The Danish DPA bans the use of Google Workspace
ON THIS PAGE
Google Workspace for Education is a service, widely used in schools and other education communities. It is a convenient collection of Google services that are designed to help schools communicate, share, record, and streamline education content, keeping it safe and secure.
The Danish DPA bans the use of Google Workspace and Chromebooks
The General Data Protection Regulation (GDPR) is a data privacy law that protects the online privacy of users in Europe. It regulates the collection and processing of users' personal data and places limitations on what businesses and organizations can do with the sensitive personal data that they collect.
The GDPR violations lead to fines. In 2021-2022, big tech companies like Google, Amazon, and WhatsApp were charged huge fines for breaching the GDPR.
Recently, the use of Google Analytics was outlawed by data protection authorities of Austria, France, Italy, and Denmark for not complying with the GDPR due to international data transfers.
The European Court of Justice announced that the EU – US Privacy Shield became invalid on 16 July 2020. As a result of that decision, Google Analytics with its current settings can't ensure an adequate level of data protection in the US.
On July 14, 2022, the Danish DPA imposed a ban on the use of Google Workspace and Chromebooks in Helsingør municipality in Denmark. The Danish DPA, Datatilsynet, has been looking into Google Workspace GDPR compliance in Helsingør, better known in English as Elsinore, Municipality, particularly in primary schools, since 2020. The investigation started with a complaint in 2019 by a parent concerned that their child had opened a Youtube account under their own name via a school Chromebook. After the investigation, the Danish DPA ordered Helsingør to stop using any processing of data by Google Cloud which is transmitted to the US, and issued a general ban on the use of the SaaS suite, until the Google Workspace GDPR compliance issues were resolved. The Datatilsynet also ruled the local authority cannot use the search and advertising services of Google, including Gmail, Google Docs, and Chromebooks. The decision is based on international data transfers to third countries.
Theoretically, any use of products and services which transfer data from the EU to the US is in breach of GDPR after the invalidation of the EU – US Privacy Shield. But in practice, the use continues, with EU users relying on accepted Data Processing Amendments (DPA). The EU and US are currently working on a new Trans-Atlantic Data Privacy Framework, to replace the invalidated Privacy Shield agreement.
This is the first case when a data protection authority bans the use of Google Workspace. It should be noted that the Datatilsynet decision seems to ban the use of Google Workspaces in general by local authorities, even though the case itself was focused on the use of Google products in education. This latest ruling could have broader consequences, given the fact that it is the first ban of such a kind on Google Workspace due to the GDPR breach.
Is Google Workspace for Education GDPR Compliant?
Google Workspace for Education is designed to help schools communicate, share, record, and streamline education content, keeping it safe and secure. Google makes efforts to develop and modify its services to be GDPR compliant.
The users' personal data could be processed only after the users are informed about it and they give a cookie consent to use cookies for the collection and processing of their personal data. So, after all these GDPR compliance commitments of Google, is Google Workspace for Education actually GDPR compliant?
Google Workplace for Education offers its users Model Contract Clauses and the Data Processing Amendment to comply with the GDPR. Until now, Google Workspace for Education could be used in compliance with GDPR. Google's Data Processing Amendment is designed to meet the security requirements of the GDPR and model contract clauses were created specifically by the European Commission to permit the transfer of users' personal data from Europe to the US. However, on July 14, 2022, the Danish DPA imposed a ban on the use of Google Workspace in Helsingør municipality in Denmark due to data transfers to third countries. This is the first time when such a decision regarding the Google Workspace for Education compliance with the GDPR was issued.
Please note, that customers of Google services take the responsibility for establishing and maintaining GDPR compliance.
How to Make Google Workspace for Education GDPR Compliant?
To make Google Workspace for Education GDPR compliant, you have to:
- Review and accept the Data Processing Amendment.
- Review and accept the Model Contract Clauses.
- Update your cookie consent notification and Privacy Policy.
Data Processing Amendment
Google’s Data Processing Agreement sets up Google to act as a processor of the personal data that is collected and stored via Google Workspace for Education services. Under the agreement, the customer serves as the controller of such personal data by determining the purposes and means of processing personal data. Google, acting as a processor, processes personal data on the customer’s behalf and under the customer’s instructions.
Customers of Google services take the responsibility for establishing and maintaining GDPR compliance.
To review and accept the Data Processing Amendment, perform the following steps:
- Log in to your Google Admin interface.
- Go to Account, then Account Settings, and then to Legal and compliance from the Admin Home Page.
- In Security and Privacy Additional Terms, check Review and Accept. Choose between the EU Model Contract clauses for the Google Workspace for Education or Cloud Identity.
- Choose I Accept and finish.
After you signed the Data Processing Amendment agreement, appoint a responsible person in your organization to look after the contract provisions.
Model Contract Clauses
Model Contract Clauses are a part of the Data Processing Amendment and mean “standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the EU GDPR and set out at https://workspace.google.com/terms/mcc_terms.html. „
To review and accept the Model Contract Clauses, perform the following steps:
- Log in to your Google Admin interface.
- Go to Account, then Account Settings, and then to Legal and compliance from the Admin Home Page.
- In Security and Privacy Additional Terms, under Data Processing Amendment to Google Workspace or/and any other complementary product, find the option Review and Accept.
- Choose I Accept and finish.
Once again, appoint a responsible person in your organization to go over the contract provisions.
Cookie Consent notification and Privacy Policy
Customers of Google services, not Google itself, take the responsibility for establishing and maintaining GDPR compliance. To be GDPR compliant while using Google Workspace for Education, update your cookie consent notification and Privacy Policy. Clearly inform your website users about how you use their personal data, for what reasons, and that their data is sent to third countries for data processing under the Data Processing Amendment.
Need to be GDPR compliant? Choose CookieScript Consent Management Platform, and we will take care of your website's GDPR and other privacy law compliance issues!
Frequently Asked Questions
Is Google Workspace for Education GDPR compliant?
Until 2022, Google Workspace for Education could be used in compliance with GDPR. However, on July 14, 2022, the Danish DPA imposed a ban on the use of Google Workspace in Helsingør municipality in Denmark due to data transfers to third countries. Follow CookieScript privacy laws to know if the decision will be followed by other countries DPA.
How to make Google Workspace for Education GDPR compliant?
To make Google Workspace for Education GDPR compliant, you have to review and accept the Data Processing Amendment and the Model Contract Clauses. Keep in mind that customers of Google services, not Google itself, take the responsibility for establishing and maintaining GDPR compliance. Choose CookieScript, and we will take care of your website GDPR and other privacy law compliance issues!
How does GDPR affect Google?
In 2022, the use of Google Analytics was outlawed by data protection authorities of Austria, France, Italy, and Denmark for not complying with the GDPR due to international data transfers. In July 2022, the Danish DPA banned the use of Google Workspace for Education. To be GDPR compliant, inform your website users about how you use their personal data, for what reasons, and that their data is sent to third countries for data processing under the Data Processing Amendment.
Is it possible to configure Google Workspace in such a way that personal data is not sent to the US?
No, at the moment such a possibility is not present. All data collected through Google Workspace, Google Analytics, or other Google services are processed and stored in the United States. Use CookieScript, and we will take care of your website's GDPR compliance issues!