DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
Privacy unfriendly default settings
Where possible, change default settings until Google has implemented adequate privacy friendly settings
Turn Off Ads Personalization Turn Off access to Additional Services Change the default setting of the Chrome browser and in the Marketplace to prevent access by default [by third parties] to Customer Data. Provide exhaustive and comprehensible information what the data protection consequences are if end users or administrators opt-in to privacy unfriendly settings Allow admins to centrally prevent any opt-in from employees
One Google Account
Advise end users not to sign in with multiple Google Accounts simultaneously
Shield or protect against spill-over from enterprise to consumer environment (and vice versa)
If the Chrome browser is permitted: prohibit end users from signing in with a Google Account different from the enterprise domain
Prevent any data processing via the Google Play Store beyond authorised data processor purposes
Lack of control subprocessors
Provide clear warnings to end users when they leave the protected enterprise environment
Amend contract to provide guarantees about processing of underwater links from Core Services to Additional Services such as Translate and Maps Amend contract to include meaningful control for customer to object against subprocessors of personal data, whether included in Customer Data, data relating to the Google Account, Support Data and Diagnostic Data or otherwise processed by Google Become data processor for the processing of personal data in Customer Data and Diagnostic Data from the Core Services, the Features, the Additional Services, the Technical Support Services, the Google Account, Other related services that may send Customer Data to Google, such as Feedback and the Enhanced Spellcheck in the Chrome browser and only engage authorised subprocessors
No access for data subjects
Inform employees about access to the data in the available admin log files When available, use other tools
p. 5/162
Honour data subject access rights, including with respect to all personal data in Diagnostic Data [collected through the Core Services, the Additional Services, the Features, the Google Account, the Technical Support Services and Other related services such as Feedback and the Enhanced Spellcheck in the Chrome browser. Develop tools to allow data subjects access to personal data when they are collected.
