DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
Part B. Lawfulness processing
of
the
data
The second part of this DPIA assesses the lawfulness of the data processing. This Part B contains an assessment of the legal grounds for processing (Section 11), the processing of special categories of personal data (Section 12), the principle of purpose limitation (Section 13) an assessment of the necessity and proportionality of the processing (Section 14), and data subject rights (Section 15).
11.
Legal Grounds To be permissible under the GDPR, processing of personal data must be based on one of the legal grounds mentioned in Article 6 (1) GDPR. Processing covers a wide range of operations performed on personal data, such as the collection, organisation, storage, alteration, retrieval, use, disclosure by transmission, making available, combination, restriction, erasure or destruction. Essentially, for processing to be lawful, the GDPR requires that the data controller bases the processing on the consent of the data subject, or on a legally defined necessity to process personal data. Data processors act on behalf of the data controller, and as such, can rely on the purposes and legal grounds that the data controller has for the processing. The assessment of available legal grounds (sometimes called ‘lawful bases’) is tied closely to the principle of purpose limitation. The EDPB notes that “The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation. [.] When controllers set out to identify the appropriate legal basis in line with the fairness principle, this will be difficult to achieve if they have not first clearly identified the purposes of processing, or if processing personal data goes beyond what is necessary for the specified purposes.”260 Thus, in order to determine whether a legal ground is available for a specific processing operation, it is necessary to determine for what purpose, or what purposes, the data was or is collected and will be (further) processed. There must be a legal ground for each of these purposes. The appropriate legal ground may depend on Google’s role as joint data controller, or as data processor. Although it may be possible that the processing for specific purposes identified in this DPIA can be based on a legal ground, the lack of purpose limitation makes it impossible to determine whether the data are also processed for other purposes. For example, the transmission of Customer Data to Google for the specific purposes of technically providing a Core Service and keeping a Core Service and the data secure and up to date, might be based on a legal ground such as the performance of a contract between the government organisation and the employee. However, due to the lack of purpose limitation, the transmission of these data is currently based on a broad, non-specific purpose. Without a specific purpose or specific purposes, it is impossible to identify an appropriate legal ground. As further described in the Sections 16 and 17, Google can fix these problems to a certain extent by contractually limiting the processing to clearly defined, specific purposes, and specifically excluding (further) processing for other purposes.
EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects version adopted after public consultation, 16 October 2019, URL: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines22019-processing-personal-data-under-article-61b_en. 260
p. 107/162
