Sanction to the Andalusian Regional Ministry of Education for non-compliance derived from the use of Google Workspace

1. Purpose of the procedure

The DGIFP of the Autonomous Community of Andalusia signed, in November 2020, the first Agreement with Google Ireland Limited for the implementation of G Suite, currently Google Workspace for Education, (hereinafter, GWE) in Andalusian public educational centres.

This Agreement has been the subject of several complaints over the past years, which the Andalusian Council for Transparency and Data Protection (CTPDA) has resolved cumulatively in a resolution (the RPS-2024/074), in which it was denounced, in summary:

• The creation of accounts for both students and teachers automatically, without prior consent.
• Processing of special categories of data without the corresponding justification.
• Lack of specific information to data subjects about the processing.
• Use of Beta services or services under development involving the processing of data for the purposes of big data or analysis of indicators for learning.
• Non-compliance with the data minimisation principle in relation to the capture of audiovisual material, such as videos or images, and their use and storage in the Google cloud.
• The conduct of international transfers as a consequence of Google's large chain of sub-processors and the lack of transparency in relation to the third countries to which data is exported.

2. Issues analysed

After carrying out the relevant investigative work, through the formulation of requests for information to the relevant department, the CTPDA analyses the following issues, in relation to the infringements committed[1]:

1. On the lawfulness of the processing

In relation to processing strictly necessary for the provision of educational and guidance services, the CTPDA understands that the opening of accounts and the processing of student and teacher data may be based on a mission carried out in the public interest or in the exercise of public powers in connection with the educational regulatory framework, fundamentally the 23rd additional provision of Organic Law 2/2006, of 3 May, on Education (hereinafter, "LOE"), without the need to seek consent, when the purpose of the processing is related to the educational purpose.

However, the CTPDA points out that this does not prevent the exercise of rights, and more specifically, the right of objection under Article 21.1 RGPD held by data subjects. In such a case, if the data subject or his or her legal representative, for reasons linked to his or her particular situation, objects to the opening/maintenance of the account, the responsible body should cease the processing of personal data and proceed to close the account, unless it can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the data subject. In the event that, as a consequence of the exercise of the right of objection with the aforementioned requirements, the closure of the account within the framework of the Agreement is obtained, it is to be expected that the educational administration and the centre will adopt the appropriate technical and organisational measures so that the student does not suffer situations of discrimination or comparative aggravation in the enjoyment of educational and guidance services.

In any event, it should be stressed that data processing not linked to the educational purpose can hardly be legitimised by the said public interest, and could therefore require consent or another basis for legitimisation of those provided for in Article 6 of the GDPR.

2. On the processing of special categories of data

In relation to the possible inclusion in the platform of personal data relating to health, religion or other special categories of data, the CTPDA analyses whether the design and use of the system incorporated sufficient safeguards to minimise such risk.

Although the Convention expressly states that these categories of data are not processed within the scope of GWE, the Council considers that it is unlikely that such processing would not take place and notes that the administration should have taken appropriate technical and organisational measures by design and by default to prevent or reduce the possible incorporation of this type of specially protected data by users.

In this regard, it concludes that there were deficiencies in the effective application of the principle of privacy by design and by default, and therefore, the concurrence of the infringement of Article 25 GDPR, as specific mechanisms had not been implemented to limit this structural risk in a platform of mass use in the educational sphere.

3. On compliance with the duty to provide information

The CTPDA concludes that the Administration failed to comply with the duty to provide information under Article 13 RGPD, as it had not accredited that students, families and teachers received, at the time of the creation or use of the accounts, the complete information required by the regulations on the processing of their personal data.

It recalls that the mere publication of the Agreement or of general information on an institutional website is not considered sufficient to satisfy the standard of transparency required by the GDPR, and therefore the Council considers the infringement to be a breach of the principle of transparency and of Article 13 of the GDPR.

4. On the processing of photographs and audiovisual content

Again, the CTPDA points out that when the capture and use of images and audiovisual content is directly integrated into the educational and guidance activity, it may be covered by the public interest of the body responsible, without the need to seek the consent of the data subjects, provided that the processing is adequate, relevant and limited to what is necessary in accordance with the principle of minimisation.

On the other hand, where the recording or dissemination of images is not strictly for this educational purpose - for example, promotional use, wide dissemination or ancillary purposes - a specific and distinct authorisation is required, which will normally require the informed consent of the data subjects or their legal representatives, together with clear information on the specific purpose and scope of the dissemination, in order for such consent to be considered valid.

According to the CTDPA, the Convention imposes an obligation on the controller to assess whether the images and audiovisual content are "fit for purpose" and "adequate, relevant and limited to what is necessary", which requires translating this assessment into operational rules for the day-to-day running of the centres.

In this regard, the CTPDA attaches particular importance to the need to implement clear protocols on the use of images (what can be stored, for what purpose, who has access, for how long, and in which cases consent must be sought), so that the system works "by default" within the limits of the educational purpose and reduces the risk of inappropriate or excessive use. This lack of effective integration of preventive safeguards is, according to the CTPDA, a further breach of Article 25 GDPR (principle of data protection by design and by default).

5. On international transfers carried out by Google

The CTPDA analyses the regime foreseen in the Convention in relation to the storage and processing of data in global infrastructures of the provider, including the possibility of data being processed in countries outside the European Economic Area. In this regard, it recalls that any international transfer must strictly comply with the requirements set out in Articles 44 to 49 GDPR, either by recourse to an adequacy decision or by the existence of appropriate safeguards (such as standard contractual clauses) applicable to the specific case.

The Council concludes that it was not duly established in the file that the international transfers resulting from the use of the platform were fully compliant with the requirements of the GDPR and that the applicable safeguards in relation to all possible destinations of the data had been adequately documented. Consequently, the infringement of article 44 of the GDPR, classified as very serious in the LOPDGDD, was found to have been committed.

6. Lack of a Register of Processing Activities and absence of a data protection impact assessment.

The CTPDA found, ex officio, an infringement of Article 30 RGPD, on noting that the Register of Processing Activities (RAT) did not include complete information on international data transfers, in breach of the requirements of transparency and documentation inherent to the principle of proactive responsibility. This deficiency is classified as a minor infringement in the LOPDGDD.

On the other hand, also ex officio, the Council declared a breach of Article 35 of the GDPR for not having carried out a data protection impact assessment (DPA) prior to the implementation and generalised use of the platform, despite the fact that there were circumstances that made such an assessment necessary - large-scale processing, mass involvement of minors and intensive use of digital technologies - and that the absence of a DPA constitutes a serious breach of the GDPR, as it prevents the early identification and mitigation of risks to the rights and freedoms of data subjects.

Penalties

As a consequence of the infringements committed, the following sanctions are imposed on the DGIFP:

• To submit to the Council, within 3 months, an action plan including all the measures to be adopted.
• Submit, as soon as possible, documentation accrediting the adoption of technical and organisational measures to limit the risk of users entering special categories of data on the platform.
• Submit a copy of the instructions and protocols for the management of images and audiovisual content on the platform.
• Submit documentary evidence that information on international data transfers has been included in the ARP.
• Submit documentary evidence of the DPI carried out.
• Suspend data flows to establishments of Google and its subcontractors located in third countries for which an adequacy decision has not been issued, except for those for which the guarantees, requirements or exceptions contemplated by the regulations have been complied with and, where appropriate, provide documentary proof of this.

4. Conclusions

The use of tools such as Google Workspace for Education by educational centres requires data controllers to differentiate between processing of personal data that is intrinsically related to the purpose of teaching and guidance - which can generally be protected under the prism of the public interest - and processing that is far removed from this purpose and, therefore, may require the application of a different basis of legitimisation. In any case, they must guarantee the legitimate exercise of the rights recognised by the regulation by the data subjects.

Likewise, the implementation of this type of systems implies the obligation to comply with the rest of the provisions contained in the data protection regulations, especially with regard to the analysis of the necessity, suitability and proportionality of the processing, the guarantee of transparency vis-à-vis data subjects (including that relating to international transfers) and the adoption of the necessary technical and organisational measures that integrate data protection from the design and by default.

Finally, educational establishments should bear in mind that the processing of children's data and, where appropriate, of special categories of data, such as health data, raises the standard of diligence required and may result in the obligation to carry out data protection impact assessments, when the cases provided for in the GDPR occur.