Last year, officials in a municipality in Denmark were ordered to conduct a risk assessment on Google’s processing of personal data. Last week, the country’s data protection agency Datatilsynet ruled that Google services used in schools, including Drive, Gmail, and Docs, do “not meet the requirements of the EU’s GDPR data privacy” rules and banned their use in schools.
The data protection agency said that Google’s terms and conditions allow the transfer of data to other countries, yet the GDPR regulations stipulate that data should be stored in data centers within the region.
The ban of Google services also applies to Chromebooks, which are widely used in schools across Denmark. Technically, the ruling applies to schools in the Helsingor municipality. But Datatilsynet said it expects other municipalities “to take relevant steps” in light of its ruling in the Helsingor municipality.
“We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That’s why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organizations to comply with the GDPR,” a spokesperson for Google told TechCrunch.
“Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students’ data is never used for advertising or other commercial purposes. Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance.”