The Chromebook Case 2 Summary decision In September 2021, the Danish DPA issued a decision • The Danish DPA issued a prohibition against the in which Helsingør Municipality was instructed to Municipality of Helsingør from processing personal conduct a new risk assessment of the processing of data using Google Chromebooks and Workspace personal data in primary and lower secondary schools for Education. The prohibition applied until the when using Chromebooks and Workspace Education municipality brought the processing activity into (formerly G Suite). The Danish DPA subsequently compliance with data protection legislation and assessed the content of Helsingør’s Municipality’s new prepared adequate documentation for this. risk assessment and whether the conditions for third- country transfers were met. • Any transfer of personal data to the United States Helsingør Municipality had prepared a TIA, adopted was suspended until Helsingør Municipality could the EU Commission’s standard contractual clauses, demonstrate that the rules in Chapter V of the and conducted a risk assessment regarding the use General Data Protection Regulation on transfers to of Chromebooks and Workspace Education. However, third countries had been complied with. the risk assessment was concluded to be incomplete • The Danish DPA severely criticized the fact that the as it did not address all potential risks, such as the municipality’s processing of personal data had risk of unauthorized access to personal data stored in not been carried out in accordance with GDPR, Chromebooks. Article 5(2) (accountability), cf. Article 5(1)(a) In its risk assessment, Helsingør Municipality (lawfulness, fairness, and transparency), Article acknowledged that Google may breach its contractual 24 (responsibility of the controller), cf. Article 28(1) obligations not to use the personal data for marketing (requirements for data processors), Article 35(1) purposes but assessed that the likelihood of that (impact assessment), and Article 44 (general happening was low. principle for transfers), cf. Article 46(1) (transfers The Municipality also ensured that personal data subject to appropriate safeguards). were only stored in data centers in the EU/EEA but acknowledged that personal data could be transferred Our remarks to third countries in support situations where Google’s US department would have access to the personal data in question. Helsingør Municipality argued that Google could not be subject to surveillance via FISA 702, as the personal data was not transferred by Google LCC, but to Google LCC for use in support services. However, the Danish DPA concluded this argument to be insufficient, as FISA 702 prohibits surveillance of US persons, but not surveillance of foreign individuals. This case relates to: Chromebook Case 1: Serious Criticism of Helsingør Municipality for incomplete risk assessment. Published: 14-07-2022 Journal number: 2020-431-0061 Tags: 06 Transfers to third countries 121 The Danish Data Protection Agency’s