DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
4.2
Purposes Google As will be analysed in Section 5, Google considers itself to be a data processor for the processing of personal data in Customer Data from the Core Services, the Features, the Google Account (to the extent used in conjunction with a Core Service) and the Technical Support Services. Section 4.2.1 discusses the purposes described in the G Suite DPA, the data processing agreement between the government organisation and Google and purposes identified by Privacy Company on the basis of the G Suite DPA, other Google documentation, responses from Google and technical findings of this DPIA. Google considers itself to be an independent data controller for the processing of personal data actively provided by end users in (a) the Additional Services, (b) the Google Account (to the extent not used in conjunction with a Core Service) and (c) Feedback and possible Other related services. Google also considers itself to be an independent data controller for the processing of all Diagnostic Data, including about the use of the Core Services and about the use of the Technical Support Services. At the time of completion of this DPIA, Google only described the purposes of its processing of personal data as a data controller in its (consumer) Privacy Policy.159 These purposes are discussed in Sections 4.2.2.
4.2.1
Purposes personal data in Core Services, Features and the Google Account when used in conjunction with the Core Services The G Suite DPA contains the following descriptions of the purposes for which personal data in Customer Data from the Core Services are processed: “Google will process Customer Personal Data for the purposes of providing the Services and TSS to Customer in accordance with the Data Processing Amendment.”160 “Customer instructs Google to process Customer Personal Data only in accordance with applicable law: • to provide the Services and TSS) • as further specified via Customer’s and End Users’ use of the Services (including the Admin Console and other functionality of the Services) and TSS; • as documented in the form of the applicable Agreement, including this Data Processing Amendment; and • as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of this Data Processing Amendment.”161 • “For clarity, Google will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services.”162 In the context of this DPIA, Privacy Company asked Google to specify what ‘providing the Services and TSS’ constitutes. Google did not provide any further description other than: “according to the documented instructions of our customer as a data controller, which are set out in the section of the DPA entitled “Customer’s Instructions”.
159
On 12 November 2020 Google published a Google Cloud Privacy Notice with a list of purposes. Google, URL: https://cloud.google.com/terms/cloud-privacy-notice 160 Appendix 1 G Suite DPA. 161 Clause 5.2.1 G Suite DPA. 162 Clause 5.2.2 G Suite DPA.
p. 69/162
