Mervinskiy 516


DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021

and purpose limitation, Google currently does not qualify as data processor for the processing of any of the personal data it collects in and about the use of G Suite Enterprise. As explained in this DPIA, Google and the government organisations are joint controllers, but they cannot successfully claim any legal ground for the processing, as required in Article 6 of the GDPR. Until Google becomes a data processor, not only for the personal data in Customer Data, but also for the personal data in Diagnostic Data and other data described in this report such as personal data relating to the Google Account, government organisations are advised not to use G Suite Enterprise.

17.4 Google measures 12 February 2021

SLM Rijk provided Google with the DPIA findings upon completion of this DPIA. Between August and January 2020, SLM Rijk and Google discussed measures to mitigate the ten high data protection risks. Google announced or already implemented several technical and organisational measures to mitigate high risks, especially with regard to Customer Data.

In a privacy amendment on the framework contract, Google agrees to only process the Customer Data for three authorised purposes. In December 2020 Google published extensive information about its different services and privacy settings in the Google Workspace Data Protection Implementation Guide. Google has clarified that it performs all data processing of the Enterprise Account Data and use of the Features, when used in the Core Workspace Services, exclusively in a role as data processor, for the three authorised purposes. The negotiated privacy amendment prohibits Google from processing Customer Personal Data and/or Service Data for Advertising purposes or for profiling, data analytics and market research. Google has taken extra measures to prevent spill-over of personal data from the enterprise to the consumer environment. When an employee accesses an Additional Service such as Google Search with a work account, Google ensures that the employee is automatically logged out. Google also grants the Dutch government an effective audit right to verify compliance with the agreed processing.

Unfortunately, only two of the 10 high risks have (yet) been completely mitigated through the negotiated privacy amendment and additional improvement measures taken or announced by Google. The risks with regard to the use of one Google account in the work and consumer context, and with regard to privacy-unfriendly default settings, have been or can be effectively mitigated.

Google does not expressly commit to only process Customer Personal Data when proportionate, while processing for the three authorised purposes is logical for Diagnostic Data and Support Data, but not for the processing of Customer Personal Data. Google does not want to become a data processor for the different kinds of Diagnostic Data on the individual use of the Workspace services, or for the Support Data when a customer files a Support Request (different from giving a Support employee live access to personal data), or for information provided through the Feedback form. Google does not acknowledge its role as joint controller either for these types of data processing. Google does not follow the recommended measures to include Chrome Enterprise in its Google Workspace offering, or include a separate ‘data processor’ Chrome browser on Android devices and Chromebooks (where installing another browser is not a realistic option). It is up to the data protection authority to assess whether Google’s arguments are convincing that it can operate as an independent data controller for the Diagnostic Data, the Support Data, the Feedback data and data collected via the use of the Chrome browser.
