The Chromebook Case 3

Summary

The Danish DPA reviewed new documentation submitted by Helsingør Municipality following its decision on July 14, 2022, to prohibit Helsingør Municipality from using Google Chromebooks for primary school education.

A central issue in the case was that the Danish DPA believed that the use of Chromebooks and Google Workspace generated personal data that Google used for purposes such as marketing and application improvement, which went beyond the purposes that Helsingør Municipality had assumed in their risk assessment, impact assessment, and data processing agreement with Google.

For more information, see the two previous decisions, “Chromebook Case 1: Serious criticism of Helsingør Municipality for incomplete risk assessment” and “Chromebook Case 2: The Danish Data Protection Agency imposes processing ban on Helsingør Municipality”.

The Danish Data Protection Agency’s decision

• The Danish DPA concluded that Helsingør Municipality’s use of Google Chromebooks and Workspace for Education to process personal data was still not in compliance with GDPR. The DPA also concluded that the documentation prepared by the municipality on 1 August 2022 did not conform with Article 35(1) (impact assessment when using new technologies) and (7) (minimum requirements for the impact assessment), as well as Article 36(1) (prior hearing with the Danish Data Protection Agency).

• The Danish DPA’s prohibition of 14 July 2020 was upheld.

Our remarks

• When conducting a risk assessment or an impact assessment of a particular service, it is essential for the data controller to evaluate the entire environment in which the service is provided. In the case of Helsingør Municipality, it had only assessed how personal data was processed in Workspace and had not considered how personal data was processed in the Google Chrome browser or Google OS (the operating system for Chromebooks).

• When a data processor uses personal data to improve its own applications, it becomes an independent data controller for this processing. If this is done for a public authority, a separate legal basis is required for the transfer of the personal data, since the personal data is then processed for a purpose that goes beyond the legal basis for processing to fulfill public authority tasks.

• When using contractual measures to mitigate risk with a specific data processor, it is important that the data controller is aware of the types of personal data that are being processed and when. In the data processing agreement with Google, Helsingør Municipality had not contractually protected the data that could be derived from the use of Chromebooks and Workspace. As a result, Helsingør Municipality had not minimized the risk of this processing.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the Schrems II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.

Published: 18-08-2022
Journal number: 2020-431-0061
Tags: 06 Transfers to third countries
Complycloud EU GDPR Report