Mervinskiy 516


DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021

In the current circumstances, the analysis of the legal grounds results in the conclusion that no legal grounds apply for any data processing. This Section addresses four of the different possible legal grounds for the different purposes of the processing, in short: consent, contract with the data subject, public interest and legitimate interest. The legal ground of vital interest is not discussed, since neither Google nor Dutch government organisations have a vital (lifesaving) interest in processing personal data via G Suite Enterprise. Additionally, though Dutch government organisations may have to process digital information and communicate by e-mail, there is no legal obligation to use G Suite Enterprise.

Section 11.1 below describes the legal grounds government organisations may have for the processing of personal data in Customer Data from the Core Services, the Features and the Google Account when used in conjunction with the Core Services. This section distinguishes between Google’s intended role as data processor, and Google’s factual role as joint controller with the government organisations.

Section 11.2 describes the legal grounds for the processing of Customer Data from the Additional Services, the Technical Support Services, the Other Related Services and all Diagnostic Data. This section is based on the analysis that government organisations and Google currently act as joint controllers for these personal data. This means the government organisations must have a legal ground for each purpose for which Google processes these personal data.

Section 11.3 briefly describes the legal grounds for Google to process limited personal data about customers as an independent data controller. This can be the case if Google uses contact and license data to send invoices, or when Google has to comply with a legal request from a law enforcement authority and is prohibited (with a gagging order) from forwarding this request to its customer.

11.1 Customer Data from the Core Services, Features and the Google Account used in the Core Services

As detailed in Section 4.2 of this report, Google does not offer an exhaustive list of specific and explicit purposes for which Google as a data processor necessarily has to process personal data in the Customer Data in the Core Services. Google claims it only acts on the ‘documented instructions’ of its customers. This DPIA shows that Google factually processes the personal data in the Customer Data in the Core Services for at least 8, and possibly 20 purposes. These purposes are not specifically and explicitly enumerated as part of the documented instructions of the data controller. Google seems to deem these other purposes compatible with the catch-all purpose.

As will be analysed in more detail in Section 13 of this report, the processing of personal data in the context of the G Suite Enterprise services currently does not comply with the principle of purpose limitation. Even if Google contractually guarantees its role as data processor for the personal data processed through the Features and Google Account when used in conjunction with a Core Service,[261] the same lack of purpose limitation applies. Without a specific purpose or specific purposes, it is impossible for government organisations to identify any appropriate legal ground.

If Google were indeed a data processor, Google would be able to rely on the purposes and legal grounds for processing of the government organisation. However, as explained in Sections 5.2 and 5.4, Google does not qualify as a data processor.

[261] See Sections 1.4.2 and 1.4.3 of this report.


