Mervinskiy 516


DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021

services and the ads delivered by Google) that the description offers no insight into what processing Google does and does not permit itself to do under this purpose. Based on the current contractual terms, Google may process Diagnostic Data collected about the use of the Core Services (including the Features), the Additional Services, the Technical Support Services and the Other related services, as well as the content from the Additional Services, use of the Google Account outside of the Core Services, for all 33 purposes mentioned in its (consumer) Privacy Policy. These purposes generally aim at serving Google’s own commercial interests. Google’s long list of purposes in its role as data controller seems designed to maximise Google’s liberty to process the personal data for new purposes and in new services. This allows Google to dynamically add (sub)purposes, or stop collecting Diagnostic Data for certain purposes. Without informing or asking consent from its end users, Google can change the telemetry and website data it collects. Google does not publish any documentation about the contents of the telemetry and website data it processes, other than an opaque description in its (consumer) Privacy Policy, and a list of telemetry events in a highly specialised source for Android developers. Google has not created any privacy controls to block or minimise the telemetry data, neither for the data subjects nor for admins. This lack of transparency makes it impossible for admins and end users to verify Google’s privacy statements.

As data controller, Google does not publish any information about the parties with which it cooperates in the provision of its consumer services, except for a list of Google affiliates (group companies) included in the (consumer) Privacy Policy.[281] In its (consumer) Privacy Policy (which currently applies to the Google Account when not used in the Core Services, the Technical Support Services, the Additional Services, the Other related services, as well as all Diagnostic Data), Google writes that it may provide personal data “to our affiliates and other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures. For example, we use service providers to help us with customer support.”[282] The fact that Google gives instructions to third parties (other trusted businesses) to process in compliance with (all 33 purposes of) the (consumer) Privacy Policy and appropriate confidentiality and security measures does not mean that Google has a (sub)processor agreement with these parties as referred to in Article 28 of the GDPR.

In sum, in the absence of an exhaustive list of specified and explicit purposes and given the uncertainty about the number of sub-purposes Google may add, the collection of personal data through the G Suite Enterprise services does not comply with the principle of purpose limitation. As a result, government organisations cannot trust that Google will only process the personal data from G Suite Enterprise for legitimate purposes.

14. Necessity and proportionality

14.1 The principle of proportionality

The concept of necessity is made up of two related principles, namely proportionality and subsidiarity. Personal data which are processed must be necessary for the purpose pursued by the processing activity. Proportionality means the invasion of privacy and the protection of the personal data of the data subjects is proportionate

[281] Google, Affiliates providing business services in the EU, URL: https://privacy.google.com/businesses/affiliates/?hl=en_US
[282] Google (consumer) Privacy Policy, ‘For external processing’.
