Alphabet DMA Article 6(11) Google Search Data Sharing Preliminary Findings

CASE SUMMARY CASE DMA.100209 - SP - ALPHABET - ARTICLE 6(11) GOOGLE SEARCH DATA SHARING On 5 September 2023, the Commission adopted a decision designating Alphabet as a gatekeeper under the Digital Markets Act (DMA) for a number of its services, including its online search engine Google Search. As a result, Alphabet must comply with the obligations set out in the DMA. Under Article 6(11) of the DMA, Alphabet must share anonymised online search data with third- party search engines under fair, reasonable and non-discriminatory (FRAND) conditions. On 27 January 2026, the Commission opened proceedings pursuant to Article 20(1) of the DMA in view of specifying the measures Alphabet must put in place to effectively comply with its online search data sharing obligations. The purpose of the proceedings is to detail the measures that Alphabet must take, as to achieve effective compliance with the online search data sharing obligation of the DMA. On 16 April 2026, the Commission adopted its preliminary findings setting out the proposed measures that Alphabet should implement to ensure effective online search data sharing with third- party online search engines. Interested third parties are now consulted on these measures, and in particular on their effectiveness, completeness, and implementation timelines. These measures are preliminary and might be adjusted subject to feedback from third parties and Alphabet, as well as further investigative steps. In summary, the proposed measures cover five areas: Eligibility The proposed measures on eligibility specify which third parties are eligible to receive search data under Article 6(11) of the DMA. The proposed measures specify that beneficiaries must operate an online search engine in the EEA to be eligible to receive the search data. This includes AI chatbots that provide online search engine functionalities. Data scope The proposed measures on data scope specify which data Alphabet must share to effectively comply with Article 6(11) of the DMA. The proposed measures specify that the principle of parity guides the scope of the search data that Alphabet must provide. In application of this principle, Alphabet must share all query, view click and ranking data which it collects for the purpose of optimising its search services, subject to the anonymisation requirement. This includes:

• Query data: queries entered by end users into Google Search on any access point, any
  modifications made by end users and Alphabet to initial queries, and any other metadata about the users and their queries.

• View data: all URLs and visual content which are displayed on search engine result pages,
  served to end users in response to their queries and are viewed by them (i.e., they generate an impression), no matter their type, format, structure or tab in which they are included.

• Ranking data: the URL's position on the results page as displayed on the user's device, the
  URL's ordinal position in relation to other URLs presented on the results page and any other information on the URL's relative and absolute position, prominence and visibility on the results page, as displayed on the user's device.

• Click data: all data on user interaction with the results page as displayed on the user's
  device, including the type, timing, order and duration of user actions, or lack thereof. The proposed data scope measures specify that Alphabet must exclude invalid traffic from the shared search data and make available an API or equally effective tool to share the data with third parties, at a frequency on par with Alphabet's own frequency of access to the same data, and for a duration that can reasonably enable third parties to optimise their online search services, which is for at least five years. Anonymisation The proposed anonymisation measures specify how Alphabet must anonymise the search data, taking into account the Joint Guidelines of the Commission and of the European Data Protection Board on the interplay between the DMA and the General Data Protection Regulation (GDPR). 1 The proposed measures consist of technical measures complemented with contractual measures to reduce the likelihood of re-identification of end users that issued the queries as follows:

• Technical measures alter the search data to reduce the likelihood of re-identification of end
  users to a residual level without unnecessarily degrading the quality or usefulness of the search data.

• Contractual measures include a set of administrative, contractual and organisational
  measures that complement the technical measures to further reduce the likelihood of re- identification of end users to an insignificant level. The proposed technical measures require Alphabet to release data daily and to (i) suppress a number of direct identifiers and other identifying attributes from search records (e.g., account identifiers and IP addresses), (ii) suppress long queries and queries that contain rare words and combination of words, (iii) generalise metadata such as location and device type, and (iv) limit session data to queries that are refinements of previous queries. The proposed contractual measures further mitigate the residual risks stemming from data processing by eligible beneficiaries. In substance, they ensure that data recipients are legitimate and have concrete and verified plans to use the data to optimise their online search engine services, and they prohibit beneficiaries from attempting re-identification (e.g., by linking the search dataset with auxiliary datasets), using the dataset outside of the purpose of optimising online search engine services, retaining the data beyond 13 months, and onward sharing of the dataset. The proposed contractual measures also require beneficiaries to protect the integrity and confidentiality of search data from unlawful access by unintended recipients (e.g. by requiring encryption of data at rest

Joint EDPB and Commission guidelines on the interplay between DMA and GDPR, version for public 1 consultation, available at: https://digital-markets-act.ec.europa.eu/document/download/8ba0913f-2778-4a6d-9c58- 10f8c7ead009en?filename=JointCOM-EDPBGLSinterplayDMAGDPRforpublic_consultation.pdf

and in transit). Finally, to verify implementation of the contractual measures, beneficiaries are subject to an independent verification mechanism, consisting of an independent audit prior to accessing the search data and annual monitoring audits to maintain such access. The scope of the assurance engagement and the corresponding assurance objectives are defined by the Commission. Pricing terms The proposed measures on pricing terms specify the remuneration that Alphabet can claim from beneficiaries under the FRAND requirements of Article 6(11) of the DMA. The proposed measures specify that FRAND pricing corresponds to incremental cost-based pricing, where eligible beneficiaries pay only the incremental costs incurred by Alphabet for sharing the search data, plus a reasonable return on capital employed for that purpose. Exceptional circumstances may justify an additional margin. The pricing terms will apply for a period of five years, after which Alphabet may renegotiate terms with beneficiaries. Process for data acquisition and pre-acquisition data testing The proposed measures on process specify how Alphabet must make the data available to beneficiaries under the Article 6(11) of the DMA. The proposed measures specify:

• The testing samples that Alphabet must make available. Alphabet must provide three types
  of testing samples: one small testing sample provided free of charge, a synthetic data sample, and a 5% sample of the search data subject to beneficiaries meeting all conditions for accessing search data.

• The process that Alphabet must follow to review the eligibility of requesting third parties,
  and for refusing, suspending and terminating access to the search data.

• The timeline in which Alphabet must make the search data available in a way that complies
  with the specified measures in the Commission's implementing act. The proposed measures on refusal, suspension, termination and financial penalties aim to ensure that Alphabet can enforce the contractual measures described above while guaranteeing that it does so on FRAND terms.

FOR PUBLIC CONSULTATION IN CASE DMA.100209 - SP - ALPHABET - ARTICLE 6(11)

On 16 April 2026, the Commission adopted its preliminary findings in case DMA.100209 -

SP - Alphabet - Article 6(11), setting out the proposed measures that Alphabet must

implement to ensure effective search data sharing with third-party online search engines. The Commission is consulting interested third parties on these measures, ( ) and in 1 particular on their effectiveness, completeness, and implementation timelines. These measures are preliminary and might be adjusted subject to feedback from third parties and Alphabet as well as further investigative steps. Table of Contents

1. Eligibility .................................................................................................................... 2
2. Data scope and conditions of sharing ...................................................................... 2 2.1. Data scope ......................................................................................................... 2

2.2. Conditions of data sharing ................................................................................. 4

1. Anonymisation ........................................................................................................... 5 3.1. Technical measures ........................................................................................... 5

3.2. Contractual measures......................................................................................... 8

1. FRAND pricing ........................................................................................................ 17
2. Process for Search Dataset acquisition and pre-acquisition data testing ........... 20 5.1. Process and practical arrangements for pre-acquisition data testing ............... 20

5.2. Process for finalising the Search Dataset ........................................................ 22

5.3. Process for finalising the licence agreements for the Search Dataset and

the test data samples ........................................................................................ 22

5.4. Processes for making the Search Dataset available, reviewing eligibility

of requesting third-party OSEs and ensuring continuity of access.................. 22

5.5. Processes for refusing, suspending and terminating access to the Search

Dataset ........................................................................................................... 25

5.6. Process for expedited termination of access in exceptional circumstances .... 28

5.7. Requirement to impose financial penalties in exceptional circumstances ...... 28

5.8. Obligation to inform the Commission and data protection supervisory authorities of decisions refusing, suspending, restoring or terminating access ........................................................................................................... 28

() Pursuant to Article 8(6) of Regulation 2022/1925. 1

1. ELIGIBILITY (1) To meet the requirements of Article 6(11) of Regulation (EU) 2022/1925, Alphabet shall engage with any third-party undertaking that applies for the ranking, query, click and view data in relation to free and paid search generated by end users on its OSEs ("Search Data") as specified in section 2 to determine whether it is eligible to receive them following the process specified in section 5. (2) Alphabet shall share the Search Data with any third-party undertaking providing

online search engines ("OSEs") in the EU and in the EEA, ( ) which meets the 2

definition of an OSE set out in Article 2(5) of Regulation (EU) 2019/1150. Alphabet shall not exclude third-party undertakings, such as undertakings providing AI chatbots with OSE functionalities, to the extent that these undertakings provide an OSE meeting the definition set out in Article 2(5) of Regulation (EU) 2019/1150, even if the OSE is provided as part of a broader service.

1. DATA SCOPE AND CONDITIONS OF SHARING (3) To meet the requirements of Article 6(11) of Regulation (EU) 2022/1925, Alphabet shall give any third-party undertakings providing OSEs access to all the Search Data on par with the data collected by Alphabet for the purpose of optimising its OSE services subject to anonymisation requirements. This parity principle shall determine, for example, the scope of data sharing and the conditions of sharing data with third-party OSEs. 2.1. Data scope

2.1.1. Query data

(4) Alphabet shall share any query input entered by end users into Google Search on any access point, any modifications made by end users and Alphabet to this initial query, and any other metadata about the user and query. (5) It follows that Alphabet shall share at least the following query data: (a) Query input and modification data: (1) Query input as entered by end users (the "initial query"); (2) Query as modified by end users and Alphabet (the "modified query"), including the modifications made through query shortcut chips, autocomplete function, entity results, query suggestions, "see results

about" feature, autocorrect function, and advanced search filters;

(3) Content of query modifiers; (4) Identifier of the type of query modification. (b) Query metadata: (1) Query time stamp; (2) User location; (3) Query language identifier;

() In the EU as of today and in the EEA following the incorporation of Regulation (EU) 2022/1925 into 2 the Agreement on the European Economic Area.

(4) User device identifier, including mobile handsets, desktops and tablets; (5) Indication of the user's access point to Google Search, including for the following access points: browser omnibox on Chrome and third-party browsers, Google Search website, Google Search widget, Google Search application, Google Assistant, Gemini, Google Lens, Circle to Search and Text Search on Android; and (6) Indication of the method of query input, including text, voice and photo requests.

2.1.2. View data

(6) Alphabet shall share any URLs and visual content which are displayed on search

engine results pages ("SERP"), served to end users in response to their queries and

are viewed by them (i.e., they generate an impression), no matter their type, format, structure or tab in which they are included. (7) It follows that Alphabet shall share at least the following view data: (a) Uniform resource locators ("URLs"): (1) All URLs, regardless of their format (e.g., photos, videos, text); (2) All URLs, regardless of their structure (e.g., main URLs, associated URLs); (3) All URLs, regardless of their type (e.g., organic search result URLs, paid search result URLs at the main domain level, including top ad URLs and in-stream URLs, and advanced search result URLs displayed in various search modules); and (4) All URLs, including from the following tabs: "Videos", "Short

Videos", "News", "Forums", "Web", "Books" and "Images".

(b) Link identifiers: (1) Identifier of the type of result format, including text, video and photo; (2) Identifier of the place of result in the SERP's structure, including main and associated URLs; (3) Identifier of the type of tab, including, for example "Web", "Images",

"Videos", "News"; and

(4) Identifier of the result type, including organic search results, identifier of paid search results, identifier of advanced search results, the latter including the identifier of sub-type, for example, "Short Answer",

"Knowledge Panel". 2.1.3. Click data

(8) Alphabet shall share any data on user interaction with the SERP as displayed on the

user's device, with any visual elements displayed on it, including blocks and URLs

and with the pages linked by these URLs, including the type, timing, order and duration of user actions, or lack thereof. (9) It follows that Alphabet shall share at least the following click data, (i) for each URL served on the SERP in response to a user input, only excluding individual paid search results URLs, and (ii) for each block of paid search results presented on the SERP:

(a) Timing, order and duration, or the absence of, clicks and clicks back (i.e. clicks indicating the user's return to the SERP following an earlier click) on the URL/block; (b) The duration a user viewed the given URL/block or the data allowing to infer it, i.e. at least the height and size of the URL/block, its distance from the top of the SERP, the share it occupies of the user's viewport (i.e. the area of the

webpage which is visible on the user's device) and the duration the user

stayed on a given screen view; (c) Timing, order and duration, or the absence of, hovering, scrolling, swipes and expansions of/on the URL/block or the SERP as displayed on the user's device;

2.1.4. Ranking data

(10) For each URL shared under view data, Alphabet shall share the URL's position on

the SERP as displayed on the user's device, the URL's ordinal position in relation to other URLs presented on the SERP and any other information on the URL's

relative and absolute position, prominence and visibility on the SERP, as displayed

on the user's device.

(11) It follows that Alphabet must share at least the following ranking data (i) for each URL shared under view data, only excluding paid search result URLs, and (ii) for each block of paid search results presented on the SERP: (a) Identifier of the position on the SERP in which the URL/block is displayed (e.g., top area, main column, right side column); (b) The ordinal position of the URL/block in relation to other URLs/blocks displayed in the same SERP area and the identification of all other URLs displayed in the same area; (c) Information about the page on which the URL/block was displayed on the

user's device.

2.2. Conditions of data sharing

2.2.1. Search sessions

(12) Alphabet shall share the search session data on par with the data which it itself collects and uses. (13) It follows that Alphabet shall at least group query, click view and ranking data from the same user in the chronological order

2.2.2. Invalid traffic

(14) Alphabet shall exclude invalid traffic, i.e., query, view, click and ranking data, that does not originate from a human user or a genuine user interest, from the Search Data shared with beneficiaries.

2.2.3. Frequency of data sharing

(15) Alphabet shall share Search Data with third parties on par with Alphabet's own frequency of access to the same data.

2.2.4. Method of data sharing

(16) Alphabet shall use the method of sharing that it uses itself internally for sharing the Search Data with third parties to the greatest extent that is technically feasible, and in any case the method of sharing needs to enable effective sharing of Search Data. (17) It follows that Alphabet must share the Search Data via an API. The API sharing method must enable third parties to access only new data, rather than the complete updated dataset every time they use the API.

2.2.5. Duration of data sharing

(18) Alphabet shall offer the Search Data to any third-party undertakings providing OSEs for a duration that can reasonably enable it to optimise its OSE services, which must be at least five years starting from the moment when the Search Data becomes effectively accessible to that specific third party. This is without prejudice to Alphabet being obliged to continue offering the Search Data to any third-party

OSE for the entire duration of Google Search's designation as a core platform

service.

1. ANONYMISATION (19) The Commission's preliminary measures to ensure anonymisation of end users' personal data in the Search Data consist of two components: (a) Technical measures: these measures alter the Search Data to mitigate the risk of re-identification of end users to a residual level (the Search Data after the application of technical measures are referred to as the "Search Dataset"). These measures are outlined in section 3.1. (b) Contractual measures: the contractual measures complement the technical measures and further mitigate the residual risks of re-identification of end users to an insignificant level. These measures are outlined in section 3.2 3.1. Technical measures (20) Alphabet shall share the Search Data daily and at record-level. Each input record shall contain a query text with metadata and shall meet the technical measures to be included in the Search Data. The technical measures consist of the following steps: (21) Attribute suppression. For each record, Alphabet shall remove ((a) to (e)) or replace ((f) and (g)) the following attributes: (a) Any end user identifier, such as Google account identifiers (e.g., account IDs, usernames), whether the user was signed in, and other associated direct identifiers (e.g., IP addresses, device IDs). (b) The precise timestamp of the query. (c) Information about the height and size of modules and results. (d) Information about the distance from each module or result to the top of the SERP. (e) Information about the share each module or result occupies of the user's viewport.

(f) Queries in the form of images shall be replaced with a placeholder query. For queries that combine images and text, only the image shall be replaced with a placeholder query. The text shall not be suppressed. (g) Click back time shall be binned into the following time intervals: 0-10 seconds; 10-25 seconds; 25 seconds - 1 minute; 1 - 3 minutes; 3 - 20 minutes; and more than 20 minutes. (22) Allowlist creation: Alphabet shall generate and update weekly an allowlist of words appearing in search queries from signed-in end users using the past 13 months of EEA search data employing the following procedure: (a) Alphabet shall split the original query text of each search record into entities: (1) Alphabet shall use personal data detectors to detect addresses, names and other forms of well-known identifiers and resolve them to standard formats. (2) Alphabet shall split the rest of the query, which has not been detected as personal data, into words based on whitespace, not counting whitespaces between two digits.

For example, the query "john doe 200 wetstraat brussel 04 12 34 56 78 communications department" could be split into "john doe" (flagged by the full name detector), "200 wetstraat brussel" (flagged by the address detector), "04 12 34 56 78" (flagged by a phone number detector), "communications", and "department" (single words).

(b) For each entity, Alphabet shall count the number of unique signed-in end users who submitted queries containing the entity in the past 13 months in the EEA. (c) Alphabet shall add an entity to an allowlist for five years if the entity is included in queries issued by more than 50 (w) signed-in end users. (23) Length-based thresholds determination: Every week, using data for that past week from both signed-in and signed-out users in the EEA, Alphabet shall compute a length-based character threshold (c) as follows: (a) For each inferred language in which a query text has been issued, find the value of threshold c so that 95% of unique queries with that inferred language in the week concerned have fewer than c characters. (24) Query suppression: Every day, Alphabet shall apply the following procedure on each search record generated by signed-in and signed-out end users in the past 24 hours in the EEA: Alphabet shall remove the entire search record from the Search Data if the modified query (see paragraph (5)(a)(2)) does not meet two conditions: (a) Entity-based threshold: Alphabet shall split the query text into entities (as described in paragraph (22)(a)) and determine whether all entities are in the allowlist. (b) Length-based threshold: Alphabet shall check whether the query text is shorter than the length threshold of c characters (see paragraph (23)) for the

query's associated inferred language.

(25) If the query contains free-text search filters whose contents are not included in the modified query, Alphabet shall check whether the contents of each filter meet the

two thresholds. If the two thresholds are not met, the entire record is removed from the search dataset. If the free-text search filters meet the thresholds, Alphabet shall add the relevant free-text search filters as data fields to the corresponding search record. (26) If the initial query text (see paragraph (5)(a)(1)) is different from the modified query text, Alphabet shall check whether the initial query text meets the two thresholds. If the initial query text does not meet the two thresholds, the initial query text is removed from the search record; otherwise, Alphabet shall add the initial query text as a data field to the corresponding search record. (27) If the SERP contains query refiner text, Alphabet shall check whether the query refiner text meets the two thresholds. If the query refiner text does not meet the two thresholds, the query refiner text is removed from the search record; otherwise, Alphabet shall add the query refiner text as a data field to the corresponding search record. (28) Metadata generalisation: For queries that pass query suppression, Alphabet shall apply metadata generalisation to each search record. The attributes subject to generalisation are the location, inferred language, device type and access point types (see paragraph (5)(b)(5)). (29) Alphabet shall share the location data of the end user as an pair; where country is the country from which a query originates, and s2cell is a bounding box which includes at least 1 000 signed-in users and with a surface area of at least 3km². () 3 (30) Whenever the below metadata generalisation procedure refers to generalising the location, Alphabet shall perform the following procedure on a location pair () to generalise the location by one level: (a) If s2cell is not null, then i be its hierarchy level, and let biggers2cell be the S2 cell that contains s2cell and whose hierarchy level is i - 1. (1) If i is 7 or fewer, return. () 4 (2) If the centre of biggers2_cell is not in country, then return

null>.

(3) Otherwise, return. (b) If s2_cell is null, then return. The location can no longer be generalised; it corresponds to the full EEA. (31) Alphabet shall check whether at least 50 (r) signed-in end users have issued a query with the same metadata attribute values for inferred language, location information, and device type. If such condition is not met, Alphabet shall generalise the metadata attributes in the following sequence until the r-threshold of 50 is met: (a) First, Alphabet shall generalise location by one level at a time, at most twice. (b) Second, Alphabet shall supress the device information and the access point information.

() See https://s2geometry.io/devguide/s2cell_hierarchy.html. 3) An s2cell of level seven corresponds to an area between 3 175km( and 6 530km , see official 4 2 2 documentation https://s2geometry.io/resources/s2cellstatistics.

(c) Third, Alphabet shall generalise the location one level at a time, until it can no longer be generalised. If the r-threshold is still not met at any of the three steps above, meaning that fewer than 50 (r) end users submitted queries with the same inferred language value in the EEA, Alphabet shall remove the query and its corresponding search records from the Search Data. (32) Mini-sessionisation: Alphabet shall group records by ordering all records from the same end user chronologically and adding each search record to the previous group if the following conditions are met: (a) The current search record was generated by one of the following ways: (1) The user clicked on a query refiner (e.g., "Did you mean…" spelling suggestions, query suggestions, query shortcut chips, entity results, etc.) in the previous record's SERP. (2) The user selected the search bar and selected one of the autocomplete suggestions on the previous record's SERP, without manually entering additional information. (3) The user entered a new query into the search box on the previous record's SERP, and the previous record's query text is a substring of the current search record's query text. (33) Alphabet shall tag each search record associated with a group with the same unique random number and provide them in chronological order. The location and device metadata of all records in a mini-session is overridden with the location and device metadata of the last record of this mini-session. (34) Alphabet shall include the search records after the five steps in the Search Data. Alphabet shall include all other data (as defined in section 2.1) unaltered, without applying any additional measures. 3.2. Contractual measures

3.2.1. Roles and responsibilities

(35) Alphabet shall ensure, through contractual arrangements with third-party OSEs accessing the Search Dataset, that Alphabet and the third-party OSE are recognised as independent controllers within the meaning of Article 4(7) of Regulation (EU) 2016/679. (36) Alphabet shall ensure, through contractual arrangements with third-party OSEs accessing the Search Dataset, the following allocation of responsibilities: (a) Alphabet is controller for the processing of end users' personal data carried out to implement the technical measures set out in section 3.1 prior to the sharing or granting access to the Search Dataset; (b) Alphabet ensures that the sharing or granting access to the Search Dataset is carried out in a secure manner, in accordance with Articles 5(1)(f) and 32 of Regulation (EU) 2016/679 and, where applicable, in compliance with the requirements of Chapter V of that Regulation; (c) The third-party OSE accessing the Search Dataset is responsible and liable for the processing of personal data of individuals other than end users forming part of the Search Dataset under Regulation (EU) 2016/679,

including any processing performed by its processors or authorised sub- processors; (d) The third-party OSE accessing the Search Dataset is responsible to ensure that any processors or authorised sub-processors involved in the processing of the Search Dataset are contractually bound to implement all relevant contractual measures set out in sections 3.2.2 and 3.2.3, and that contractual arrangements with such processors or sub-processors explicitly provide independent auditor(s) with the right to verify compliance with these contractual measures in line with the measures in section 3.2.4; (e) The third-party OSE is responsible and liable under Regulation (EU) 2016/679 for any personal data processing resulting from a breach or circumvention of the contractual measures imposed by Alphabet to ensure

anonymisation of end users' personal data, including any processing

performed by its processors or authorised sub-processors, without prejudice to the allocation of responsibility and liability under that Regulation, in particular Article 82 and 83 thereof. (37) Alphabet shall ensure, through contractual arrangements with third-party OSEs accessing the Search Dataset, that it imposes only the contractual measures complementing the technical measures necessary to ensure anonymisation of the Search Dataset set out in sections 3.2.2, 3.2.3 and 3.2.4, without extending control over the third-party OSE's independent processing activities.

3.2.2. Contractual obligations complementing technical measures to ensure anonymisation from the third-party OSEs 'perspective

(38) Prohibitions against re-identification, linking and augmentation: Alphabet shall prohibit the third-party OSE from: (a) Attempting to link the Search Dataset with auxiliary datasets at record level; (b) Re-identifying end users, including by attempting to determine, learn or annotate which records relate to the same end users (i.e. "sessionisation"), beyond any mini-sessionisation provided as part of the Search Dataset; (c) Augmenting, enhancing, or processing the Search Dataset in a manner that reverses, weakens, or circumvents applied technical anonymisation measures, including attempts to infer or reconstruct truncated, generalised, or removed attributes. (39) Access control separation with auxiliary advertising and analytics datasets: Alphabet shall require the third-party OSE to implement technical and organisational measures at the infrastructure level such that access to the Search Dataset is separate from access to auxiliary advertising and analytics datasets where applicable. (40) Purpose limitation: Alphabet shall require the third-party OSE to use the Search Dataset solely for the permitted purpose of optimising or improving OSE services, regardless of whether these services serve results directly to end users or are used for grounding AI chatbot services, including but not limited to, refining retrieval and ranking systems, web crawling and index building, and functionalities such as query analysis, spell-checking, auto-suggestion, and auto-completion, and shall prohibit the third-party OSE from using it for unrelated purposes. (41) Retention duration: Alphabet shall require the third-party OSE to retain the Search Dataset for a period of maximum 13 months.

(42) Prohibition of onward sharing and disclosure: Alphabet shall prohibit third-party OSE from disclosing, sharing, sublicensing, or otherwise making available any ranking, query, click, or view data forming part of the Search Dataset received pursuant to Article 6(11) of Regulation (EU) 2022/1925 to any third party (). 5 (43) Governance and traceability: Alphabet shall require the third-party OSE to implement appropriate and proportionate data governance measures enabling them to identify and document automated processes accessing the Search Dataset, as well as relevant downstream datasets or models that are materially derived from, or demonstrably influenced by the Search Dataset, in a manner sufficient to enable verification that the above prohibitions are complied with and that processing aligns with the permitted purpose. Such a measure shall not extend to processing where the contribution of the Search Dataset is negligible, indirect, or no longer reasonably traceable, provided that appropriate safeguards are in place

3.2.3. Integrity and confidentiality of the Search Dataset to ensure anonymisation against any other person

(44) Alphabet shall require the third-party OSE to implement and maintain the following organisational, administrative and contractual measures, which constitute essential safeguards necessary to protect the integrity and confidentiality of the Search Dataset, including protection against unauthorised or unlawful access, disclosure, alteration or loss, taking into account the risks arising from its processing: (45) Technical protection of the Search Dataset: Alphabet shall require the third-party OSE to ensure that the Search Dataset is encrypted when stored in any system or environment under the third-party OSE's control and is encrypted during transmission between systems and environments, using state-of-the-art encryption appropriate for the sensitivity of the Search Dataset and the risks it is intended to mitigate, including unauthorised access resulting from physical loss or theft of storage media. (46) Access control and access governance measures: Alphabet shall require the third- party OSE to: (a) restrict access to the Search Dataset to personnel authorised by the third-party OSE, as well as to systems, strictly necessary for the permitted purpose of use (see paragraph (40)) (b) to assign access rights to such authorised personnel in accordance with the principles of least privilege ( ) and need-to-know ( ) and to periodically 6 7 review and revoke access rights to the Search Dataset where such access is no longer necessary; (c) to subject authorised personnel with access to the Search Dataset to phishing- resistant multi-factor authentication.

() Third-party online search engines' processors or sub-processors are not considered third parties in 5 this context. () The least-privilege principle means that personnel, systems, or processes are granted only the 6 minimum level of access permissions necessary to perform their assigned functions. () The need-to-know principle means that authorised personnel who have been granted access rights 7 may access data only when required for the performance of their assigned tasks.

(47) Data handling and other protection measures: Alphabet shall require the third- party OSE to prohibit the copying, downloading or local storage of any data from the Search Dataset on authorised personnel-managed devices or workstations. (48) Physical security measures: Alphabet shall require the third-party OSE to implement appropriate physical security measures to protect systems and storage media used to store or process the Search Dataset against unauthorised physical access, removal, or tampering. (49) Logging, monitoring and accountability measures: Alphabet shall require the third- party OSE to: (a) ensure that all access to the Search Dataset is logged, including attribution to individual users or systems and that such logs are protected against unauthorised access, alteration, or tampering, including through appropriate separation of duties; (b) to retain access logs for a period of one year, in order to align with the audit requirement set out in section 5.4.4. (50) Data life cycle management: Alphabet shall require the third-party OSE to ensure that the Search Dataset is securely erased or rendered irrecoverable upon expiry of the 13 months retention period in accordance with recognised industry standards. (51) Data breach reporting: Alphabet shall require the third-party OSE to implement processes to detect, report, and respond to any actual data breach affecting the integrity or confidentiality of the Search Dataset in accordance with Articles 33 and 34 of Regulation (EU) 2016/679. () 8

3.2.4. Independent verification mechanism to ensure the auditability and verifiability of anonymisation overtime

(52) Alphabet shall require third-party OSE seeking access to the Search Dataset to provide an independent reasonable assurance report based on the audit scope and assurance objectives defined throughout this section. 3.2.4.1. General requirements for independent reasonable assurance report (53) Alphabet shall require a third-party OSE seeking access to the Search Dataset, as a condition for obtaining and maintaining such access, to provide Alphabet with an independent assurance report providing reasonable assurance on the suitability and effectiveness of the controls implemented by the third-party OSE (also referred below as "reasonable assurance report") ( ) to demonstrate compliance with the 9

() Article 33 of Regulation (EU) 2016/679 addresses the circumstances which give rise to a 8 "[n]otification of a personal data breach to the supervisory authority" and Article 34 of that

Regulation addresses the specific circumstances where a "[c]ommunication of a personal data breach

to the data subject".

) International Framework for Assurance Engagements issued by the International Auditing and (9 Assurance Standards Board (IAASB), "Reasonable assurance engagements and limited assurance

engagement", paragraphs 14-16: available here:

https://ifacweb.blob.core.windows.net/publicfiles/2024-08/IAASB-2023-2024-Handbook-Volume- 4.pdf#page=46 A reasonable assurance engagement is defined as an assurance engagement in which the practitioner reduces assurance engagement risk to an acceptably low level in the circumstances of the

engagement as the basis for a positive form of expression of the practitioner's conclusion. In practice,

reasonable assurance therefore refers to a high, but not absolute, level of assurance, obtained by

assurance objectives defined by the Commission in section 3.2.4.3 below (first, second, third and fourth assurance objectives). (54) The assurance reports shall be prepared in accordance with ISAE 3000 or an equivalent internationally recognised assurance framework, and shall cover the organisational, technical, and governance measures implemented by the third-party OSE in relation to the access, storage, processing, use, and protection of the Search Dataset received pursuant to Article 6(11) of Regulation (EU) 2022/1925, within the scope and in accordance with the four assurance objectives defined by the Commission in this section. (55) The assurance reports shall be issued by an independent assurance practitioner and shall include a written signed declaration confirming the practitioner's independence and compliance with the ethical requirements applicable under ISAE 3000 or, where applicable, under an equivalent assurance framework, including requirements equivalent to those set out in the International Code of Ethics for Professional Accountants (including International Independence Standards) issued by the International Ethics Standards Board for Accountants (IESBA). (56) As a condition for being granted initial access to the Search Dataset, Alphabet must require the third-party OSE to submit to Alphabet, in accordance with the conditions set out in section 5.4.1, a Level 1 assurance report prepared in accordance with ISAE 3000 or an equivalent internationally recognised assurance framework, providing reasonable assurance on the first and second Commission- defined assurance objectives as well as on the design and suitability of the controls put in place to meet the third and fourth Commission-defined assurance objectives. (57) As a condition for maintaining access to the Search Dataset, Alphabet must require the third-party OSE to submit to Alphabet, on an annual basis and in accordance with the conditions set out in section 5.4.2, a Level 2 assurance report prepared in accordance with ISAE 3000 or an equivalent internationally recognised assurance framework, providing reasonable assurance on the first and second Commission- defined assurance objectives as well as on the operating effectiveness of those controls and covering the Commission-defined assurance objectives. For the purposes of the Level 2 assurance report, the independent assurance practitioner shall assess the operating effectiveness of the controls based on audit testing and sampling drawn from a continuous operating period of not less than 12 months within the reporting period, during which the controls were implemented and operational. (58) Where the third-party OSE has obtained existing independent assurance reports, certifications, or audit reports (for example, ISAE 3000, ISAE 3402, SOC 2, ISO/IEC 27001, or equivalent), the auditor conducting the Level 1 or Level 2

reducing engagement risk to an acceptably low level. This allows the practitioner to express a positive conclusion regarding whether the subject matter meets the applicable criteria. By contrast, a limited assurance engagement is defined as an assurance engagement in which the practitioner reduces assurance engagement risk to a level that is acceptable in the circumstances of the engagement but where that risk is greater than for a reasonable assurance engagement, as the basis for

a negative form of expression of the practitioner's conclusion. Accordingly, limited assurance

provides a lower level of assurance than reasonable assurance, because less extensive procedures are performed and the risk is not reduced to a sufficiently low level to meet reasonable assurance. The practitioner therefore expresses a negative conclusion, typically stating that nothing has come to their attention that causes them to believe the subject matter is materially misstated.

engagement shall take such reports into account, in whole or in part, when performing the engagement. In doing so, the auditor shall ensure that: (a) The scope, period, and assurance criteria of the existing reports demonstrably cover the Commission-defined assurance objectives; (b) The reports cover the systems, environments, and organisational units within scope pursuant to section 3.2.4.2; and (c) Any material gaps between the existing reports and the applicable assurance objectives are addressed through a targeted supplemental reasonable assurance engagement (). 10 (59) The measures Alphabet shall take regarding the submission of Level 1 and Level 2 assurance reports, the formal evaluation of those reports, and any resulting actions (including suspension of access, restoration of access or termination) in cases where the third-party OSE fails to provide a reasonable assurance report are set out in section 5. 3.2.4.2. Audit scope (60) Data scope: the scope of the assurance engagement shall be limited exclusively to the click, query, ranking and view data made available to the third-party OSE pursuant to Article 6(11) of Regulation (EU) 2022/1925 (the Search Dataset), including any datasets, models or outputs directly derived from such the Search Dataset. The assurance engagement shall assess the implementation and effectiveness of measures protecting the Search Dataset, as required under the contractual obligations in sections 3.2.2 and 3.2.3. (61) Organisational scope: the assurance engagement shall cover only those parts of the third-party OSE's organisation that process, access, store, or otherwise handle the Search Dataset, including: (a) the relevant business units, teams, and personnel with authorised access; (b) internal governance, compliance, and oversight functions responsible for ensuring compliance with contractual obligations relating to the use, security, and anonymisation of the Search Dataset; (c) any processors or internal service providers involved in processing the Search Dataset on behalf of the third-party OSE; and (d) where necessary to achieve the assurance objectives organisational units and personnel responsible for planning, budgeting, and allocating resources or financial commitments directly associated with the development, improvement, or optimisation of the search engine using the Search Dataset. (62) Organisational units, systems, or personnel that do not have physical, logical, or administrative access to the Search Dataset or whose financial or resource activities are unrelated to the Search Dataset processing shall be excluded, provided that effective segregation is demonstrably implemented and maintained.

() In this context, the targeted supplemental reasonable assurance engagement means a reasonable 10 assurance engagement, performed in accordance with applicable international assurance standards, that is limited in scope to specific controls or systems and carried out for the purpose of addressing material gaps between existing assurance reports, certifications, or audit reports and the assurance objectives defined by the Commission.

(63) Technical scope: the assurance engagement shall cover all technical systems, environments, and controls used to: (a) access or receive the Search Dataset from Alphabet; (b) store, process, or otherwise handle the Search Dataset, including backup and recovery systems; (c) analyse the Search Dataset or generate outputs, models, or derived datasets based on the Search Dataset; and (d) manage, monitor, and log access to the Search Dataset. (64) This includes, where applicable, cloud-based and on-premises environments, development, testing, and production systems in which the Search Dataset is present, as well as identity and access management systems, network security controls, and monitoring and logging systems relevant to the enforcement of contractual obligations for integrity, confidentiality, and continued anonymisation of the Search Dataset. (65) Where reliance is placed on existing assurance reports, the assurance engagement may be limited to a mapping and gap assessment demonstrating how the controls and findings in such reports apply to the Search Dataset and any directly derived datasets or models. 3.2.4.3. Assurance objectives (66) The assurance engagement shall evaluate whether the third-party OSE satisfies the conditions applicable to the provision and use of the Search Dataset. In particular, the auditor shall assess whether: (a) the third-party OSE is not subject to restrictive measures or other relevant regulatory or judicial decisions that would call into question whether the Search Dataset will be used for the genuine development, improvement, or optimisation of its own OSE services and thus prohibit or materially restrict the provision of the Search Dataset (First assurance objective); (b) the third-party OSE has established credible and documented plans demonstrating that the Search Dataset will be used for the genuine development, improvement, or optimisation of its own OSE services (Second assurance objective); (c) the third-party OSE has implemented effective technical, organisational, and contractual measures to ensure that the Search Dataset is processed in compliance with the contractual obligations set out in section 3.2.2 (Third assurance objective); and (d) the third-party OSE has implemented effective technical, organisational, and contractual measures to protect the integrity and confidentiality of the Search Dataset in compliance with the contractual obligations set out in 3.2.3 (Fourth assurance objective). (67) First, the auditor shall verify whether the third-party OSE is subject to any regulatory or judicial decisions that would prohibit or materially restrict the provision of the Search Dataset. In particular, the auditor shall consider the following: (a) Sanctions and restrictive measures decisions: the auditor shall not provide an assurance report to any third-party OSE which is subject, directly or

indirectly, to any restrictive measures or economic sanctions under Union law. This includes: (1) Designation of the third-party OSE or related persons (including any person or entity controlling the third-party OSE) as a sanctioned entity under the restrictive measures and economic sanctions laws of the Union; or (2) The existence of sanctions or restrictive measures which otherwise prohibit the provision of the Search Dataset or related goods and services to the third-party OSE. (b) Other relevant regulatory and judicial decisions: the auditor may also take into account regulatory or judicial decisions of the Union or its Member States which indicate that the third-party OSE constitutes a threat to cybersecurity, public security or public order. Such decisions may include: (1) Acts made under the investment screening laws of the Union or its Member States, including under Regulation (EU) 2019/452; (2) Any act designating the third-party OSE in question a high-risk supplier under Union law; or (3) Acts made under any other relevant laws for the protection of cybersecurity, public security or public order. (68) Second, the auditor shall verify whether the third-party OSE has established and maintains credible and documented plans, governance arrangements, and resource commitments demonstrating that the Search Dataset accessed pursuant to Article 6(11) will be and/or is used for the genuine development, improvement, or optimisation of its own OSE services, in line with the permitted purpose and without undermining anonymisation measures. This objective is assessed by verifying: (a) documented investment planning and financial commitments, including the existence of formal investment plans, budgets, or strategic programmes approved by senior management that allocate dedicated resources to the development or improvement of the third-party OSE's own search technology, and that clearly identify how, and for which development activities, the Search Dataset accessed pursuant to Article 6(11) of Regulation (EU) 2022/1925 is intended to be used for optimising OSE services. (b) credibility of investment plans, including evidence that planned investments, budgets, or strategic programmes are genuine and realistic in scale, timeframe, and scope relative to the stated development objectives. (c) adequacy of resourcing for implementing or preserving anonymisation-of the Search Dataset. (69) Third, the auditor shall verify that the third-party OSE has implemented effective measures contributing to ensuring anonymisation of the Search Dataset overtime. This objective is assessed by verifying the suitability and effectiveness of technical, organisational, and human controls in the following areas: (a) Ensuring that the Search Dataset is used solely for the permitted purpose of optimising or improving OSE services as specified in paragraph (40) and is not processed for unrelated or secondary purposes.

(b) Preventing, detecting and responding to any attempts, whether intentional or incidental, to: (1) link the Search Dataset with auxiliary datasets at record level; (2) re-identify end users, including by attempting to determine, learn or annotate which records relate to the same end user (i.e.

"sessionisation"), beyond any mini-sessionisation provided as part of

the Search Dataset; or (3) augment, enhance, or process the Search Dataset in a manner that reverses, weakens, or circumvents applied technical anonymisation measures, including attempts to infer or reconstruct generalised, truncated, or removed attributes. ( ) 11 (c) Ensuring that access to the Search Dataset is, where applicable, effectively separated at the infrastructure level from access to auxiliary advertising and analytics datasets. (d) Preventing, detecting and responding to any unauthorised disclosure, sharing, sublicensing, or other making available of the Search Dataset to third parties. (e) Identifying, documenting, and justifying automated processes, systems, and downstream datasets or models that are materially derived from, or are demonstrably influenced by the Search Dataset, in a manner that enables verification that the processing complies with the contractual prohibitions and remains aligned with the permitted purpose. Processing where the contribution of the Search Dataset is negligible, indirect, or no longer reasonably traceable may be excluded, provided that appropriate safeguards are in place. (70) Fourth, the auditor shall verify that the measures implemented by the third-party OSE are designed to protect the integrity and confidentiality of the Search Dataset against unauthorised access, disclosure, alteration, or loss, including in the event of internal misuse or external compromise. This objective is assessed by verifying the suitability and effectiveness of technical, organisational, and human controls in the following areas: (a) Ensuring that the Search Dataset is encrypted when stored or transmitted between systems or environments under the third-party OSE's control, using state-of-the-art encryption appropriate to the sensitivity of the data and the risks it is intended to mitigate, including unauthorised access resulting from physical loss or theft of storage media. (b) Restricting access to the Search Dataset to authorised personnel and systems strictly necessary for the permitted purpose and assigning access rights in accordance with the principles of least privilege and need-to-know, with periodic review and revocation of access rights where access is no longer necessary. (c) Requiring authorised personnel with access to use phishing-resistant multi- factor authentication.

() Data enrichment is permitted if it is limited to transformations that do not increase the risk of re-11 identification.

(d) Prohibiting the copying, downloading, or local storage of the Search Dataset on personnel-managed devices or workstations. (e) Implementing appropriate physical security measures to protect systems and storage media used to store or process the Search Dataset against unauthorised physical access, removal, or tampering. (f) Logging, monitoring, and auditing all access to the Search Dataset, including attribution to individual users or systems, and ensuring that logs are protected against unauthorised access, alteration, or tampering, including through appropriate separation of duties, and retained for a period of one year enabling independent audit. (g) Ensuring that the Search Dataset is securely erased or rendered irrecoverable upon expiry of the 13 months applicable retention period, in accordance with recognised industry standards (h) Ensuring that robust, documented and auditable processes are implemented to detect, assess, report, and respond to actual or suspected data breaches affecting the integrity or confidentiality of the Search Dataset in accordance with Articles 33 and 34 of Regulation (EU) 2016/679.The auditor shall verify that: (1) Appropriate policies, procedures, and controls are established and implemented to ensure the timely detection, escalation, assessment, notification and where required, communication of data breaches within the applicable deadlines; (2) All data breaches are systematically recorded in a breach register, including the facts relating to the breach, its effects, and the remedial actions taken; (3) Sufficient and traceable evidence (including logs, incident reports, communications, and post-incident reviews is retained to allow ex post verification of compliance.

1. FRAND PRICING (71) Alphabet shall provide the Search Data to eligible beneficiaries against a fair, reasonable, and non-discriminatory compensation that reflects the incremental costs incurred by Alphabet for the purpose of making such Search Data available plus a reasonable return, corresponding to a return on the capital employed for that

purpose that shall not exceed Alphabet's weighted average cost of capital.

(72) Alphabet shall not be constrained to a compensation reflecting only incremental cost and a reasonable return (which corresponds to a return on the capital employed for the purpose of the provision of access to Search Data that shall not exceed

Alphabet's weighted average cost of capital) in the event that (i) Alphabet could

demonstrate that it would not be able to cover the costs incurred for collecting the relevant data, including a reasonable return, from its own commercial use of that data, ( ) or (ii) when an eligible beneficiary operates at a very large scale. ( ) In 12 13

() The revenue from Alphabet's commercial use of the data should at least include Google Search 12 revenue, which is defined in this context as any revenue directly or indirectly attributable to the provision, operation, or monetisation of the Google Search service, including revenues generated

these circumstances, Alphabet shall be entitled also to a margin, which however

cannot exceed Alphabet's operating margin, in percentage terms, of its Google

Search business. (73) With regard to eligible beneficiaries that are also designated gatekeepers under Article 3(4) Regulation (EU) 2022/1925 in relation to an online search engine core platform service, Alphabet may deviate from the FRAND compensation specified. In that case, Alphabet shall negotiate, in good faith, and within the limits set out in Article 6(11) of Regulation (EU) 2022/1925, the applicable compensation provided that any resulting terms, taking into account the relevant circumstances, remain FRAND within the meaning of Article 6(11) of Regulation (EU) 2022/1925 and otherwise comply with that provision. (74) Micro, and small and medium-sized enterprises (SMEs), as defined by Article 2 of the Annex to Commission Recommendation 2003/361/EC, ( ) must be exempted 14 from paying more than the incremental costs incurred by Alphabet for the purpose of making Search Data available and a reasonable return on the capital employed for that purpose that shall not exceed Alphabet's weighted average cost of capital, irrespective of whether Alphabet demonstrates its inability to cover the efficiently incurred costs as set out under paragraph (71), above. Whether Alphabet negotiates the compensation with certain eligible beneficiaries in line with paragraphs (72) and (73) above shall be without prejudice to the application of the cost-based calculation methodology in line with paragraph (71), and cost-allocation principles for all other eligible beneficiaries. In particular, the fact that Alphabet negotiates the compensation with certain eligible beneficiaries in line with paragraphs (72) and (73) above shall not affect the cost base or the pro rata allocation parameters applicable to other eligible beneficiaries, which shall be calculated as if all eligible beneficiaries were subject to the incremental cost-based methodology specifying a compensation, which shall reflect the incremental cost incurred for the provision of access to Search Data and a reasonable return on the capital employed for that purpose. (75) The measures specifying FRAND pricing under these proceedings shall apply for a period of five years from the date on which the sharing was initiated, for each distinct beneficiary. After this period, Alphabet may deviate from the FRAND pricing specified in relation to each beneficiary. In that case, Alphabet shall be entitled to negotiate, in good faith, and within the limits set out in Article 6(11) of Regulation (EU) 2022/1925, the applicable compensation with the relevant eligible beneficiary, provided that any resulting terms, taking into account the relevant circumstances, remain FRAND within the meaning of Article 6(11) of Regulation (EU) 2022/1925. ( ) 15

through search advertising, intermediation of search-related traffic, and any other commercial activities deriving value from search queries or search-related user interactions. () Very large scale is being defined in this context as having more than 45 million monthly active end 13 users established or located in the Union and an annual Union turnover equal to or above EUR 7.5 billion in each of the last three financial years, or an average market capitalisation or equivalent fair market value amounted to at least EUR 75 billion in the last financial year, calculated in line with Article 3(2)(a) and (b) of Regulation (EU) 2022/1925. () Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-14 sized enterprises, Official Journal L 124, 20/05/2003 P. 0036 - 004 () This means that the resulting pricing terms should allow the beneficiary to obtain effective access to 15 the Search Dataset to be able to optimise its search services without Alphabet maintaining or obtaining an unfair advantage.

(76) Cost items that qualify as being incremental to making the data available to eligible beneficiaries shall include all fixed and variable costs pertaining to the following activities (): 16 (a) Preparing and formatting the dataset with a view to make the dataset available, that is, all costs directly attributable to the data-sharing-specific

further processing of data already stored in Alphabet's databases, in the

absence of the data-sharing provision, including any data-format adaptations, sub-setting or transformations performed with the objective of protecting data subjects, such as anonymisation. (b) Storage, that is, storage costs linked to making the data available to data recipients. Storage costs should only be part of the cost calculation to the extent that the storage environment is used for storing data with a view to making it available to data recipients. (c) Dissemination, that is, costs incurred in the process of electronically transmitting data to eligible beneficiaries, as well as the costs pertaining to the verification and identification of beneficiaries eligible to access the data. (77) For the purpose of determining the compensation, Alphabet may also include a reasonable return on the capital employed for the purpose of making the data

available that shall not exceed Alphabet's weighted average cost of capital.

(78) Only costs that are clearly attributable to making the data available shall qualify for the purpose of determining the compensation. Alphabet shall be able to demonstrate that all incremental cost items are objective, measurable, verifiable and proportionate to the purpose of making the data available. Overhead, sunk costs, or investments in data collection, processing and storage not attributable to making the data available, speculative risks or ordinary business expenses do not qualify for inclusion in the cost base to identify the incremental fixed and variable cost incurred by Alphabet in the process of making the data available to eligible beneficiaries. (79) Incremental cost items that are common to different recipients (such as upfront and overhead costs) shall be appropriately allocated in a reasonable and transparent manner across recipients. The volume of access requests cannot be known in advance and may vary over time. To this effect, Alphabet shall: (a) define reasonable amortisation cycles that spread one-off access-mechanism costs over a reasonable number of years, corresponding to the expected period before the access system would normally require major technical or compliance updates (i.e., useful life); (b) determine the per-recipient share based on a conservative and justified estimate of the expected number of eligible access recipients; (c) periodically review and adjust the allocation parameters to reflect actual uptake, so as to ensure proportionate cost sharing and avoid systematic over- or under-recovery. (80) Any such adjustments shall be implemented in a consistent, verifiable and transparent manner. The allocation method shall avoid placing a disproportionate burden on early recipients compared to later recipients and should not result in discriminatory pricing over time.

() Including common costs arising from making the data available. 16

(81) Alphabet shall also calculate its weighted average cost of capital for the concerned period that will serve for the computation of the reasonable return on the capital employed for the purpose of making the data available. (82) Alphabet shall set up payment arrangements in a manner that allows for effective recovery of all costs incurred by Alphabet in making the data available, while ensuring predictability for beneficiaries. (83) Upon request, Alphabet shall provide information to eligible beneficiaries setting out the basis for the calculation of the compensation in sufficient detail so that eligible beneficiaries are able to assess whether the above-stated requirements are met. Alphabet shall regularly produce, store and, upon request of eligible beneficiaries, provide this information at the appropriate level of granularity to ensure both a sufficient degree of transparency as well as the protection of confidential information. A confidential version of this information shall be stored and provided to the Commission upon request. (84) Alphabet shall attempt to resolve any disagreement on the application of the above- specified calculation methodology directly with beneficiaries in good faith. Should a disagreement on any elements of the compensation persist, Alphabet shall not prevent beneficiaries to raise such disagreement with the Commission. The Commission, where appropriate, will then take any appropriate measure to verify

Alphabet's compliance with the above terms. This provision is without prejudice to

the parties' right to seek judicial recourse.

1. PROCESS FOR SEARCH DATASET ACQUISITION AND PRE-ACQUISITION DATA

TESTING

5.1. Process and practical arrangements for pre-acquisition data testing (85) Alphabet shall give third-party OSEs the opportunity to conduct technical testing on test data samples before they agree to acquire the Search Dataset. (86) Alphabet shall provide three different test data samples to any eligible third-party OSE requesting access to test data samples or the Search Dataset ("requesting third parties"). Each test data sample shall have a different scope in terms of content as well as means and conditions of access. These are: (a) Sample A: Alphabet shall continue to provide a small sample of 1 000 rows (i.e., 58 unique queries) from the Search Dataset; (b) Sample B: Alphabet shall provide a synthetic dataset that requesting third parties may download onto their own servers to conduct technical testing; and (c) Sample C: Alphabet shall provide a large representative sample dataset that requesting third parties may download onto their own servers to conduct technical testing.

5.1.1. Sample A - access arrangements, access conditions and content

(87) Alphabet shall continue to provide a 1 000-row sample (i.e., 58 unique queries) of

the Search Dataset free of charge ("Sample A"). Alphabet must continue to allow

third-party OSEs to download Sample A onto their own servers free of charge. (88) Alphabet may impose a contractual restriction preventing the third-party OSE from sharing Sample A with any other person or undertaking. Alphabet must otherwise

make Sample A available under the same conditions it makes the small Alphabet sample available.

5.1.2. Sample B - access arrangements, access conditions and content

(89) Alphabet shall prepare a synthetic dataset of 10 million representative artificially generated unique queries (also often called "synthetic" queries) and metadata

("Sample B") and provide this to any third-party OSE that requests it. Alphabet

shall comply with any request from a third-party OSE that the copy of Sample B it receives contain a particular number of queries and associated metadata, up to a maximum of 10 million individual queries. (90) Alphabet shall allow third-party OSEs to download Sample B onto their own servers. Alphabet may impose a contractual restriction preventing the third-party OSE from sharing Sample B with any other person or undertaking. Alphabet shall only provide Sample B to third-party OSEs that are eligible to receive the Search Dataset. (91) Alphabet shall not make access to Sample B conditional on the third-party OSE in question providing any assurance report specified in section 3.2.4 or undergoing an audit associated with this assurance report. Alphabet may only grant Sample B to a third-party OSE that it has deemed a third-party OSE eligible to receive the Search Dataset in accordance with section 0. (92) Alphabet shall explain, in a clear and transparent manner, the method by which it produced Sample B. Alphabet shall ensure that Sample B is a faithful representation of the real Search Dataset to which technical measures specified in section 3.1 have been applied. This means, among other things, that Sample B shall: (a) Accurately resemble the real Search Dataset in content and form; (b) Faithfully reflect the relationship between queries and metadata; (c) Include all the data fields specified in section 2; and (d) Have the technical measures specified in section 3.1 applied in the same way they would be applied to the real Search Dataset. (93) Alphabet may limit the time during which requesting third party OSEs may retain Sample B. This retention period must be a period of at least three months from the date on which Sample B was first made available to that requesting third party. (94) Alphabet may charge requesting third parties a fee for accessing Sample B. This fee shall be calculated using the method specified in section 4.

5.1.3. Sample C - access arrangements, access conditions and content

(95) Alphabet shall provide a sample of 5% of the final Search Dataset selected from queries occurring in no less than one month and no more than one year ("Sample C") (with the exact period to be specified by the third-party OSE requesting Sample C). (96) Alphabet shall provide Sample C once the Search Dataset is finalised in accordance with section 5.2 and all conditions for the sharing of the Search Dataset set out in sections 0, 3.2 and 5.4.1 and have been met. Alphabet shall require third-party OSEs to apply the retention period specified in section 3.2.2 to Sample C.

(97) Alphabet may charge third-party OSEs a fee for accessing Sample C. This fee shall be calculated using the method specified in section 4. (98) Alphabet shall comply with any requests from any third-party OSE that all queries in the Sample C dataset it accesses: (a) Come from a particular Member State of the Union; (b) Be in a particular language or languages; or (c) Take place within a particular period of no less than one month. 5.2. Process for finalising the Search Dataset (99) Alphabet shall finalise the Search Dataset as soon as possible and no later than three months after the Commission's adoption of an implementing act under Article 8(2) of Regulation (EU) 2022/1925 in these specification proceedings. Alphabet shall notify the Commission as soon as it has finalised the Search Dataset. This notification shall describe the actions Alphabet has taken to implement the measures specified in sections 2.1, 2.2 and 3.1. 5.3. Process for finalising the licence agreements for the Search Dataset and the test data samples (100) Alphabet shall prepare a template licence agreement for the sharing of the Search Dataset with third-party OSEs, implementing all applicable provisions of the measures specified, within two months of the Commission's adoption of an implementing act under Article 8(2) of Regulation (EU) 2022/1925 in these specification proceedings. (101) Alphabet shall also prepare template licence agreements for sharing Sample A, Sample B and Sample C within two months of the Commission's adoption of an implementing act under Article 8(2) of Regulation (EU) 2022/1925 in these specification proceedings. (102) Within one working day of finalising the template licence agreements, Alphabet shall also share a copy of each template licence agreement with any requesting third party and the Commission. (103) The Search Dataset and Sample C template licence agreements shall allow a third- party OSE to specify that all queries forming part of the Search Dataset or Sample C dataset it receives come from a particular Union Member State or Member States, be in a particular language or take place within a period of no less than one month. (104) Alphabet may only impose conditions for sharing the Search Dataset or test data samples that are FRAND. These conditions shall not impede in any way the effectiveness of the measures specified in an implementing act adopted under Article 8(2) of Regulation (EU) 2022/1925 in these specification proceedings. 5.4. Processes for making the Search Dataset available, reviewing eligibility of requesting third-party OSEs and ensuring continuity of access

5.4.1. Process for providing Search Dataset(s) and reviewing eligibility of requesting third parties

(105) Alphabet shall engage with any requesting third party to determine whether it is eligible to receive the Search Dataset.

(106) Alphabet shall put in place a structured, adequately documented process setting out how it will receive, acknowledge, assess and respond to requests for the Search Dataset and test data samples. (107) To this end, Alphabet shall provide a publicly accessible webpage containing up- to-date information including: (a) A clear explanation of Alphabet's obligations under Article 6(11) of Regulation (EU) 2022/1925 specified in an implementing act adopted under Article 8(2) of that Regulation in these specification proceedings; and (b) Clear and detailed information on how to contact Alphabet with a view to submitting a request for the Search Dataset. (108) Alphabet shall reply to any expressions of interest in acquiring the Search Dataset within one week. This reply shall contain at least the following information: (a) A request form with clear and detailed information the requesting third party is to provide in order to enable Alphabet to assess whether the requesting third party qualifies as a third-party OSE eligible to receive the Search Dataset under section 0; (b) A description of the Search Dataset and test data samples; (c) Clear and detailed information regarding: (1) Process for assessing eligibility; (2) The requirement to submit the Level 1 reasonable assurance report as a condition for being granted initial access to the Search Dataset, and the requirement to submit the Level 2 reasonable assurance report as a condition for maintaining access to the Search Dataset in accordance with the conditions specified in section 5.4.2; and (3) Processes for granting access to, ensuring continuity of access to, refusing access to, suspending access to and terminating access to the Search Dataset; and (d) Copies of the template licence agreements in respect of the Search Dataset, Sample A, Sample B and Sample C. (109) Information Alphabet requests under point (a) shall be strictly necessary to assess whether the requesting third party qualifies as a third-party OSE eligible to receive the Search Dataset under section 0. Alphabet's requests for information shall be reasonable and not unduly onerous. Alphabet shall not request any information that could qualify as business secrets or be competitively sensitive information. (110) Alphabet shall require the submission of a Level 1 assurance report consisting solely of a non-confidential version containing the assurance conclusions of the qualified independent assurance practitioner and confirming that reasonable assurance has been obtained for each of the four assurance objectives defined in section 3.2.4.3. (111) Alphabet shall limit its verification of the Level 1 assurance report to confirming the submission of the report and its formal completeness, meaning that the report is issued by a qualified independent assurance practitioner and contains the assurance conclusions for each of the four assurance objectives defined in section 3.2.4.3 in the prescribed non-confidential format. Alphabet shall not reassess the substance or

scope of the assurance conclusions expressed by the qualified independent assurance practitioner. Within two weeks of receiving the Level 1 reasonable assurance report (in the case of the Search Dataset and Sample C) and signed licence agreement (in respect of the Search Dataset and all test data samples), Alphabet shall either: (a) Provide the Search Dataset or test data sample in question to the requesting third party; or (b) Send the requesting third party a decision rejecting the report in accordance with section 5.5.1. (112) Alphabet shall inform the Commission of any request it receives within one week from receipt.

5.4.2. Submission of Level 2 assurance reports to maintain access to the Search Dataset

(113) As a condition for maintaining access to the Search Dataset, Alphabet shall require the third-party OSE to submit to Alphabet, on an annual basis, the Level 2 assurance report in accordance with the conditions specified in section 3.2.4: (a) For the first Level 2 assurance report, within 15 months of the date the third- party OSE first received access to the Search Dataset; (b) For all subsequent Level 2 assurance reports, within 12 months of the date on which the previous Level 2 assurance report was submitted. (114) The Level 2 assurance report shall consist solely of a non-confidential version containing the assurance conclusions of the qualified independent assurance practitioner confirming that reasonable assurance has been obtained in relation to each of the four assurance objectives defined in section 3.2.4.3. (115) Alphabet shall limit its verification to confirming the submission of the report and its formal completeness, meaning that the report is issued by a qualified independent assurance practitioner and contains the assurance conclusions for each of the four assurance objectives defined in section 3.2.4.3 in the prescribed non- confidential format. Alphabet shall not reassess the substance or scope of the assurance conclusions expressed by the qualified independent assurance practitioner. (116) Failure to submit a Level 2 assurance report within the applicable time limits, or failure of the submitted report to confirm that reasonable assurance has been obtained (where the independent assurance practitioner issues a "limited assurance" conclusion), shall lead to a suspension decision and/or a termination decision in accordance with sections 5.5.2.1 and 5.5.3.

5.4.3. Prior notification of a change of control and submission of Level 1 reasonable assurance reports to ensure continuity of access following a change of control

(117) Alphabet shall require written notification from the third-party OSE of any intended change of control over the third-party OSE (including acquisitions of joint control or sole control or changes in the quality of control) within 10 days after it becomes public or at least 30 days prior to the change taking effect, whichever is earlier. Alphabet shall transmit the notification to the Commission upon receipt. (118) Alphabet shall require the notification to identify the natural or legal person(s) acquiring control of the third-party OSE. If this information is not publicly available and is commercially sensitive, Alphabet shall require the third-party OSE

to notify the Commission directly and share a non-confidential version of the notification with Alphabet. (119) Following a change of control, Alphabet shall ensure that the third-party OSE continues to receive access to the Search Dataset immediately after the third-party

OSE and the person or persons acquiring control (together the "merging parties")

submit a new Level 1 reasonable assurance report that takes the change of control into account. (120) Alphabet may only suspend access to the Search Dataset following a change of control of a third-party OSE in accordance with the conditions set out in section 5.5.2.1.

5.4.4. Submission of Level 2 reasonable assurance reports to ensure continuity of access following the commencement of insolvency proceedings

(121) Alphabet shall require written notification from the third-party OSE of any insolvency proceedings initiated against it within one week of the initiation of those proceedings. Alphabet shall transmit the notification to the Commission upon receipt. (122) Alphabet shall require the notification to identify the jurisdiction and court in which proceedings were brought and briefly describe the circumstances precipitating the proceedings. If this information is not publicly available and is commercially sensitive, Alphabet shall require the third-party OSE to notify the Commission directly and share a non-confidential version of the notification with Alphabet. (123) Following the initiation of insolvency proceedings, Alphabet shall ensure that the third-party OSE continues to receive access to the Search Dataset immediately after the third-party OSE submits a Level 2 reasonable assurance report that takes the insolvency proceedings into account. (124) Alphabet may only suspend access to the Search Dataset following initiation of insolvency proceedings in accordance with the conditions set out in section 5.5.2.1. 5.5. Processes for refusing, suspending and terminating access to the Search Dataset

5.5.1. Refusal decisions

(125) If Alphabet decides either: (a) To deny a requesting third party access to the Search Dataset; or (b) To deny a requesting third party access to a test data sample, it shall send the requesting third party a written notification refusing access to the

Search Dataset (the "refusal decision") by the applicable deadline set out in

section 5.4.1. (126) The refusal decision shall include at least the following: (a) Reasoning: an explanation of the grounds for the refusal decision; (b) Rebutting evidence: an explanation of the evidence the requesting third party shall provide to rebut the refusal decision; and (c) Contact: who the requesting third party can contact and how if it has any questions on the refusal decision.

5.5.2. Suspension of access

5.5.2.1. Measures for suspension (127) Alphabet shall suspend an individual third-party OSE's access to the Search Dataset in the following circumstances: (a) Failure to submit a Level 1 reasonable assurance report in the case of a change of control: the merging parties fail to submit a Level 1 reasonable assurance report before the change of control takes effect; (b) Failure to notify a change of control: the merging parties fail to notify a change of control within 10 days after it becomes public or at least 30 days prior to the change taking effect (whichever is earlier) in accordance with section 5.4.3. (c) Failure to submit a Level 2 reasonable assurance report on time: the third-party OSE does not submit a Level 2 reasonable assurance report within the time limit specified in section 5.4.2 (or submits a Level 2 report concluding limited assurance); or (d) Insolvency: insolvency proceedings in respect of the third-party OSE are opened. (128) Alphabet shall notify the third-party OSE in writing no more than three days after

the suspension ("suspension decision"). The suspension decision shall contain at

least the following: (a) Reasoning: a clear and detailed explanation of the grounds for the suspension; (b) Effects: a description of the legal and operational consequences of the suspension; (c) Remediation: a clear and detailed explanation of the evidence the third-party OSE shall provide to restore its access to the Search Dataset; and (d) Alphabet's obligation to terminate: the conditions under which Alphabet shall terminate access to the Search Dataset specified in section 5.5.3. 5.5.2.2. Measures for restoration of access to the Search Dataset (129) Alphabet shall reverse a suspension and restore the third-party OSE's access to the Search Dataset as soon as technically possible once the third-party OSE has remedied the circumstances that triggered the suspension or has otherwise demonstrated that those circumstances no longer apply, in accordance with the conditions set out below. (130) In particular, Alphabet shall restore access to the Search Dataset in the following circumstances: (a) Failure to submit a Level 1 reasonable assurance report in the case of a change of control: where the merging parties submit a Level 1 assurance report concluding reasonable assurance; (b) Failure to notify a change of control: where the merging parties notify the change of control to Alphabet; (c) Failure to submit a Level 2 reasonable assurance report on time: where the third-party OSE submits to Alphabet a Level 2 reasonable assurance report in accordance with section 5.4.1;

(d) Submission of a Level 2 assurance report concluding limited assurance: where the third-party OSE submits to Alphabet a supplemental reasonable assurance report confirming that reasonable assurance has now been obtained for the assurance objectives previously assessed as limited; and (e) Insolvency: where the third-party OSE provides an updated Level 2 reasonable assurance report which takes any relevant changes to the third-

party OSE's business that relate to the insolvency proceedings into account. 5.5.3. Termination decisions

(131) Alphabet shall decide to permanently terminate an individual third-party OSE's access to the Search Dataset ("termination measure") in the below specified circumstances. (132) Alphabet shall issue a termination measure if a third-party OSE (or the merging parties, if applicable) fails to provide the evidence of remediation specified in section 5.5.2.2 within three months of receiving the suspension decision specified in section 5.5.2.1. (133) Within five working days after it has terminated access, Alphabet shall send the third-party OSE a decision which includes at least the following: (a) Reasoning: a detailed explanation of the grounds for the termination decision; and (b) Effects: a detailed explanation of the legal consequences of the termination decision. (134) Upon issuing the termination decision, and unless a supervisory authority has opened an investigation or taken formal investigative steps under Regulation (EU) 2016/679 against the third-party OSE that require the retention of the Search Dataset as evidence, Alphabet shall take all necessary contractual measures to ensure: (a) That the party subject to the termination decision: (1) Erases all of the Search Dataset under its control; and (2) Does not further process or share the Search Dataset; and (b) That any other third party to whom the party subject to the termination decision disclosed (whether intentionally or not) the Search Dataset: (1) Erases all of the Search Dataset under its control; and (2) Does not further process or share the Search Dataset. (135) Alphabet shall take all necessary steps to ensure these contractual measures are enforced. (136) Alphabet shall allow third-party OSEs that have been subject to a termination measure to re-apply for access to the Search Dataset. Alphabet shall treat any such subsequent application for the Search Dataset as if it were an application from a new requesting third party.

5.6. Process for expedited termination of access in exceptional circumstances (137) Alphabet may decide to issue termination decisions in exceptional circumstances without following the procedures and time limits specified in sections 5.5.2 and 5.5.3 ("expedited termination decisions"). (138) Alphabet may only issue an expedited termination decision where it becomes aware of an urgent risk of serious and irreparable damage to the anonymisation of

end users' personal data.

(139) The expedited termination decision shall include at least the following: (a) Reasoning: a detailed explanation of the grounds for the expedited termination decision including all evidence demonstrating an urgent risk of

serious and irreparable damage to the anonymisation of end users' personal

data; and (b) Effects: a detailed explanation of the legal consequences of the termination decision or expedited termination decision. 5.7. Requirement to impose financial penalties in exceptional circumstances (140) Alphabet shall impose strictly necessary and proportionate financial penalties on a third-party OSE in the following instances: (a) A third-party OSE fails to notify a change of control in accordance with section 5.4.3; (b) A third-party OSE fails to notify the commencement of insolvency proceedings against it in accordance with section 5.4.4; (c) A third-party OSE fails to notify Alphabet that it has received a limited assurance report; (d) A third-party OSE fails to comply with the necessary contractual measures imposing erasure of the Search Dataset as per section 5.5.3 or (e) A third-party OSE provides materially false information to Alphabet in connection with the independent verification mechanism specified at Section 3.2.4. (141) Alphabet shall not impose financial penalties on third-party OSEs in relation to their processing of the Search Dataset. 5.8. Obligation to inform the Commission and data protection supervisory authorities of decisions refusing, suspending, restoring or terminating access (142) Alphabet shall share a copy of any refusal, suspension or termination decision with the Commission at the same time it shares any such refusal, suspension or termination decision with the third-party OSE in question. (143) Alphabet shall also share a copy of any suspension or termination decision with the lead supervisory authority at the same time it shares any such suspension or termination decision with the third-party OSE in question. "Lead supervisory

authority" means the lead supervisory authority of the third-party OSE as defined

in Regulation (EU) 2016/679. (144) Alphabet shall inform the Commission and the lead supervisory authority within five working days of any restoration of access to the Search Dataset following a suspension. It shall also provide the reasons for which it has restored access to the Search Dataset.

(145) Alphabet shall notify the Commission and the Lead supervisory authority of the third-party OSE of its intention to issue an expedited termination decision at least three working days before it intends to issue such expedited termination decision to the third-party OSE in question. In its notification, Alphabet shall clearly explain the reasons for its expedited termination decision and provide supporting evidence. ***