DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
processing. Although Google clearly tries to use plain language in its (consumer) Privacy Policy, the wording of the purposes is not explicit, and the explanations accompanying the purposes omit crucial information regarding what personal data will be processed for what specific purposes. At the time of completion of this DPIA, Google did not publish documentation about the contents of the Diagnostic Data it collects on its own cloud servers (other than the audit logs it makes available for admins), nor about the contents of the telemetry data (Diagnostic Data) from ChromeOS, the Chrome browser, Android devices and apps. As a result of the lack of information Google provides to government organisations, they are unable to provide data subjects adequate information about the processing of their personal data. The documentation published by Google also does not meet the standards set by the GDPR with regard to the right to information. First of all, data subjects have a right to information. This means that data controllers must provide people with easily accessible, comprehensible and concise information in clear language about, inter alia, their identity as data controller, the purposes of the data processing, the intended duration of the storage and the rights of data subjects. As has been highlighted in previous sections of this report, Google does not make comprehensible information available to data subjects about the processing of personal in the G Suite Enterprise Core Services. Quite the opposite. The G Suite DPA is the richest source of information, and this legal document requires enhanced close reading capacities. Google has refused to provide a limitative list of purposes for the processing of the Customer Data, insisting it only follows customer instructions. With regard to all the Diagnostic Data, the Google Account Data, the Additional Services and related services such as Feedback, Google also fails to meet the requirements for the quality and accessibility of information about the data processing. Though Google clearly tries to use plain language in its Privacy Policy, the wording of the purposes is never explicit, and the explanations accompanying the purposes omit crucial information what personal data will be processed for what specific purposes. Google does not publish documentation about the contents of the Diagnostic Data it collects on its own cloud servers, or about the contents of the telemetry data from the Chrome OS and browser, and Android devices. As a result, the government organisations, as joint data controllers with Google, are unable to determine whether the processing is lawful in order to adequately inform their employees or students.
15.3
Right to access Data subjects have a right to access their personal data. Upon request, data controllers must inform data subjects whether they are processing personal data about them. If this is the case, data subjects should be provided with a copy of such personal data, together with information about the purposes of processing, recipients to whom the data have been transmitted, the retention period(s), and information about their further rights as data subjects, such as filing a complaint with a Data Protection Authority. As explained in Section 15.1, for data processing that falls in the scope of the G Suite DPA, Google undertakes to redirect access requests to its customers: "If Google’s
p. 128/162
