Danish Municipalities – Order (Denmark, 2026)

The case concerned the use of Google Chromebooks and Google Workspace for Education by 51 Danish municipalities in primary and lower secondary schools. The municipalities acted as controllers, while Google Cloud EMEA Limited (Ireland) acted as the primary data processor and Google relied on a complex chain of sub-processors. Background Given the sensitivity of the processing and the complexity of the processing chain, the Danish Data Protection Authority (Datatilsynet) initiated an extensive supervisory investigation known as the “Chromebook Case Complex.” This decision forms part of that investigation and concerns the use of Google software in schools, focusing on whether the data controllers adequately understood and fulfilled their responsibilities when engaging Google as a processor, including identifying the relevant sub-processors and ensuring their compliance with applicable data protection rules. In July 2024, Datatilsynet informed KL ([https://www.kl.dk/ Kommunernes Landsforening]), the national association of municipalities, acting as representative for the controllers, that it would seek an opinion from the European Data Protection Board (EDPB) on the obligations of data controllers when using processors and sub-processors, particularly regarding documentation of processing structures. [https://www.edpb.europa.eu/system/files/2024-10/edpb_opinion_202422_relianceonprocessors-sub-processors_en.pdf The EDPB opinion of October 2024] clarified that controllers must maintain a complete and documented overview of all processors and sub-processors, their roles, locations, and compliance with GDPR requirements, including rules on international data transfers. Information requests and documentation submitted by KL. Between January and June 2025, Datatilsynet repeatedly requested KL to submit documentation on behalf of the controllers, including lists of all processors and sub-processors, descriptions of their processing activities, their geographical loca