The Chromebook Case 1

Summary

Helsingør Municipality provided Google Chromebooks to its school pupils giving them access to the G-suite software package, which required the creation of a school account with Google. To create these accounts the pupils’ full names, schools, and grade levels were transferred to Google, which also made the full names of pupils with name and address protection available to Google products such as YouTube, of which the municipality was unaware.

A control panel was used to manage which programs pupils could access and how their information was shared with Google.

The Chromebooks with G-Suite were distributed based on the Public Schools Act so that the municipality did not consider it necessary to obtain consent from the pupils’ parents.

The case was initiated following two complaints to the Danish DPA that Helsingør Municipality had created Google accounts for pupils without parental consent. In addition, the complainants pointed out that the pupils’ login details were pasted on the laptops, leaving them vulnerable to unauthorized access.

The Danish Data Protection Agency’s decision

• The Danish DPA seriously criticized that the processing of personal data by the Helsingør Municipality was not in accordance with the General Data Protection Regulation.

• The Danish DPA issued a warning to Helsingør municipality stating that using G-Suite’s add-on programs without carrying out a data protection impact assessment would be a clear violation of the GDPR.

• If the risk assessments showed a high risk to the rights and freedoms of data subjects, and the risks had not been reduced to a level below high, the DPA would notify the municipality of a temporary restriction on processing operations.

Our remarks

• If you process personal data about children, you must be extra careful to ensure that your legal basis for processing is in order, as children have special protection under the General Data Protection Regulation. In this case, the Danish DPA concluded that the legal basis for processing of personal data under The Public Schools Act was not sufficient. Therefore, Helsingør Municipality should have either obtained consent from the pupils or their parents or ensured that no unnecessary personal data was shared with G-Suite.

• It is not GDPR-compliant to label login credentials on computers, as the controller does not ensure an adequate level of security by doing so.

• If different functionalities of a program package involve different processing activities and personal data flows, these functionalities must be risk assessed separately. As a rule, in situations where the personal data of children are processed in complex technology, this will pose a high risk to the data subject. When sharing personal data with Google features, the risk assessment should consider that Google’s business model includes collecting personal data and using it for marketing purposes.

• At the same time, attention must be paid to a possible transfer to a third country when using Google applications. Specifically, the Helsingør municipality had entered into a data processing agreement that ensured that data did not leave the EU/EEA. Therefore, the Danish DPA did not address the issue of third-country transfers.

Published: 10-09-2021, Journal number: 2020-431-0061
Tags: 01 Legal basis for processing and principles for processing
Complycloud EU GDPR Report