Garante invalidates use of Google Analytics for #SchremsII violation.
(1) Use of GA by the managers of the websites involves the transfer of the personal data of visitors to Google LLC based in the United States and must comply with Chapter V GDPR.
- IP address constitutes personal data to the extent that it allows the identification of an electronic communication device, thus making the data subject indirectly identifiable as a user.
- This holds all the more where, as in the present case, the IP address is associated with other information relating to the browser used and the date and time of navigation.
- If the visitor to the website logs into his/her Google account, this data may be associated with other information present in the relevant account, such as the email address (which constitutes the user ID of the account), the telephone number and any other personal data including gender, date of birth or profile picture.
- "IP-Anonymization" actually consists of a pseudonymisation of the data relating to the user's network address, as the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the overall information it holds relating to web users. Furthermore, Google LLC has the possibility - if the interested party has accessed his/her Google profile - to associate the IP address with other additional information already in its possession (such as the information contained in the user account). This operation, therefore, despite the activation of "IP-Anonymization", still allows the possible re-identification of the user.
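The following is an added example, not taken from the decision or from Google. Over constructed sample hits, it measures how many visitors are still singled out once the last octet is truncated and the stored address is combined with the browser and time of navigation mentioned above. All records, field choices and function names are assumptions made for illustration.

```python
import ipaddress

def truncate_last_octet(ip: str) -> str:
    """Zero the last octet of an IPv4 address (the truncation described above)."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)

# Constructed sample hits: (ip, browser, minute of visit). Not real data;
# the addresses come from the documentation ranges of RFC 5737.
HITS = [
    ("203.0.113.17", "Firefox/102 Linux", "T10:01"),
    ("203.0.113.54", "Chrome/102 Windows", "T10:01"),
    ("203.0.113.99", "Chrome/102 Windows", "T10:07"),
    ("203.0.113.200", "Safari/15 macOS", "T10:07"),
    ("198.51.100.8", "Chrome/102 Windows", "T10:01"),
    ("198.51.100.77", "Chrome/102 Windows", "T10:01"),
]

def anonymity_sets(hits, use_context: bool) -> dict:
    """Map each stored key to the number of distinct raw IPs that share it."""
    groups = {}
    for ip, browser, minute in hits:
        key = (truncate_last_octet(ip),)
        if use_context:
            # Same truncated address, but kept next to browser and time.
            key += (browser, minute)
        groups.setdefault(key, set()).add(ip)
    return {key: len(ips) for key, ips in groups.items()}

def singled_out(hits, use_context: bool) -> int:
    """Count stored keys that correspond to exactly one visitor."""
    return sum(1 for n in anonymity_sets(hits, use_context).values() if n == 1)

if __name__ == "__main__":
    print("truncated IP only:", anonymity_sets(HITS, use_context=False))
    print("unique visitors, truncated IP only:", singled_out(HITS, False))
    print("unique visitors, with browser and time:", singled_out(HITS, True))
```

With the truncated address alone no visitor in the sample is unique; with browser and time attached, four of the six are, which is the sense in which the measure pseudonymises rather than anonymises.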
(2) The supplemental measures adopted in this case cannot be considered adequate, and the transfer is consequently unlawful.
- As long as the encryption key remains available to the importer, encryption cannot be considered an adequate supplemental measure.
- In the absence of suitable technical measures, contractual and organizational measures cannot, in themselves, reduce or prevent the possibility of the US authorities accessing the data subject to transfer.
(3) The controller is liable for issues re cross-border transfers.
- The controller must implement "adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in accordance with GDPR".
- It is up to the controller to decide autonomously the methods, guarantees and limits of the processing of personal data.
- The application of the accountability principle with reference to data transfers to third countries places the responsibility on the owner, as exporter, of verifying, case by case and, where necessary, in collaboration with the importer in the third country, whether the law or the practice of the latter affects the effectiveness of the adequate guarantees contained in the transfer instruments referred to in Article 46 GDPR.
- Arguments by a data controller regarding the lack of autonomy of the same with respect to the decisions to be taken regarding the transfer of data cannot be accepted.
In compliance with the principle of transparency, you have to inform the interested parties of: "the intention to transfer personal data to a third country" as well as "the existence or the absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), the reference to appropriate or suitable safeguards and the means to obtain a copy of such guarantees or the place where they were made available".
- Caffeina Media Srl must comply with Chapter V of the Regulation within ninety days.
- Without this compliance, the data flows to Google LLC are suspended.
- Garante issues a warning to Caffeina Media.
- Caffeina Media must communicate which initiatives have been undertaken in order to implement the provisions of the decision and in any case provide adequately documented feedback, within ninety days.