DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
data relate to. Google was not willing to let the researchers provide additional information enabling their identification.
2.5
Types of personal data and data subjects As emphasized above, this DPIA cannot provide the required limitative overview of the different categories of personal data that will be processed in the context of G Suite Enterprise. However, this report aims to provide assistance to the government organisations about these categories, to help them decide about the actual installation and settings based on an inventory of the categories of personal data that are factually processed in their specific organisation. As the categories of personal data and data subjects in Customer Data and Support Data are dependent on the data that the customer and its end users provide to Google, this section focusses on the data that are collected by Google through the use of the services (Diagnostic Data).
2.5.1
Categories of personal data Generally speaking, end user can process all kinds of personal data with G Suite Enterprise. The different services can be used for many different purposes by many different organisations. Absent a comprehensive documentation and publicly available policy rules governing the types of data that can be stored by Google as Diagnostic Data, it is prudent to assume that the G Suite Diagnostic Data may include all categories of personal data. Some types of data require extra attention due to their sensitive nature. Classified Information Depending on the capacity in which Dutch government employees work, they may process confidential government information or state secrets (Classified Information). The Dutch government defines four classes of Classified Information, ranging from confidential within a department to top secret.126 Classified Information is not a separate category of data in the GDPR or other legislation concerning personal data. However, information processed by the government that is qualified as Classified Information, regardless of whether it qualifies as personal data, must be protected by special safeguards. The processing of this information may also have a privacy impact if such information relates to a specific individual. If the personal data of a government employee, such as his G Suite email address at the domain of his employer, or unique device identifier, reveals that this person works with Classified Information, the impact on the private life of this employee may be higher than if that employee would only process ‘regular’ personal data. Unauthorised use of Classified Information could for example lead to a higher risk of being targeted for social engineering, spear phishing and/or blackmailing. Google acknowledges that there may be spill-over from an employee’s ‘private’ Google Account to his enterprise Google Account. “When you’re signed in with more than 1 Google Account at the same time, ads may be based on ad settings for your default account. Your default account is usually the account you signed in with first.” 127
Amongst others, the categories of classified information are defined in the Voorschrift Informatiebeveiliging Rijksdienst – Bijzondere Informatie (VIR-BI). 127 Google, Control the ads you see, URL: https://support.google.com/ads/answer/2662856 126
p. 52/162
