Mervinskiy 516

Page 44

DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021

In the new Google Terms of Service (effective 31 March 2020), Google explains that these consumer terms apply to the data processing as a result of the use of the Additional Services.80 All end users with a Google Account must accept these (consumer) Terms of Service, regardless if they create the account as a consumer or as an employee in the enterprise environment. Google explains that this is because their G Suite credentials may be used to sign into and use consumer services if their IT administrator does not restrict such use.81 Google explains to administrators that they can disable access to the Additional Services if they cannot bind their end users (government employees) to these terms. “If Customer does not wish to enable any Additional Products, or if you are acting on behalf of Customer but do not have the requisite authority to bind Customer to these Additional Product Terms, please disable such Additional Products via the functionality of the Services.”82

2.

Personal data and data subjects The Dutch government DPIA model requires that this section provides a list of the kinds of personal data that will be processed via the Diagnostic Data, and per category of data subjects, what kind of personal data will be processed by the product or service for which the DPIA is conducted. Since this is an umbrella DPIA, this report can only provide an indication of the categories of personal data and data subjects that may be involved in the data processing. As the categories of personal data and data subjects in Customer Data and Support Data are dependent on the data that the customer and its end users provide to Google, this Section focusses on the data that is collected by Google through the use of the services (Diagnostic Data). The section provides arguments why the Diagnostic Data processed by Google about the individual use of the G Suite Core and the tested Additional Services, the Google Account and the telemetry data from the apps and the Chrome browser are personal data. Section 2.3 contains the analysis of outgoing traffic.

2.1

Definitions of different types of personal data

2.1.1

Definitions GDPR Article 4(1) of the GDPR provides the following definition of personal data: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” The concept of processing is defined in Article 4(2) of the GDPR: “’processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Google, updated Terms of Service 31 March 2020: “We added a link to a page of service-specific additional terms that make it easier to find all the terms of use that apply to a particular service.” 81 Google reply to part A of the DPIA. 82 Ibid. 80

p. 36/162


Turn static files into dynamic content formats.

Create a flipbook

Articles inside

Conclusions

2min
page 170

17.4 Google measures 12 February 2021

19min
pages 161-169

16.3 Summary of risks

2min
pages 155-156

16.2 Assessment of Risks

36min
pages 142-154

15.7 Right to file a complaint

0
page 139

15.3 Right to access

5min
pages 136-137

14.3 Assessment of the subsidiarity

2min
page 134

14.1 The principle of proportionality

2min
page 130

14.2 Assessment of the proportionality

8min
pages 131-133

12.1 Transfer of special, sensitive, secret and confidential data to the USA

5min
pages 128-129

11.3 Google’s own legitimate business purposes

5min
pages 126-127

all Diagnostic Data

5min
pages 124-125

Services

22min
pages 116-123

Part B. Lawfulness of the data processing

2min
page 115

8.1 Anonymisation

15min
pages 106-111

6.3 Joint interests

11min
pages 101-105

6.2 Interests of Google

2min
page 100

6.1 Interests of the Dutch government organisations

2min
page 99

5.2 Data processor

5min
pages 88-89

5.3 Data controller

18min
pages 90-96

5.4 Joint controllers

5min
pages 97-98

4.4 Specific purposes Chrome OS and the Chrome browser

2min
page 86

5.1 Definitions

2min
page 87

4.3 Purposes Additional Services and Google Account, when not used in a Core Service

8min
pages 83-85

4.2 Purposes Google

13min
pages 77-82

4.1 Purposes government organisations

2min
page 76

2.5 Types of personal data and data subjects

7min
pages 60-62

3.2 Privacy controls administrators

7min
pages 70-75

3.1 Privacy controls G Suite account for end users

9min
pages 63-69

2.3 Outgoing traffic analysis

8min
pages 52-55

2.4 Results access requests

10min
pages 56-59

2.2 Diagnostic Data

7min
pages 47-51

Related services that may send Customer Data to Google, such as the Feedback form and the Enhanced Spellchecker in the Chrome browser.

4min
pages 13-15

2.1 Definitions of different types of personal data

7min
pages 44-46

Part A. Description of the data processing

0
page 25

The enrolment framework for G Suite Enterprise

2min
pages 42-43

G Suite Core Services, Google Account, Support Services, Additional Services, and Other related services

23min
pages 28-41

Functional Data

2min
page 27

Introduction

7min
pages 16-18

1 Legal framework and contractual arrangements between government organisations and

4min
pages 23-24
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.