Mervinskiy 516


DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021

5.4 Joint controllers

Government organisations that use G Suite Enterprise software have a legitimate expectation that Google solely acts as a data processor for the personal data that Google processes through and about the use of G Suite Enterprise. However, in practice they enable Google to collect and process various personal data as a data controller for Google’s own purposes. As outlined in Sections 5.2 and 5.3.1 to 5.3.7 above, Google qualifies as a data controller for:

1. the Customer Data in the Core Services and content data in the Additional Services;
2. the Google Account (both when used in the Core Services and in the Additional Services);
3. the Diagnostic Data of the Core Services and the Additional Services;
4. personal data processed through Feedback;
5. some of the Support Data (not being personal data in Customer Data);
6. the engagement of new subprocessors; and
7. the disclosure of personal data to law enforcement, security agencies, and secret services in case Google is prohibited from redirecting the authorities to the customer.

However, Google cannot be qualified as an independent data controller for the processing with respect to the personal data listed in 1 to 7 above. According to three judgments of the European Court of Justice, parties can factually become joint controllers.216 That is even the case if the roles are unevenly distributed, or if the customer does not have access to the personal data processed by the supplier of the service. This can be the case if (i) the supplier processes the data for its own purposes, and (ii) this processing can only be performed (inextricable link) because the customer enables this data processing by selecting this supplier.

This enabling of processing by the supplier is clearly the case for the Google Account Data, the Diagnostic Data (including the website and telemetry data) and the Support Data. By engaging Google as a data processor for G Suite Enterprise, government organisations enable Google to collect personal data that Google otherwise would not be able to process.

Google operates under the incorrect assumption that it has the discretion to process personal data obtained through use of G Suite Enterprise as an independent data controller for purposes that have not been authorised by the government organisation. Google does so by simply referring to its (consumer) Privacy Policy and limiting all data protection guarantees to the personal data in Customer Data. This is wrong.

As enumerated in Section 4.3, in its role as data controller Google contractually permits itself to process personal data for at least 33 purposes. Many of these purposes are not specific or explicit. If Google wants to offer functionality or process personal data that are strongly linked to the use of G Suite Enterprise as independent data controller, such processing and such functionalities should be disabled by default. The controls to enable these

216 European Court of Justice, C-40/17, 29 July 2019, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, ECLI:EU:C:2019:629, C-210/16, 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein versus Wirtschaftsakademie Schleswig-Holstein GmbH, ECLI:EU:C:2018:388. See in particular par. 38-43. Also see: C-25/17, 10 July 2018, Tietosuojavaltuutettu versus Jehovah’s Witnesses — Religious Community, ECLI:EU:C:2018:551, par. 66-69.
