Garante per la protezione dei dati personali (Italy) - 9782890

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 13(1)(f) GDPR
Article 24 GDPR
Article 44 GDPR
Article 46 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.06.2022
Published: 27.06.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 9782890
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: MW

Italy's DPA reprimanded a website operator for failing to provide appropriate safeguards for the transfer of personal data to the US through Google Analytics, ordering it to comply with Article 46 GDPR or suspend data transfers to Google LLC.

English Summary

Facts

The controller operated a news website that collected user information through the use of Google Analytics. The data subject complained to the DPA that the controller, through the use of Google Analytics cookies, was sending his personal data to the US absent the guarantees provided for in Chapter V GDPR. Through the use of Google Analytics cookies, the controller tracked users' interaction with its website and collected unique online identifiers that allowed the identification of users' browser or device, operating system, screen resolution, selected language, and date and time of access. If the user logged into their Google account, the data could then be associated with other information, like email address, telephone number, gender, date of birth, and profile picture. As part of a service called "IP-Anonymisation," Google truncated part of users' IP addresses. The DPA noted that this was actually pseudonymisation, because the truncated IP address could be used in combination with the other collected data to re-identify natural persons. Google LLC, and later Google Ireland, were responsible for processing the collected information. Even after the Google Analytics service's terms were changed to list Google Ireland as processor, Google LLC was still designated in the Google Analytics Terms of Service as sub-processor. Google claimed that it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR, consisting of encryption of personal data. It also argued that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being forced to disclose this data to the US government was exceedingly low. Google claimed that in over 15 years of providing its Google Analytics service, it had never received an access request like the one contemplated in the data subject's complaint.
For its part, the controller deemed the technical measures implemented by Google sufficient protection considering the nature of the data, the context in which they were collected, and the risk of access (the so-called "risk-based approach"). However, the controller did not have the technical means to verify the implementation of these measures, nor did it have any authority to decide what measures were appropriate or to dictate to Google choices regarding data transfers to third countries.

Holding

The DPA declared unlawful the processing carried out by the controller through the use of Google Analytics. It also clarified that, regardless of any asymmetry in bargaining power or technical resources, the controller is responsible for ensuring on a case-by-case basis that processing is lawful per Articles 5(2) and 24 GDPR (the accountability principle). The controller must decide independently on the methods, guarantees, and limits of processing. Regarding data transfers to a third country, the DPA rejected the risk-based approach, finding the controller in violation of Articles 44 and 46 GDPR. The low probability of an access request from US authorities did not relieve the controller of its responsibility to ensure adequate safeguards on personal data being transferred to a third country. Encryption was an insufficient technical safeguard because Google LLC remained in possession of the relevant encryption key: US authorities could simply compel Google LLC to turn over this key along with the encrypted data. The DPA also found the controller in violation of Article 13(1)(f) GDPR, because its privacy policy failed to disclose the intention to transfer personal data to a third country, the lack of an adequacy decision, or a reference to the appropriate safeguards referred to in Article 46(2) GDPR. For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Chapter V) within 90 days or suspend the transfer of data to Google LLC.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Provision of 9 June 2022 [web doc. no. 9782890]

Record of measures no. 224 of 9 June 2022


THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

GIVEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the complaint of 17 August 2020 presented pursuant to art. 77 of the Regulation by Mr. XX against Caffeina Media Srl;

EXAMINED the documentation on file;

GIVEN the observations made by the secretary general pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the company and the preliminary investigation.

With a complaint presented on 17 August 2020, Mr. XX complained that Caffeina Media Srl (hereinafter "the Company") had transferred personal data concerning him, processed through the website www.caffeinamagazine.it, to Google LLC, based in the United States, in the absence of the guarantees provided for by Chapter V of the Regulation.

As part of the investigation launched by the Guarantor, the Office, with notes of 30 July and 7 December 2021, asked the Company to provide information and clarifications on the facts that are the subject of the complaint.

With the communications of 15 October, 3 November and 22 December 2021, in response to the requests of the Office, Caffeina Media Srl stated the following:

the controller of the processing carried out through the website www.caffeinamagazine.it is the Company; this unlike what was previously indicated in the privacy notice made available on the aforementioned website pursuant to art. 13 of the Regulation, which contained an erroneous reference, now corrected, to Caffeina Media Ltd;

the processing of personal data of users of the site www.caffeinamagazine.it is carried out by the Company through the Google Analytics tool (hereinafter also "GA") in its "free version" (see note of 15 October 2021, p. 3 and note of 22 December 2021, p. 2);

the Company "has neither visibility of the details of the data collected, nor can it precisely describe the types" and "chose to use [Google Analytics] also because Google claims to only process pseudonymous and cookie-based data"; in detail: "(i) cookies, (ii) data relating to the device/browser, (iii) IP address and (iv) activity on the site" (see note of 15 October 2021, pp. 2 and 3);

Caffeina Media Srl "is bound by the contractual text ["Google Analytics Terms of Service"] approved in the platform (standard text imposed by the supplier Google)" and "as emerges from the contractual documentation imposed by Google, Google acts as processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 3);

more specifically, "the contractual counterpart [of the Google Analytics Terms of Service in the version dated 31 March 2021] is Google Ireland Limited", unlike the previous version of the aforementioned "Google Analytics Terms of Service", dated 17 June 2019, which was signed with Google LLC (see note of 22 December 2021, p. 2). Therefore, "Caffeina Media Srl acts as data controller and, (..) [from May 2021], Google Ireland Limited acts as processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3);

Caffeina Media Srl "does not have any level of autonomy regarding the choices related to data transfers to third countries, including the identification of the types of data that are the object of the aforementioned transfer" (see note of 15 October 2021, p. 7 and note of 22 December 2021, pp. 2 and 4); in particular, this specific processing operation is governed by art. 10 of the "Google Ads Data Processing Terms", under which "Caffeina, as exporter of the data, through Google Ireland Limited, may have carried out data transfer activities to the United States, with Google LLC as data importer". Furthermore, pursuant to the same provision, "the owner of the website agrees that Google may be supported in the processing activities by other companies of its group and, among the companies indicated, there is Google LLC, which would act as sub-processor" (see note of 15 October 2021, pp. 6 and 7 and note of 22 December 2021, p. 3);

the transfer of data to Google LLC is carried out through the standard contractual clauses corresponding to the standard set adopted on 5 February 2010 by the European Commission with decision no. 2010/87/EU, as per the communication made by Google to the Company on 3 August 2020 (see note of 15 October 2021, p. 7, in particular Annex B "Google Communication 3.08.2020");

these clauses have been supplemented by the additional measures adopted by Google, with respect to which the Company has "no possibility of verifying the implementation at a technical level (...), or of issuing specific instructions on the effective implementation of [the same]" (see note of 22 December 2021, p. 4); as part of the services offered through Google Analytics, Caffeina Media Srl has not signed up to the so-called data sharing option (note of 15 October 2021, p. 5);

in relation to the disputed transfer to Google LLC of the data relating to the complainant, Caffeina Media Srl "has no particular autonomy in the use of the [Google Analytics] tool, including the ability to know if the complainant's data was actually transferred to third countries" (see note of 15 October 2021, p. 6);

in relation to the obligations pursuant to art. 13 of the Regulation, Caffeina Media Srl "uses the automatic service of the company Iubenda srl for the management of the privacy and cookie notice" (with reference to the notice updated on 5 October 2021, see note of 15 October 2021, p. 9; and in this regard to the information provided to the complainant on 12 August 2020, see communication of 3 November 2021).

On 11 January 2022 the Office notified, pursuant to art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found with reference to art. 5, par. 1, lett. a), and par. 2, art. 13, art. 24 as well as arts. 44 and 46, par. 2, lett. c), of the Regulation.

On 10 February 2022 the Company sent its defence briefs, in which it represented that:

a) the US legislation taken into consideration by the Court of Justice of the European Union in its ruling C-311/18 of 16 July 2020 (so-called "Schrems II") must be subject to a new assessment of adequacy by the data protection authorities, in consideration of the regulatory developments that occurred after the adoption of the Privacy Shield and promptly outlined by the US government in the White Paper of September 2020 called "Information on US Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-US Data Transfers after Schrems II" (see note dated 10 February 2022, para. 1, pp. 3-9);

b) with specific reference to the scope of application of art. 702 of the Foreign Intelligence Surveillance Act, "it is virtually impossible for intelligence agencies to use only an IP address or a cookie - the only data possibly transferred by Caffeina"; this considering that, taking into account the procedures (so-called targeting procedures) for identifying the data that can be accessed by the Authorities, the data of primary interest for intelligence activities are users' e-mail addresses and telephone numbers (see note of 10 February 2022, pp. 6-7);

c) regarding the disputed unsuitability of the additional measures of a technical nature implemented by Google, the latter has adopted "high standards of (...) security" and "internal procedures (...) subject to various certifications. (...) Moreover, the (...) evaluations about the adequacy of the security measures to be adopted have been carried out by the supplier itself, which, after having carried out this analysis, then informed Caffeina of the update of the security measures and of the contractual documentation, precisely following the Schrems II ruling (...). And this in any case in line with the requirements of art. 14 of the new SCC". However, with respect to these measures, "Caffeina has neither the means nor the operational or technical possibilities for imposing changes to the [aforementioned] security measures on the supplier", not having "any bargaining power to enter into commercial dialogue with its counterpart [nor] (...) to interact with the same" (see note of 10 February 2022, pp. 10 and 12);

d) "with regard to the disputed transfer to Google LLC of the data relating to the complainant, Caffeina Media Srl does not have particular autonomy in the use of the [Google Analytics] tool", not having "at a technical level the possibility of knowing whether the personal data of Mr. XX were transferred" (see note of 10 February 2022, p. 13);

e) as regards the adequacy of the additional technical measures implemented by Google, Caffeina deemed them "relevant and effective in relation to the nature of the data and the context in which they were collected" as well as to the risk level of the transfer. All this in consideration of the fact that: i) the processing of data connected to the transfer under examination is part of a daily news site with a "light tone, focused on entertainment areas"; ii) "the Company uses the tool only in aggregate and statistical form, never seeing the raw data" and limits itself to processing pseudonymised data; iii) the level of risk must also be assessed on the basis of the degree of probability of the actual occurrence of access by public authorities to the data collected through Google Analytics on the website www.caffeinamagazine.it. In this regard, the Company reported what Google stated in a recent blog post of 19 January 2022 (available at the following address: https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/), regarding the circumstance that "the supplier has offered the Google Analytics service for over 15 years globally and has never received a request like the one complained of by the complainant" (note of 10 February 2022, pp. 10, 17, 18, 26 and 29; see also supplementary note of 4 April 2022, p. 5).

On 25 March 2022, during the hearing requested by the Company, the latter, in recalling the aforementioned briefs in full, also represented that it had adopted a series of technical and legal measures relating to: updating the text of the privacy notice present on the Company's website (see, in particular, the "Cookie Policy" available at the address https://www.caffeinamagazine.it/cookie-policy/); the implementation of a new technical structure of the site, created by updating to the most recent version of the content management system used by the Company and by migrating the aforementioned site to a new infrastructure that guarantees a higher level of security; adherence to the so-called "IP-Anonymisation" option provided by the Google Analytics tool; the start of the implementation of a new web analytics tool based, among other things, on the non-use of cookies and the absence of IP tracking (see minutes of 25 March 2022 and explanatory notes of 4 April 2022, p. 2).

2. Observations on the legislation on the protection of personal data relevant to the case in point and ascertained violations.

First of all, it is noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "Falsehood in declarations to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor".

All this dutifully stated, at the outcome of the preliminary investigation and the examination of the documentation acquired during it, it was ascertained that the transfers made by Caffeina Media Srl to Google LLC (based in the United States), through the Google Analytics tool, were carried out in violation of articles 44 and 46 of the Regulation; furthermore, violations of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), and of art. 24 of the Regulation are found, as explained below.


2.1 The transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website managers which allows the latter to analyse detailed statistics on users in order to optimise the services rendered and to monitor their marketing campaigns.

Caffeina Media Srl uses GA in its free version for purely statistical purposes or to obtain aggregate information on user activity within its website. It acts as data controller and designates Google as processor, pursuant to art. 28 of the Regulation, on the basis of the "Google Analytics Terms of Service" and the "Google Ads Data Processing Terms".

More specifically, in the case in question, Google LLC held, until 30 April 2021, the role of processor of the data collected through Google Analytics upon acceptance of the "Google Analytics Terms of Service" (see note dated 22 December 2021, p. 2).

As of 1 May 2021, the processor under the "Google Analytics Terms of Service" is Google Ireland Limited which, pursuant to the aforementioned terms of service, may use other parties as sub-processors, including Google LLC (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3).

As regards the processing carried out through Google Analytics, it was found that Caffeina Media Srl collects information on the ways users interact with the website, as well as with the individual pages and with the services offered. More specifically, the data collected consist of: unique online identifiers that allow the identification both of the browser or device of the user visiting the website and of the site manager itself (through the Google account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, the operating system, screen resolution, selected language, as well as date and time of the visit to the website.

In this regard, it should be noted that the IP address constitutes personal data to the extent that it allows an electronic communication device to be identified, thus making the data subject indirectly identifiable as a user (see Article 29 Working Party, WP 136 - Opinion no. 4/2007 on the concept of personal data, of 20 June 2007, p. 16). All this especially where, as in the present case, the IP address is associated with other information relating to the browser used and to the date and time of navigation (see recital 30 of the Regulation).

In addition, if the website visitor logs in to their Google account (a circumstance occurring in the hypothesis under examination), the data indicated above may be associated with other information in the relevant account, such as the email address (which constitutes the user ID of the account), the telephone number and any other personal data including gender, date of birth or profile picture.

In this regard, it is noted that Google, as part of the Google Analytics service, has made available to website operators the option called "IP-Anonymisation", which involves sending the user's IP address to Google Analytics after obscuring the least significant octet (on the basis of this operation, for example, the addresses from 122.48.54.0 to 122.48.54.255 would be replaced by 122.48.54.0). In the present case, the Company declared that the aforementioned option had not been activated at the date of the filing of the complaint, and also represented that it had adhered to it only later, as part of the adoption of a series of technical and legal measures implemented following the initiation of the procedure by the Guarantor pursuant to art. 166, paragraph 5 of the Code.

On this point, however, it is worth highlighting right now that "IP-Anonymisation" actually consists of a pseudonymisation of the data relating to the user's network address, as the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the overall information held by the same relating to web users. Furthermore, if the data subject has logged in to their Google profile, Google LLC retains the possibility of associating the IP address with other additional information already in its possession (such as information contained in the user account). This operation, therefore, despite the activation of "IP-Anonymisation", still allows the possible re-identification of the user.

In light of the overall findings, it should therefore be noted that the use of GA by website managers such as Caffeina Media Srl involves the transfer of personal data of visitors to the aforementioned sites to Google LLC, based in the United States. Such transfers, in that they are carried out to a third country that does not guarantee an adequate level of protection pursuant to data protection legislation (i.e. the United States), must be carried out in compliance with Chapter V of the Regulation.
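The Guarantor's point that last-octet truncation is pseudonymisation rather than anonymisation can be checked directly. The Python below is an added example, not part of the decision and not Google's implementation: it applies the truncation described above to a constructed hit log and counts how many visitors the attributes collected alongside the IP (browser, operating system, screen resolution, language) still single out within the shared /24.

```python
"""Last-octet "IP-Anonymisation" measured against the other GA attributes.

Added example (not from the decision). The hit log below is constructed,
not real traffic. It mirrors what the decision lists as collected per hit:
IP address plus browser, operating system, screen resolution and language.
"""
from collections import defaultdict
from ipaddress import IPv4Address

def truncate_last_octet(ip: str) -> str:
    """Zero the least significant octet, as the decision describes:
    122.48.54.0 .. 122.48.54.255 all become 122.48.54.0."""
    return str(IPv4Address(int(IPv4Address(ip)) & 0xFFFFFF00))

# Constructed hit log: five page views from four devices in one /24.
HITS = [
    {"ip": "122.48.54.17",  "browser": "Firefox 100", "os": "Linux",
     "screen": "1920x1080", "lang": "it-IT", "ts": "2022-06-09T10:01"},
    {"ip": "122.48.54.17",  "browser": "Firefox 100", "os": "Linux",
     "screen": "1920x1080", "lang": "it-IT", "ts": "2022-06-09T10:05"},
    {"ip": "122.48.54.200", "browser": "Chrome 102",  "os": "Android",
     "screen": "412x915",   "lang": "it-IT", "ts": "2022-06-09T10:02"},
    {"ip": "122.48.54.201", "browser": "Safari 15",   "os": "iOS",
     "screen": "390x844",   "lang": "en-GB", "ts": "2022-06-09T10:03"},
    {"ip": "122.48.54.202", "browser": "Chrome 102",  "os": "Android",
     "screen": "412x915",   "lang": "it-IT", "ts": "2022-06-09T10:07"},
]

def pseudonymise(hit: dict) -> dict:
    """What the importer receives with IP-Anonymisation on: the truncated
    address, with every other attribute of the hit unchanged."""
    out = dict(hit)
    out["ip"] = truncate_last_octet(hit["ip"])
    return out

def fingerprint(hit: dict) -> tuple:
    """The combination the Guarantor's reasoning rests on: truncated IP
    joined with the browser/device attributes sent in the same hit."""
    return (hit["ip"], hit["browser"], hit["os"], hit["screen"], hit["lang"])

def anonymity_set_size(hit: dict, hits: list) -> int:
    """Number of distinct raw addresses that share this hit's fingerprint
    after truncation. 1 means the visitor is still singled out."""
    target = fingerprint(pseudonymise(hit))
    return len({h["ip"] for h in hits if fingerprint(pseudonymise(h)) == target})

def reidentification_stats(hits: list) -> dict:
    """Across the whole log: how many fingerprints exist after truncation,
    and how many of them correspond to exactly one raw address."""
    raw_by_fp = defaultdict(set)
    for h in hits:
        raw_by_fp[fingerprint(pseudonymise(h))].add(h["ip"])
    singled_out = sum(1 for raws in raw_by_fp.values() if len(raws) == 1)
    return {"fingerprints": len(raw_by_fp),
            "singled_out": singled_out,
            "ambiguous": len(raw_by_fp) - singled_out}

if __name__ == "__main__":
    # All five hits now carry 122.48.54.0, yet two of the three fingerprints
    # still map to a single device; only the two identical Android phones
    # become indistinguishable from one another.
    print(reidentification_stats(HITS))
```

Adding the timestamp to the fingerprint, or joining the hit to account data held by the importer (the second step the decision describes), only narrows the anonymity set further.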

2.2 The unlawfulness of transfers following ruling C-311/18 of 16 July 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, with ruling C-311/18 of 16 July 2020 (so-called Schrems II), in declaring invalid EU Commission decision no. 2016/1250 of 12 July 2016 on the adequacy of the protection offered by the EU-US Privacy Shield (so-called Privacy Shield), found that the domestic law of the United States (in particular, Executive Order 12333 and art. 702 of the Foreign Intelligence Surveillance Act, hereinafter "FISA 702") entails derogations from data protection legislation that exceed the restrictions deemed necessary in a democratic society. All this with particular reference to the provisions that allow public authorities, within the framework of certain national security programmes, to access the personal data subject to transfer without adequate limitations, as well as to the failure to provide data subjects with rights that can be enforced before a court.

The Court, with the same ruling, also reaffirmed the validity of Commission decision no. 2010/87/EC of 5 February 2010 concerning the standard contractual clauses for the transfer of personal data to processors established in third countries, the clauses adopted by Caffeina in the present case (see paragraph 1 above). At the same time, it pointed out that, based on the principle of accountability, data controllers, as exporters, are in any case required to verify, case by case and, where necessary, in collaboration with the importer in the third country, whether the law or practice of the latter affect the effectiveness of the adequate guarantees contained in the aforementioned clauses, in order to determine whether the guarantees provided for by the standard contractual clauses can be respected in practice (Article 5, paragraph 2, and Article 24; see also Recommendation No. 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, of 18 June 2021, paragraphs 1-5).


In general terms, it is therefore necessary to evaluate, in practice, that is, on the basis of the circumstances of the transfer, whether the instrument chosen by the exporter, among those identified by art. 46 of the Regulation, is effective in the specific case.

This examination, as noted by the European Data Protection Board, hereinafter "EDPB" (see Recommendation No. 1/2020, cit., p. 4), must "focus first of all on the legislation of the third country [and applicable practices] relevant to the transfer [as well as] the transfer instrument [identified] pursuant to article 46 of the GDPR", in order to verify that the aforementioned legislation and practices do not in fact prevent the importer's compliance with the obligations established by the instrument used. More specifically, the above evaluation "involves the need to determine whether or not the transfer in question falls within the scope of application of the [aforementioned legislation]". It must "be based on objective factors, regardless of the likelihood of access to personal data" (see Joint Opinion 2/2021 of the EDPB and the EDPS on the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted on 14 January 2021, par. 86). The characteristics of the specific transfer carried out are relevant for this purpose, such as: the purposes, the nature of the parties involved, the sector in which the transfer takes place, the categories of personal data transferred, whether the data are stored in the third country or accessed remotely, the format of the data to be transferred and any onward transfers (see Recommendation no. 1/2020, cit., par. 33).

The assessment required of the exporter, therefore, must focus on the legislation and practices applicable, in the third country, to the data specifically transferred and entail verification of the "possibility or not, for the public authorities of the third country (...) to attempt to access the data" as well as the "ability or not, for the public authorities of the third country (...) to access the data through the importer itself or through telecommunications providers or communication channels" (see Recommendation No. 1/2020, cit., par. 31).

With regard to the aforementioned possibility of access by the US authorities, it is however necessary to consider that it is confirmed in the "Transparency report on United States national security requests for user information" made available by Google on its website (available at the following link: https://transparencyreport.google.com/user-data/us-national-security?hl=en); the report sets out the numerical data relating to access requests (which, as expressly stated therein, may also concern "non-content metadata" such as IP addresses) received by Google, under FISA 702, from the US national authorities.

All this dutifully stated, with reference to the claims made by the Company in its defence briefs, it is worth highlighting that:

with regard to the inadequacy of the US legislation (see above, paragraph 1, point a), the Court of Justice was not limited to examining the legal framework in force at the time of the adoption of the Privacy Shield. Rather, it took into account the regulatory provisions relating to the programmes (see, in particular, FISA 702) in force at the time the ruling was issued, stating that they do not substantially guarantee a level of protection equivalent to that referred to in Article 52(1) of the Charter of Fundamental Rights of the European Union (see ruling cit., points 168-202);

with regard to the identification of the data that can be accessed by the US authorities pursuant to FISA 702 (see above, paragraph 1, point b), the White Paper of September 2020 contains general indications regarding the subject of the access requests that can be made by intelligence agencies, such as not to exclude a priori that, in addition to users' e-mail addresses and telephone numbers, they may also refer to IP addresses (see in this regard White Paper of September 2020, cit., page 7). To confirm this, it should also be noted that in the "Transparency report on United States national security requests for user information" (see above) made available by Google on its site, the IP address appears to be included among the information that can be the subject of an access request pursuant to FISA 702 together with other metadata (see in particular the description contained in the section called "non-content requests under FISA");

lastly, with respect to the assessment of the suitability of the additional measures adopted in the present case (see above, paragraph 1, point e), the Company, in taking into consideration elements other than those contemplated by the EDPB, such as the "economic availability" of Caffeina Media Srl, "the implementation costs" of the technical and organisational measures to be implemented, and "the tenor of the articles and themes (...) with a light tone and focused on entertainment areas" conveyed by the website www.caffeinamagazine.it (see note of 10 February 2022, pages 10, 15, 16, 17 and 8), substantially based the aforementioned assessment on the "probability that the risk of access to data by third parties materialises" and the "seriousness of the possible occurrence of the [aforementioned] risk" (see note of 10 February 2022, page 24). In this regard, on the other hand, it is reiterated that the Court, in the aforementioned ruling, did not refer to "any subjective factor, such as, for example, the probability of access" to the personal data transferred (see Joint Opinion 2/2021 of the EDPB and the EDPS, cit., para. 87).

2.3.  Unsuitability of the additional measures adopted by the data controller.

If following the above assessment it is found that the legislation and practices of the country
thirdly, prevent the importer from complying with the obligations under the transfer instrument
chosen, as found in the present case, exporters must take measures

that substantially guarantee a level of protection of personal data
equivalent to that provided for by the Regulation (see Recommendation No. 1/2020, cit., paragraphs 50-
57, which indicates the criteria for identifying the measures to be adopted).

In this regard, with respect to the additional measures of a technical, but also contractual and
organisational, nature adopted in the case under examination, it is worth noting the following.


The measures of a technical nature consist in the adoption of data encryption mechanisms, both during
transfer between systems (in transit) and when data is stored in the systems (at rest).
In-transit encryption is adopted where data is transferred between different systems, services or data centres
through networks or infrastructures not controlled by the Company (e.g. wide-area networks).

At-rest encryption, on the other hand, concerns user data stored on disk drives or
backup drives and is based on data encryption using standard algorithms (usually AES256)
and on encryption at different levels, starting from encryption at the hardware level, depending on the type of
application and the specific risks. Access to Google LLC data centres is protected by 6 levels of
physical security measures.

In this regard, it should be noted that, taking into account the indications provided by the EDPB in Recommendation
No. 1/2020, the aforementioned technical measures are not adequate.

As for the data encryption mechanisms highlighted above, they are not sufficient to
avert the risk of access, for national security purposes, by the public authorities of the United States
to data transferred from the European Union, since the encryption techniques adopted provide
that the encryption key is held by Google LLC which, as
importer, needs the data in clear in order to process it and
provide its services. It is also worth noting that the obligation to allow access by the
US authorities falls on Google LLC not only with reference to the imported personal data, but
also with regard to any cryptographic keys necessary to make them intelligible (see also
Recommendation 1/2020, cit., para. 81).

From this it follows that, as long as the encryption key remains available to the
importer, the measures adopted cannot be considered adequate (see Recommendation 1/2020,
cit., para. 95).

This also taking into account the specific contractual and organisational measures, consisting
in the commitment to:

verify, in accordance with US law, the legitimacy of each individual request by public authorities for
access to the transferred user data, evaluating its proportionality, and not to comply with such a request where, following careful
evaluation, it is concluded that the conditions required by the relevant regulations do not exist;

promptly notify the data subject of access requests from US public authorities, unless such communication is prohibited by the relevant legislation,
informing the data subject in any case if the above prohibition is lifted;

publish a "Transparency Report" containing a summary of the requests for access to data
received from US public authorities, to the extent such publication
is permitted by the relevant legislation;

publish the policy for managing requests by US public authorities for access to user data subject to
transfer.

In this regard, it is noted that, as considered by the EDPB, in the absence of suitable technical measures
- a circumstance ascertained in this case - the contractual and organisational measures indicated above
cannot, per se, reduce or prevent the possibility of access to the data being transferred by the
US authorities (see Recommendation 1/2020, cit., para. 53).

In the light of the foregoing, therefore, the additional measures
adopted in the present case cannot be considered adequate, with the consequent unlawfulness,
pursuant to Articles 44 and 46 of the Regulation, of the relevant transfers of personal data to the
United States.

2.4 Accountability of the data controller

The controller is required to put in place "appropriate technical and organisational measures to ensure, and
be able to demonstrate that processing is carried out in accordance with the [Regulation]"
(so-called accountability principle; see Art. 5(2) and Art. 24(1) of the Regulation).


It is therefore up to the data controller to decide independently on the methods, guarantees and
limits of the processing of personal data in compliance with the relevant legislation. The
Regulation, in fact, strongly emphasises the 'empowerment' of the data controller, i.e.
the adoption of proactive behaviour such as to demonstrate the concrete adoption of measures
aimed at ensuring the application of the rules on the protection of personal data (see, in
particular, Article 24 of the Regulation).

The implementation of the accountability principle with regard to data transfers to third countries
places the responsibility on the controller, as exporter, to verify, on a case-by-case basis and,
where necessary, in cooperation with the importer in the third country, whether the law or practice
of the latter affects the effectiveness of the appropriate safeguards contained in the
transfer instruments referred to in Article 46 of the Regulation.


In such cases, the exporter is required to take, in application of this principle,
additional measures enabling the importer to comply with the obligations under the instrument
adopted pursuant to Article 46 of the Regulation; all this in order to ensure that the level of
protection of natural persons guaranteed by the Regulation is not undermined (see Art. 44 of the
Regulation; see in this respect Recommendation 1/2020, cit., paragraphs 1-5).


For all the reasons set out above, without prejudice to the finding of the unsuitability of the additional measures
adopted in the present case, the arguments put forward by Caffeina Media Srl
regarding its lack of autonomy with respect to the decisions to be taken on the
transfer of data to third countries (see paragraph 1(c) and (d) above) cannot be accepted; this in view of the fact that the
Company, by reason of its role under the data protection regulations, is
required, as already clarified, to put in place, also in the context of cross-border transfers,
appropriate and effective measures to protect the rights and freedoms of data subjects and to be able
to demonstrate their compliance with the Regulation.

In the light of the above considerations, in engaging in the conduct described above, Caffeina Media
Srl has therefore infringed Articles 5(2) and 24 of the Regulation.


2.5. Inadequacy of the information provided pursuant to Article 13 of the Regulation.

With reference to the information that must be provided to the data subject, pursuant to Article 13 of the
Regulation, it should be noted that, in the notice provided to the complainant on the website
www.caffeinamagazine.it at the time of the collection of the data concerning him (see communication of 3
November 2021), some of the elements referred to in Article 13(1)(f) of the
Regulation were not clearly set out.

Indeed, in view of the fact that personal data must be 'processed lawfully,
fairly and in a transparent manner in relation to the data subject' (Art. 5(1)(a) of the Regulation), the
data controller, where a transfer of personal data takes place, has an obligation,
in compliance with the principle of transparency, to inform the data subject also of
the 'intention to transfer personal data to a third country' as well as of 'the existence or absence of an
adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or
47, or Article 49(1), second subparagraph, the reference to the appropriate or
suitable safeguards and the means of obtaining a copy of those safeguards or the place where they have been made
available' (Art. 13(1)(f) of the Regulation).

In this regard, however, while taking note of the update on 23 March 2022
of the information made available to users at www.caffeinamagazine.it (see note of 10 February
2022, p. 30; see "Cookies Policy" available at https://www.caffeinamagazine.it/cookie-policy/),
it should be noted that the notice provided by Caffeina Media Srl to the complainant in the
present case (see communication of 3 November 2021) did not clearly set out the elements of
Article 13(1)(f) of the Regulation concerning the transfer.

It follows, therefore, with reference to that notice, that Article 5(1)(a) and
Article 13(1)(f) of the Regulation have been infringed.


3. Conclusion: declaration of unlawfulness of the processing. Corrective measures pursuant to Art. 58, para. 2 of the Regulation.

For the above reasons, the Authority considers that the statements, documentation and reconstructions
provided by the data controller in the course of the investigation do not make it possible to overcome the findings
notified by the Office with the act initiating the procedure, and that they are therefore unsuitable to warrant the
dismissal of these proceedings, since none of the cases provided for in Article
11 of the Garante's Regulation No. 1/2019 applies.

The processing of personal data carried out by the Company is therefore unlawful, in the terms
overall indicated above, in relation to Article 5(1)(a) and (2), to Article 13(1)
(f), Article 24, and Articles 44 and 46 of the Regulation.

Violation of the aforementioned provisions entails the application of the sanctions provided for in
Article 83(5)(a), (b) and (c) of the Regulation.

In this regard, with reference to the elements to be taken into consideration in order to assess whether to
impose an administrative pecuniary sanction (Article 83(2) of the Regulation), it should be noted
first of all that, in relation to the nature and gravity of the infringement, the processing operations
in dispute did not concern special categories of personal data.


As regards the subjective element of the infringer, it must be considered that Caffeina Media
Srl - in view of the asymmetry of contractual power resulting from the primary market position
held by Google in the field of web analytics services - wrongly assumed to be
appropriate, on the basis of the information provided by Google, the additional measures adopted by
the latter, without exercising any decision-making power over them.


With regard to the measures adopted by the Company to mitigate the damage suffered by the data subjects, note is
also taken of the initiatives undertaken by the data controller following the notification pursuant to Article 166, paragraph 5 of the Code, concerning: the updating of the text of the information notice on the
company's website; adherence to the "IP-Anonymization" option made available by
Google; infrastructural improvements in terms of security; the updating of the content
management system used for the creation and management of the site; a feasibility analysis of the
implementation of an alternative web analytics tool that 'will no longer
rely exclusively on tracking via cookies and which (...) will no longer store the IP addresses of the
data subjects' (see minutes of 25 March 2022 and supplementary note of 4 April 2022, p. 2).


Finally, the absence of previous infringements and the loyal cooperation with the Garante during
the proceedings are also relevant for the purposes of the Authority's assessments.

The nature and seriousness of the infringement, its culpable nature, and the additional
elements mentioned above therefore lead to the classification of the case in question as a
'minor infringement' (see Article 83(2) and recital 148).


It is therefore considered that, in the present case, the data controller should be admonished,
pursuant to Article 143 of the Code and Article 58(2)(b) of the Regulation, for having carried out
processing in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation.

Lastly, it should be noted that the conditions laid down in Article 17 of the Garante's Regulation No.
1/2019, concerning internal procedures having external relevance, aimed at the performance of the
tasks and the exercise of the powers entrusted to the Garante, are met.

HAVING REGARD TO ALL THE FOREGOING, THE GARANTE:

a) pursuant to Article 57(1)(f) of the Regulation, declares unlawful the processing of
personal data of users of the website www.caffeinamagazine.it carried out, by means of
Google Analytics, by Caffeina Media Srl with registered office in Rosignano Marittimo (LI), VAT no.
13524951004, for infringement of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

b) pursuant to Article 58(2)(d) of the Regulation, orders Caffeina Media Srl to bring
the processing of personal data of users of the site www.caffeinamagazine.it carried out by means of
Google Analytics into compliance with Chapter V of the Regulation, within a period of 90 days from the notification of
this measure, by adopting appropriate additional measures;

c) pursuant to Article 58(2)(j) of the Regulation, orders the suspension of the flow, towards
Google LLC based in the United States, of the personal data identified above, if Caffeina
Media Srl does not comply with what is established in point b) of this provision within the
term provided for therein;

d) pursuant to recital 148 and Article 58(2)(b) of the Regulation, admonishes
Caffeina Media Srl for having processed personal data in breach of
Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;


e) considers that the requirements of Article 17 of Regulation No. 1/2019 are met,
concerning internal procedures with external relevance, aimed at the performance of the
tasks and the exercise of the powers entrusted to the Garante.

Pursuant to Article 157 of the Code, it requests Caffeina Media Srl to communicate which initiatives
have been undertaken in order to implement the provisions of this
decision and, in any event, to provide adequately documented feedback within ninety days from the date of notification of this decision;
any failure to reply may result in the application of the pecuniary administrative sanction provided for in
Article 83(5)(e) of the Regulation.

Pursuant to Art. 78 of the Regulation, Art. 152 of the Code and Art. 10 of Legislative Decree of 1
September 2011, No. 150, an appeal against this measure may be lodged
before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the
date of communication of the measure itself, or within sixty days if the appellant
resides abroad.

Rome, 9 June 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei