The Chromebook Case 4 Summary personal data that was transferred to the provider. In July 2022, the Danish DPA imposed a ban on the use The municipality must also clarify whether it acted of Google Workspace in Helsingør Municipality, and in as an independent or shared data controller in August 2022, the DPA upheld the ban. each instance. Additionally, the documentation had to cover the entire technology stack used by Subsequently, the Helsingør Municipality had, in dialog Helsingør Municipality for processing the data. with the Danish DPA, identified several circumstances • The Danish DPA further ordered Helsingør where the use of Google Workspace, etc. was either Municipality to prepare an updated data impact not legal or where the risk to school pupils had not assessment based on all the risks identified by the been sufficiently identified and reduced. In light of this municipality during the documentation process, finding, the Danish DPA temporarily lifted the ban and in the eventuality that there were additional high, issued several orders to the municipality to ensure that non-mitigable risks. The order also included the use of Google Chromebooks and Workspace for consultation with the Danish DPA under GDPR, Education was in compliance with GDPR. Article 36. For more information, see the two previous decisions, • Finally, the Danish DPA ordered Helsingør “Chromebook Case 1: Serious criticism of Helsingør Municipality to submit a final, time-bound plan Municipality for incomplete risk assessment”, for legalizing any processing operations that were “Chromebook Case 2: The Danish Data Protection not able to be legalized before the deadline for the Agency imposes processing ban on Helsingør orders, which was set on 3 November 2022. Municipality” and “Chromebook Case 3: Danish Data Protection Agency upholds ban”. Our remarks The Danish Data Protection Agency’s • If a data impact assessment reveals that a specific residual risk to the rights of the data subjects decision cannot be reduced from a high to a low level, the • The Danish DPA’s prohibition to Helsingør controller has the possibility to consult the Data Municipality on August 18, 2022, was suspended Protection Authority. The DPA can then advise the until November 5, 2022. controller on how to reduce the risk. • The Danish DPA issued an order to Helsingør • If the use of a data processor is unlawful, it may Municipality to amend the in-depth agreement with be necessary to amend the data processing the data processor in such a way that the matters agreement. mentioned in the Agency’s decisions of July 14 and Please note that this decision was made prior to the August 18, 2022, as well as the material submitted EU Commission’s adoption of the EU-U.S. Data Privacy by the municipality on September 1, 2022, which Framework. The framework solves the challenges of the originated from the overall contractual basis with SCHREMS II case and thereby ensures that entities in the supplier, were brought into compliance with the the EU can transfer personal data to entities in the US GDPR. that comply with the framework without conducting a • The Danish DPA further ordered Helsingør TIA. However, general considerations concerning the Municipality to provide a detailed description of transfer of personal data to other unsafe third countries the data flows that took place and to identify the still apply. Published: 08-09-2022 Journal number: 2020-431-0061 Tags: 06 Transfers to third countries 124