Background information
- Date of final decision: July 14 2022 (Based on a decision from September 10 2021)
- Cross-border case or national case: National
- Controller: Elsinore municipality
- Legal Reference: Article 5, 24, 28, 35, 44, 46
- Decision: Infringement of Article 5 (2) cf. Article 5 (1), Litra a, Article 24 cf. Article 28 (1), Article 35 (1) and Article 44 cf. Article 46 (1)
- Key words: Risk assessment, DPIA, DPA, transfers to third countries
Summary of the Decision
Origin of the case:
In a case concerning the use of Google Chromebooks in Elsinore Municipality, the Danish Data Protection Agency expresses serious criticism and bans transfers to third countries and the use of Google Workspace.
Key Findings:
The Danish Data Protection Agency made a decision in September 2021 where the Municipality of Elsinore was ordered to make a risk assessment of the municipality's processing of personal data in the primary school using Google Chromebooks and Workspace.
Based on the documentation and assessment of the risk for the data subjects which the Municipality of Elsinore has prepared, the Danish DPA has now found that the processing does not meet the requirements of the GDPR on several points.
"The Municipality has done a great and skilled work to map how personal data is used in the primary school, but it also sheds some light on the potential data protection issues with the big tech companies' ways of solving the task," says IT security specialist and lawyer at the Danish DPA, Mr. Allan Frank.
The Danish DPA finds that the municipality as controller has not assessed some specific risks in relation to the data processor construction as to the processing activities the controller is allowed to do as a public authority. In addition, the data processor agreement (DPA) states that information can be transferred to third countries in situations for technical support without the required level of security and protection.
Decision:
In light of the decision from September 2021, the Danish DPA has now made a new decision. It contains, among other things:
- A suspension of the Municipality of Elsinore’s data processing where information is transferred to third countries without the necessary level of protection.
- A general ban on processing of personal data with Google Workspace until adequate documentation and impact assessment has been carried out and until the processing operations have been brought into line with the GDPR.
- Serious criticism of the municipality's processing of personal data.
The Danish Data Protection Agency notes that many of the specific conclusions in this decision probably will apply to other Danish municipalities that use the same data processor construction as the one this case on the Municipality of Elsinore revolves around. The Danish DPA expects these municipalities to take relevant steps based on this decision - even though the authority is currently finalizing a number of cases concerning other municipalities.
For further information: decision in national language
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.