DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
purposes are quoted between brackets, to indicate they only apply to the Diagnostic Data.

1. Help end users share content by suggesting recipients from their contacts;
2. Maintaining the service by tracking outages;
3. Provide recommendations. For example, Security Check-up provides security tips adapted to how you use Google products;
4. Provide personalised content, for example based on information like apps you’ve already installed (…) to suggest new apps you might like;
5. Customizing our services to provide you with a better end user experience, provide customised search results;
6. Optimize product design. For example, we analyze data about your visits to our sites to do things like optimize product design;
7. Communicate with you to interact with you directly. For example, we may send you a notification if we detect suspicious activity;181
8. Improve the reliability of our services. We use automated systems that analyze your content to provide you with things like customized search results, [personalized ads], or other features tailored to how you use our services;
9. Use cookies for many purposes. We use them, for example, to remember your safe search preferences, [to make the ads you see more relevant to you], to count how many visitors we receive to a page, to help you sign up for our services, to protect your data, or to remember your ad settings;182
10. To allow specific partners to collect information from your browser or device for [advertising] and measurement purposes using their own cookies or similar technologies;
11. When necessary for legitimate business or legal purposes such as financial record-keeping;
12. Other purposes not covered in the Privacy Policy, we’ll ask for your consent.
In sum, this DPIA identifies 6 purposes for which Google processes personal data in Customer Data and 10, sometimes different, purposes for which Google processes Diagnostic Data from the Core Services. Given the lack of transparency about what Google qualifies as ‘Provide the Services and TSS’, it cannot be excluded that Google processes personal data and Diagnostic Data from the Core Services for 12 other purposes. For the avoidance of doubt, the purposes listed in this Section 4 only describe the factual findings of this DPIA. The assessment of whether these purposes are specific and explicit is made in Section 13.

4.3 Purposes Additional Services and Google Account, when not used in a Core Service

The processing of personal data in connection with Additional Services is explicitly excluded from the scope of the G Suite DPA. Google explains that its consumer Terms of Service and its (consumer) Privacy Policy apply to such processing: “For clarity, this Data Processing Amendment does not apply to the processing of personal data in connection with the provision of any Additional Products installed or used by Customer, including personal data transmitted to or from such Additional Products. Customer may use the functionality of the Services to enable or disable
181 According to Google, this relates to the use of contact data. It is still included in this list because it is plausible that Google will use Diagnostic Data to detect suspicious activity.
182 Google, How Google uses cookies, URL: https://policies.google.com/technologies/cookies?hl=en