According to an European Data Protection Board (EDPB) news release, the Danish DPA has imposed a ban on the use of Google Workspace in Elsinore municipality. In the case at hand, the municipality was requested to make a risk assessment of the municipality’s processing of personal data in the primary school using Google Chromebooks and Workspace. Based on the information received, the DPA found the municipality not in compliance with the GDPR requirements on a number of occasions. Particularly, the municipality would not have assessed some risks as data controller over data processing. Additionally, a violation of the GDPR would be in the fact that the data processor agreement (DPA) states that information can be transferred to third countries in situations for technical support without the required level of security and protection. The decision is expected to be applied to other municipalities finding themselves in similar circumstances.
Find the EDPB release here and the decision, in Danish, here.