Aarhus municipality – Violation Found (Denmark, 2022)

Following the Danish DPA's (Datatilsynet) decisions (from September 2021 as well as July and August 2022) related to Helsingor municipality's processing of personal data using Google products and services, Aarhus municipality reassessed their risk assessment during August 2022. On 1 September, they sent the DPA a request for consultation as per Article 36 GDPR along with the relevant documentation, as they were using the same processing setup (Google, Google Chromebooks, Google Workspace for Education). Based on the documentation submitted, the DPA found that the processing activities entailed a high risk for the data subjects' rights and freedoms that could not be mitigated, and referred to Article 36(1) GDPR and Article 36(2) GDPR. The DPA ordered the municipality to: * Change the data processing agreement with Google so that the DPA's remarks in their 14 July and 18 August decisions to Helsingor municipality, are implemented. This includes, at a minimum, a clarification of where and if Google acts as a sole controller and any uncertainties that may entail that Google acts beyond their role as a processor, see Article 28(3)(a) GDPR. * Document that all transfers of personal data to insecure third countries, are in line with the GDPR. * Describe all data flows and identify the personal data that are shared with the vendor, and clarify when the vendor acts as a sole or joint controller. This documentation must include the whole technology stack used by the municipality (for this processing activity). * Update their data protection impact assessment based on all identified risks. * Consult the DPA if the DPIA shows any high risks the municipality is not able to mitigate. * If any processing activities are still not in line with the GDPR before the DPA's deadline 3 November 2022, present a final plan for bringing them in line with the GDPR.