The Danish data protection authority ('Datatilsynet') published, on 18 August 2022, its decision in Case No. 2020-431-0061, in which it found the Municipality of Helsingør in violation of Articles 35(1), 35(7), and 36(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a review of the extensive material that the Municipality had sent to the Datatilsynet on 1 August 2022. 

Background to the decision 

In particular, the Datatilsynet specified that the decision relates to its decision of 14 July 2022, according to which the Municipality had sent information, including a revised risk assessment to the Datatilsynet. In this regard, the Datatilsynet stated that the Municipality had sent the information to demonstrate that its processing activities are in accordance with the GDPR.

Findings of the Datatilsynet 

Notably, the Datatilsynet stated that after its review of the material submitted by the Municipality, it found that the Municipality's processing of personal data using Google Workspace for education is still not in compliance with the GDPR. More specifically, the Datatilsynet noted that the risks that the Municipality had identified have not been sufficiently reduced, and several of its processes still involve a high risk for data subjects. Additionally, the Datatilsynet noted that the Municipality's risk assessment does not meet the content requirements for a Data Protection Impact Assessment ('DPIA') pursuant to Articles 35(1), 35(7) and 36(1) of the GDPR. Furthermore, the Datatilsynet specified that the Municipality had not assessed the risks arising from its contract with the supplier itself, and other publicly known risks in connection with the use of the technology they have chosen. 

Outcomes

Ultimately, the Datatilsynet found that the Municipality was in breach of the aforementioned provisions of the GDPR and as such upheld its ban of 14 July 2022, against the Municipality's use of Google Workspace. Notably, the Datatilsynet specified that the ban applies until the Municipality brings its processing activities in line with the GDPR and carries out a DPIA that meets the content and implementation requirements of the same pursuant to Articles 35 and 36 of the GDPR. 

You can read the press release here and the decision here, both only available in Danish. 

UPDATE (30 August 2022) 

Datatilsynet announces meetings with municipalities to discuss legal use of Chromebooks

The Datatilsynet announced, on 19 August 2022, that it had met with municipalities, including the Municipality of Helsingør, to discuss a plan for municipalities' lawful use of Chromebooks and noted that the parties aim to work together effectively towards finding a solution. 

You can read the press release, only available in Danish, here.

UPDATE (12 September 2022) 

Denmark: Datatilsynet temporarily lifts ban on use of Google Workspace by Municipalities

The Danish data protection authority ('Datatilsynet') published, on 8 September 2022, its decision in Case No. 2020-431-0061, in which it temporarily suspended the ban on the use of Google Workspace previously imposed on the Municipality of Helsingør and ordered the same to bring its practices in line with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Background to the decision

In particular, the Datatilsynet stated that following the Municipality's identification of a number of conditions where use of Google Workspace had not been lawful, or had amounted to high risk to school pupils, it has lifted the ban it had imposed on such use on 18 August 2022, until 5 November 2022, and has given the Municipality a number of orders to comply with. In this regard, the Datatilsynet specified that the permanent use of Google Workspace is conditional on the Municipality's compliance with the Datatilsynet's orders in the time period specified. 

Findings of the Datatilsynet

Notably, the Datatilsynet found that in identifying risks in connection to the use of Google Workspace, the Municipality should ensure such risks are addressed rapidly. In this regard, the Datatilsynet specified a number of orders to bring the Municipality's processing activities in line with the requirements of the GDPR, which include:

• bringing the existing agreement with the data processor in line with the GDPR, which includes, as a minimum, clarifying areas where the processor acts as an independent data controller, the features of the processing the Municipality no longer uses, and ambiguities in the contract that create uncertainty about the data processor's actions in relation to Article 28(3)(a) of the GDPR;
• describing the data flows that take place and identifying the personal data that is passed on to the supplier/processor, clarifying when the latter acts as an independent or joint data controller and including documentation of the technology used for the treatment;
• drawing up an updated Data Protection Impact Assessment ('DPIA') based on the risks the Municipality has identified, as well as consulting the Datatilsynet should it transpire that high risks that cannot be mitigated arise arise; and
• presenting a final time-bound plan for the legalising data processing activities before the deadline for the orders (3 November 2022).

Additionally, the Datatilsynet specified that the same order in connection with the use of Google Workspace had been made with respect to the Municipality of Aarhus.

Outcomes

Ultimately, the Datatilsynet had lifted the ban on the use of Google Workspace temporarily and stated that the Municipality has until 3 November 2022 to comply with the orders it has issued. In this regard, the Datatilsynet specified that it expects to receive documentation for compliance with said orders by the Municipality before the set date, i.e. 3 November 2022.

You can read the press release here, the Municipality of Helsingør deicion here, and the Municipality of Aarhus here, all only available in Danish.