DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
In the new Google Terms of Service (effective 31 March 2020), Google explains that these consumer terms apply to the data processing that results from the use of the Additional Services.[80] All end users with a Google Account must accept these (consumer) Terms of Service, regardless of whether they create the account as a consumer or as an employee in the enterprise environment. Google explains that this is because their G Suite credentials may be used to sign into and use consumer services if their IT administrator does not restrict such use.[81] Google explains to administrators that they can disable access to the Additional Services if they cannot bind their end users (government employees) to these terms. “If Customer does not wish to enable any Additional Products, or if you are acting on behalf of Customer but do not have the requisite authority to bind Customer to these Additional Product Terms, please disable such Additional Products via the functionality of the Services.”[82]
2. Personal data and data subjects

The Dutch government DPIA model requires that this section provides a list of the kinds of personal data that will be processed via the Diagnostic Data, and per category of data subjects, what kind of personal data will be processed by the product or service for which the DPIA is conducted. Since this is an umbrella DPIA, this report can only provide an indication of the categories of personal data and data subjects that may be involved in the data processing. As the categories of personal data and data subjects in Customer Data and Support Data are dependent on the data that the customer and its end users provide to Google, this Section focusses on the data that is collected by Google through the use of the services (Diagnostic Data). The section provides arguments why the Diagnostic Data processed by Google about the individual use of the G Suite Core and the tested Additional Services, the Google Account and the telemetry data from the apps and the Chrome browser are personal data. Section 2.3 contains the analysis of outgoing traffic.
2.1 Definitions of different types of personal data
2.1.1 Definitions GDPR

Article 4(1) of the GDPR provides the following definition of personal data: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The concept of processing is defined in Article 4(2) of the GDPR: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
[80] Google, updated Terms of Service 31 March 2020: “We added a link to a page of service-specific additional terms that make it easier to find all the terms of use that apply to a particular service.”
[81] Google reply to part A of the DPIA.
[82] Ibid.