DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
account data as processor. Only when end users access Additional Services, such as Search or Youtube, does Google process the Google Account data as data controller. However, at the time of completion of this DPIA, Google’s role as a data processor for the processing of personal data relating to the Google Account Data and the Features was not contractually guaranteed. Furthermore, Google does not act as a data processor for the Diagnostic Data collected about the use of the Core Services, the Features, the Google Account, the Additional Services and related services such as the Feedback form and the enhanced spellchecker in the Chrome browser. Google objects against the analysis of its role as a joint controller with its customers for the Diagnostic Data (including the telemetry and the cookie/website data). This objection is reflected in the DPIA, but did not lead to a different analysis (See Section 5.4 of this DPIA). Purposes Google disagrees with the list of purposes identified in this report, as it considers those purposes to be examples of processing activities, and not purposes. Google states that it only has one purpose for the processing of Customer Data as data processor: “As documented in Section 5.2.1 of the G Suite DPA Google is only contractually permitted to process Customer Personal Data according to the documented instructions of our customer described in that section. This includes an overall instruction to provide the services”. Google refused to provide an exhaustive list of purposes for which it processes the different categories of Diagnostic personal Data on the use of G Suite Enterprise. At the moment of completion of this DPIA, in July 2020, Google committed to drafting a new Enterprise Privacy Notice that will provide explicit and specific purposes for which Google processes personal data that Google collects or generates that are not personal data in Customer Data. On 12 November 2020 Google published a Google Cloud Privacy Notice with a list of purposes.14 Google’s interests in the use of Diagnostic Data for personalised advertising Part A describes that Google permits itself in its (consumer) Privacy Policy to use of Diagnostic Data for advertising purposes. In the technical inspection occurrence of a DoubleClick cookie was observed during the log-in to the G Suite Enterprise Core Services. Google disagrees with the conclusion that Google has an interest in the use of Diagnostic Data for advertising purposes, and clarified that the DoubleClick cookie was a bug which since has been fixed. Outline This assessment follows the structure of the Model Gegevensbeschermingseffectbeoordeling Rijksdienst (PIA) (September 2017).15 This model uses a structure of four main sections, which are reflected here as “parts”. 1. 2. 3. 4.
Description of the factual data processing Assessment of the lawfulness of the data processing Assessment of the risks for data subjects Description of mitigation measures
Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice 15 The Model Data Protection Impact Assessment federal Dutch government (PIA). For an explanation and examples (in Dutch) see: https://www.rijksoverheid.nl/documenten/ rapporten/2017/09/29/modelgegevensbeschermingseffectbeoordeling-rijksdienst-pia 14
p. 15/162