DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
processes these data in its role as processor, as well as in its role as joint data controller. The technical research in this DPIA shows that Google also collects Customer Data in sentences and words from the Enhanced Spellingchecker in telemetry data from the Chrome browser. Government organisations should therefore take account of the general prohibition on the processing of special categories of personal data from articles 9 and 10 of the GDPR if they are joint controllers with Google. There is no exception for the processing of these personal data by Google for its own 33 purposes. The only generally useful exception in Article 9 GDPR is if the data subject has given explicit consent. However, valid consent is not an option, as explained in sections 11.1.1 and 11.2.1 of this DPIA. Article 10 of the GDPR completely prohibits the processing of personal data relating to criminal convictions and offences, if not under the control of official authority or when authorized by Union or Member State law.
12.1 Transfer of special, sensitive, secret and confidential data to the USA

In G Suite Enterprise admins can elect to store Customer Data from certain Core Services only in data centres in the European Union. This choice is not available for the Customer Data from other Core Services, the Google Account, the Additional Services, Support Data and any Diagnostic Data. Those data may therefore be stored anywhere where Google maintains facilities.

With regard to the transfer of personal data in Customer Data to the USA, customers can accept the SCC, as described in Section 7. At the time of completion of this DPIA report, all other transfers of personal data outside of the EEA generally relied on the EU-US Privacy Shield.

The transfer and storage of personal data in the USA carries a risk of unlawful further processing of personal data (i) through interception or silent orders from USA law enforcement authorities, security agencies and secret services, (ii) through rogue administrators at Google and at subprocessors (only for the Technical Support Services), and (iii) by hostile state actors. The likelihood and impact of these risks are assessed in Section 16.2.12 of this report.

To mitigate some of these risks, government organisations can create policy rules to prevent very confidential or state secret data from being processed through cloud services. They could also draft a policy to prohibit the use of directly identifying personal or confidential data in file and path names. Google does not offer separate encryption possibilities for data stored in Drive, but customers may apply their own encryption from other companies before uploading sensitive data to Drive.[277]

In a whitepaper about encryption, Google explains that data on disks and backup media belonging to customers are always encrypted. Google has a distinct approach to encryption for each system, to mitigate the specific security risks.
Google automatically encrypts Customer Data stored on disks in the G Suite product family as it is written to disk with a per-chunk encryption key that is associated with a specific Access Control List. This means that different chunks are encrypted with different encryption keys, even if they belong to the same customer.[278] Technically, this works as follows: “Each chunk key is encrypted by another key known as the wrapping key, which is managed by a Google-wide key management

[277] In the G Suite Marketplace, different third-party encryption tools are available, URL: https://gsuite.google.com/marketplace/search/encrypt
[278] How Google Uses Encryption to Protect Your Data, G Suite Encryption Whitepaper, URL: https://storage.googleapis.com/gfw-touched-accountspdfs/google-encryption-whitepaper-gsuite.pdf