DPIA on the Use of Google G Suite (Enterprise) for Education for the University of Groningen and the Amsterdam University of Applied Sciences
DPIA on the use of Google G Suite (Enterprise) for Education
For the University of Groningen and the Amsterdam University of Applied Sciences
15 July 2020, update 12 March 2021
Sjoera Nas
Floor Terra
Updated G Suite for Education DPIA 12 March 2021 clean 0 / 175

Contents

SUMMARY
    CONCLUSION 12 MARCH 2021
INTRODUCTION
    DPIA: WHAT IS IT AND WHY IS IT MANDATORY?
    SCOPE: G SUITE (ENTERPRISE) FOR EDUCATION
    INPUT FROM GOOGLE
    OUTLINE DPIA REPORT

PART A. DESCRIPTION OF THE DATA PROCESSING
1. THE PROCESSING OF PERSONAL DATA
    1.1 CUSTOMER DATA
    1.3 FUNCTIONAL DATA
    1.4 DIFFERENT G SUITE EDITIONS
    1.5 G SUITE CORE SERVICES, GOOGLE ACCOUNT, SUPPORT SERVICES, ADDITIONAL SERVICES, AND OTHER RELATED SERVICES
    1.6 THE ENROLMENT FRAMEWORK FOR G SUITE (ENTERPRISE) FOR EDUCATION
2. PERSONAL DATA AND DATA SUBJECTS
    2.1 DEFINITIONS OF DIFFERENT TYPES OF PERSONAL DATA
    2.2 DIAGNOSTIC DATA
    2.3 OUTGOING TRAFFIC ANALYSIS
    2.4 RESULTS ACCESS REQUESTS
    2.5 TYPES OF PERSONAL DATA AND DATA SUBJECTS
3. DATA PROCESSING CONTROLS
    3.1 PRIVACY CONTROLS GOOGLE ACCOUNT FOR END-USERS
    3.2 PRIVACY CONTROLS ADMINISTRATORS
4. PURPOSES OF THE PROCESSING
    4.1 PURPOSES AUAS AND UG
    4.2 PURPOSES GOOGLE
    4.3 PURPOSES ADDITIONAL SERVICES AND GOOGLE ACCOUNT, WHEN NOT USED IN A CORE SERVICE
    4.4 SPECIFIC PURPOSES CHROME OS AND THE CHROME BROWSER
5. PROCESSOR OR (JOINT) CONTROLLER
    5.1 DEFINITIONS
    5.2 DATA PROCESSOR
    5.3 DATA CONTROLLER
    5.4 JOINT CONTROLLERS
6. INTERESTS IN THE DATA PROCESSING
    6.1 INTERESTS OF THE UNIVERSITIES
    6.2 INTERESTS OF GOOGLE
    6.3 JOINT INTERESTS
7. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA
8. TECHNIQUES AND METHODS OF THE DATA PROCESSING
    8.1 ANONYMISATION
9. ADDITIONAL LEGAL OBLIGATIONS: E-PRIVACY DIRECTIVE
10. RETENTION PERIODS
    10.1 CUSTOMER DATA
    10.2 DIAGNOSTIC DATA

PART B. LAWFULNESS OF THE DATA PROCESSING
11. LEGAL GROUNDS
    11.1 CUSTOMER DATA FROM THE CORE SERVICES, FEATURES AND THE GOOGLE ACCOUNT USED IN THE CORE SERVICES
    11.2 PERSONAL DATA IN ADDITIONAL SERVICES, OTHER RELATED SERVICES, TECHNICAL SUPPORT SERVICES AND ALL DIAGNOSTIC DATA
    11.3 GOOGLE’S OWN LEGITIMATE BUSINESS PURPOSES
12. SPECIAL CATEGORIES OF DATA
    12.1 TRANSFER OF SPECIAL, SENSITIVE, SECRET AND CONFIDENTIAL DATA TO THE USA
13. PURPOSE LIMITATION
14. NECESSITY AND PROPORTIONALITY
    14.1 THE PRINCIPLE OF PROPORTIONALITY
    14.2 ASSESSMENT OF THE PROPORTIONALITY
    14.3 ASSESSMENT OF THE SUBSIDIARITY
15. DATA SUBJECT RIGHTS
    15.1 LEGAL FRAMEWORK AND CONTRACTUAL ARRANGEMENTS BETWEEN UNIVERSITIES AND GOOGLE
    15.2 RIGHT TO INFORMATION
    15.3 RIGHT TO ACCESS
    15.4 RIGHT OF RECTIFICATION AND ERASURE
    15.5 RIGHT TO OBJECT TO PROFILING
    15.6 RIGHT TO DATA PORTABILITY
    15.7 RIGHT TO FILE A COMPLAINT

PART C. DISCUSSION AND ASSESSMENT OF THE RISKS
16. RISKS