DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
First, Google collects content from Customer Data, such as files, emails or chats, when a data subject uses a Feature such as Spelling and Grammar. Second, Google collects content from data that Google obtains as Customer Data, such as file and path names of documents in its Diagnostic Data, and snippets of content in telemetry data from the Enhanced Spellchecker.

There are multiple risks related to the possible further processing by Google of these Customer Data and of content from Customer Data collected through Diagnostic Data. Google permits itself to process personal data in Customer Data for 8 and perhaps 20 purposes. As explained in Section 5.2, Google does not qualify as a data processor for the processing of Customer Data due to the lack of transparency about the purposes, the lack of purpose limitation and the fact that Google determines compatible purposes of use.

Additionally, Customer Data may be included in Diagnostic Data. Diagnostic Data may contain Confidential Information or organisation data of a potentially sensitive nature, such as file names and subject lines of emails, sentences and words if the Spelling and Grammar Feature is used, and sensitive or special categories of personal data of all kinds of data subjects. Such Diagnostic Data do not fall within the scope of the G Suite DPA. This means, inter alia, that third parties engaged by Google that receive these data are not authorised as subprocessors, and are not bound by the G Suite DPA (and potentially also not by the GDPR). Furthermore, where government organisations and Google are joint controllers for Diagnostic Data that includes (content) data obtained by Google as Customer Data, government organisations generally do not have a legal ground for such processing, because it will mostly not be necessary to process such data.

There is a risk that Google may be ordered by a foreign government to hand over Customer Data or Diagnostic Data from Dutch government customers. Google may be prohibited from forwarding such a request to the government organisation, and a gagging order may also prohibit it from even informing the organisation of the request. Customer Data and Diagnostic Data may also be accessed unlawfully by a rogue administrator or hostile state actor. Such access would be in breach of confidentiality requirements and the fundamental right to protection of communication secrecy.
16.2 Assessment of Risks

The risks can be grouped in the following categories:

1. Loss of control over the processing of personal data;
2. Loss of confidentiality;
3. Inability to exercise fundamental rights (GDPR data subject rights as well as related rights, such as the fundamental right to send and receive information);
4. Reidentification of pseudonymised data; and
5. Unlawful (further) processing.

These risks have to be assessed against the likelihood of their occurrence and the severity of their impact. The UK data protection commission ICO provides the following guidance regarding the assessment of risks: “Harm does not have to be inevitable to qualify as a risk or a high risk. It must be more than remote, but any significant possibility of very serious harm may still be