DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
In the current circumstances the analysis of the legal grounds results in the conclusion that no legal grounds apply for any data processing. This Section addresses four of the different possible legal grounds for the different purposes of the processing, in short: consent, contract with the data subject, public interest and legitimate interest. The legal ground of vital interest is not discussed, since nor Google nor Dutch government organisations have a vital (lifesaving) interest in processing personal data via G Suite Enterprise. Additionally, though Dutch government organisations may have to process digital information and communicate per e-mail, there is no legal obligation to use G Suite Enterprise. Section 11.1 below describes the legal grounds government organisations may have for the processing of personal data in Customer Data from the Core Services, the Features and the Google Account when used in conjunction with the Core Services. This section distinguishes between Google’s intended role as data processor, and Google’s factual role as joint controller with the government organisations. Section 11.2 describes the legal grounds for the processing of Customer Data from the Additional Services, the Technical Support Services, the Other Related Services and all Diagnostic Data. This section is based on the analysis that government organisations and Google currently act as joint controllers for these personal data. This means the government organisations must have a legal ground for each purpose for which Google processes these personal data. Section 11.3 briefly describes the legal grounds for Google to process limited personal data about customers as an independent data controller. This can be the case if Google uses contact and license data to send invoices, or when Google has to comply with a legal request from a law enforcement authority and is prohibited (with a gagging order) from forwarding this request to its customer.
11.1
Customer Data from the Core Services, Features and the Google Account used in the Core Services As detailed in Section 4.2 of this report, Google does not offer an exhaustive list of specific and explicit purposes for which Google as a data processor necessarily has to process personal data in the Customer Data in the Core Services. Google claims it only acts on the ‘documented instructions’ of its customers. This DPIA shows that Google factually processes the personal data in the Customer Data in the Core Services for at least 8, and possibly 20 purposes. These purposes are not specifically and explicitly enumerated as part of the documented instructions of the data controller. Google seems to deem these other purposes compatible with the catch-all purpose. As will be analysed in more detail in Section 13 of this report, the processing of personal data in the context of the G Suite Enterprise services currently does not comply with the principle of purpose limitation. Even if Google contractually guarantees its role as data processor for the personal data processed through the Features and Google Account when used in conjunction with a Core Service,261 the same lack of purpose limitation applies. Without a specific purpose or specific purposes, it is impossible for government organisations to identify any appropriate legal ground. If Google would indeed be a data processor, Google would be able to rely on the purposes and legal grounds for processing of the government organization. However, as explained in the Sections 5.2 and 5.4, Google does not qualify as a data processor. 261
See Sections 1.4.2 and 1.4.3 of this report.
p. 108/162