DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
Introduction

This report is commissioned by the Microsoft Strategic Vendor Management office (SLM Rijk[1]) of the Ministry of Justice and Security. This is the first DPIA report from the Dutch government about G Suite Enterprise. Previously, SLM Rijk commissioned and published impact assessments about different Microsoft Office 365 and Windows 10 products and services.[2] The full reports with appendices are available in English, with a short summary in Dutch. The DPIA reports have been written by the Dutch privacy consultancy firm Privacy Company.[3]

DPIA

Under the terms of the General Data Protection Regulation (GDPR), an organisation is obliged to carry out a data protection impact assessment (DPIA) under certain circumstances, for instance where it involves large-scale processing of personal data. The assessment is intended to shed light on, among other things, the specific processing activities, the inherent risk to data subjects, and the safeguards applied to mitigate these risks. The purpose of a DPIA is to ensure that any risks attached to the process in question are mapped and assessed, and that adequate safeguards have been implemented to mitigate those risks.

A DPIA used to be called PIA, privacy impact assessment. According to the GDPR a DPIA assesses the risks for the rights and freedoms of individuals. Data subjects have a fundamental right to protection of their personal data and some other fundamental freedoms that can be affected by the processing of personal data, such as for example freedom of expression. The right to data protection is therefore broader than the right to privacy.

Recital 4 of the GDPR explains: “This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity”.

This DPIA follows the structure of the DPIA Model mandatory for all Dutch government organisations.[4]

Umbrella DPIA versus individual DPIAs

Currently, most of the approximately 300.000 employees and workers in the Dutch ministries, parliament, the High Councils of state, the advisory commissions, the police, the fire department and the judiciary, as well as the independent administrative authorities use Microsoft Office 365 software.[5] The Google G Suite Enterprise services could be a relevant alternative for Office 365, if the outcome of the DPIA is that there are no residual high risks for data subjects whose data are processed through G Suite Enterprise.

[1] SLM is the abbreviation of the Dutch words Strategisch Leveranciersmanagement Microsoft.
[2] URL: https://slmmicrosoftrijk.nl/
[3] https://www.privacycompany.eu/
[4] Model Gegevensbeschermingseffectbeoordeling Rijksdienst (PIA) (September 2017). For an explanation and examples (in Dutch) see: https://www.rijksoverheid.nl/documenten/rapporten/2017/09/29/modelgegevensbeschermingseffectbeoordeling-rijksdienst-pia.
[5] These organisations can use the future volume licenses that are negotiated by SLM Rijk with Google.