DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
Google currently offers free access to admins to the Play Store for Work, for end-users to download the Device Policy App 9
Lack of control third parties / proces sors
Google only uses subprocessors for In view of the limited set of Customer Personal Data in the personal Customer data that support requests. Google wants to share with subprocessors, and the However, as self-qualified contractual guarantees that controller for the Service Data, Google will comply with the Google gives its Enterprise GDPR, also when using customers no information or subprocessors, the lack of control over the third parties with control over new subprocessors which it may share personal data. for Customer Data can be reassessed as a low risk. The lack of control over Google’s unknown processors or third parties for the Diagnostic Data, Support Data and data in the Feedback form, parties that may each engage other unknown third parties / subprocessors, remains a high risk.
10
No access for data subjects
With regard to the Diagnostic Data Google already makes available for admins, Google commits to create a new individual take-out possibility. Google also commits to provide a better explanation to end-users, by July 2021, when it doesn’t provide access to personal data. For example, Google does not include data if providing a copy of such data would adversely affect the rights and freedoms of others. Also, by design, Google does not provide exact copies of any raw log data, as that might enable a malicious actor to construct attack scenarios that could lead to significant harm.
There is a remaining high risk that Google will not provide the required access to the personal data contained in telemetry and cookie data, as demonstrated in section 2.4 of this DPIA, and assessed in section 15.3. After July 2021, it needs to be assessed whether Google’s arguments are convincing that it cannot identify the user of cookie data, and in other circumstances, can rely on the exceptions in article 23 of the GDPR to not provide access.
Conclusions In sum, the use of Google Workspace as offered under the privacy amendment of the Dutch government, still leads to 8 high risks for the different categories of data subjects involved (not just employees, but all kinds of other data subjects that may interact with the Dutch government). SLM Rijk proceeds by engaging in a prior consultation procedure with the Dutch Data Protection Authority.
p. 162/162
