Datatilsynet (Denmark) - 2020-431-0061 (Helsingor decision no. 4)
| Datatilsynet - 2020-431-0061 (Helsingor decision no. 4) | |
|---|---|
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 28(3)(a) GDPR, Article 36 GDPR, Article 36(1) GDPR, Article 36(2) GDPR, Article 58(2)(d) GDPR |
| Type: | Investigation |
| Outcome: | Other Outcome |
| Started: | |
| Decided: | |
| Published: | 08.09.2022 |
| Fine: | n/a |
| Parties: | Helsingor Municipality |
| National Case Number/Name: | 2020-431-0061 (Helsingor decision no. 4) |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | Rie Aleksandra Walle |
The Danish DPA temporarily suspended its processing ban against Helsingor municipality for the use of Google Chromebooks and Workspace for Education until 5 November 2022 and, amongst other things, ordered them to change their data processing agreement with Google.
English Summary
Facts
This is the Danish DPA's fourth decision in the case relating to Helsingor municipality's processing of personal data in primary and lower secondary school. Helsingor municipality, the controller, has been using Google Chromebooks and Workspace for Education in violation of several GDPR requirements, as detailed in the first decision of September 2021, the second decision of 14 July 2022 and the third decision of 18 August 2022.
Following the third decision, the municipality submitted more documentation and also requested a consultation with the DPA as per Article 36 GDPR.
Holding
The DPA temporarily suspended its processing ban against Helsingor municipality until 5 November 2022, and also ordered the municipality to:
- Change the data processing agreement with Google so that the DPA's remarks in its 14 July and 18 August decisions are implemented. This includes, at a minimum, a clarification of where and whether Google acts as a sole controller, and of any uncertainties that may entail that Google acts beyond its role as a processor, see Article 28(3)(a) GDPR.
- Document that all transfers of personal data to insecure third countries are in line with the GDPR.
- Describe all data flows and identify the personal data that are shared with the vendor, and clarify when the vendor acts as a sole or joint controller. This documentation must include the whole technology stack used by the municipality (for this processing activity).
- Update their data protection impact assessment based on all identified risks.
- Consult the DPA if the DPIA shows any high risks the municipality is not able to mitigate.
- If any processing activities are still not in line with the GDPR by the DPA's deadline of 3 November 2022, present a final plan for bringing them in line with the GDPR.
Comment
Further Resources
The DPA employee who wrote the decisions has discussed the case (in English) on the Grumpy GDPR podcast episode "School is Cancelled".
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Chromebooks: The Danish Data Protection Authority suspends the ban and orders legalization
Date: 08-09-2022
Keywords: Decision, Public authorities, Order, Reported breach of personal data security, Children, Basic principles, Transfer to third countries, Risk assessment and impact analysis, Processing security

In the case of the use of Google Workspace in Helsingør Municipality, the Danish Data Protection Authority has now suspended the current ban, but has also issued an order to legalize the use. A corresponding order has been given to Aarhus Municipality.

Journal number: 2020-431-0061

Summary

In July, the Danish Data Protection Authority banned the use of Google Workspace in Helsingør Municipality, and in August the Danish Data Protection Authority upheld the ban. In the subsequent dialogue with the Danish Data Protection Authority, Helsingør Municipality has now identified a number of conditions where the use of Google Workspace etc. has either not been legal, or where the risk to school pupils has not been sufficiently identified and reduced. On the basis of this recognition - and the finding of similar conditions in several other municipalities' processing - the Data Protection Authority has decided to suspend the ban for a short period and has given the municipality a number of orders to legalize the use. In practice, this means that the students in Helsingør - during this period - can resume using Google Workspace, but that the permanent use of the products is conditional on the municipality handling a number of significant outstanding issues in relation to contracts, technology and documentation.

"When we make the choice to suspend the ban, it is because the municipality has now recognized and described the problems that must be legalized. There has been reasonable clarity about what remains to be done - and therefore we are now giving the municipality two months to manage it together with its suppliers," explains Allan Frank, lawyer and IT security specialist at the Danish Data Protection Authority.

Same process in Aarhus Municipality

In addition to the order to Helsingør Municipality, the Data Protection Authority has also issued a similar order to Aarhus Municipality. This is based on the fact that Aarhus Municipality (like Helsingør Municipality) has established that some of the processing of school children's personal data that it has carried out so far has not been carried out legally, and that it has not identified and limited the risks for those students. Therefore, a similar legalization process has now also been initiated in Aarhus Municipality. The National Association of Municipalities has informed the Data Protection Authority that, on behalf of a further number of municipalities, it expects to send similar inquiries about legalizing the use of Google Workspace and similar services. The Danish Data Protection Authority expects to impose the same requirements on other municipalities that carry out similar processing.

Legal background

The Danish Data Protection Authority expects all data controllers – before new processing of personal data begins, or when existing processing changes the risk profile – to assess whether the programs, services and suppliers used to process the personal data can actually be used legally. In addition to this, it is a requirement under the GDPR that no processing of personal data with high, unreduced risks is initiated without the supervisory authority being informed about these and having had the opportunity to exercise the powers that follow from the GDPR.

The assessment and recognition that certain services or supplier agreements lead to illegal processing of personal data or high risks that cannot be reduced is a necessary prerequisite for being able to get the supplier to change the terms and services in question, change the processing activities or ultimately opt out of the supplier if it is unwilling or unable to deliver a service that can be used legally.

Based on the material from Helsingør Municipality and Aarhus Municipality, the Danish Data Protection Authority has found that the municipalities have processing that has not been carried out legally, and that they have not sufficiently identified and limited the risks for students and teachers. The Danish Data Protection Authority has notified Aarhus Municipality and Helsingør Municipality of an order that the contract entered into with the data processor and the technology supplier must be amended and clarified on a number of points. The municipalities have also been ordered to identify additional risks regarding data points and data containing personal data that are passed on to the technology supplier for its own purposes. This order also includes a shutdown of functionality in the technology used which results in the unauthorized disclosure of personal data. These orders are set with deadlines of two months, and the municipalities have been notified that the Danish Data Protection Authority intends to prohibit the way in which the processing activities in question are carried out if the municipalities cannot get the supplier to change the conditions in question.

Decision

1. Decision

The Danish Data Protection Authority's ban on Helsingør Municipality from 18 August 2022 is suspended until 5 November 2022.
The Data Protection Authority notifies Helsingør Municipality of an order to have the existing agreement with the data processor changed in such a way that the conditions mentioned in the Authority's decisions of 14 July and 18 August 2022, as well as in the material sent by Helsingør Municipality on 1 September 2022, and which derive from the overall basis of the agreement with the supplier, are brought into line with the data protection regulation. This includes, as a minimum, a clarification of the places where the "data processor" acts as an independent data controller, and for what purposes; of the support situations that the municipality no longer uses; and of ambiguities in the contract text that create uncertainty about the data processor acting beyond the rule in Article 28, subsection 3, letter a of the data protection regulation. In addition, all intended transfers to unsafe third countries must documentably comply with the data protection regulation.

The Danish Data Protection Authority further notifies Helsingør Municipality of an order to describe the data flows that take place, to identify the personal data that is passed on to the supplier, and to make it clear when the latter acts as an independent or joint data controller. The documentation must include the entire technology stack that Helsingør Municipality uses for the processing.

The Danish Data Protection Authority further orders Helsingør Municipality to draw up an updated impact analysis based on all the risks that the municipality has identified during the documentation process. If it turns out that - in addition to those for which the Article 36 procedure has now been requested - there are additional high risks that cannot be mitigated, the order also includes consultation with the Danish Data Protection Authority pursuant to Article 36.

Finally, the Data Protection Authority orders Helsingør Municipality to present a final time-bound plan for the legalization of any processing that could not be legalized before the deadline for the orders, which is set for 3 November 2022. The Data Protection Authority expects to receive documentation of compliance with the orders before the set date.

The orders have been notified in accordance with Article 58, subsection 2, letter d of the data protection regulation. Failure to comply with an order can - unless a higher penalty is due - be punished with a fine or imprisonment for up to 6 months, cf. section 41, subsection 2, no. 4 of the Data Protection Act.

If Helsingør Municipality meets the conditions of the ban of 18 August 2022 before 5 November 2022, the Danish Data Protection Authority can, after reviewing documentation of this, lift the ban.

2. Case presentation

On 18 August, the Danish Data Protection Authority decided, among other things, that Helsingør Municipality's processing of personal data using Google Chromebooks and Workspace for Education was not in accordance with the data protection regulation. On that basis, the Danish Data Protection Authority upheld its ban of 14 July 2022. However, the ban was changed so that the Danish Data Protection Authority notified Helsingør Municipality of a ban on processing personal data using Google Chromebooks and Workspace for Education. The ban applies until Helsingør Municipality has brought the processing activity in line with the data protection regulation as stated in the Danish Data Protection Authority's decision of 14 July 2022, and until the municipality has carried out a data protection impact analysis that meets the requirements for content and process for its implementation which are found in Articles 35 and 36 of the regulation.
For processing operations where prior consultation with the Data Protection Authority is required pursuant to Article 36 of the Data Protection Regulation, the prohibition applies until the Authority has issued an opinion pursuant to Article 36, subsection 2, and Helsingør Municipality has taken the necessary measures on the basis of the Danish Data Protection Authority's opinion, or until the Danish Data Protection Authority permits the processing at a time before the opinion is available. The ban took effect immediately.

3. Helsingør Municipality's comments

By e-mail of 1 September 2022, Helsingør Municipality sent a request for a consultation with the Danish Data Protection Authority. The request has the following wording:

"The basis for the consultation

In the Data Protection Authority's decision of 14 July 2022 vis-à-vis Helsingør Municipality, the Data Protection Authority imposed a general ban on Helsingør Municipality's processing of personal data via Google Chromebooks and Google Workspace for Education Standard ("the Services"), until Helsingør Municipality prepared an impact analysis for the processing of personal data as prescribed and defined in sections 4.2 and 4.3 of the Danish Data Protection Authority's decision. Against this background, Helsingør Municipality sent the requested impact analysis. However, in its decision of 18 August 2022, the Danish Data Protection Authority concludes that Helsingør Municipality, in connection with the preparation of this impact analysis, should have conducted a prior consultation with the Danish Data Protection Authority, cf. Article 36, subsection 1 of the data protection regulation.

In the decision, the Danish Data Protection Authority bases this assessment on the fact that the measures that Helsingør Municipality has taken with regard to the disclosure of personal data to Google, as well as a number of other identified risks related to the processing of personal data via the Services, are not suitable to address these conditions. Helsingør Municipality acknowledges that there are currently no sufficient technical, contractual or organizational measures in place to mitigate these residual high risks related to the students' rights and freedoms. Helsingør Municipality thus wishes, with the present letter, to consult the Danish Data Protection Authority as prescribed in Article 36, subsection 1 of the data protection regulation, with a view to receiving the Data Protection Authority's written advice, cf. Article 36, subsection 2 of the data protection regulation.

Fulfillment of the formal requirements

In relation to the formal requirements stated in Article 36, subsection 3 of the data protection regulation, Helsingør Municipality notes the following: Helsingør Municipality is the data controller for the processing of personal data carried out via the Services and Google Ireland Limited is the data processor. However, Google Ireland Limited can act as data controller for "service data", and this problem is, among other things, the subject of the present consultation, as the disclosure relates to school pupils' personal data. The aim is to use a digital learning platform based on Google Chromebooks with Workspace for Education Standard. The platform enables the sharing of documents between students and teachers and generally enables collaboration within the class and across classes. The municipalities are obliged to make digital learning tools and learning platforms available to the students at the schools. Access to digital learning resources is necessary to be able to meet the targets for the subjects in the primary school. Part of the primary school leaving exams and national tests are conducted digitally. The municipalities are obliged to make digital aids available to students with special needs, including dyslexic students.

In relation to measures and guarantees to protect the rights and freedoms of the data subjects, Helsingør Municipality refers to (i) attached Annex 1 and the guarantees and implemented measures described therein, as well as (ii) the previously sent impact analysis related to the Services and the related annexes. The data protection advisor is Bech-Bruun Advokatpartnerselskab, Langelinie Allé 35, 2100 Copenhagen Ø. The impact analysis, prepared in collaboration with the municipality's data protection advisor, has already been sent to the Danish Data Protection Authority. Helsingør Municipality will of course forward additional information and documents that the Data Protection Authority may request.

The Danish Data Protection Authority's advice

For use in the Danish Data Protection Authority's advice as prescribed in Article 36, subsection 2 of the data protection regulation, Helsingør Municipality attaches as Appendix 1 to this prior consultation letter a list of all data protection legal risks identified by Google in relation to the Services. The Danish Data Protection Authority has previously received this list, but the list has partly been updated in line with what was stated in the Danish Data Protection Authority's e-mail of 18 August 2022, and partly updated and adapted to Danish conditions. The list also indicates the residual data protection risks related to the Services, which are currently too high and which are therefore the subject of the present consultation.

The Danish Data Protection Authority has further requested that the following matters be additionally included as an addendum to the Article 36 process: which Service Data the municipality will pass on to Google, for which Google will continue to be data controller in relation to the "Planned future", and for what purposes this Service Data will be used. Yesterday, the municipality requested Google to contribute to the clarification of these questions. However, this could not be achieved before sending this letter, and the municipality can therefore instead state the following about the next steps: the municipality will clarify with Google within the next 14 days whether the above can be answered immediately. If this is not the case, the municipality will ensure that the question can be answered no later than 14 days before the completion of an updated impact analysis for the use of the Services, see details below. The above risk and the risks listed in Appendix 1 hereby constitute the total data protection risks covered by this consultation.

***

Helsingør Municipality requests that, on the basis of this consultation letter, the Danish Data Protection Authority lifts the ban on using the Services, on the condition that Helsingør Municipality complies with the conditions laid down by the Danish Data Protection Authority for lifting the ban, including the preparation and sending of an updated impact analysis for the use of the Services with an expected completion time of 2-3 months from today's date."

The submitted consultation request was also accompanied by a table containing the high unmitigated risks, which are essentially consistent with the impact assessment carried out in the Netherlands.

[Here part of the documentation is omitted]
4. Reason for the Data Protection Authority's decision

The Danish Data Protection Authority finds, in accordance with Helsingør Municipality's own comments in the request of 1 September 2022, that the processing in question poses a high risk to the rights of the data subjects which cannot be reduced, cf. Article 36, subsection 1 of the data protection regulation. The Danish Data Protection Authority finds that several of the processing operations themselves are not in accordance with the data protection regulation, and that other processing operations have not been sufficiently identified, or their risk has not been limited to the necessary extent. The Danish Data Protection Authority therefore notes that the conditions for the Danish Data Protection Authority's advice pursuant to Article 36, subsection 2, are present.

The Danish Data Protection Authority also states that for those processing operations that have not been sufficiently identified, or whose risk has not been limited to the necessary extent, rapid legalization must take place. The Danish Data Protection Authority considers that it is necessary to ensure the necessary progress in such legalization. The supervisory authority has therefore decided to issue a number of orders with a shorter deadline on the outstanding points, in accordance with Article 58, subsection 2, letter d of the data protection regulation. In addition, the Danish Data Protection Authority has attached importance to creating the possibility that Helsingør Municipality, together with other data controller municipalities that process personal data similar to Helsingør Municipality's, can collectively approach the data processor and the supplier and obtain a final legal solution that covers all.

Against this background, the Danish Data Protection Authority states:

The Danish Data Protection Authority's ban on Helsingør Municipality from 18 August 2022 is suspended until 5 November 2022.

The Data Protection Authority notifies Helsingør Municipality of an order to have the existing agreement with the data processor changed in such a way that the conditions mentioned in the Authority's decisions of 14 July and 18 August 2022, as well as in the material sent by Helsingør Municipality on 1 September 2022, and which derive from the overall basis of the agreement with the supplier, are brought into line with the data protection regulation. This includes, as a minimum, a clarification of the places where the "data processor" acts as an independent data controller, and for what purposes; of the support situations that the municipality no longer uses; and of ambiguities in the contract text that create uncertainty about the data processor acting beyond the rule in Article 28, subsection 3, letter a of the data protection regulation. In addition, all intended transfers to unsafe third countries must documentably comply with the data protection regulation.

The Danish Data Protection Authority further notifies Helsingør Municipality of an order to describe the data flows that take place, to identify the personal data that is passed on to the supplier, and to make it clear when the latter acts as an independent or joint data controller. The documentation must include the entire technology stack that Helsingør Municipality uses for the processing.

The Danish Data Protection Authority further orders Helsingør Municipality to draw up an updated impact analysis based on all the risks that the municipality has identified during the documentation process. If it turns out that - in addition to those for which the Article 36 procedure has now been requested - there are additional high risks that cannot be mitigated, the order also includes consultation with the Danish Data Protection Authority pursuant to Article 36.

Finally, the Data Protection Authority orders Helsingør Municipality to present a final time-bound plan for the legalization of any processing that could not be legalized before the deadline for the orders, which is set for 3 November 2022. The Data Protection Authority expects to receive documentation of compliance with the orders before the set date.

The orders have been notified in accordance with Article 58, subsection 2, letter d of the data protection regulation. Failure to comply with an order can - unless a higher penalty is due - be punished with a fine or imprisonment for up to 6 months, cf. section 41, subsection 2, no. 4 of the Data Protection Act.

If Helsingør Municipality meets the conditions of the ban of 18 August 2022 before 5 November 2022, the Danish Data Protection Authority can, after reviewing documentation of this, lift the ban.

The Danish Data Protection Authority also reserves the right to use additional powers pursuant to Article 58, subsection 2 of the Data Protection Regulation for conditions described in the previous decisions, when Helsingør Municipality has presented final documentation which fully explains the legality of the processing and the risks for the rights and freedoms of the data subjects. In addition, the above-mentioned conditions may also be subject to sanctions under Section 41 of the Data Protection Act.