IMY (Sweden) - IMY-2023-1647: Difference between revisions
No edit summary |
No edit summary |
||
Line 68: | Line 68: | ||
In 2014 a different entity in Östersund (the regional Council of Jämtland County) conducted an impact assesment on google apps in education and determined that it could be used. In 2020, The Childrens and Education Board of the muncipality of Östersund decided to integrate Google Workspace into their own systems and schools but did not conduct an impact assesment, believing that the 2014 assesment was sufficient. | In 2014 a different entity in Östersund (the regional Council of Jämtland County) conducted an impact assesment on google apps in education and determined that it could be used. In 2020, The Childrens and Education Board of the muncipality of Östersund decided to integrate Google Workspace into their own systems and schools but did not conduct an impact assesment, believing that the 2014 assesment was sufficient. | ||
It was only after the integration of Google Workspace into both their own systems and schools that the Board initated an impact assesment. This process has been ongoing for three years. The Board wrote to the DPA and explained that parts of the impact assesment had been reported and acted upon. For example, policy documents have been established, training courses developed and storage restrictions implemented. They also noted that the impact assessment has so far revealed the same concerns as the 2014 report. The only question was whether using Google Workspace required the transfer of personal data to a third country (a nation outside the EU/EEA). | It was only after the integration of Google Workspace into both their own systems and schools in 2020 that the Board initated an impact assesment. This process has been ongoing for three years and was still not completed by the time of the DPA's investigation. The Board wrote to the DPA and explained that parts of the ongoing impact assesment had been reported and acted upon. For example, policy documents have been established, training courses developed and storage restrictions implemented. They also noted that the impact assessment has so far revealed the same concerns as the 2014 report. The only question that remained was whether using Google Workspace required the transfer of personal data to a third country (a nation outside the EU/EEA). | ||
=== Holding === | === Holding === | ||
The DPA | The question for the DPA was whether there was an obligation to carry out an impact assesment before the Board started processing personal data in 2020. | ||
The DPA's investigation confirmed that the Board did not carry out an impact assesment before Google Workspace was used in 2020 and that the work to carry out an impact assesment has not yet been completed. | |||
The DPA cited Rectial 75 and 76 GDPR which, in combination, state that when data processing involves children and a large number of data subjects it is considered high risk processing. Article 35(1) GDPR states that impact assesments are necessary when processing is likely to result in high risk. Moreover, Article 35(4) GDPR requires DPA's to draw up and publish a list of the types of processing operations subject to the requirements of impact assesements. Critera 5 and 7 of the Swedish DPA's list were met as the processing was carried out on children and for a large number of data subjects. | |||
The Swedish DPA did not believe that the Board's actions after 2020 provided mitigating circumstances that would reduce the size of a potential fine. This was due to the fact that the Board should have established and implemented these measures prior to the use of the service, not after. | |||
Against this background, the DPA found the Board to have breached its obligation under Article 35(1) GDPR and fined it 300,000 SEK (around €26,524) . | |||
== Comment == | == Comment == |
Revision as of 14:47, 5 December 2023
IMY - IMY-2023-1647 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 35(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | |
Fine: | 300,000 SEK |
Parties: | n/a |
National Case Number/Name: | IMY-2023-1647 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY-2023-1647 (in SV) |
Initial Contributor: | sh |
The Swedish DPA fined Östersund's Childrens and Education Board 300,000 SEK (around €26,524) for breaching Article 35(1) GDPR. The Board failed to conduct a data protection impact assesment prior to using Google Workspace for Education in schools.
English Summary
Facts
Östersund has twenty-four schools that use Google Workspace since 2020. It is employed for communicating, teaching, and assigning and turning in homework. Google Workspace processes the personal data of 1,303 employees and 5,945 students, including names, email addresses, and class and group memberships. The Childrens and Education Board of the muncipality of Östersund holds itself out as the data controller for the processing of personal data when the schools use Google Workspace.
In 2014 a different entity in Östersund (the regional Council of Jämtland County) conducted an impact assesment on google apps in education and determined that it could be used. In 2020, The Childrens and Education Board of the muncipality of Östersund decided to integrate Google Workspace into their own systems and schools but did not conduct an impact assesment, believing that the 2014 assesment was sufficient.
It was only after the integration of Google Workspace into both their own systems and schools in 2020 that the Board initated an impact assesment. This process has been ongoing for three years and was still not completed by the time of the DPA's investigation. The Board wrote to the DPA and explained that parts of the ongoing impact assesment had been reported and acted upon. For example, policy documents have been established, training courses developed and storage restrictions implemented. They also noted that the impact assessment has so far revealed the same concerns as the 2014 report. The only question that remained was whether using Google Workspace required the transfer of personal data to a third country (a nation outside the EU/EEA).
Holding
The question for the DPA was whether there was an obligation to carry out an impact assesment before the Board started processing personal data in 2020.
The DPA's investigation confirmed that the Board did not carry out an impact assesment before Google Workspace was used in 2020 and that the work to carry out an impact assesment has not yet been completed.
The DPA cited Rectial 75 and 76 GDPR which, in combination, state that when data processing involves children and a large number of data subjects it is considered high risk processing. Article 35(1) GDPR states that impact assesments are necessary when processing is likely to result in high risk. Moreover, Article 35(4) GDPR requires DPA's to draw up and publish a list of the types of processing operations subject to the requirements of impact assesements. Critera 5 and 7 of the Swedish DPA's list were met as the processing was carried out on children and for a large number of data subjects.
The Swedish DPA did not believe that the Board's actions after 2020 provided mitigating circumstances that would reduce the size of a potential fine. This was due to the fact that the Board should have established and implemented these measures prior to the use of the service, not after.
Against this background, the DPA found the Board to have breached its obligation under Article 35(1) GDPR and fined it 300,000 SEK (around €26,524) .
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.