Google was fined by the AEPD and ordered to come into compliance after Lumen Project data transfers

Google was fined by the AEPD and ordered to come into compliance after GDPR violations relating to Lumen Project data transfers.


The AEPD has issued a decision in the case against Google LLC, which states that the company has committed two very serious GDPR violations. The Spanish Data Protection Agency decided to impose a fine of 10 million euros on Google LLC, for sharing data with third parties without a legal basis to do so, and for infringing upon citizens’ right to erasure. This case concerned the transfer of requests regarding the removal of content from Google’s various products and platforms, such as Google search and YouTube, to a third party, called the ‘Lumen Project’.


User data was being unlawfully transferred to a third party, the Lumen Project, when customers requested that their data be erased. 


When users requested that their information be deleted, thereby exercising their right to erasure, they were required to fill out a form and consent to their information being shared with the third party. This process violated both Articles 6 and 17 of the GDPR. According to the AEPD’s statement, this transfer of data by Google LLC to the Lumen Project was imposed on users who, when filling in its forms to exercise their right to erasure, were not given the choice to opt out of sharing this data. As a result, Google cannot possibly obtain valid consent for the transfer of that user data via that process. In addition, Google’s privacy policy made no mention of the processing of users’ personal data, nor did it list the transfer of that data to the Lumen Project among the purposes. The system through which users are able to exercise their right to erasure was designed by Google LLC, and it led the user through various pages to complete their request. Part of this process required the user to fill in a form, consenting to the transfer of their data, including their identification, email address, and other information, to a third party.


As a result of this infringement, Google was fined and ordered to come into compliance. 


The AEPD explained in its decision that, once the request for removal of content has been submitted and the right has been met, meaning the deletion of personal data has been agreed upon, “there is no possibility of subsequent processing of the same, as is the communication that Google LLC makes to the Lumen Project.” Google was hit with a fine of €10 million for the two infractions and is also expected to delete all the personal data that has been the subject of a request for the right to erasure, which was transferred to the Lumen Project. The company is also expected to urge the Lumen Project to delete, and cease the use of, the personal data that it has received.


Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
