|2023-03-17 · NEW: Appunta · Stampa · pdf|
Facebook login e Facebook Pixel Tracker dichiarati non compliant dal Garante Austriaco
appeal proceedings (as explicitly stated in the decision of the Federal Administrative Court of 20 May
2021, Zl. W214 222 6349-1/12E; implicitly the decision of the Administrative Court of 23 February
2021, Ra 2019/04/0054, in which it dealt with the determination of a past violation of the obligation to
maintain secrecy without addressing the lack of jurisdiction of the public authority).
There are no factual reasons for not exercising the declaratory competence pursuant to Art. 58 para. 6
DSGVO in conjunction with Art. 58 para. 6 DSGVO.
§ Article 24(2)(5) of the GDPR and Article 24(5) of the GDPR cannot also be used to establish a
violation of Article 44 of the GDPR, since in the present case, too, a violation of the law in the past -
namely data transfers to the USA on 12 August 2020 - is complained about and the right to complain
pursuant to Article 24(1) of the GDPR - as well as Article 77(1) of the GDPR - is generally linked to a
violation of the GDPR.
If the decision in an appeal procedure could only contain instructions pursuant to Article 58(2) of the
GDPR, there would be no room for Article 24(2)(5) and Article 24(5) of the GDPR.
As far as the first respondent in its statement of 18 October 2022 refers to Section 24 (6) of the FADP
and states that the alleged violation of the law has been remedied, it must be countered by the case
law of the Federal Administrative Court, according to which the possibility to subsequently remedy a
violation of the law pursuant to Section 24 (6) leg. cit. is not possible in the case of violations that have
already been committed (and can no longer be remedied) (cf. the decision of the Federal
Administrative Court of 29 June 2022, no. W245 2232755-1).
Thus, the data protection authority has the competence to make a determination in the present
D.4. Re point 1
The data protection authority suspended the proceedings in question by decision of 2 October 2020,
no. D155.028, 2020-0.527.429. D155.028, 2020-0.527.429.
Since ex officio decisions from which no right has accrued to anyone can be revoked or amended
both by the authority that issued the decision and, in the exercise of the supervisory right, by the
relevant higher authority, and no right to non-decision accrues to a party to the proceedings as a
result of a stay of proceedings, the above-mentioned decision of 2 October 2020 was also amenable
to a remedy pursuant to section 68(2) AVG.
D.5. Re point 2
a) On the term "personal data
According to the legal definition of Art. 4 No. 1 GDPR, "personal data means any information relating
to an identified or identifiable natural person (hereinafter referred to as 'data subject')".
identifiable means a natural person who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier
or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person".
As can be seen from the findings of fact (see C.8), the first respondent - as operator of the website -
implemented Facebook Business Tools on its website. As a result of this implementation - i.e.
information of the complainant's terminal device was transmitted to the servers of the second
respondent (see C.9):
• IP address;
• User agent;
• Mobile operating system and browser;
• Information about the host server (i.e. the website that contains the login feature);
• Date and time of the website visit;
• Language of the content (i.e. the language of the audience for which the website in question is
• Locale (i.e. usually the country code that refers to the Content-Language field in the HTTP
header, e.g. "en-US" versus "en-GB");
• HTTP Referrer (i.e. the URL of the page the person is on);
• Viewport data (i.e. the screen resolution of the device display);
• User ID;
• Cached Access Tokens;
• Standard HTTP Request Headers not already listed; and
• Stored values in FB cookies.
The data protection authority has already stated the following regarding the "Google Analytics" tool in
its non-rk decision of 22 April 2022, GZ: 2022-0.298.191 (available at www.dsb.gv.at):
"In the opinion of the data protection authority, there is already an interference with the fundamental right to
data protection pursuant to Art. 8 EU-GRC as well as § 1 DSG if certain authorities take measures - in
this case the assignment of such identification numbers - in order to individualise website visitors in
A standard of "identifiability" to the effect that it must be immediately possible to associate such
identification numbers also with a certain "face" of a natural person - i.e. in particular with the name of
the complainant - is not required (cf. in this regard already
the former Art. 29 Working Party's Opinion 4/2007, WP 136, 01248/07/DE on the concept of
"personal data" p. 16 f; cf. the supervisory authorities' guidance for telemedia providers from March
2019, p. 15).
Such an interpretation is supported by recital 26 of the GDPR, according to which the question of
whether a natural person is identifiable takes into account "[...] any means reasonably likely to be used by
the controller or by any other person to identify the natural person, directly or indirectly, such as singling
out". Singling out" is understood to mean "picking out from a crowd" (cf.
https://www.duden.de/rechtschreibung/aussondern, queried on 18 March 2022), which is in line with
the above considerations on individualisation of website visitors.
At this point, it should be noted that the European Data Protection Supervisor (EDPS) also takes the
view that "segregation" by marking a terminal device is to be considered as personal data. In his decision
of 5 January 2022, Ref. No. 2020-1013, against the European Parliament, the EDPS stated the
"Tracking cookies, such as the Stripe and the Google analytics cookies, are considered personal data,
even if the traditional identity parameters of the tracked users are unknown or have been deleted by
the tracker after collection. All records containing identifiers that can be used to single out users, are
considered as personal data under the Regulation and must be treated and protected as such." (p. 13,
original in English and with further references).
"[...] Tracking cookies such as the Stripe and Google Analytics Cookies are considered personal data,
even if the traditional identity parameters of the tracked users are unknown or have been deleted by
the tracker after collection. All data sets that contain identifiers that can be used to single out users
are considered personal data under the Regulation and must be treated and protected as such"
(translation by the DPA).
It is true that the EDPS has to apply Regulation (EU) 2018/1725, which applies to data processing by
Union institutions, bodies, offices and agencies. However, since Article 3(1) of Regulation (EU)
2018/1725 corresponds to the definition of Article 4(1) of the GDPR, these considerations can be
readily applied to the case at hand."
These considerations can be applied to the case at hand:
As a result of the implementation of Facebook Business Tools, cookies were set up on
end device of the complainant were set, which contain a unique, randomly generated value (see
C.11). This makes it possible to individualise the complainant's terminal device and record the
complainant's surfing behaviour in order to display suitable personalised advertising (see C.3).
Irrespective of this, at least Meta Ireland had the possibilityto link the data itreceiveddue to the
implementation of Facebook Business Tools on complainant's Facebookaccount.
It is clear from the Facebook Business Tools
It is not necessary that the first respondent alone must be able to establish a personal link, i.e. that all
information necessary for identification is with the first respondent (cf. ECJ judgments of 20 December
2017, C-434/16, para. 31, as well as of 19 October 2016, C-582/14,
margin note 43).
These remarks are also covered in Fashion ID. In the dg. decision, the ECJ also assumed that the
integration of a Facebook "Like" button on a website - irrespective of whether the button is also
clicked - triggers a processing of personal data (see the ECJ judgment of 29 July 2018, C-40/17 para
80). From the ECJ's perspective, it was therefore not necessary for the dg. Website operator must be
able to establish the personal reference.
"Like" button as well as Facebook Login and Facebook Pixel are part of the Facebook Business Tools
Thus, the information listed in the findings of fact under C.10. (at least in combination) is personal
data according to Art. 4 Z 1 DSGVO.
b) Distribution of roles
i) Respondent to the first complaint
As already explained, the first respondent as website operator took the decisionimplement Facebook
Business Tools on its website at the time relevant to the complaint. Specifically, it inserted a
In its statement of 7 March 2022, the first respondent explained that Facebook Pixel was
implementedtracking purposes and Face Login was implemented tosimplify the login processfor
premium customers on first respondent also explained that Facebook Pixel was
In doing so, the first respondent decided on the "purposes and means" of the data processing in
connection with the tool, which is why it is to be regarded as the controller within the meaning of
Article 4(7) of the GDPR.
ii) Second respondent
Despite extensive investigative proceedings - for example, an oral hearing of the second respondent
took place on 16 May 2022 - the data protection authority does not currently have sufficient
indications to qualify the second respondent as a data controller for the data processing in question.
In accordance with the data processing conditions (see C.6), the data protection authority therefore
assumes that the second respondent (then Facebook Inc.) was used as a processor within the
meaning of Article 28 (2) of the GDPR in the context of the data processing in question on 12 August
The question of whether the data access possibilities of US intelligence services change anything
about the role of the second respondent is addressed below.
c) Scope of Chapter V GDPR
According to Art. 44 of the GDPR, any "[...] transfer of personal data which have already been
or to be processed after their transfer to a third country or an international organisation [...] shall only be
allowed if the controller and the processor comply with the conditions laid down in this Chapter and also
with the other provisions of this Regulation, including any onward transfer of personal data from that
third country or international organisation to another third country or international organisation. All the
provisions of this Chapter shall be applied in order to ensure that the level of protection of natural
persons ensured by this Regulation is not undermined.".
The first respondent is based in Austria and is the data controller for the operation of the website.
Furthermore, the first respondent has disclosed personal data of the complainant by proactively
implementing Facebook Business Tools on its website and, as a result of this implementation, has
on its website and, as a result of this implementation
inter alia, a data transfer to the second respondent (registered office: USA) took place (see also
EDSA Guidelines 5/2021 as amended on 14 February 2023 FN 15: "Finally, it should be noted that
personal data disclosed via Cookies are not considered as being disclosed directly by the data
subject, but rather as
a transmission by the operator of the website that the data subject is visiting").
It can be left open whether personal data of the complainant were transferred directly to the second
respondent or only in a second step after they had been processed by Meta Ireland:
Pursuant to Article 28 (1) of the GDPR, the first respondent is obliged to cooperate only with
processors that offer sufficient guarantees that the data processing will be carried out in compliance
with the requirements of the GDPR ("selection fault").
According to the established case law of the Federal Administrative Court, the processor is the
"extended arm" of the controller and the commissioned processing is to be seen as part of the
processing by the controller itself (see the decision of the Federal Administrative Court of 20 October
2021, Zl. W211 2231475-1; also explicitly EDSA Guidelines 5/2021 as amended on 14 February
2023, margin no. 19, last sentence).
In the case at hand, the first respondent accepted Meta Ireland's data processing terms and
conditions for Facebook Business Tools and, in accordance with Article 28(2) o f t h e GDPR,
consented to Meta Ireland using the second respondent (then Facebook Inc.) as a so-called "data
(see C.6: "[...] You hereby authorise Facebook to engage Facebook Inc. [and other Facebook
companies] as its sub-processor(s)").
d) Set of rules of Chapter V GDPR
Subsequently, it must be examined whether the data transfers to the USA that are the subject of the
complaint took place in accordance with the provisions of Chapter V of the GDPR.
Chapter V of the Regulation provides for three (protection) instruments to ensure the adequate level
of protection required by Art. 44 GDPR for data transfers to a third country or an international
- Adequacy decision (Art. 45 GDPR);
- Appropriate safeguards (Art. 46 GDPR);
- Exceptions for certain cases (Art. 49 GDPR).
e) Adequacy decision
As can be seen from the findings of fact (see C.6 and C.7), the respondents invoked the EU-US
adequacy decision ("Privacy Shield") for the data transfer on 12 August 2020.
However, the ECJ has already pronounced on 16 July 2020, C-311/18, that the EU-US Adequacy
Decision does not ensure an adequate level of protection for individuals due to the relevant US law
and the implementation of regulatory surveillance programmes - based, inter alia, on Section 702 of
FISA and E.O. 12333 in conjunction with PPD-28 - do not ensure an adequate level of protection for
individuals (ibid. para. 180 et seq.) and has declared the EU-US adequacy decision invalid - without
upholding its effect (ibid. para. 201 et seq.).
According to the DPA, the Second Respondent also qualifies as an electronic communications service
provider within the meaning of 50 U.S.Code § 1881(b)(4) and is thus subject to surveillance by U.S.
intelligence agencies under 50 U.S.Code § 1881a ("FISA 702").
Accordingly, the second respondent has the obligation to notify the US authorities under 50 U.S. Code
§ Section 1881a to provide personal data. The Meta Group's transparency report (see C.12) shows
that the US secret authorities regularly make such requests.
(ii) appropriate guarantees
As can be seen from the findings of fact (see C.7), the Facebook contract addendum (including the
conclusion of standard data protection clauses) was only implemented after 12 August 2020.
ii) Exceptions for certain cases
The respondents did not rely on Art. 49 GDPR at any point in the investigation procedure.
From the perspective of the data protection authority, no facts of Art. 49 GDPR are fulfilled and, in
particular, no consent pursuant to Art. 49 (1) lit. a leg. cit. was obtained (cf. the ECJ ruling of 27
October 2022, C-129/21 para. 81 et seq. on the burden of proof of a controller in this regard).
The data transfers at issue on 12 August 2020 were not covered by any of the instruments of Art. 45
et seq. of the GDPR.
Therefore, a violation of Art. 44 of the GDPR had to be established according to the ruling.
D.6. Re point 3
a) Concerning grievance A)
It must be examined whether the second respondent (as data importer) is also subject to the
obligations standardised in Chapter V of the Regulation.
Based on the EDSA Guidelines 5/2021 as amended on 14 February 2023, it should be noted that a
"transfer to a third country or an international organisation" within the meaning of Art. 44 GDPR only
exists if, inter alia, the controller or processor (data exporter), by transfer or otherwise, transfers
personal data which are the subject of this
processing is disclosed to another controller, a joint controller or a processor (data importer) (ibid. para.
This requirement does not apply to the second respondent in the present case, as it (as data importer)
does not disclose the complainant's personal data, but (only) receives it.
It is true that the data protection authority does not overlook the fact that a data transfer necessarily
presupposes a recipient and that the second respondent is part of the data transfer (at least from a
technical point of view). However, it must be countered that the data protection responsibility in a
processing operation can nevertheless be "shared" (from a legal point of view), i.e. there can be a
different degree of responsibility depending on the phase of the processing operation (cf. the EDSA
Guidelines 7/2020 on the concept of controllers and processors, margin no. 63 et seqq).
In the opinion of the data protection authority, there is therefore no violation of Article 44 of the GDPR
by the second respondent.
b) Re grievance B)
Finally, a violation of Art. 5 et seq, Art. 28, and Art. 29 of the GDPR by the second respondent must
be examined. In this regard, the complainant argues that the second respondent processed his data
contrary to the instructions and requests of the first respondent.
The following is to be countered:
The data protection principles and the requirements for the lawfulness of data processing pursuant to
Art. 5 et seq. of the GDPR are, according to the explicit wording of Art. 5 para. 2 leg. cit. an obligation
of the controller.
However, in the opinion of the data protection authority, the (mere) possibility that the second
respondent becomes the addressee of enquiries by the US security authorities does not automatically
lead to its responsibility under Article 28 (10) of the GDPR. Such a broad interpretation of Article 28
(10) of the GDPR seems too expansive.
Moreover, a violation of Art. 28 and Art. 29 GDPR cannot be asserted as a subjective right insofar as
the cited provisions (only) regulate the relationship between the controller and the processor and a
violation by the processor is attributable to the controller (cf. again the decision of the BVwG of 20
October 2021, Zl. W211 2231475-1).
However, these remarks do not play a role for headnote 2, since in the context of a violation of Art. 44
GDPR, the success of the complaint is already fulfilled if personal data are transferred to the USA
without a protection instrument.
The decision was therefore in accordance with the ruling.
R E C O R D I N G M E A S U R E S
An appeal against this decision may be filed in writing with the Federal Administrative Court within
four weeks after service. The appeal must be lodged with the data protection authority and must
- the designation of the contested decision (GZ, subject)
- the designation of the authority against which proceedings have been brought,
- the grounds on which the allegation of illegality is based,
- the request and
- contain the information necessary to assess whether the complaint has been filed in time.
The data protection authority has the option of either amending its decision within two months by
means of a preliminary appeal decision or submitting the appeal with the files of the proceedings
to the Federal Administrative Court.
The appeal against this decision is subject to a fee. The fixed fee for a corresponding submission
including enclosures is 30 euros. The fee is to be paid to the account of the Tax Office Austria,
stating the purpose of use.
The fee must always be transferred electronically using the function "Finanzamtszahlung". The
Austrian Tax Office - Special Responsibilities Department must be indicated or selected as the
recipient (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore, the tax number/levy
account number 10 999/9102, the levy type "EEE complaint fee", the date of the notice as the period
and the amount are to be indicated.
If the e-banking system of your credit institution does not have the "tax office payment" function, the
eps procedure in FinanzOnline can be used. An electronic transfer can only be dispensed with if no e-
banking system has been used so far (even if the taxpayer has an internet connection). In this case,
the payment must be made by payment order, whereby attention must be paid to the correct
allocation. Further information is available from the tax office and in the manual "Electronic payment
and notification for payment of self-assessment levies".
The payment of the fee shall be proven to the data protection authority upon submission of the
complaint by means of a payment voucher to be attached to the submission or a printout showing that
a payment order has been issued. If the fee is not paid or not paid in full, the competent tax office
shall be notified.
A timely and admissible appeal to the Federal Administrative Court has a suspensive effect. The
suspensive effect may have been excluded in the ruling of the decision or may be excluded by a
6 March 2023
For the head of the data protection authority:
Signatory serialNumber=1831845058,CN=Data Protection Authority,C=AT
Information on the verification of the electronic seal or electronic signature
can be found at: https://www.signaturpruefung.gv.at
Information on how to check the printout can be found at:
Note This document has been officially signed.