DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
Article 4(8) of the GDPR defines a processor as: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” A subprocessor is a subcontractor engaged by a processor that assists in the processing of personal data on behalf of a data controller. Article 28 GDPR sets out various obligations of processors towards the controllers for whom they process data. Article 28(3) GDPR contains specific obligations for the processor. Such obligations include only processing personal data in accordance with documented instructions from the data controller and cooperating with audits by a data controller. Article 28(4) GDPR stipulates that a data processor may use subprocessors to perform specific tasks for the data controller, but only with the prior authorisation of the data controller. When data protection roles are assessed, the formal contractual division of roles is neither leading nor decisive. The actual role of a party must primarily be determined on the basis of factual circumstances.
5.2 Data processor
5.2.1 Personal data in Customer Data in the Core Services
Pursuant to the G Suite DPA, Google considers itself to be a data processor for the processing of ‘Customer Personal Data’: “If European Data Protection Law applies to the processing of Customer Personal Data: (…) b. Google is a processor of that Customer Personal Data under European Data Protection Law”190 It follows from the definitions of the G Suite DPA that this data processor role is limited to the Core Services.
The G Suite DPA contains the following instructions given by the data controller (the government organisation) for the processing of personal data in Customer Data from the Core Services: “Customer instructs Google to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and TSS; (b) as further specified via Customer’s and End Users’ use of the Services (including the Admin Console and other functionality of the Services) and TSS; (c) as documented in the form of the applicable Agreement, including this Data Processing Amendment; and (d) as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of this Data Processing Amendment.”191
As quoted above, the G Suite DPA includes the non-limitative general purpose of ‘providing the Service and TSS’. Google insists it only follows documented instructions from its customers. This purpose is not specific and explicit enough to enable government organisations to comply with their obligation to only process personal data for specific and explicit purposes. As explained in Section 4, the G Suite DPA, public documentation, responses from Google and the technical findings from this DPIA result in the identification of 6 specific purposes for the processing of personal data in Customer Data. These
190 Google G Suite DPA, Section 5.1.1.
191 Clause 5.2.1 G Suite DPA.