Der Europäische Datenschutzbeauftragter stellt in einer aktuellen Entscheidung (Case 2020-1013) fest, dass EU-Parlament gegen die DSGVO verstößt und hat die Einrichtung aufgefordert, innerhalb 1 Monats die Rechtsverletzungen zu beseitigen. Kern des Anstoßes ist der Einsatz von Google Analytics und des US-Payment-Anbieters Stripes auf der Webseite.
Inhaltlich geht es dabei um eine Webseite des EU-Parlament, auf der Covid-19-Tests bestellt werden konnten. Dort wurde das Analyse-Werkzeug Google Analytics und das Tool des US-Payment-Anbieters Stripes eingesetzt.
Beides verstoße gegen die DSGVO und sei daher rechtswidrig:
"Therefore, the EDPS considers that personal data of visitors to the Parliament’s dedicated website were processed through the abovementioned trackers even if this only happened where users visited the website through a network other than the Parliament’s. For the period between 30 September and 4 November 2020, during which the trackers remained on the website, personal data processed through them were transferred to the US, where both.
Stripe and Google LLC are located. The conclusion that transfers to the US took place is reinforced by the circumstance highlighted by the complainants, according to which, ‘all data collected through Google Analytics is hosted (i.e. stored and further processed) in the USA’. Furthermore, the first version of the Parliament’s data protection notice on the dedicated website referred to the use of Standard Contractual Clauses (SCCs) for the transfers of data outside of the EU, which is what Google refers to in its data protection notice in order to inform of transfers of data from the EU/EEA to non-EU/EEA countries."
"The EUIs must remain in control and take informed decisions when selecting processors and allowing transfers of personal data outside the EEA. The EDPS recalls that absent an adequacy decision for transfers to, among other destinations, the US, controllers and processors may transfer personal data to a third country only if appropriate safeguards are provided, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available29. Such safeguards may be provided in Standard Contractual Clauses (SCCs) or another transfer tool. The transfer tool relied on must ensure that data subjects, whose personal data are transferred to a third country pursuant to that transfer tool, are afforded a level of protection in that third country that is essentially equivalent to that guaranteed within the EU by EU data protection law, read in the light of the Charter.
However, the use of SCCs or another transfer tool (e.g. ad hoc contractual clauses) does not substitute the individual case-by-case assessment that an EUI as a controller must carry out, in accordance with the Schrems II judgement, to determine whether in the context of the specific transfer, the third country of destination affords the transferred data an essentially equivalent level of protection to that in the EU. The EUI, where appropriate in collaboration with the data importer in the third country, must carry out this assessment of the effectiveness of the proposed safeguards before any transfer is made or a suspended transfer is resumed.
Where the essentially equivalent level of protection for the transferred data is not effectively ensured, because the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the used SCCs for transfers or another transfer tool, the EUI must implement contractual, technical and organisational measures to effectively supplement the safeguards in the transfer tool, where necessary together with the data importer ."
Die Beanstandungen betrafen nicht nur diese beiden Punkte, sondern auch die fehlerhafte Ausgestaltung der Cookie-Hinweise und unzureichende Datenschutzinformationen.
Der Europäische Datenschutzbeauftragte hat angeordnet, dass das EU-Parlament innerhalb 1 Monats die Beanstandungen zu beseitigen hat.