Data subject awarded reparation after unlawful transfer of IP addresses Summary Our remarks The controller, an unnamed German company, • The transfer of personal data, including IP incorporated Google Fonts into their website, resulting addresses to third-party services such as Google in the automatic transmission of the data subject’s Fonts should only be done with the explicit and dynamic IP address to Google’s servers located in the informed consent of the data subject. United States. ° Don’t forget to conduct a TIA (See Mailchimp case The Decision of LG Munich and our Transfer Roadmap whitepaper). LG Munich awarded the data subject 100 EUR in • Controllers should take into consideration the reparations, as it found the data controller in breach of broad interpretation of the term ”damages” in the following violations: GDPR, Article 82(1), which aims to sanction data protection violations and prevent future ones. • The Court found that a dynamic IP address was to be considered as personal data as the controller • The risk of repetition is factually presumed when had an abstract opportunity to identify the data a violation of rights has been established, and subject (GDPR, Article 4(1)). controllers should take active measures to prevent further violations from occurring. • The Court found the transfer of the IP address to Google without the consent of the data subject to Please note that this decision was made prior to the be unlawful (GDPR, Article 6(1)(a)). EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the • The Court also held that the infringement is not SCHREMS II case and thereby ensures that entities in justified as necessary for the purpose of the the EU can transfer personal data to entities in the US legitimate interests pursued by the controller, that comply with the framework without conducting a since Google Fonts could be used without having a TIA. However, general considerations concerning the connection to Google’s servers (GDPR, Article 6(1)(f). transfer of personal data to other unsafe third countries • The Court held that the term ‘damages’ in GDPR, still apply. Article 82(1) is to be understood broadly, including to prevent future violations in cases of risk of repetition. Published: 20-05-2023 Journal number: 3 O 17493/20 Tags: 06 Transfers to third countries 61