
DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021

For the avoidance of doubt, the Diagnostic Data streams mentioned above are separate from, and in addition to, Customer Data that end users provide to Google.

8.1 Anonymisation

According to the guidance from the Data Protection Authorities in the EU, anonymisation is a complex and dynamic form of data processing.244 Often, organisations still possess the original data, or continue to collect pseudonymised data. As long as there is a realistic possibility to re-identify individuals based on data that are masked, scrubbed of obvious identifiers or otherwise de-identified, such data cannot be considered anonymous and the organisation must still comply with all GDPR requirements with regard to the processing of personal data. Furthermore, the process of anonymisation itself constitutes processing of personal data and is therefore subject to the GDPR.

Google provides a public explanation of two of its anonymisation techniques.245 As quoted in Section 1.4.3 of this report, Google applies anonymisation to Diagnostic Data and Customer Data when an Additional Service is included as a 'Feature' of a Core Service, such as the use of Maps and Translate. Google did not provide specific information about the anonymisation techniques it applies in this case, and did not show any examples to the researchers. Google provided a general explanation of the key techniques it may use to anonymise data.

[CONFIDENTIAL] Key techniques used by Google to anonymize data include:

• the computation of aggregate values across a population, or the grouping of individuals such that values are shared;
• sampling: the computation of aggregate data based on a sample that includes a small portion of the overall population;
• generalizing the data (see WP216, p. 12 and 16): there are certain data elements that are more easily connected to certain individuals. In order to protect those individuals, Google uses generalization to remove a portion of the data or replace some part of it with a common value. For example, Google may use generalization to replace segments of all area codes or phone numbers with the same sequence of numbers; and
• adding noise to data (see WP216, p. 12):
  • differential privacy (see WP216, p. 15) describes a technique for adding mathematical noise to data. With differential privacy, it is difficult to ascertain whether any one individual is part of a data set because the output of a given algorithm will appear the same, regardless of whether any one individual's information is included or omitted.

In most circumstances Google will implement a combination of these techniques to effectively anonymize identifiable end user data. In any case, there is no single method of anonymisation that is effective under all circumstances. When anonymizing data, Google will assess the circumstances on a case-by-case basis (see WP216 p. 24) and develop a method of anonymisation such that the data cannot be attributed, directly or indirectly, to an individual, including consideration of the following factors:

244 Anonymisation Guidelines from the Article 29 Working Party, WP216, Opinion 05/2014 on Anonymisation Techniques, URL: http://ec.europa.eu/justice/Article29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
245 Google, How Google anonymizes data, URL: https://policies.google.com/technologies/anonymization
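The four techniques named above (aggregation, sampling, generalization of phone numbers, and Laplace-noise differential privacy) as an added Python illustration; it is not Google's implementation and says nothing about how Google actually applies them. The records, department names and phone numbers are constructed, and the epsilon values are arbitrary.

```python
import random
from collections import Counter

# Constructed sample population (not real data): department and phone number.
RECORDS = [
    {"dept": "finance", "phone": "+31 20 123 4567"},
    {"dept": "finance", "phone": "+31 20 123 9876"},
    {"dept": "legal", "phone": "+31 70 555 0001"},
    {"dept": "legal", "phone": "+31 70 555 0002"},
    {"dept": "legal", "phone": "+31 70 555 0003"},
]

def generalize_phone(number, keep_prefix=3):
    """Generalization: keep the first keep_prefix digits and replace the rest
    with a common value, so every number in an area code looks the same."""
    digits = [c for c in number if c.isdigit()]
    return "".join(digits[:keep_prefix]) + "X" * max(0, len(digits) - keep_prefix)

def aggregate_counts(records, key):
    """Aggregation: release one count per group instead of per-person rows."""
    return Counter(key(r) for r in records)

def sample_records(records, fraction, seed):
    """Sampling: take a small random portion of the population to aggregate."""
    k = max(1, int(len(records) * fraction))
    return random.Random(seed).sample(records, k)

def laplace_noise(scale, rng):
    """Laplace(0, scale) noise: the difference of two exponentials with mean
    scale is Laplace-distributed, which avoids the inverse-CDF log(0) edge case."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def dp_count(records, predicate, epsilon, rng):
    """Differential privacy: a count changes by at most 1 when one person is
    added or removed (sensitivity 1), so Laplace noise of scale 1/epsilon
    makes the released value look the same with or without any individual."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)

def mean_dp_count(records, predicate, epsilon, seed, draws=5000):
    """Average many noisy releases to show the noise is centred on the truth
    (a demonstration only: each real release would spend its own epsilon)."""
    rng = random.Random(seed)
    return sum(dp_count(records, predicate, epsilon, rng) for _ in range(draws)) / draws

if __name__ == "__main__":
    print(aggregate_counts(RECORDS, lambda r: generalize_phone(r["phone"])))
    print(dp_count(RECORDS, lambda r: r["dept"] == "legal", 0.5, random.Random(1)))
```

Running dp_count on RECORDS and on RECORDS[:-1] with different seeds gives values that overlap heavily, which is the "appears the same whether or not one individual is included" property the text describes; the small groups here are far too small for generalization alone to be anonymous.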

p. 98/162
