DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
Google Account As explained in Section 1.4.2, end users have to create a Google Account in order to use the G Suite Enterprise services. In principle, Google processes data relating to a Google Account (as a data controller) under its (consumer) Privacy Policy. However, Google explained that when a Google Account is used to access a Core Service, the processing is subject to the G Suite DPA, rather than the (consumer) Privacy Policy: “We consider Google Accounts to primarily serve as engineering infrastructure by which an end user authenticates and gains access to whatever services the end user is allowed to access by virtue of its relationship with Google. Google Account is processed in the same way as Core Service data when its functionality is used in conjunction with Core Services (to which the G Suite DPA, rather than the Google Privacy Policy would apply).”88 Support Data As described in Section 1.4.4, G Suite includes technical support services relating to the Core Services (Technical Support Services).89 Google refers to the data it obtains in connection with the Technical Support Services as Support Data. In the Technical Support Services Guidelines (TSS Guidelines), Google defines Support Data as ‘account details and the information that Customer provides to Google for the purpose of obtaining TSS under these Guidelines, including requests for support and the details provided to Google about the specific support issue.’ According to the TSS Guidelines, Google collects and processes Support Data for the purpose of providing the support services described in these Guidelines and maintaining the Services.90 Google does not provide additional information.
2.2
Diagnostic Data As explained in Section 1.2, Google collects Diagnostic Data in multiple ways. Sections 2.2 to 2.4 discuss how Privacy Company obtained access to Diagnostic Data in the context of this DPIA and contains an overview of the content of such Diagnostic Data. Though Google provides extensive documentation about the existence and contents of the logs that it makes available for administrators, there is very little public documentation about other Diagnostic Data Google collects, such as telemetry data, or other data Google collects on its servers about the use of G Suite Enterprise applications.
2.2.1
Audit logs and visual reports Google stores Diagnostic Data about the use of its cloud services in log files. Googles makes some of these logs available for admins in so-called audit logs. There is no public documentation what logs Google collects in system generated logs, and what data it makes available for admins. The audit logs provide some information about the Diagnostic Data Google collects. Another source of information used for this report, is traffic interception from the installed apps. This will be discussed below, in Section 2.3.
Google reply to part A of the DPIA. As well as services identified as ‘Other Services’ in the G Suite Services Summary and services described in the Complementary Product Services provided under a separate agreement. These services are out of scope of this DPIA. 90 Clause 6.4 G Suite Technical Support Services Guidelines. 88 89
p. 39/162
