Conclusions
9 Lack of control third parties / processors
Google currently offers free access to admins to the Play Store for Work, for end-users to download the Device Policy App. Google only uses subprocessors for Customer Personal Data in the support requests.
However, as self-qualified controller for the Service Data, Google gives its Enterprise customers no information or control over the third parties with which it may share personal data. In view of the limited set of personal Customer data that Google wants to share with subprocessors, and the contractual guarantees that Google will comply with the GDPR, also when using subprocessors, the lack of control over new subprocessors for Customer Data can be reassessed as a low risk.
The lack of control over Google’s unknown processors or third parties for the Diagnostic Data, Support Data and data in the Feedback form, parties that may each engage other unknown third parties / subprocessors, remains a high risk.
10 No access for data subjects
With regard to the Diagnostic Data Google already makes available for admins, Google commits to create a new individual take-out possibility. Google also commits to provide a better explanation to end-users, by July 2021, when it doesn’t provide access to personal data. For example, Google does not include data if providing a copy of such data would adversely affect the rights and freedoms of others. Also, by design, Google does not provide exact copies of any raw log data, as that might enable a malicious actor to construct attack scenarios that could lead to significant harm. There is a remaining high risk that Google will not provide the required access to the personal data contained in telemetry and cookie data, as demonstrated in section 2.4 of this DPIA, and assessed in section 15.3. After July 2021, it needs to be assessed whether Google’s arguments are convincing that it cannot identify the user of cookie data, and in other circumstances, can rely on the exceptions in article 23 of the GDPR to not provide access.
In sum, the use of Google Workspace as offered under the privacy amendment of the Dutch government still leads to 8 high risks for the different categories of data subjects involved (not just employees, but all kinds of other data subjects that may interact with the Dutch government).
SLM Rijk proceeds by engaging in a prior consultation procedure with the Dutch Data Protection Authority.