5 minute read
5.2 Data processor
Article 4(8) of the GDPR defines a processor as: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” A subprocessor is a subcontractor engaged by a processor that assists in the processing of personal data on behalf of a data controller.
Article 28 GDPR sets out various obligations of processors towards the controllers for whom they process data. Article 28(3) GDPR contains specific obligations for the processor. Such obligations include only processing personal data in accordance with documented instructions from the data controller and cooperating with audits by a data controller. Article 28(4) GDPR stipulates that a data processor may use subprocessors to perform specific tasks for the data controller, but only with the prior authorisation of the data controller.
Advertisement
When data protection roles are assessed, the formal contractual division of roles is not leading nor decisive. The actual role of a party must primarily be determined on the basis of factual circumstances.
5.2 Data processor
5.2.1 Personal data in Customer Data in the Core Services Pursuant to the G Suite DPA, Google considers itself to be a data processor for the processing of ‘Customer Personal Data’: “If European Data Protection Law applies to the processing of Customer Personal Data: (…) b. Google is a processor of that Customer Personal Data under European Data Protection Law”190
It follows from the definitions of the G Suite DPA that this data processor role is limited to the Core Services.
The G Suite DPA contains the following instructions given by the data controller (the government organisation) for the processing of personal data in Customer Data from the Core Services:
“Customer instructs Google to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and TSS; (b) as further specified via Customer’s and End Users’ use of the Services (including the Admin Console and other functionality of the Services) and TSS; (c) as documented in the form of the applicable Agreement, including this Data Processing Amendment; and (d) as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of this Data Processing Amendment.”191
As quoted above, the G Suite DPA includes the non-limitative general purpose of ‘providing the Service and TSS’. Google insists it only follows documented instructions from its customers. This purpose is not specific and explicit enough to enable government organisations to comply with their obligation to only process personal data for specific and explicit purposes.
As explained in Section 4, the G Suite DPA, public documentation, responses from Google and the technical findings from this DPIA result in the identification of 6 specific purposes for the processing of personal data in Customer Data. These
190 Google G Suite DPA, Section 5.1.1. 191 Clause 5.2.1 G Suite DPA.
purposes are however not enumerated in the G Suite DPA and therefore not part of the government organisation’s documented instructions. Google seemingly considers these purposes to be compatible with the purpose of ‘providing the Services and the Technical Support Services’.
Data controllers must determine the purposes of processing in a data processor agreement with the data processor. Data processors may only process personal data on behalf of the data controller. 192 Therefore, Google as a data processor may not determine what purposes are compatible with the main purpose of technically delivering the G Suite service, or keeping it secure. Regardless of the contractual arrangement, if Google does determine any (compatible) purposes of processing, it acts a data controller and not as a data processor.
As detailed in Section 4.2, Google does not offer an exhaustive list of specific and explicit purposes for which Google as a data processor necessarily has to process personal data. Google only excludes a specific purpose, and promises not to process Customer Personal Data for Advertising purposes or serve Advertising in the (Core) Services.”193
This DPIA shows that Google factually processes personal data for purposes that are not specifically and explicitly enumerated as part of the documented instructions of the data controller. Though data processors are legally required to take adequate security measures to protect the data of all customers, such a liberty to determine purposes of the processing is not available for purposes such as scanning the contents of communications to proactively detect unlawful content. Google however, seems to deem such purposes compatible with the catch-all purpose of providing the service.
By determining the (compatible) purposes of processing, Google steps outside of its role as data processor. In the absence of any explicit and specific purpose in the documented instructions, Google factually acts as a data controller for personal data in Customer Data in the Core Services, but not as an independent data controller.
5.2.2 Features, and the Google Account used in conjunction with the Core Services During the course of this DPIA, Google explained that it processed personal data in Customer Data from the Google Account and from the Features Spelling and Grammar, Translate and Explore in the same way as Customer Data from the Core Services. In reply to this DPIA, Google explained that it also considers the use of Google Maps a Core Service product feature, when it is embedded in Calendar. That implies the use of this functionality is also covered by the G Suite DPA.
Google’s assurances with regard to the personal data in Customer Data from the Google Account when used in conjunction with the Features need to be contractually formalised and documented. However, even if the Google Account (when used in conjunction with the Core Services) and the Features would be included under the current G Suite DPA, Google would still not qualify as a data processor. As explained above, by determining the (compatible) purposes of processing, Google steps outside of its role as data processor, and in the absence of any explicit and specific purpose in the documented instructions, Google factually acts as a data controller
192 Article 28(3) GDPR. 193 Idem, Section 5.2.2, last sentence. Based on the technical research, factually Google does not seem to process the Customer Data for advertising purposes, with the exception of one bug (a DoubleClick cookie that was accidentally set through a YouTube video when logging in to the Core Service Drive). This bug shows how complicated it is, even for Google itself, to offer a tracking free version of its services.