to provide information and clarifications on the facts which were the subject of the complaint.

In its communications of 15 October, 3 November and 22 December 2021, in response to the Office's requests, Caffeina Media S.r.l. stated the following:

the ownership of the processing operations carried out through the website www.caffeinamagazine.it lies with the Company; this is in contrast with what was at the time indicated in the model of the information notice, provided on the aforementioned website pursuant to Article 13 of the Regulation, which contained the erroneous reference - now corrected - to Caffeina Media Ltd;

the processing of personal data of users of the www.caffeinamagazine.it website is carried out by the Company by means of the Google Analytics tool (hereinafter also "GA") in its "free version" (see note of 15 October 2021, p. 3 and note of 22 December 2021, p. 2);

the Company "has neither visibility of the details of the data collected, nor can it precisely describe the types of data collected" and "has chosen to use [Google Analytics] also because Google claims to process only pseudonymous and cookie-based data"; these are, in detail: "(i) cookies, (ii) device/browser data, (iii) IP address and (iv) activity on the site" (see note of 15 October 2021, pp. 2 and 3);

Caffeina Media S.r.l. "is bound to the contractual text ["Google Analytics Terms of Service"] approved on the platform (standard text imposed by the supplier, Google)" and "as it emerges from the contractual documentation imposed by Google, Google acts as data processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 3);

more specifically, "the contractual counterparty [of the Google Analytics Terms of Service in the version of 31 March 2021] is Google Ireland Limited", unlike the previous version of the aforementioned "Google Analytics Terms of Service" - dated 17 June 2019 - which was signed with Google LLC (see note of 22 December 2021, p. 2). Therefore, "Caffeina Media S.r.l. acts as data controller and, (..) [from May 2021], Google Ireland Limited acts as data processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3);

Caffeina Media S.r.l. "does not possess any level of autonomy with regard to the choices relating to the transfer of data to third countries, including the identification of the types of data subject to the aforesaid transfer" (see note of 15 October 2021, p. 7 and note of 22 December 2021, pp. 2 and 4); in particular, this specific processing operation is governed by Article 10 of the "Google Ads Data Processing Terms", according to which "Caffeina as data exporter, through Google Ireland Limited, may have carried out data transfer activities to the United States, with Google LLC as data importer". Moreover, according to the same provision, "the owner of the website agrees that Google may be supported in its processing activities by other companies in its group and, among the companies mentioned, Google LLC is present, which would act as sub-processor" (see note of 15 October 2021, pp. 6 and 7 and note of 22 December 2021, p. 3);

the transfer of the data to Google LLC is carried out by means of the Standard Contractual Clauses that correspond to the model scheme adopted on 5 February 2010 by the European Commission by decision no. 2010/87/EU, as per Google's communication to the Company dated 3 August 2020 (see note of 15 October 2021, p. 7, in particular Annex B "Google Communication 3.08.2020");

such clauses have been supplemented by the additional measures adopted by Google, with respect to which the Company has "no possibility to verify the implementation at a technical level (...), or to give specific instructions on the actual implementation of [the same]" (see note of 22 December 2021, p. 4);

in the context of the services offered through Google Analytics, Caffeina Media S.r.l. has not subscribed to the so-called data sharing option (see note of 15 October 2021, p. 5);

with regard to the contested transfer to Google LLC of the data relating to the complainant, Caffeina Media S.r.l. "has no particular autonomy in the use of the tool [Google Analytics], including the possibility of knowing whether the complainant's data have actually been transferred to third countries" (see note of 15 October 2021, p. 6);

with regard to the obligations fulfilled pursuant to Article 13 of the Regulation, Caffeina Media S.r.l. "makes use of the automated service of the company Iubenda s.r.l. for the management of the privacy policy and the cookie policy" (with reference to the model of the policy updated on 5 October 2021, see note of 15 October 2021, p. 9; and with regard to the policy provided to the complainant on 12 August 2020, see communication of 3 November 2021).

On 11 January 2022, the Office notified, pursuant to Article 166(5) of the Code, the alleged violations of the Regulation found with reference to Article 5(1)(a) and (2), Article 13, Article 24 as well as Articles 44 and 46(2)(c) of the Regulation.

On 10 February 2022, the Company sent its defence submissions, in which it represented that:

a) the US legislation considered by the Court of Justice of the European Union in ruling No. C-311/18 of 16 July 2020 (so-called "Schrems II") must be subject to a new adequacy assessment by the Data Protection Authorities in view of the regulatory developments that have taken place since the adoption of the Privacy Shield and promptly outlined by the US Government in the White Paper of September 2020 called "Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II" (see note of 10 February 2022, para. 1, pp. 3-9);

b) with specific reference to the scope of application of Article 702 of the Foreign Intelligence Surveillance Act, "it is practically impossible that intelligence agencies can only use an IP address or a cookie - the only data possibly transferred by Caffeina -"; this considering that, taking into account the procedures (so-called targeting procedures) aimed at identifying the data that can be accessed by the US Authorities, the data relating to the e-mail address and telephone number of the users are of main interest for intelligence activities (see note of 10 February 2022, pp. 6-7);

c) with regard to the alleged unsuitability of the additional technical measures implemented by Google, the latter had adopted "high standards of (...) security" and "internal procedures (...) subject to various certifications. (...) Moreover, the (...) assessments as to the adequacy of the security measures to be adopted were carried out by the supplier itself, who, after having carried out such analysis, then notified Caffeina itself of the updating of the security measures and of the contractual documentation, precisely following the Schrems II ruling (...). And this in any case in line with the requirements of Article 14 of the new SCC". In any case, with respect to such measures, "Caffeina has neither the means nor the operational or technical possibilities to impose changes to the [aforementioned] security measures on the supplier", as it does not have "any contractual power to enter into commercial dialogues with its counterparty [nor] (...) to interact with the same" (see note of 10 February 2022, pp. 10 and 12);

d) "with regard to the contested transfer to Google LLC of the data relating to the complainant, Caffeina Media S.r.l. has no particular autonomy in the use of the tool [Google Analytics]", not having "at a technical level the possibility of knowing whether Mr. XX's personal data have actually been transferred" (see note of 10 February 2022, p. 13);

e) as regards the adequacy of the additional technical measures implemented by Google, Caffeina considered them "relevant and effective in relation to the nature of the data and the context in which they were collected" as well as to the level of risk of the transfer. All this in consideration of the fact that: i) the data processing connected with the transfer in question takes place in the context of a daily information site with a "light slant, focused on entertainment areas"; ii) "the Company uses the tool only in aggregate and statistical form, never seeing the raw data" and limits itself to processing pseudonymised data; iii) the level of risk must also be assessed on the basis of the degree of likelihood of actual access by the US public authorities to the data collected through Google Analytics on the site www.caffeinamagazine.it. In this regard, the Company has reported what Google stated in a recent blog post of 19 January 2022 (available at the following address: https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/), with respect to the circumstance that "the provider has offered the Google Analytics service for more than 15 years globally and has never received a request such as the one complained of by the complainant" (note of 10 February 2022, pp. 10, 17, 18, 26 and 29; see also supplementary note of 4 April 2022, p. 5).

On 25 March 2022, during the hearing requested by the Company, the latter, in recalling the above-mentioned submissions in their entirety, also represented that it had adopted a series of measures of a technical-legal nature relating to: the updating of the text of the information notice on the Company's website (see, in particular, the "Cookie Policy" available at https://www.caffeinamagazine.it/cookie-policy/); the implementation of a new technical structure of the site, achieved by updating to the most recent version of the content management system used by the Company and by migrating the aforesaid site to a new infrastructure that guarantees a higher level of security; adherence to the so-called "IP-Anonymization" option provided by the Google Analytics tool; the start of the implementation of a new web analytics tool based, inter alia, on the non-use of cookies and the absence of IP tracking (see minutes of 25 March 2022 and explanatory note of 4 April 2022, p. 2).

2. Observations on the data protection legislation relevant to the present case and violations established.

First of all, it should be noted that, unless the act constitutes a more serious offence, anyone who, in proceedings before the Garante, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to Article 168 of the Code, "False statements to the Garante and interruption of the performance of the Garante's duties or exercise of its powers".

Having said that, at the outcome of the preliminary investigation and of the examination of the documentation acquired in the course of it, it was ascertained that the transfers made by Caffeina Media S.r.l. to Google LLC (based in the United States) by means of the Google Analytics tool were carried out in breach of Articles 44 and 46 of the Regulation; it was also found that there had been breaches of Article 5(1)(a) and (2), Article 13(1)(f) and Article 24 of the Regulation, as explained below.

2.1 Transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website operators that enables the latter to analyse detailed statistics on users with a view to optimising the services rendered and monitoring their marketing campaigns.

Caffeina Media S.r.l. uses GA in its free version for purely statistical purposes, i.e. to obtain aggregate information on users' activity within its website. The Company acts as data controller and designates Google as data processor, pursuant to Article 28 of the Regulation, on the basis of the "Google Analytics Terms of Service" and the "Google Ads Data Processing Terms".

More specifically, in the case at hand, Google LLC acted as data processor of the data collected through Google Analytics until 30 April 2021, on the basis of the "Google Analytics Terms of Service" (see note of 22 December 2021, p. 2).

As from 1 May 2021, Google Ireland Limited took over the role of contractual counterparty to the same "Google Analytics Terms of Service" and, pursuant to those Terms of Service, it may avail itself of other entities as sub-processors, including Google LLC (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3).

With regard to the processing carried out through Google Analytics, it has been noted that Caffeina Media S.r.l. collects, by means of cookies transmitted to the users' browsers, information on how the latter interact with the website, as well as with the individual pages and services offered. More in detail, the data collected consist of: unique online identifiers that allow the identification both of the browser or device of the user visiting the website and of the website operator itself (through the Google Account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, operating system, screen resolution and selected language, as well as the date and time of the website visit.

In this regard, it should be noted that the IP address constitutes personal data to the extent that it allows an electronic communication device to be identified, thus making the data subject indirectly identifiable as a user (see Article 29 Working Party, WP 136 - Opinion No 4/2007 on the concept of personal data, of 20 June 2007, p. 16). All this especially where, as in the present case, the IP address is associated with other information relating to the browser used and to the date and time of navigation (see recital 30 of the Regulation).

In addition, if the website visitor logs in to their Google account - a circumstance occurring in the hypothesis under examination - the data indicated above may be associated with other information in the relevant account, such as the e-mail address (which constitutes the user ID of the account), the telephone number and any other personal data, including gender, date of birth or profile picture.

In this regard, it is noted that Google, as part of the Google Analytics service, has made available to website operators the option called "IP-Anonymization", which involves sending the user's IP address to Google Analytics after obscuring the least significant octet (on the basis of this operation, for example, the addresses from 122.48.54.0 to 122.48.54.255 would all be replaced by 122.48.54.0). In the present case, the Company has declared that the aforementioned option had not been activated at the date of the filing of the complaint, and has also represented that it adhered to it only later, as part of the adoption of a series of technical-legal measures implemented following the initiation of the procedure by the Garante pursuant to Article 166(5) of the Code.

On this point, however, it is worth highlighting right away that "IP-Anonymization" actually consists of a pseudonymisation of the data relating to the user's network address, since the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the overall information it holds on web users. Moreover, if the data subject has logged in to their Google profile, Google LLC retains the possibility of associating the IP address with other additional information already in its possession (such as the information contained in the user account). This operation, therefore, despite the activation of "IP-Anonymization", still allows the possible re-identification of the user.
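To make the Garante's point concrete, the following added example (not part of the decision, and not Google's code) masks the last IPv4 octet exactly as the "IP-Anonymization" option described above does, and then shows on constructed visit records that the masked address still combines with browser attributes and a signed-in account into an identifying record. The visit records, the account table and the addresses are all constructed for the demonstration.

```python
"""Why zeroing the last IPv4 octet is pseudonymisation, not anonymisation.

Added example for the passage above; all records below are constructed.
"""
import ipaddress
from collections import Counter

def mask_last_octet(ip: str) -> str:
    """Replace the last octet of an IPv4 address with 0 (122.48.54.17 -> 122.48.54.0)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is handled here, as in the decision's example")
    return str(ipaddress.ip_address(int(addr) & 0xFFFFFF00))

def anonymity_set_size(masked_ip: str) -> int:
    """Number of original addresses that collapse onto one masked value (a /24)."""
    return ipaddress.ip_network(f"{masked_ip}/24", strict=True).num_addresses

# Constructed analytics hits: the data categories the decision lists
# (IP address, browser, operating system, screen resolution, language) plus
# the account identifier present when the visitor is signed in.
HITS = [
    {"ip": "122.48.54.17",  "browser": "Firefox 98", "os": "Linux",
     "resolution": "1920x1080", "lang": "it-IT", "account": "acct-0001"},
    {"ip": "122.48.54.201", "browser": "Chrome 99",  "os": "Android",
     "resolution": "412x915",   "lang": "it-IT", "account": None},
    {"ip": "122.48.54.9",   "browser": "Safari 15",  "os": "iOS",
     "resolution": "390x844",   "lang": "it-IT", "account": None},
    {"ip": "122.48.54.9",   "browser": "Safari 15",  "os": "iOS",
     "resolution": "390x844",   "lang": "it-IT", "account": None},
]

# Constructed account table (e-mail is the account's user ID in the decision's words).
ACCOUNTS = {"acct-0001": {"email": "visitor@example.com", "phone": "+39 000 0000000"}}

QUASI_IDENTIFIERS = ("ip", "browser", "os", "resolution", "lang")

def pseudonymise(hits):
    """Apply the masking to every record; nothing else is removed."""
    return [{**h, "ip": mask_last_octet(h["ip"])} for h in hits]

def fingerprint(hit):
    return tuple(hit[k] for k in QUASI_IDENTIFIERS)

def singled_out(hits):
    """Records whose quasi-identifier tuple is still unique after masking."""
    counts = Counter(fingerprint(h) for h in hits)
    return [h for h in hits if counts[fingerprint(h)] == 1]

def link_logged_in(hits, accounts):
    """The association the decision describes: a signed-in visitor's masked
    record can still be joined to the account's e-mail and phone number."""
    return {fingerprint(h): accounts[h["account"]]
            for h in hits if h.get("account") in accounts}

if __name__ == "__main__":
    masked = pseudonymise(HITS)
    print("anonymity set per masked address:", anonymity_set_size(masked[0]["ip"]))
    print("records still singled out by browser attributes:", len(singled_out(masked)))
    for fp, acct in link_logged_in(masked, ACCOUNTS).items():
        print("masked record", fp, "links to", acct["email"])
```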
2.1 Transfers of personal data to the United States made through Google Analytics.
In light of the overall findings, it should therefore be noted that the use of GA, by
of website managers such as Caffeina Media Srl involves the transfer of personal data of
visitors of the aforementioned sites to Google LLC based in the United States. Such transfers, in that
carried out to a third country that does not guarantee an adequate level of protection pursuant to


data protection legislation (i.e. the United States), must be in place in compliance
Google Analytics is a web analytics tool provided by Google to website operators that enables the latter to analyse detailed statistics on users with a view to optimising the services rendered and monitoring their marketing campaigns.

Caffeina Media S.r.l. uses GA in its free version for purely statistical purposes, i.e. to obtain aggregate information on users' activity within its website. The Company acts as data controller and designates Google as data processor, pursuant to Article 28 of the Regulation, on the basis of the 'Google Analytics Terms of Service' and the 'Google Ads Data Processing Terms'.

More specifically, in the case at hand, Google LLC acted as data processor of the data collected through Google Analytics until 30 April 2021 on the basis of the 'Google Analytics Terms of Service' (see note of 22 December 2021, p. 2).

As from 1 May 2021, Google Ireland Limited took over the role of contractual counterparty to the same "Google Analytics Terms of Service" and, pursuant to the aforesaid Terms of Service, it may avail itself of other entities as sub-processors, including Google LLC (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3).
With regard to the processing carried out through Google Analytics, it has been noted that Caffeina Media S.r.l. collects, by means of cookies transmitted to the users' browsers, information on how the latter interact with the website, as well as with the individual pages and services offered. More in detail, the data collected consist of: unique online identifiers that allow both the identification of the browser or device of the user visiting the website, and of the website operator itself (through the Google Account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, operating system, screen resolution, selected language, and date and time of the website visit.


In this respect, it is worth pointing out that the IP address constitutes personal data insofar as it makes it possible to identify an electronic communication device, thus indirectly making the data subject identifiable as a user (see Article 29 Working Party, WP 136 - Opinion No 4/2007 on the concept of personal data, of 20 June 2007, p. 16). This is especially so where, as in the present case, the IP is associated with other information relating to the browser used and the date and time of browsing (see recital 30 of the Regulation).


In addition to this, if the website visitor accesses his Google account - which is the case here - the above-mentioned data may be associated with other information in the relevant account, such as the email address (which constitutes the account's user ID), the telephone number and any other personal data, such as gender, date of birth or profile picture.

In this regard, it should be noted that Google, as part of its Google Analytics service, has made available to website operators the option known as 'IP-Anonymization', which entails sending Google Analytics the user's IP address after obscuring the least significant octet (as a result of this operation, for example, the addresses 122.48.54.0 to 122.48.54.255 would all be replaced by 122.48.54.0). In the case at hand, the Company declared that the aforesaid option had not been activated at the date of the filing of the complaint, and that it had activated it only afterwards, as part of a series of technical and legal measures implemented following the initiation of the proceedings by the Garante, pursuant to Article 166, paragraph 5 of the Code.

On this point, it is worth pointing out, however, that the 'IP-Anonymization' actually consists in a pseudonymisation of the data relating to the user's network address, since the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the overall information held by the same on web users. Moreover, Google LLC itself has the possibility - if the interested party has accessed his Google profile - of associating the IP address with other additional information already in its possession (such as the information contained in the user account). This operation, therefore, despite the activation of 'IP-Anonymisation', still allows for the possible re-identification of the user.
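The re-identification path described above, as an added worked example that is not code from the decision, from Google or from Caffeina Media: it masks the last octet the way the 'IP-Anonymization' option does, shows how many addresses collapse onto one masked value, and then links the masked hit back to a logged-in account using the browser string and visit time that are sent alongside it. The account-session records are constructed sample data standing in for the "overall information" an importer may already hold; the 15-minute matching window, the exact user-agent comparison and the IPv4-only handling are assumptions chosen for the illustration.

```python
"""Added example: masking the last IPv4 octet as Google Analytics'
'IP-Anonymization' option does, then linking the masked hit back to a
logged-in account with the other metadata sent in the same hit.
Not code from the decision, from Google or from Caffeina Media; the
session records below are constructed sample data."""
import ipaddress
from datetime import datetime, timedelta

FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"


def anonymize_ip(ip: str) -> str:
    """Zero the least significant octet: 122.48.54.37 -> 122.48.54.0.
    IPv4 only; the decision's example concerns IPv4 addresses."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


# Constructed stand-in for the 'overall information' an importer may already
# hold about logged-in users: full IP and browser seen at login, when, and
# the account it belongs to (assumption: such records exist importer-side).
ACCOUNT_SESSIONS = [
    {"account": "alice@example.com", "ip": "122.48.54.37",
     "user_agent": FIREFOX, "seen": datetime(2022, 6, 9, 10, 2, 0)},
    {"account": "bob@example.com", "ip": "122.48.54.200",
     "user_agent": CHROME, "seen": datetime(2022, 6, 9, 10, 3, 30)},
    {"account": "carol@example.com", "ip": "122.48.54.91",
     "user_agent": FIREFOX, "seen": datetime(2022, 6, 8, 22, 15, 0)},
    {"account": "dave@example.com", "ip": "10.7.1.5",
     "user_agent": FIREFOX, "seen": datetime(2022, 6, 9, 10, 1, 0)},
]


def ga_hit(client_ip: str, user_agent: str, when: datetime) -> dict:
    """What the website's tag hands over with IP-Anonymization switched on:
    the masked address plus the browser and timing data listed in the decision."""
    return {"ip": anonymize_ip(client_ip), "user_agent": user_agent, "when": when}


def candidates_by_prefix(hit: dict, sessions: list) -> list:
    """Anonymity set on the masked IP alone: every session in the same /24
    (up to 256 addresses collapse onto one masked value)."""
    return [s for s in sessions if anonymize_ip(s["ip"]) == hit["ip"]]


def reidentify(hit: dict, sessions: list,
               window: timedelta = timedelta(minutes=15)) -> list:
    """Narrow the /24 candidates with the browser string and visit time that
    travel with the masked IP. The 15-minute window and the exact user-agent
    match are assumptions for the illustration. Returns matching accounts."""
    return [
        s["account"]
        for s in candidates_by_prefix(hit, sessions)
        if s["user_agent"] == hit["user_agent"]
        and abs(s["seen"] - hit["when"]) <= window
    ]


def demo() -> tuple:
    """Run the linkage on one constructed hit; returns
    (masked ip, size of the /24 candidate set, re-identified accounts)."""
    hit = ga_hit("122.48.54.37", FIREFOX, datetime(2022, 6, 9, 10, 5, 0))
    return (hit["ip"],
            len(candidates_by_prefix(hit, ACCOUNT_SESSIONS)),
            reidentify(hit, ACCOUNT_SESSIONS))


if __name__ == "__main__":
    masked, set_size, accounts = demo()
    print(f"masked IP sent to GA: {masked}")
    print(f"sessions sharing that /24: {set_size}")
    print(f"accounts left after joining browser + time: {accounts}")
```

On the masked address alone, three of the four constructed sessions fall in the same /24; once the browser string and timestamp carried by the same hit are joined in, the candidate set collapses to a single account. That is the sense in which the truncation is pseudonymisation: it removes the exact address, not the importer's ability to recognise the person.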

In the light of the above, it should therefore be noted that the use of GA by website operators such as Caffeina Media S.r.l. entails the transfer of the personal data of the visitors of the aforesaid sites to Google LLC, based in the United States. Such transfers, insofar as they are made to a third country that does not ensure an adequate level of protection under data protection law (i.e. the United States), must be carried out in compliance with Chapter V of the Regulation.

2.2 The unlawfulness of the transfers following ruling C-311/18, of 16 July 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, in ruling C-311/18 of 16 July 2020 (so-called Schrems II), in declaring the invalidity of EU Commission Decision No. 2016/1250 of 12 July 2016 on the adequacy of the protection offered by the EU-US Privacy Shield regime (so-called Privacy Shield), found that US domestic law (in particular Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act - hereinafter 'FISA 702') contains exemptions to data protection law that exceed the restrictions deemed necessary in a democratic society. This is with particular reference to the provisions allowing public authorities, within the framework of certain national security programmes, to have access without appropriate limitations to the personal data subject to transfer, and to the failure to provide the data subjects with rights that can be enforced before the courts.

In the same judgment, the Court also upheld the validity of Commission Decision 2010/87/EU of 5 February 2010 concerning standard contractual clauses for the transfer of personal data to processors established in third countries - clauses adopted by Caffeina in the present case (see paragraph 1 above). At the same time, it pointed out that, in accordance with the principle of accountability, data controllers, in their capacity as data exporters, are in any case required to verify, on a case-by-case basis and, where necessary, in cooperation with the data importer in the third country, whether the latter's law or practice affects the effectiveness of the appropriate safeguards contained in the aforementioned clauses; this is to determine whether the safeguards provided for in the standard contractual clauses can be complied with in practice (Art. 5(2) and Art. 24; see also Recommendation No 1/2020 on measures supplementing the means of transfer to ensure compliance with the EU level of protection of personal data of 18 June 2021, paragraphs 1-5).

In general terms, it is therefore necessary to assess, in concreto, i.e. on the basis of the circumstances of the transfer, whether the instrument chosen by the exporter, among those identified in Article 46 of the Regulation, is effective in the specific case.

Such an examination, as pointed out by the European Data Protection Board - hereinafter 'EDPB' (see Recommendation No 1/2020, cit., p. 4), must 'focus first of all on the third country legislation [and applicable practices] relevant to the transfer [as well as] on the transfer instrument [identified] pursuant to Article 46 of the GDPR' in order to verify that the aforesaid legislation and practices do not de facto prevent the importer from complying with the obligations laid down by the instrument used. More specifically, the above assessment 'entails the need to determine whether or not the transfer in question falls within the scope of the [above-mentioned legislation]'. It must 'be based on objective factors, irrespective of the likelihood of access to personal data' (see EDPB and EDPS Joint Opinion 2/2021 on the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted on 14 January 2021, para. 86).

Relevant for this purpose are the characteristics of the specific transfer carried out, such as: the purposes, the nature of the entities involved, the sector in which the transfer takes place, the categories of personal data transferred, whether the data are stored in the third country or accessed remotely, the format of the data to be transferred, and any subsequent transfers (see Recommendation No 1/2020, cit., para. 33).
The assessment required from the data exporter must therefore focus on the legislation and practices applicable in the third country to the specifically transferred data and involve verification of 'whether or not the public authorities in the third country (...) can attempt to access the data' as well as 'whether or not the public authorities in the third country (...) can access the data through the importer itself or through telecommunication providers or communication channels' (see Recommendation No 1/2020, cit., para. 31).
As regards the aforementioned possibility of access by the US Authorities, it must be borne in mind that it is confirmed by the "Transparency report on United States national security requests for user information" made available by Google on its website (available at the following link https://transparencyreport.google.com/user-data/us-national-security?hl=en); this report contains the numerical data relating to the access requests (which, as expressly indicated therein, may also concern "non-content metadata" such as IP addresses) received by Google, pursuant to FISA 702, at the request of the US national Authorities.
Having said this, with reference to what has been argued by the Company in its defence briefs, it is worth pointing out that

with regard to the inadequacy of the US legislation (see paragraph 1(a) above), the Court of Justice did not limit itself to an examination of the legal framework in force at the time of the adoption of the Privacy Shield. Rather, it took into account the regulatory provisions relating to surveillance programmes (see, in particular, FISA 702) in force at the time the ruling was handed down, holding that they did not guarantee a level of protection substantially equivalent to that required by Article 52(1) of the Charter of Fundamental Rights of the European Union (see the judgment cited above, paras. 168-202);

as to the identification of the data that can be accessed by the US authorities pursuant to FISA 702 (see above, par. 1, point b), the White Paper of September 2020 contains general indications as to the object of the access requests that can be made by intelligence agencies, so as not to exclude a priori that, besides the e-mail address and the telephone number of the users, they can also refer to IP addresses (see in this respect White Paper of September 2020, cited above, p. 7). To confirm this, it should also be noted that in the 'Transparency report on United States national security requests for user information' (see above) made available by Google on its website, IP addresses appear among the information that can be the subject of access requests under FISA 702 together with other metadata (see in particular the description contained in the section called 'non-content requests under FISA');

lastly, with respect to the assessment of the suitability of the additional measures adopted in the present case (see above, par. 1, point e), the Company, in taking into consideration elements other than those contemplated by the EDPB, such as the "economic availability" of Caffeina Media S.r.l., "the costs of implementation" of the technical and organisational measures to be put in place, and "the content of the articles and topics (...) of a light-hearted nature and focused on entertainment areas" conveyed by the website www.caffeinamagazine.it (see note of 10 February 2022, pp. 10, 15, 16, 17 and 8), substantially based the aforesaid assessment on the "likelihood of the risk of data access by third parties" and on the "seriousness of the possible occurrence of [the aforesaid] risk" (see note of 10 February 2022, p. 24). In this respect, on the other hand, it is reiterated that the Court, in the above-mentioned ruling, did not refer to 'any subjective factor, such as, for example, the likelihood of access' to the personal data transferred (see EDPB and EDPS Joint Opinion 2/2021, cited above, para. 87).

2.3. Unsuitability of additional measures taken by the controller.
Where it is found as a result of the above assessment that the legislation and practices of the third country prevent the data importer from complying with the obligations laid down in the chosen transfer instrument, as found in the present case, exporters must adopt additional measures ensuring a level of protection of personal data substantially equivalent to that provided for by the Regulation (see Recommendation No 1/2020, cited above, paras. 50-57, which sets out the criteria for identifying the measures to be adopted).
In this regard, with regard to the additional measures of a technical, but also contractual and organisational, nature adopted in the present case, the following should be noted.
The measures of a technical nature consist in the adoption of data encryption mechanisms, during the transfer between systems (in transit) and when stored in the systems (at rest).
Encryption in transit is adopted when data are transferred between different systems, services or data centres through networks or infrastructures not controlled by the Company (e.g. geographical networks).


Encryption at rest, on the other hand, concerns user data that are stored on disk drives or in backup drives and is based on the encryption of data using standard algorithms (usually using AES256) and encryption at different levels, starting with encryption at the hardware level, depending on the type of application and specific risks. Access to Google LLC's data centres is protected by 6 levels of physical security measures.
In this regard, it should be noted that, taking into account the indications provided by the EDPB in Recommendation No. 1/2020, the above-mentioned technical measures are not adequate.
With regard to the data encryption mechanisms highlighted above, they are not sufficient to avoid the risks of access, for national security purposes, to the data transferred from the European Union by the public authorities of the United States, since the encryption techniques adopted provide that the availability of the encryption key is in the hands of Google LLC, which holds it, as importer, by virtue of the need to have the data in plain text in order to carry out processing and provide services. It should also be pointed out that the obligation to allow access, on the part of the US authorities, falls on Google LLC not only with regard to the imported personal data, but also with regard to any cryptographic keys necessary to make them intelligible (see also Recommendation 1/2020, cit., par. 81).
It follows from this that, as long as the encryption key remains at the importer's disposal, the measures taken cannot be considered adequate (see Recommendation 1/2020, cit., para. 95).
This also takes into account certain contractual and organisational measures consisting specifically of the undertaking to:


verify, in accordance with US law, the legitimacy of each individual request for access to the user data being transferred made by the public authorities, assessing its proportionality, and not grant the request if, after careful evaluation, it is concluded that the conditions under the relevant legislation are not met;

promptly notify the person concerned of access requests from the US public authorities, unless such disclosure is prohibited by the relevant legislation, informing the person concerned in any case if the above prohibition is lifted;

publish a "Transparency Report" containing a summary of requests for access to data received from the US Public Authorities, insofar as such publication is permitted by the relevant legislation;


publish the policy for handling requests for access to user data transferred by US public authorities.


In this regard, in fact, it should be noted that, as considered by the EDPB, in the absence of appropriate technical measures - a circumstance ascertained in the present case - the contractual and organisational measures indicated above, per se, cannot reduce or prevent the possibilities of access to the data subject to transfer by the US Authorities (see Recommendation 1/2020, cit., par. 53).
In the light of the foregoing, therefore, the additional measures adopted in the present case cannot be regarded as adequate with the consequent unlawfulness, pursuant to Articles 44 and 46 of the Regulation, of the relevant transfers of personal data to the United States.
2.4 Accountability of the data controller


The data controller is required to implement "appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is carried out in compliance with the [Regulation]" (so-called accountability principle; see Art. 5(2) and Art. 24(1) of the Regulation).


It is therefore up to the data controller to decide autonomously on the modalities, guarantees and limits of the processing of personal data in compliance with the relevant legislation on the subject. The Regulation, in fact, strongly emphasises the 'accountability' of the data controller, i.e., the adoption of proactive behaviour such as to demonstrate the concrete adoption of measures aimed at ensuring the application of personal data protection rules (see, in particular, Article 24 of the Regulation).


The implementation of the accountability principle with reference to transfers of data to third countries places the responsibility on the data controller, as exporter, to verify, on a case-by-case basis and, where necessary, in cooperation with the importer in the third country, whether the latter's law or practice affects the effectiveness of the adequate safeguards contained in the transfer instruments referred to in Article 46 of the Regulation.
In such cases, the exporter is obliged to adopt, in application of this principle, additional measures enabling the importer to comply with the obligations laid down in the instrument adopted pursuant to Article 46 of the Regulation; all this in order to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined (see Article 44 of the Regulation; see in this regard, Recommendation 1/2020, cit., paragraphs 1-5).


For all the reasons set out above, without prejudice to the unsuitability of the additional measures adopted in the present case, Caffeina Media S.r.l.'s argument as to its lack of autonomy with regard to the decisions to be taken on the transfer of data to third countries cannot be accepted (see above, par. 1, points c) and d) above); this considering that the Company, by reason of its role under the data protection rules, is required, as already clarified, to implement, even in the context of cross-border transfers, adequate and effective measures to protect the rights and freedoms of the data subjects and to be able to demonstrate their compliance with the Regulation.


In the light of the above considerations, in engaging in the conduct described above, Caffeina Media S.r.l. has therefore breached Articles 5(2) and 24 of the Regulation.


In such cases, the exporter is required to take, in application of this principle, additional measures
2.5. Inadequacy of the information provided pursuant to Article 13 of the Regulation.
additional measures enabling the importer to comply with the obligations under the instrument
adopted pursuant to Article 46 of the Regulation; all this in order to ensure that the level of
protection of natural persons guaranteed by the Regulation is not undermined (see Art. 44 of the Regulation; cf
Regulation; see in this respect, Recommendation 1/2020, cit., paragraphs 1-5).


With reference to the information to be provided to the data subject, pursuant to Article 13 of the Regulation, it should be noted that, in the information notice provided to the complainant on the website www.caffeinamagazine.it, at the time of the collection of the data concerning him (see communication of 3 November 2021), some of the elements referred to in Article 13(1)(f) of the Regulation were not indicated.


For all the reasons set out above, without prejudice to the finding that the additional measures
Indeed, in view of the fact that personal data must be 'processed lawfully, fairly and transparently vis-à-vis the data subject' (Art. 5(1)(a) of the Regulation), the data subject's personal data must be 'processed in a lawful, fair and transparent manner'. (a) of the Regulation), the data controller, where a transfer of personal data takes place, is obliged, in compliance with the principle of transparency, to inform the data subject also of 'the intention to transfer personal data to a third country' as well as of 'the existence or absence of a Commission adequacy decision or, in the case of transfers referred to in Article 46 or 47 or in the second subparagraph of Article 49(1), the reference to appropriate or adequate safeguards and the means of obtaining a copy of those safeguards or the place where they have been made available' (Art. 13(1) of the Regulation).
adopted in the present case, the arguments put forward by Caffeina Media Srl as to the lack of autonomy from the
regarding the lack of autonomy of the same with respect to the decisions to be taken on the
transfer of data to third countries (see paragraph 1(c) and (d) above); this in view of the fact that the
Company, by reason of its role under the data protection regulations, is


required, as already clarified, to put in place, even in the context of cross-border transfers
In this regard, in any case, while taking note of the updating on 23 March 2022 of the information to be rendered to users on the website www.caffeinamagazine.it (see note of 10 February 2022, p. 30; see "Cookies Policy" available at https://www.caffeinamagazine.it/cookie-policy/), it should be noted that the model provided at the time by Caffeina Media S.r.l. to the complainant in this case (see communication of 3 November 2021), did not clearly define the elements referred to in Article 13(1)(f) of the Regulation concerning the transfer.
appropriate and effective measures to protect the rights and freedoms of data subjects and to be able to
to demonstrate their compliance with the Regulation.


In the light of the above considerations, in engaging in the conduct described above, Caffeina Media
It follows, therefore, with reference to that model, that Article 5(1)(a) and Article 13(1)(f) of the Regulation have been infringed.
Srl has therefore infringed Articles 5(2) and 24 of the Regulation.


3. Conclusions: declaration of unlawfulness of the processing. Corrective measures under Article 58(2) of the Regulation.

For the above reasons, the Authority considers that the statements, documentation and reconstructions provided by the data controller in the course of the investigation do not make it possible to overcome the findings notified by the Office in the act initiating the proceeding and are therefore unsuitable to warrant the dismissal of the present proceeding, since none of the cases provided for by Article 11 of the Garante's Regulation No. 1/2019 applies.

The processing of personal data carried out by the Company is therefore unlawful, in the terms set out above, in relation to Article 5(1)(a) and (2), Article 13(1)(f), Article 24 and Articles 44 and 46 of the Regulation.

Infringement of the above provisions entails the application of the administrative fines provided for in Article 83(5)(a), (b) and (c) of the Regulation.

In this respect, with reference to the elements to be taken into consideration in order to assess whether to impose an administrative fine (Article 83(2) of the Regulation), it should be noted first of all that, as regards the nature and gravity of the infringement, the processing operations which are the subject of the complaint did not concern special categories of personal data.

As regards the subjective element, it must be considered that Caffeina Media S.r.l., in view of the asymmetry of contractual power resulting from the leading market position held by Google in the web analytics services sector, mistakenly assumed as appropriate, on the basis of the information provided by Google, the additional measures adopted by the latter, without exercising any decision-making power over them.

With regard to the measures adopted by the Company to mitigate the damage suffered by data subjects, note is also taken of the initiatives undertaken by the data controller following the notification pursuant to Article 166(5) of the Code, concerning: updating the text of the information notice on the Company's website; adopting the "IP-Anonymization" option made available by Google; improving the security of the infrastructure; updating the content management system used to create and manage the site; and analysing the feasibility of implementing an alternative web analytics tool that "will no longer rely exclusively on tracking via cookies and (...) will no longer store the IP addresses of the data subjects" (see minutes of 25 March 2022 and supplementary note of 4 April 2022, p. 2).

Finally, for the purposes of the Authority's assessment, the absence of previous infringements and the loyal cooperation with the Garante during the proceedings are also relevant.

The nature and gravity of the infringement, its culpable nature, and the further elements referred to above therefore lead to the classification of the case under consideration as a 'minor infringement' (see Article 83(2) and recital 148 of the Regulation).

It is therefore considered that, in the present case, the data controller must be reprimanded, pursuant to Article 143 of the Code and Article 58(2)(b) of the Regulation, for having carried out processing in breach of Article 5(1)(a) and (2), Article 13(1)(f), Article 24 and Articles 44 and 46 of the Regulation.

Lastly, it is noted that the conditions set out in Article 17 of the Garante's Regulation No. 1/2019, concerning internal procedures with external relevance, aimed at the performance of the tasks and the exercise of the powers entrusted to the Garante, are met.

IN VIEW OF ALL THE FOREGOING, THE GARANTE:

a) pursuant to Article 57(1)(f) of the Regulation, declares the unlawfulness of the processing of personal data of users of the website www.caffeinamagazine.it carried out, through Google Analytics, by Caffeina Media S.r.l., with registered office in Rosignano Marittimo (LI), VAT no. 13524951004, in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

b) pursuant to Article 58(2)(d) of the Regulation, orders Caffeina Media S.r.l. to bring the processing of personal data of users of the website www.caffeinamagazine.it carried out by means of Google Analytics into compliance with Chapter V of the Regulation, by adopting appropriate additional measures, within ninety days of notification of this measure;

c) pursuant to Article 58(2)(j) of the Regulation, orders the suspension of the flow of the personal data identified above to Google LLC, based in the United States, if Caffeina Media S.r.l. does not comply with point b) of this measure within the period laid down therein;

d) pursuant to recital 148 and Article 58(2)(b) of the Regulation, reprimands Caffeina Media S.r.l. for having processed personal data in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

e) considers that the conditions set out in Article 17 of Regulation No. 1/2019, concerning internal procedures with external relevance, aimed at the performance of the tasks and the exercise of the powers entrusted to the Garante, are met.

Pursuant to Article 157 of the Code, it requests Caffeina Media S.r.l. to communicate which initiatives have been undertaken in order to implement the provisions of this measure and, in any event, to provide adequately documented feedback within ninety days of the date of notification of this decision; failure to do so may result in the application of the administrative fine provided for by Article 83(5)(e) of the Regulation.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree No. 150 of 1 September 2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the measure, or within sixty days if the appellant resides abroad.

Rome, 9 June 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei
</pre>
</pre>

Latest revision as of 07:01, 20 July 2022

Garante per la protezione dei dati personali - 9782890
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 13(1)(f) GDPR
Article 24 GDPR
Article 44 GDPR
Article 46 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.06.2022
Published: 27.06.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 9782890
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: MW

Italy's DPA reprimanded a website operator for failing to provide appropriate safeguards for the transfer of personal data to the US through Google Analytics, ordering it to comply with Article 46 GDPR or suspend data transfers to Google LLC.

English Summary

Facts

Following the Schrems II decision, the data subject, represented by noyb – European Center for Digital Rights, complained to the Italian DPA that the controller was sending his personal data to the US without appropriate safeguards required by Article 46 GDPR.

The transfers took place through the use of the Google Analytics web service. The controller operated a news website that used Google Analytics to collect statistical data on the use of its services. Google Analytics cookies collected data on users' IP address, browser or device, operating system, screen resolution, selected language, date and time of access, and interaction with the website. For users who were logged in with their Google account, this information could be associated with other identifiers such as email address, telephone number, gender, date of birth, and profile picture.

Google LLC (based in the US), and later Google Ireland, were responsible for processing the collected information; even after the Google Analytics terms of service were changed to list Google Ireland as processor, Google LLC was still designated as a sub-processor. In response to the DPA's investigation, Google claimed it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR. These measures consisted of encryption (for which Google LLC held a copy of the encryption key) and a feature called "IP-Anonymisation", under which Google truncated users' IP addresses to hamper identification. This process, however, was actually a form of pseudonymisation, because the truncated IP address could be combined with the other collected data to re-identify natural persons.
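The following is an added illustration, not part of the GDPRhub summary or of the Garante's decision, of why IP truncation of the kind described above is pseudonymisation rather than anonymisation. It assumes a truncation rule (zeroing the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses) that is my reading of how such an option behaves, not a fact taken from the decision, and it joins the truncated address with the browser and device attributes the summary lists as collected by Google Analytics cookies. The sample hits, the signed-in record and the email address are constructed.

```python
import ipaddress

# Assumed truncation rule (not taken from the decision): keep the first
# 24 bits of an IPv4 address and the first 48 bits of an IPv6 address.
_PREFIX = {4: 24, 6: 48}


def truncate_ip(ip: str) -> str:
    """Zero the host part of an address the way an IP-truncation option would."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{addr}/{_PREFIX[addr.version]}", strict=False)
    return str(net.network_address)


def candidate_ips(truncated: str) -> int:
    """How many original addresses collapse into one truncated value."""
    addr = ipaddress.ip_address(truncated)
    net = ipaddress.ip_network(f"{addr}/{_PREFIX[addr.version]}", strict=False)
    return net.num_addresses


def pseudonym(hit: dict) -> tuple:
    """Linkage key still available after truncation: the truncated address
    combined with the browser/device attributes collected alongside it."""
    return (truncate_ip(hit["ip"]), hit["user_agent"], hit["screen"], hit["lang"])


# Constructed sample hits: two visitors behind the same /24; visitor A is
# also seen once in a signed-in session where an account email is known.
SAMPLE_HITS = [
    {"ip": "203.0.113.42", "user_agent": "Firefox/101", "screen": "1920x1080", "lang": "it-IT", "path": "/news/1"},
    {"ip": "203.0.113.42", "user_agent": "Firefox/101", "screen": "1920x1080", "lang": "it-IT", "path": "/news/2"},
    {"ip": "203.0.113.7", "user_agent": "Safari/15", "screen": "390x844", "lang": "it-IT", "path": "/news/1"},
]
SIGNED_IN_HITS = [
    {"ip": "203.0.113.42", "user_agent": "Firefox/101", "screen": "1920x1080", "lang": "it-IT", "email": "a@example.com"},
]


def distinct_visitors(hits) -> int:
    """Truncation does not merge visitors whose other attributes differ."""
    return len({pseudonym(h) for h in hits})


def reidentify(hits, signed_in_hits):
    """Join pseudonymous hits to an identity observed in a signed-in session
    using nothing but the post-truncation linkage key."""
    identity = {pseudonym(h): h["email"] for h in signed_in_hits}
    return [(h["path"], identity.get(pseudonym(h))) for h in hits]


if __name__ == "__main__":
    for h in SAMPLE_HITS:
        t = truncate_ip(h["ip"])
        print(t, candidate_ips(t), pseudonym(h))
    print(distinct_visitors(SAMPLE_HITS))
    print(reidentify(SAMPLE_HITS, SIGNED_IN_HITS))
```

Truncation alone leaves 256 candidate IPv4 hosts per record, but the two visitors sharing that /24 remain distinguishable by user agent, screen size and language, and one signed-in record is enough to attach an email address to every later hit carrying the same key. That is the combination the DPA relied on in treating the option as pseudonymisation.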

Both Google and the controller also argued that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being compelled to disclose this data to the US government was exceedingly low. This attenuated risk, they argued, meant that less stringent safeguards were sufficient to protect data subjects' rights under the GDPR (the so-called "risk-based approach"). Google claimed that in over 15 years of providing its Google Analytics service, it had never received an access request of the kind contemplated in the data subject's complaint.

For its part, the controller deemed the technical measures implemented by Google sufficient. The controller, however, lacked the technical means to verify that these measures had been implemented, and had no authority either to decide which measures were appropriate or to dictate to Google its choices regarding data transfers to third countries.

Holding

The DPA declared unlawful any processing carried out by the controller through the use of Google Analytics. It also clarified that, regardless of any asymmetry in bargaining power or technical resources, the controller is responsible for ensuring that processing is lawful per Articles 5(2) and 24 GDPR (the accountability principle). The controller must decide independently on the methods, guarantees, and limits of processing.

Regarding data transfers to a third country, the DPA rejected the risk-based approach, finding the controller in violation of Articles 44 and 46 GDPR. The low probability of an access request from US authorities did not relieve the controller of its responsibility to guarantee on a case-by-case basis that transfers of personal data to a third country had adequate safeguards. Encryption was an insufficient technical safeguard because Google LLC remained in possession of the relevant encryption key. US authorities could simply compel Google LLC to turn over this key along with the encrypted data.

The DPA also found the controller in violation of Article 13(1)(f) GDPR because its privacy policy did not disclose the intention to transfer personal data to a third country, the absence of an adequacy decision, or the safeguards in place under Article 46(2) GDPR.

For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Article 46 GDPR) within 90 days or suspend the transfer of data through Google Analytics.

Comment

  • From the 23 June 2022 GPDP press release: "The Italian SA wishes to draw the attention of all the Italian website operators, both public and private, to the unlawfulness of the data transfers to the USA as resulting from the use of GA – partly on account of the many alerts and queries received so far. The Italian SA calls upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services."

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Measure of 9 June 2022

Register of Measures
No. 224 of 9 June 2022

THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Personal Data Protection Code, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018, hereinafter, the "Code");

HAVING REGARD to the complaint dated 17 August 2020 filed pursuant to Article 77 of the Regulation by Mr XX against Caffeina Media S.r.l.;

HAVING EXAMINED the documentation on file;

HAVING CONSIDERED the observations made by the Secretary General pursuant to Article 15 of the Rules of the Garante No. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the company and the preliminary investigation.

In a complaint lodged on 17 August 2020, Mr XX complained that Caffeina Media S.r.l. (hereinafter 'the Company') had transferred to Google LLC, based in the United States, the personal data concerning him processed through the website www.caffeinamagazine.it, in the absence of the safeguards provided for by Chapter V of the Regulation.

Within the framework of the preliminary investigation activity launched by the Garante, the Office, by means of notes dated 30 July and 7 December 2021, asked the Company to provide information and clarifications on the facts which were the subject of the complaint.

In its communications of 15 October, 3 November and 22 December 2021, in response to the Office's requests, Caffeina Media S.r.l. stated the following:

the Company is the controller of the processing operations carried out through the website www.caffeinamagazine.it; this in contrast with what was at the time indicated in the information notice provided on that website pursuant to Article 13 of the Regulation, which contained an erroneous reference, since corrected, to Caffeina Media Ltd;

the processing of personal data of users of the www.caffeinamagazine.it website is carried out by the Company by means of the Google Analytics tool (hereinafter also 'GA') in its 'free version' (see note of 15 October 2021, p. 3 and note of 22 December 2021, p. 2);

the Company "has neither visibility of the details of the data collected, nor can it precisely describe the types of data collected" and "has chosen to use [Google Analytics] also because Google claims to process only pseudonymous and cookie-based data"; these are in detail: "(i) cookies, (ii) device/browser data (iii) IP address and (iv) activity on the site" (see note of 15 October 2021, pp. 2 and 3);

Caffeina Media S.r.l. "is bound to the contractual text ["Google Analytics Terms of Service"] accepted on the platform (standard text imposed by the supplier, Google)" and "as emerges from the contractual documentation imposed by Google, Google acts as processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 3);

more specifically, "the contractual counterparty [of the Google Analytics Terms of Service in the version of 31 March 2021] is Google Ireland Limited"; unlike the previous version of the aforementioned "Google Analytics Terms of Service" -dated 17 June 2019- which was signed with Google LLC (see note of 22 December 2021, p. 2). Therefore, "Caffeina Media S.r.l. acts as data controller and, (..) [from May 2021], Google Ireland Limited acts as data processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3);

Caffeina Media S.r.l. "does not possess any level of autonomy with regard to the choices relating to the transfer of data to third countries, including the identification of the types of data subject to the aforesaid transfer" (see note of 15 October 2021, p. 7 and note of 22 December 2021, pp. 2 and 4); in particular, this specific processing operation is governed by Article 10 of the 'Google Ads Data Processing Terms', according to which 'Caffeina as data exporter, through Google Ireland Limited, may have carried out data transfer activities to the United States, with Google LLC as data importer'. Moreover, according to the same provision, 'the owner of the website agrees that Google may be supported in its processing activities by other companies in its group and, among the companies mentioned, Google LLC is present, which would act as sub-processor' (see memorandum of 15 October 2021, p. 6 and 7 and memorandum of 22 December 2021, p. 3);

the transfer of the data to Google LLC is carried out on the basis of the Standard Contractual Clauses corresponding to the model adopted by the European Commission on 5 February 2010 by Decision 2010/87/EU, as per Google's communication to the Company dated 3 August 2020 (see note of 15 October 2021, p. 7, in particular Annex B "Google Communication 3.08.2020");

those clauses have been supplemented by the additional measures adopted by Google, in respect of which the Company has "no possibility of verifying the implementation at a technical level (...), or of giving specific instructions on the actual implementation of [the same]" (see note of 22 December 2021, p. 4);

in the context of the services offered through Google Analytics, Caffeina Media S.r.l. has not subscribed to the so-called data sharing option (note of 15 October 2021, p. 5);

with regard to the contested transfer to Google LLC of the data relating to the complainant, Caffeina Media S.r.l. "has no particular autonomy in the use of the tool [Google Analytics], including the possibility of knowing whether the complainant's data have actually been transferred to third countries" (see note of 15 October 2021, p. 6);

with regard to the fulfilments put in place pursuant to Article 13 of the Regulation, Caffeina Media S.r.l. "makes use of the automated service of the company Iubenda s.r.l. for the management of the privacy policy and the cookie policy" (with reference to the model of the policy updated to 5 October 2021, see note of 15 October 2021, p. 9; and with regard to the policy provided to the complainant on 12 August 2020, see communication of 3 November 2021).

On 11 January 2022, the Office notified, pursuant to Article 166(5) of the Code, the alleged violations of the Regulation found with reference to Article 5(1)(a) and (2), Article 13, Article 24 as well as Articles 44 and 46(2)(c) of the Regulation.

On 10 February 2022, the Company sent its defence submissions in which it represented that:

a) the US legislation considered by the Court of Justice of the European Union in its judgment of 16 July 2020 in Case C-311/18 (so-called 'Schrems II') must be subject to a new adequacy assessment by the data protection authorities in view of the regulatory developments that have taken place since the adoption of the Privacy Shield, as set out in detail by the US Government in the White Paper of September 2020 entitled "Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II" (see note of 10 February 2022, para. 1, pp. 3-9);

b) with specific reference to the scope of application of Section 702 of the Foreign Intelligence Surveillance Act, "it is practically impossible that intelligence agencies can make use of only an IP address or a cookie (the only data possibly transferred by Caffeina)"; this considering that, in view of the procedures (so-called targeting procedures) used to identify the data that may be accessed by the US authorities, the data of main interest for intelligence activities are users' e-mail addresses and telephone numbers (see note of 10 February 2022, pp. 6-7);

c) with regard to the alleged unsuitability of the additional technical measures implemented by Google, the latter had adopted "high standards of (...) security" and "internal procedures (...) subject to various certifications. (...) Moreover, the (...) assessments as to the adequacy of the security measures to be adopted were carried out by the supplier itself, which, after having carried out such analysis, then notified Caffeina itself of the updating of the security measures and of the contractual documentation, precisely following the Schrems II ruling (...). And this in any case in line with the requirements of Clause 14 of the new SCCs". In any case, with respect to such measures, "Caffeina has neither the means nor the operational or technical possibility of imposing changes to the [aforementioned] security measures on the supplier", as it does not have "any contractual power to enter into commercial dialogue with its counterparty [nor] (...) to interact with the same" (see note of 10 February 2022, pp. 10 and 12);

d) "with regard to the contested transfer to Google LLC of the data relating to the complainant, Caffeina Media S.r.l. has no particular autonomy in the use of the tool [Google Analytics]", not having "at a technical level the possibility of knowing whether Mr. XX's personal data have actually been transferred" (see note of 10 February 2022, p. 13);

e) as regards the adequacy of the additional technical measures implemented by Google, Caffeina considered them 'relevant and effective in relation to the nature of the data and the context in which they were collected' as well as the level of risk of the transfer. All this in consideration of the fact that: i) the data processing connected with the transfer in question is part of the context of a daily information site with a 'light slant, focused on entertainment areas'; ii) 'the Company uses the tool only in aggregate and statistical form, never seeing the raw data' and limiting itself to processing pseudonymised data; iii) the level of risk must also be assessed on the basis of the degree of likelihood of the actual occurrence of access by the US public authorities to the data collected through Google Analytics on the site www.caffeinamagazine.it. In this regard, the Company has reported what Google stated in a recent blog post of 19 January 2022 (available at the following address: https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/), with respect to the circumstance that 'the provider has offered the Google Analytics service for more than 15 years globally and has never received a request such as the one complained of by the complainant' (note of 10 February 2022, p. 10, 17, 18, 26 and 29; see also note of 4 April 2022, p. 5).

On 25 March 2022, during the hearing requested by the Company, the latter, in recalling the above-mentioned memoranda in their entirety, also represented that it had adopted a series of measures of a technical and legal nature relating to: the updating of the text of the information notice on the Company's website (see, in particular, the "Cookie Policy" available at https://www.caffeinamagazine.it/cookie-policy/); the implementation of a new technical structure of the site, achieved by updating to the most recent version of the content management system used by the Company and by migrating the site to a new infrastructure that guarantees a higher level of security; the adherence to the so-called "IP-Anonymization" option provided by the Google Analytics tool; and the start of the implementation of a new web analytics tool based, inter alia, on the non-use of cookies and the absence of IP tracking (see minutes of 25 March 2022 and explanatory note of 4 April 2022, p. 2).

2. Observations on the data protection legislation relevant to the present case and violations established.

First of all, it should be noted that, unless the act constitutes a more serious offence, anyone who, in proceedings before the Garante, falsely declares or certifies information or circumstances or produces false deeds or documents shall be held liable pursuant to Article 168 of the Code 'False statements to the Garante and interruption of the performance of the Garante's duties or exercise of its powers'.

Having said that, at the outcome of the preliminary investigation and of the examination of the documentation acquired in the course of the same, it was ascertained that the transfers made by Caffeina Media S.r.l. to Google LLC (based in the United States), by means of the Google Analytics tool, were carried out in breach of Articles 44 and 46 of the Regulation; it was also found that there had been breaches of Article 5(1)(a) and (2), Article 13(1)(f) and Article 24 of the Regulation, as explained below.

2.1 Transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website operators that enables the latter to analyse detailed statistics on users with a view to optimising the services rendered and monitoring their marketing campaigns.

Caffeina Media S.r.l. uses Google Analytics in its free version for purely statistical purposes, i.e. to obtain aggregate information on users' activity within its website. The Company acts as data controller and designates Google as data processor, pursuant to Article 28 of the Regulation, on the basis of the 'Google Analytics Terms of Service' and the 'Google Ads Data Processing Terms'.

More specifically, in the case at hand, Google LLC acted as data processor of the data collected through Google Analytics until 30 April 2021 on the basis of the 'Google Analytics Terms of Service' (see note of 22 December 2021, p. 2).

As from 1 May 2021, Google Ireland Limited took over the role of contractual counterparty to the same "Google Analytics Terms of Service" and, pursuant to the aforesaid Terms of Service, it may avail itself of other entities as sub-processors, including Google LLC (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3).

With regard to the processing carried out through Google Analytics, it has been noted that Caffeina Media S.r.l. collects, by means of cookies transmitted to the users' browsers, information on how the latter interact with the website, as well as with the individual pages and services offered. In more detail, the data collected consist of: unique online identifiers that allow the identification both of the browser or device of the user visiting the website and of the website operator itself (through the Google Account ID); the website address and name and browsing data; the IP address of the device used by the user; and information relating to the browser, operating system, screen resolution, selected language, and date and time of the website visit.

In this respect, it is worth pointing out that the IP address constitutes personal data insofar as it makes it possible to identify an electronic communication device, thus indirectly making the data subject identifiable as a user (see Article 29 Working Party, WP 136 - Opinion No 4/2007 on the concept of personal data, of 20 June 2007, p. 16). This is especially so where, as in the present case, the IP is associated with other information relating to the browser used and the date and time of browsing (see recital 30 of the Regulation).

In addition to this, if the website visitor accesses his Google account - which is the case here - the above-mentioned data may be associated with other information in the relevant account, such as the email address (which constitutes the account's user ID), the telephone number and any other personal data, such as gender, date of birth or profile picture.
In this regard, it should be noted that Google, as part of its Google Analytics service, has made available to website operators the option known as 'IP-Anonymization', which entails sending Google Analytics the user's IP address after obscuring the least significant octet (on the basis of this operation, for example, the addresses 122.48.54.0 to 122.48.54.255 would be replaced by 122.48.54.0). In the case at hand, the Company declared that the aforesaid option had not been activated at the date of the filing of the complaint and also represented that it had adhered to the same only afterwards, as part of the adoption of a series of technical-legal measures implemented following the initiation of the proceedings by the Garante, pursuant to Article 166, paragraph 5 of the Code.
On this point, it is worth pointing out, however, that 'IP-Anonymization' actually amounts to a pseudonymisation of the data relating to the user's network address, since the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the overall information it holds on web users. Moreover, Google LLC itself has the possibility, if the data subject has logged into their Google account, of associating the IP address with other additional information already in its possession (such as the information contained in the user account). This operation, therefore, despite the activation of 'IP-Anonymization', still allows for the possible re-identification of the user.
In the light of the above, it should therefore be pointed out that the use of Google Analytics by website operators such as Caffeina Media S.r.l. entails the transfer of the personal data of the visitors of those sites to Google LLC, based in the United States. Such transfers, insofar as they are made to a third country that does not ensure an adequate level of protection under data protection law (i.e. the United States), must be carried out in compliance with Chapter V of the Regulation.
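As an added illustration (not code from the decision, from Google or from the Company) of the two points just made, the following Python example mimics the last-octet truncation that the decision describes for 'IP-Anonymization' and then shows why the Garante treats the result as pseudonymous rather than anonymous: the truncated address is matched against the other per-hit attributes listed in paragraph 2.1 (browser, screen resolution, language) and against data the importer already holds, and a login cookie links the hit to an account directly. Every hit record, profile record and cookie value below is constructed sample data; the IPv6 rule (zeroing the last 80 bits) is taken from Google's published description of the feature and is an assumption about that implementation, not something stated in the decision.

```python
"""Added illustration of GA-style 'IP-Anonymization' and of the linkage that
still re-identifies a visitor afterwards. All records are constructed."""
import ipaddress
from typing import Optional


def ga_anonymize_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address (122.48.54.17 -> 122.48.54.0),
    as described in the decision. For IPv6, zero the last 80 bits (assumed
    from Google's documentation of the feature)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.ip_address(int(addr) & 0xFFFFFF00))
    return str(ipaddress.ip_address(int(addr) & ~((1 << 80) - 1)))


# Constructed: one record per hit as the site's GA tag would ship it, with
# the full IP still present because truncation happens on Google's side.
HITS = [
    {"ga_cid": "GA1.2.1111.1", "ip": "122.48.54.17", "ua": "Firefox/99 (Linux)",
     "screen": "1920x1080", "lang": "it-IT", "page": "/gossip/1", "login_cookie": None},
    {"ga_cid": "GA1.2.2222.1", "ip": "122.48.54.200", "ua": "Safari/15 (iPhone)",
     "screen": "390x844", "lang": "it-IT", "page": "/tv/7", "login_cookie": "SID-xyz"},
    {"ga_cid": "GA1.2.3333.1", "ip": "122.48.54.201", "ua": "Safari/15 (iPhone)",
     "screen": "390x844", "lang": "it-IT", "page": "/tv/8", "login_cookie": None},
]

# Constructed: what the importer already knows about people from its own
# services (an IP seen elsewhere, browser attributes, and login-cookie -> account).
IMPORTER_PROFILES = [
    {"email": "a@example.com", "last_ip": "122.48.54.17",
     "ua": "Firefox/99 (Linux)", "screen": "1920x1080", "lang": "it-IT"},
    {"email": "b@example.com", "last_ip": "122.48.54.200",
     "ua": "Safari/15 (iPhone)", "screen": "390x844", "lang": "it-IT"},
    {"email": "c@example.com", "last_ip": "122.48.54.201",
     "ua": "Safari/15 (iPhone)", "screen": "390x844", "lang": "it-IT"},
    {"email": "d@example.com", "last_ip": "203.0.113.9",
     "ua": "Firefox/99 (Linux)", "screen": "1920x1080", "lang": "it-IT"},
]
LOGIN_COOKIE_TO_EMAIL = {"SID-xyz": "b@example.com"}


def candidates(hit: dict) -> list[str]:
    """Profiles consistent with a hit once only the /24 prefix survives:
    same truncated IP and the same browser, screen and language attributes."""
    prefix = ga_anonymize_ip(hit["ip"])
    return [p["email"] for p in IMPORTER_PROFILES
            if ga_anonymize_ip(p["last_ip"]) == prefix
            and (p["ua"], p["screen"], p["lang"]) == (hit["ua"], hit["screen"], hit["lang"])]


def reidentify(hit: dict) -> Optional[str]:
    """Return the one person a hit resolves to, or None if it stays ambiguous.
    A logged-in visitor is linked directly through the account cookie; otherwise
    the truncated IP plus browser attributes are matched against the importer's
    own profiles."""
    if hit["login_cookie"] in LOGIN_COOKIE_TO_EMAIL:
        return LOGIN_COOKIE_TO_EMAIL[hit["login_cookie"]]
    found = candidates(hit)
    return found[0] if len(found) == 1 else None


if __name__ == "__main__":
    for hit in HITS:
        print(hit["ga_cid"], ga_anonymize_ip(hit["ip"]), "->", reidentify(hit))
```

In the constructed data the first hit is re-identified from the /24 prefix and browser attributes alone, the second through the login cookie regardless of the IP, and only the third stays ambiguous because two profiles in the same /24 share its browser attributes. Truncation therefore reduces the identifying power of the address but does not remove it, which is the sense in which the decision calls the measure pseudonymisation.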

2.2 The unlawfulness of the transfers following ruling C-311/18, of 16 July 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, in its judgment in Case C-311/18 of 16 July 2020 (so-called Schrems II), in declaring the invalidity of Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield (so-called Privacy Shield), found that US domestic law (in particular Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act, hereinafter 'FISA 702') contains exemptions from data protection law that exceed the restrictions deemed necessary in a democratic society. This is with particular reference to the provisions allowing public authorities, within the framework of certain national security programmes, to have access without appropriate limitations to the personal data subject to transfer, and to the failure to provide the data subjects with rights that can be enforced before the courts.

In the same judgment, the Court also upheld the validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries, the clauses adopted by Caffeina in the present case (see paragraph 1 above). At the same time, it pointed out that, in accordance with the principle of accountability, data controllers, in their capacity as data exporters, are in any case required to verify, on a case-by-case basis and, where necessary, in cooperation with the data importer in the third country, whether the latter's law or practice affects the effectiveness of the appropriate safeguards contained in those clauses; this is to determine whether the safeguards provided for in the standard contractual clauses can be complied with in practice (Art. 5(2) and Art. 24; see also EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0 of 18 June 2021, paragraphs 1-5).

In general terms, it is therefore necessary to assess, in concreto, i.e. on the basis of the circumstances of the transfer, whether the instrument chosen by the exporter, among those identified in Article 46 of the Regulation, is effective in the specific case.

Such an examination, as pointed out by the European Data Protection Board - hereinafter 'EDPB' (see Recommendation No 1/2020, cit., p. 4), must 'focus first of all on the third country legislation [and applicable practices] relevant to the transfer [as well as] on the transfer instrument [identified] pursuant to Article 46 of the GDPR]' in order to verify that the aforesaid legislation and practices do not de facto prevent the importer from complying with the obligations laid down by the instrument used. More specifically, the above assessment 'entails the need to determine whether or not the transfer in question falls within the scope of the [above-mentioned legislation]'. It must 'be based on objective factors, irrespective of the likelihood of access to personal data' (see EDPB and EDPS Joint Opinion 2/2021 on the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted on 14 January 2021, para. 86).

Relevant for this purpose are the characteristics of the specific transfer carried out, such as: the purposes, the nature of the entities involved, the sector in which the transfer takes place, the categories of personal data transferred, whether the data are stored in the third country or accessed remotely, the format of the data to be transferred, and any subsequent transfers (see Recommendation No 1/2020, cit., para. 33).

The assessment required from the data exporter must therefore focus on the legislation and practices applicable in the third country to the specifically transferred data and involve verification of 'whether or not the public authorities in the third country (...) can attempt to access the data' as well as 'whether or not the public authorities in the third country (...) can access the data through the importer itself or through telecommunication providers or communication channels' (see Recommendation No 1/2020, cit., para. 31).

As regards the aforementioned possibility of access by the US Authorities, it must be borne in mind that it is confirmed by the "Transparency report on United States national security requests for user information" made available by Google on its website (available at the following link https://transparencyreport.google.com/user-data/us-national-security?hl=en); this report contains the numerical data relating to the access requests (which, as expressly indicated therein, may also concern "non-content metadata" such as IP addresses) received by Google, pursuant to FISA 702, at the request of the US national Authorities.

Having said this, with reference to what has been argued by the Company in its defence briefs, it is worth pointing out that

with regard to the inadequacy of the US legislation (see paragraph 1(a) above), the Court of Justice did not limit itself to an examination of the legal framework in force at the time of the adoption of the Privacy Shield. Rather, it took into account the regulatory provisions relating to surveillance programmes (see, in particular, FISA 702) in force at the time the judgment was handed down, holding that they did not ensure a level of protection substantially equivalent to that required by Article 52(1) of the Charter of Fundamental Rights of the European Union (see the judgment cited above, paras. 168-202);

as to the identification of the data that can be accessed by the US authorities pursuant to FISA 702 (see above, par. 1, point b), the White Paper of September 2020 contains general indications as to the object of the access requests that can be made by intelligence agencies, so as not to exclude a priori that, besides the e-mail address and the telephone number of the users, they can also refer to IP addresses (see in this respect White Paper of September 2020, cited above, p. 7). To confirm this, it should also be noted that in the 'Transparency report on United States national security requests for user information' (see above) made available by Google on its website, IP addresses appear among the information that can be the subject of access requests under FISA 702 together with other metadata (see in particular the description contained in the section called 'non-content requests under FISA');

lastly, with respect to the assessment of the suitability of the additional measures adopted in the present case (see above, par. 1, point e), the Company, in taking into consideration elements other than those contemplated by the EDPB, such as the "economic availability" of Caffeina Media S.r.l., "the costs of implementation" of the technical and organisational measures to be put in place, and "the content of the articles and topics (...) of a light-hearted nature and focused on entertainment areas" conveyed by the website www.caffeinamagazine.it (see note of 10 February 2022, p. 10, 15, 16, 17 and 8), substantially based that assessment on the "likelihood of the risk of data access by third parties" and on the "seriousness of the possible occurrence of [that] risk" (see note of 10 February 2022, p. 24). In this respect, on the other hand, it is reiterated that the Court, in the above-mentioned judgment, did not refer to 'any subjective factor, such as, for example, the likelihood of access' to the personal data transferred (see EDPB and EDPS Joint Opinion 2/2021, cited above, para. 87).

2.3. Unsuitability of additional measures taken by the controller.

Where it is found as a result of the above assessment that the legislation and practices of the third country prevent the data importer from complying with the obligations laid down in the chosen transfer instrument, as found in the present case, exporters must adopt additional measures ensuring a level of protection of personal data substantially equivalent to that provided for by the Regulation (see Recommendation No 1/2020, cited above, paras. 50-57, which sets out the criteria for identifying the measures to be adopted).

In this regard, with regard to the additional measures of a technical, but also contractual and organisational, nature adopted in the present case, the following should be noted.

The measures of a technical nature consist in the adoption of data encryption mechanisms, during the transfer between systems (in transit) and when stored in the systems (at rest).
Encryption in transit is applied when data are transferred between different systems, services or data centres over networks or infrastructures not controlled by the Company (e.g. wide area networks).

Encryption at rest, on the other hand, concerns user data stored on disk drives or in backup media and is based on the encryption of data using standard algorithms (usually AES-256) applied at different layers, starting with encryption at the hardware level, depending on the type of application and the specific risks. Access to Google LLC's data centres is protected by six layers of physical security measures.
In this regard, it should be noted that, taking into account the indications provided by the EDPB in Recommendation No. 1/2020, the above-mentioned technical measures are not adequate.

With regard to the data encryption mechanisms highlighted above, they are not sufficient to avert the risk of access, for national security purposes, by the public authorities of the United States to the data transferred from the European Union, since under the encryption techniques adopted the encryption keys remain in the hands of Google LLC, which holds them, as importer, because it needs the data in plain text in order to carry out the processing and provide the services. It should also be pointed out that the obligation to allow access by the US authorities falls on Google LLC not only with regard to the imported personal data, but also with regard to any cryptographic keys necessary to make them intelligible (see also Recommendation 1/2020, cit., par. 81).
It follows from this that, as long as the encryption key remains at the importer's disposal, the measures taken cannot be considered adequate (see Recommendation 1/2020, cit., para. 95).

This also takes into account certain contractual and organisational measures, consisting specifically of the undertaking to:

verify, in accordance with US law, the legitimacy of each individual request by the public authorities for access to the transferred user data, assessing its proportionality, and not grant it if, after careful evaluation, it is concluded that the conditions under the relevant legislation are not met;

promptly notify the data subject of access requests from the US public authorities, unless such disclosure is prohibited by the relevant legislation, and in any case inform the data subject once that prohibition is lifted;

publish a "Transparency Report" containing a summary of the requests for access to data received from the US public authorities, insofar as such publication is permitted by the relevant legislation;

publish the policy for handling requests by US public authorities for access to transferred user data.

In this regard, in fact, it should be noted that, as considered by the EDPB, in the absence of appropriate technical measures - a circumstance ascertained in the present case - the contractual and organisational measures indicated above, per se, cannot reduce or prevent the possibilities of access to the data subject to transfer by the US Authorities (see Recommendation 1/2020, cit., par. 53).

In the light of the foregoing, therefore, the additional measures adopted in the present case cannot be regarded as adequate with the consequent unlawfulness, pursuant to Articles 44 and 46 of the Regulation, of the relevant transfers of personal data to the United States.

2.4 Accountability of the data controller

The data controller is required to implement "appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is carried out in compliance with the [Regulation]" (so-called accountability principle; see Art. 5(2) and Art. 24(1) of the Regulation).

It is therefore up to the data controller to decide autonomously on the modalities, guarantees and limits of the processing of personal data in compliance with the relevant legislation on the subject. The Regulation, in fact, strongly emphasises the 'accountability' of the data controller, i.e., the adoption of proactive behaviour such as to demonstrate the concrete adoption of measures aimed at ensuring the application of personal data protection rules (see, in particular, Article 24 of the Regulation).

The implementation of the accountability principle with reference to transfers of data to third countries places the responsibility on the data controller, as exporter, to verify, on a case-by-case basis and, where necessary, in cooperation with the importer in the third country, whether the latter's law or practice affects the effectiveness of the adequate safeguards contained in the transfer instruments referred to in Article 46 of the Regulation.

In such cases, the exporter is obliged to adopt, in application of this principle, additional measures enabling the importer to comply with the obligations laid down in the instrument adopted pursuant to Article 46 of the Regulation; all this in order to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined (see Article 44 of the Regulation; see in this regard, Recommendation 1/2020, cit., paragraphs 1-5).

For all the reasons set out above, without prejudice to the unsuitability of the additional measures adopted in the present case, Caffeina Media S.r.l.'s argument as to its lack of autonomy with regard to the decisions to be taken on the transfer of data to third countries cannot be accepted (see above, par. 1, points c) and d)); this considering that the Company, by reason of its role under the data protection rules, is required, as already clarified, to implement, even in the context of cross-border transfers, adequate and effective measures to protect the rights and freedoms of the data subjects and to be able to demonstrate their compliance with the Regulation.

In the light of the above considerations, in engaging in the conduct described above, Caffeina Media S.r.l. has therefore breached Articles 5(2) and 24 of the Regulation.

2.5. Inadequacy of the information provided pursuant to Article 13 of the Regulation.

With reference to the information to be provided to the data subject, pursuant to Article 13 of the Regulation, it should be noted that, in the information notice provided to the complainant on the website www.caffeinamagazine.it, at the time of the collection of the data concerning him (see communication of 3 November 2021), some of the elements referred to in Article 13(1)(f) of the Regulation were not indicated.

Indeed, given that personal data must be 'processed lawfully, fairly and in a transparent manner in relation to the data subject' (Art. 5(1)(a) of the Regulation), the data controller, where a transfer of personal data takes place, is obliged, in compliance with the principle of transparency, to inform the data subject also of 'the fact that the controller intends to transfer personal data to a third country' as well as of 'the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available' (Art. 13(1)(f) of the Regulation).

In this regard, in any case, while taking note of the updating on 23 March 2022 of the information to be rendered to users on the website www.caffeinamagazine.it (see note of 10 February 2022, p. 30; see "Cookies Policy" available at https://www.caffeinamagazine.it/cookie-policy/), it should be noted that the model provided at the time by Caffeina Media S.r.l. to the complainant in this case (see communication of 3 November 2021), did not clearly define the elements referred to in Article 13(1)(f) of the Regulation concerning the transfer.

It follows, therefore, with reference to that model, that Article 5(1)(a) and Article 13(1)(f) of the Regulation have been infringed.

3. Conclusions: declaration of unlawfulness of the processing. Corrective measures under Article 58(2) of the Regulation.

For the above-mentioned reasons, the Authority considers that the statements, the documentation and the reconstructions provided by the data controller in the course of the preliminary investigation do not make it possible to overcome the findings notified by the Office in the act opening the proceedings and therefore do not warrant the dismissal of the present proceedings, as none of the cases provided for by Article 11 of the Garante's Regulation no. 1/2019 apply.

The processing of personal data carried out by the Company is therefore unlawful, in the terms set out above, in relation to Article 5(1)(a) and (2), Article 13(1)(f), Article 24 and Articles 44 and 46 of the Regulation.

Infringement of the above provisions entails the application of the administrative sanctions provided for in Article 83(5)(a), (b) and (c) of the Regulation.

In this respect, with reference to the elements to be taken into consideration in order to assess whether to impose an administrative fine (Article 83(2) of the Regulation), it should be noted first of all that, in relation to the nature and seriousness of the breach, the processing operations that are the object of the complaint did not concern special categories of personal data.

As regards the subjective element of the infringer, it must be considered that Caffeina Media S.r.l. - in view of the asymmetry of contractual power resulting from the primary market position assumed by Google in the web analytics services sector - mistakenly assumed as appropriate, on the basis of the information provided by Google, the additional measures adopted by the latter without exercising any decision-making power over them.

With regard to the measures adopted by the Company to mitigate the damage suffered by the data subjects, note is also taken of the initiatives taken by the data controller, following the notification pursuant to art. 166, paragraph 5 of the Code, concerning: updating the text of the information on the Company's website; adhering to the "IP-Anonymization" option made available by Google; improving the infrastructure in terms of security; updating the content management system used for the creation and management of the site; analysing the feasibility of implementing an alternative web analytics tool that "will no longer rely exclusively on tracking via cookies and (...) will no longer store the IP addresses of the data subjects" (see minutes of 25 March 2022 and supplementary note of 4 April 2022, p. 2).

Finally, for the purposes of the Authority's assessments, the absence of previous infringements and the loyal cooperation with the Garante during the proceedings are also relevant.

The nature and gravity of the infringement, the culpable nature of the infringement, as well as the further elements referred to above, therefore lead to classify the case under consideration as a 'minor infringement' (see Article 83(2) and recital 148 of the Regulation).

It is therefore considered that, in the present case, the data controller must be admonished, pursuant to Article 143 of the Code and Article 58(2)(b) of the Regulation, for having carried out processing in breach of Article 5(1)(a) and (2), Article 13(1)(f), Article 24 and Articles 44 and 46 of the Regulation.

Lastly, it is noted that the conditions set out in Article 17 of the Garante's Regulation No 1/2019, concerning internal procedures with external relevance, aimed at the performance of the tasks and exercise of the powers entrusted to the Garante, are met.

IN VIEW OF ALL THE FOREGOING, THE GARANTE:

a) pursuant to Article 57(1)(f) of the Regulation, declares the unlawfulness of the processing of personal data of users of the website www.caffeinamagazine.it carried out, through Google Analytics, by Caffeina Media S.r.l., with registered office in Rosignano Marittimo (LI), VAT no. 13524951004, in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

b) pursuant to Article 58(2)(d) of the Regulation, orders Caffeina Media S.r.l. to bring the processing of personal data of users of the website www.caffeinamagazine.it carried out by means of Google Analytics into compliance with Chapter V of the Regulation, by adopting appropriate additional measures, within ninety days of notification of this measure;

c) pursuant to Article 58(2)(j) of the Regulation, orders the suspension of the flow of the personal data identified above to Google LLC, based in the United States, if Caffeina Media S.r.l. does not comply with the provisions of point b) of this measure within the period laid down therein;

d) pursuant to recital 148 and Article 58(2)(b) of the Regulation, admonishes Caffeina Media S.r.l. for having processed personal data in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

e) considers that the prerequisites set out in Article 17 of Regulation No 1/2019, concerning internal procedures with external relevance, aimed at the performance of the tasks and the exercise of the powers entrusted to the Garante, are met.

Pursuant to Article 157 of the Code, the Garante requests Caffeina Media S.r.l. to communicate which initiatives have been undertaken in order to implement the provisions of this measure and in any case to provide adequately documented feedback, within ninety days of the date of notification of this decision; failure to do so may result in the application of the administrative fine provided for by Article 83(5)(e) of the Regulation.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the measure itself, or within sixty days if the appellant resides abroad.

Rome, 9 June 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei