DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
proactively publish statistics “to help public health officials combat COVID-19.” Google cannot process personal data on the legal ground of public interest, because Google does not carry out any public tasks. Google did not process these location data as processor at the request of government organisations either. Since G Suite Enterprise end users were not made aware of such further processing of their location data prior to enabling this setting, Google cannot base this processing on consent either. 11.2.4
Legitimate interest As explained above, government organisations can currently not rely on any legal ground for the processing of personal data. This includes the legal ground ‘legitimate interest’. As joint controllers with Google, Dutch government organisations may (instruct Google to) process a limited set of innocent Diagnostic Data on the basis of the necessity for their legitimate interest, if the data processing is not necessary to perform a public task. This can be the case for the following purposes: • • • • •
detect and solve new information security risks process the data according to the settings chosen by the administrators use Diagnostic Data to provide Technical Support, when an admin asks for this help keep the service functioning and up-to-date (providing automatic product updates; and determine the account status and ads personalisation preferences [cookies].
Government organisations may also rely on this legal ground for the (limited) use of some Diagnostic Data for (security) analytics, as long as the rights and freedoms of the end users and other data subjects do not prevail over this interest. However, government organisations may not allow further processing of the Diagnostic Data obtained from devices and browsers for any purpose that involves tracking and profiling of end users and end user behaviour. Such a purpose would require consent based on the ePrivacy Directive, and employees are not free to give such consent. As mentioned above for the ground of ‘public interest’, reliance on the legal ground of ‘legitimate interest’ requires adequate purpose limitation. Without a specific purpose or specific purposes, it is impossible to identify an appropriate any legal ground, including ‘legitimate interest’. In sum, as joint controllers for the processing of the personal data in the Additional Services, the Technical Support Services, the Other related services and all Diagnostic Data, nor Google nor the government organisations have a legal basis for the processing under the current circumstances.
11.3
Google’s own legitimate business purposes In some cases, Google processes personal data as an independent data controller, for example for the processing of the number of accounts and sold licenses for annual financial statements, and the sending of invoices. These purposes for the processing need to be clearly defined in the contract with the Dutch government organisations. Google may be ordered to hand over personal data to a law enforcement authority, security agency or secret service. It follows from the G Suite DPA that Google will refer disclosure requests with regard to personal data in Customer Data from the Core Services to the government organisation, unless “the law prohibits Google from doing so on important grounds of public interest”. In those circumstances, Google can act as a data processor. When Google refers disclose requests to its customer,
p. 118/162
