Datatilsynet (Denmark) – 2025-431-0053

9 February 2026

Xz:


{{DPAdecisionBOX

|Jurisdiction=Denmark
|DPA-BG-Color=
|DPAlogo=LogoDK.png
|DPA_Abbrevation=Datatilsynet
|DPA_With_Country=Datatilsynet (Denmark)

|Case_Number_Name=2025-431-0053
|ECLI=

|Original_Source_Name_1=Datatilsynet
|Original_Source_Link_1=https://www.datatilsynet.dk/afgoerelser/afgoerelser/2026/jan/datatilsynet-giver-51-kommuner-alvorlig-kritik-i-chromebook-sag
|Original_Source_Language_1=Danish
|Original_Source_Language__Code_1=DA
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Investigation
|Outcome=Other Outcome
|Date_Started=10.07.2024
|Date_Decided=29.01.2026
|Date_Published=29.01.2026
|Year=2026
|Fine=
|Currency=

|GDPR_Article_1=Article 5 GDPR
|GDPR_Article_Link_1=Article 5 GDPR
|GDPR_Article_2=Article 6 GDPR
|GDPR_Article_Link_2=Article 6 GDPR
|GDPR_Article_3=Article 24 GDPR
|GDPR_Article_Link_3=Article 24 GDPR
|GDPR_Article_4=Article 28 GDPR
|GDPR_Article_Link_4=Article 28 GDPR
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=Danish Municipalities
|Party_Link_1=
|Party_Name_2=Google Cloud EMEA Limited
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=

|Initial_Contributor=xz
|
}}

The DPA issued a reprimand to 51 municipalities and simultaneously warned them regarding their use of Google’s products in primary and lower secondary schools. In particular, the DPA found that the municipalities had not adequately demonstrated how personal data processed outside the EU is provided with an adequate level of protection.

== English Summary ==

=== Facts ===
The case concerned the use of Google Chromebooks and Google Workspace for Education by 51 Danish municipalities in primary and lower secondary schools. The municipalities acted as controllers, while Google Cloud EMEA Limited (Ireland) acted as the primary data processor and Google relied on a complex chain of sub-processors.

====== '''Background''' ======
Given the sensitivity of the processing and the complexity of the processing chain, the Danish Data Protection Authority (Datatilsynet) initiated an extensive supervisory investigation known as the “Chromebook Case Complex.” This decision forms part of that investigation and concerns the use of Google software in schools, focusing on whether the data controllers adequately understood and fulfilled their responsibilities when engaging Google as a processor, including identifying the relevant sub-processors and ensuring their compliance with applicable data protection rules.

In July 2024, Datatilsynet informed KL, acting as representative for the controllers, that it would seek an opinion from the European Data Protection Board (EDPB) on the obligations of data controllers when using processors and sub-processors, particularly regarding documentation of processing structures.

[https://www.edpb.europa.eu/system/files/2024-10/edpb_opinion_202422_relianceonprocessors-sub-processors_en.pdf The EDPB opinion of October 2024] clarified that controllers must maintain a complete and documented overview of all processors and sub-processors, their roles, locations, and compliance with GDPR requirements, including rules on international data transfers.

====== '''Information requests and documentation submitted by KL''' ======
Between January and June 2025, Datatilsynet repeatedly asked KL to submit documentation on behalf of the controllers, including lists of all processors and sub-processors, descriptions of their processing activities, their geographical locations, and evidence of the controllers’ assessments of legality and compliance. KL submitted preliminary and supplementary responses explaining that Google Cloud EMEA Limited was the main processor and that the sub-processors included both Google Group entities and third-party providers, located within the EU/EEA and in several third countries, including the United States, India, Mexico, Taiwan, Australia, Canada, Singapore, Brazil, Hong Kong, and Japan. KL further described technical and organisational measures such as “Data Regions EU”, limiting certain processing to the EU/EEA, and “Access Approvals”, restricting sub-processor access to personal data.

====== '''Focus on sub-processors outside the EU/EEA''' ======
As the final step of its supervision, and following the [https://www.edpb.europa.eu/system/files/2024-10/edpb_opinion_202422_relianceonprocessors-sub-processors_en.pdf EDPB opinion], Datatilsynet specifically focused on the use of sub-processors located outside the EU/EEA. The Authority examined whether the controllers had adequately assessed and documented the legal basis for the processing carried out by those sub-processors, including whether onward transfers ensured a level of protection essentially equivalent to that guaranteed in the EU/EEA, in light of the [[CJEU – C-311/18 – Facebook Ireland and Schrems|Schrems II judgment]] and the four European essential guarantees.

=== Holding ===
Datatilsynet concluded that the controllers failed to fully comply with GDPR requirements.

While the data processing agreement with Google documented the obligations of Google and its sub-processors, the controllers did not demonstrate that they had verified or would verify that sub-processors adhered to these obligations, particularly regarding onward transfers to third countries. Datatilsynet emphasized that third-country transfers require an assessment of whether the four European essential guarantees are effectively ensured, and that contractual obligations alone do not suffice for unsafe countries such as India, Mexico, Taiwan, and others.

Datatilsynet held that the controllers’ processing of personal data did not meet the requirements of [[Article 5 GDPR#2|Article 5(2) GDPR]], [[Article 5 GDPR|Article 5(1)(a)]] and [[Article 5 GDPR|(f) GDPR]], [[Article 24 GDPR|Article 24 GDPR]], and [[Article 28 GDPR|Article 28(1)]] and [[Article 28 GDPR|(4) GDPR]].

On this basis, Datatilsynet expressed serious criticism of the 51 controllers and warned them that their practices likely violate [[Article 6 GDPR|Article 6(1) GDPR]] and [[Article 28 GDPR|Article 28(1) GDPR]] if the controllers had not configured Google’s services according to the conditional and functional requirements specified by KL, including restrictions on the transfer of personal data to sub-processors in third countries lacking an essentially equivalent level of protection.

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

<pre>
The Danish Data Protection Authority gives 51 municipalities serious criticism in Chromebook case

Date: 29-01-2026

Decision; Public authorities; Serious criticism; Reported breach of personal data security; Processing security; Children; Basic principles; Data processor

The Danish Data Protection Authority issues serious criticism and at the same time warns the municipalities in relation to how they use Google’s products in primary schools.

Case number: 2025-431-0053.

Summary

The Danish Data Protection Authority has made a decision in the so-called Chromebook case regarding 51 municipalities’ use of Google’s products for teaching in primary schools. The Danish Data Protection Authority issues serious criticism and warns the municipalities about their setup of the programs in question and about the use of sub-processors outside the EU.

The Danish Data Protection Authority has, among other things, followed up on an opinion from the European Data Protection Board (EDPB) from October 2024 on the data controller’s obligations when using data processors – as a final link in the supervisory body’s large case complex about a number of municipalities’ use of Google Workspace for Education and Google Chrome Education for teaching purposes in Danish primary schools – and examined the municipalities’ handling of the responsibilities that come with the use of Google as a data processor.

The data controller’s responsibilities when using data processors and sub-processors

The EDPB’s opinion from October 2024 deals, among other things, with the extent to which the data controller must be able to identify its data processors, and the extent to which the data controller must verify and document that any sub-processors are subject to the same data protection obligations as the primary data processor.

The opinion also addresses the data controller’s documentation obligation in situations where a data processor within the EU/EEA transfers personal data to a (sub)processor in a third country – including subsequent onward transfers.

Focus on the use of sub-processors outside the EU

In the case, the Danish Data Protection Authority has focused on the use of sub-processors outside the EU that the municipalities’ data processor, Google, uses. In this connection, the Danish Data Protection Authority has examined the municipalities’ considerations and documentation for the legalization of the processing of personal data that takes place at these sub-processors.

Main points in the Danish Data Protection Authority’s decision

In its decision, the Danish Data Protection Authority has emphasized the following main points:

- The Danish Data Protection Authority expresses serious criticism of the municipalities’ processing of personal data when using Google’s products for teaching in primary schools.
- The Danish Data Protection Authority warns the municipalities that it will likely be in violation of the Data Protection Regulation if the municipalities have not configured their setup of the programs in question in accordance with the prerequisite and functional requirements set out by KL.
- The Danish Data Protection Authority warns municipalities that it is likely to be in breach of the General Data Protection Regulation to appoint a data processor for processing of personal data where further processing takes place in a third country if a level of protection that is essentially equivalent to the level of protection in the EU/EEA cannot be ensured.

Requirements for clear processing structures and ongoing legalisation

In addition, the Danish Data Protection Authority states that as a data controller you cannot legally use products that contain unclear processing structures.

The Danish Data Protection Authority also stresses that the data controller must have access to the necessary resources to ensure the lawful processing of personal data, including in situations where a selected product or the contractual basis for the product changes.

Decision

Processing of personal data using Google Chromebooks and Workspace for Education

The Danish Data Protection Authority hereby returns to the case, where on 10 July 2024 the Authority informed KL that a final assessment of the sub-processor chain in the municipalities’ use of Google products would be made on the basis of the European Data Protection Board’s (hereinafter EDPB) opinion on, among other things, the scope of the data controller’s documentation obligation for the data processor’s use of sub-processors.

In the decision, the Danish Data Protection Authority has only addressed the assessment of the sub-processor chain in the municipalities’ use of Google Chromebooks and Workspace for Education.

On 28 January 2025, KL notified the Danish Data Protection Authority that KL represents the following 51 municipalities in the case (referred to in the case as the municipalities):

Albertslund Municipality
Allerød Municipality
Ballerup Municipality
Brøndby Municipality
Dragør Municipality
Egedal Municipality
Fanø Municipality
Favrskov Municipality
Faxe Municipality
Fredericia Municipality
Faaborg-Midtfyn Municipality
Glostrup Municipality
Greve Municipality
Gribskov Municipality
Haderslev Municipality
Hedensted Municipality
Helsingør Municipality
Herlev Municipality
Hjørring Municipality
Holbæk Municipality
Horsens Municipality
Hvidovre Municipality
Hørsholm Municipality
Ishøj Municipality
Jammerbugt Municipality
Langeland Municipality
Læsø Municipality
Mariagerfjord Municipality
Middelfart Municipality
Nordfyns Municipality
Næstved Municipality
Odder Municipality
Odense Municipality
Randers Municipality
Rebild Municipality
Samsø Municipality
Silkeborg Municipality
Slagelse Municipality
Solrød Municipality
Sorø Municipality
Svendborg Municipality
Syddjurs Municipality
Thisted Municipality
Tønder Municipality
Tårnby Municipality
Vejen Municipality
Vejle Municipality
Vordingborg Municipality
Vesthimmerlands Municipality
Aalborg Municipality
Aarhus Municipality

1. Decision

The Danish Data Protection Authority finds that the 51 municipalities’ processing of personal data has not been carried out in accordance with Article 5(2) of the General Data Protection Regulation, cf. Article 5(1)(a), and Article 24, cf. Article 28(1) and (4).

On this basis, the Danish Data Protection Authority must, pursuant to Article 58(2)(b) of the General Data Protection Regulation, issue serious criticism of the 51 municipalities.

Furthermore, the Danish Data Protection Authority must, pursuant to Article 58(2)(a) of the General Data Protection Regulation, warn the 51 municipalities that it will likely be in breach of Article 6(1) of the General Data Protection Regulation, cf. Article 6(3), if they have not configured their setup of the programmes in question in accordance with the prerequisite and functional requirements that KL has specified, partly in connection with the previous cases in this complex and partly in connection with the present case.

In addition, the Danish Data Protection Authority must, pursuant to Article 58(2)(a) of the General Data Protection Regulation, warn the 51 municipalities that it is likely to be in breach of Article 28(1) of the General Data Protection Regulation to appoint a data processor for processing personal data where this information is further processed by a sub-processor in a third country where a level of protection that is essentially equivalent to the level of protection in the EU/EEA cannot be ensured.

Below is a detailed review of the case and a justification for the Danish Data Protection Authority’s decision.

2. Presentation of the case

On 10 July 2024, the Danish Data Protection Authority wrote to KL in the so-called “Chromebook case complex”. The letter stated that the Danish Data Protection Authority had decided to contact the EDPB to obtain an opinion on, among other things, the scope of documentation for data processor structures, including the relationship to sub-processors. Furthermore, the letter stated that the Danish Data Protection Authority would make a final assessment of the sub-processor chain in the municipalities’ use of Google products once the EDPB’s opinion was available.

On 4 April 2024, the Danish Data Protection Authority requested an opinion from the EDPB pursuant to Article 64(2) of the General Data Protection Regulation regarding, among other things, the scope of documentation for data processing structures, including the relationship with sub-processors.

The EDPB’s opinion was published on 9 October 2024[1].

With reference to this and to the Danish Data Protection Authority’s other comments in the letter of 10 July 2024 on the requirements incumbent on the individual municipality as data controller, the Danish Data Protection Authority asked KL on 27 January 2025 whether KL was preparing a joint response for the municipalities.

On 28 January 2025, KL informed the Danish Data Protection Authority that KL would continue to answer questions from the Danish Data Protection Authority on behalf of the municipalities concerned.

On 30 April 2025, the Danish Data Protection Authority sent an initial hearing to KL. The Danish Data Protection Authority requested to receive a list of all data processors used in the processing of personal data in connection with the municipalities’ use of Google products for educational purposes.

The Danish Data Protection Authority also requested KL to indicate all sub-processors used, at which locations personal data is processed on behalf of the municipalities, and – to the extent necessary – documentation of the considerations the municipalities have made in relation to the lawfulness thereof.

In addition, the Danish Data Protection Authority requested that a corresponding list be attached for any disclosures to other independent data controllers.

On 21 May 2025, KL sent a response to the Danish Data Protection Authority’s hearing. In addition, KL sent a list of the 51 municipalities for which KL is a party representative.

Based on the material submitted, the Danish Data Protection Authority requested a supplementary statement in the case from KL on 4 June 2025.

KL issued a supplementary statement in the case on 6 June 2025, which stated, among other things, that KL was still awaiting answers from Google on some outstanding questions in relation to the sub-processors for Google Chrome Education Upgrade.

KL sent answers to the outstanding questions on 23 June 2025.

2.1. KL’s comments

2.1.1. List of data processors

KL has stated that Google Cloud EMEA Limited is the data processor in connection with the municipalities’ use of Google Workspace for Education and Google Chrome Education.

2.1.2. List of sub-processors

KL has submitted a number of annexes with lists of Google’s sub-processors for Google Workspace for Education and Chrome Education Upgrade. In the submitted material, Google’s sub-processors are divided into Third Party Subprocessors and Google Group Subprocessors, respectively.

2.1.2.1. Third Party Subprocessors

According to KL, “Third Party Subprocessors” do not have access to “Customer Data” stored or processed by Google unless the customer – which in this case will be the individual municipality – expressly chooses to share “Customer Data” in connection with a support case.

KL has further stated that KL has recommended that the municipalities introduce an organizational measure in the form of procedures that ensure that employees who request support do not share personal data.

KL has stated that “Provided that this recommendation is followed, no data processing will take place by any of the listed Third Party Subprocessors.”

2.1.2.2. Google Group Subprocessors

2.1.2.2.1. Google Workspace for Education

KL has stated that sub-processors for Google Workspace for Education are used for “Data Center operations”, “Service Maintenance” and “TSS (Customer Initiated Support)”.

According to KL, the municipalities use the technical measure “Data Regions” in connection with the processing of personal data at “Data Center Operations”. The measure “Data Regions” implies that the processing of personal data is limited to a specific region. KL has stated that the municipalities only use services that are covered by “Data Regions EU”, which means that personal data is not processed outside the EU/EEA.

KL has further stated that not all services are covered by this measure. According to KL, there will therefore still be a limited amount of data that will be processed outside the EU/EEA. KL has stated that the processing of personal data in connection with “Data Center Operations” will be the storage of personal data.

Furthermore, KL has stated that sub-processors for Google Workspace for Education have limited access to “Customer Data” with regard to “Service Maintenance” and “TSS”. KL has noted in this regard that “Access Approvals” have been introduced for these processes, which means that the sub-processor can only access “Customer Data” if the customer grants them access.

KL has recommended that the municipalities use “Access Approvals” and develop procedures for when Google should have access to personal data.

According to KL, this is a limited amount of personal data that is not covered by “Access Approvals”. The municipalities cannot therefore ensure with this measure that personal data is not processed outside the EU/EEA.

KL has therefore stated that all sub-data processors listed in KL’s supplementary statement of 23 June 2025 in the annexes with the titles “Appendix 36 Municipally relevant sub-data processors Google Workspace – UPDATED JUNE 2025” and “Appendix 37 Municipally relevant sub-data processors Google Chrome”, process information on behalf of the municipalities.

2.1.2.2.2. Chrome Education Upgrade

KL has stated that sub-data processors for Chrome Education Upgrade are used for “IT Facility Management”, “Service Support” and “Technical Support Service/TSS”.

It also appears from KL’s consultation response that KL has been in dialogue with Google about whether the technical measures in the form of “Data Regions” and “Access Approvals” can also be used in connection with Google Chrome Education Upgrade. This is not the case, which is why all of Google Group’s sub-processors are relevant.

According to KL, it is therefore not possible for the municipalities to ensure that personal data is only processed within the EU/EEA.

2.1.3. Locations

KL has submitted lists stating the locations of the sub-processors. The lists appear from KL’s supplementary statement of 23 June 2025 in the annexes entitled “Appendix 36 Municipally relevant sub-processors Google Workspace – UPDATED JUNE 2025” and “Appendix 37 Municipally relevant sub-processors Google Chrome”.

2.1.4. Legality

KL has stated that personal data is transferred from the municipalities to Google Cloud EMEA located in Ireland. Google Cloud EMEA will then transfer personal data to Google LLC located in the USA. The personal data will then be transferred to Google Group’s sub-processors.

KL has stated:

“[…] that when the municipalities assess Google as a data processor pursuant to Article 28(1), the municipalities must also consider whether Google sufficiently takes into account an assessment of the level of data protection in the countries to which Google transfers data when selecting sub-processors.”

Furthermore, KL has stated that:

“The municipalities have entered into a data processing agreement with Google, which also regulates Google’s use of sub-processors. It is apparent from the “Cloud Data Processing Addendum”, among other things, that Google enters into written contracts with all sub-processors, and ensures that the sub-processor only has access to Customer Data to the extent necessary to fulfill the obligations in the contract. Google also states, cf. appendix 35 of the case, that the same obligations to which Google is subject in the data processing agreement with the municipalities pursuant to the Cloud Data Processing Addendum (appendix 9 of the case) will be transferred to the sub-processor.”

and

“Google has additionally confirmed that – as part of the selection process described in appendices 11 and 12 – they address a number of aspects to ensure that the sub-processor has the necessary technical expertise and capacity and can provide the right level of security and protection of personal data, including national data protection legislation.”

It is KL’s assessment that “the specified data processors provide the necessary guarantees and that the municipalities have verified this to a sufficient extent.”

It is also KL’s assessment:

“[…] that the adequacy decision is valid and that Google LLC is on the list of companies registered under the Data Privacy Framework. KL has also determined that the transfers fall within the scope of the adequacy decision.”

2.1.5. List of disclosures to other independent data controllers

KL has stated that any disclosures to other independent data controllers only take place in accordance with the “Google Workspace for Education Terms of Service” and the “Chrome Enterprise Agreement”.

3. Legal basis

According to Article 5(1)(a) of the General Data Protection Regulation, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. It also follows from Article 5(1)(f) of the Regulation that personal data shall be processed in a manner that ensures adequate security for the personal data concerned, including protection against unauthorized or unlawful processing. In addition, according to Article 5(2) of the General Data Protection Regulation, data controllers are responsible for and must be able to demonstrate that paragraph 1 is complied with.

Processing of personal data is only lawful if one of the conditions mentioned in Article 6, paragraph 1 of the General Data Protection Regulation is met. If the processing is based on Article 6, paragraph 1, letter c or letter e of the Regulation, the basis for processing must be stated in Union law or the national law of the Member State to which the data controller is subject, cf. Article 6, paragraph 3.

It is also clear from Article 24, paragraph 1 of the General Data Protection Regulation that the data controller must implement appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing of personal data is in accordance with the provisions of the General Data Protection Regulation. This shall be done taking into account the nature, scope, context and purposes of the processing. The measures shall be reviewed and updated where necessary.

In addition, Article 28(1) to (5) of the GDPR provides the following regarding processors:

1. Where processing is to be carried out on behalf of a controller, the controller shall only use processors who can provide the necessary guarantees that they will implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not use another processor without the prior specific or general written consent of the controller. In the event of general written consent, the processor shall inform the controller of any planned changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. The processing by a processor shall be governed by a contract or another legal instrument in accordance with Union or Member State law, binding on the processor with respect to the controller, which specifies the subject matter and duration of the processing, the nature and purposes of the processing, the types of personal data and the categories of data subjects, and the obligations and rights of the controller. This contract or other legal instrument shall provide in particular that the processor:

a) may process personal data only on documented instructions from the controller, including as regards the transfer of personal data to a third country or an international organisation, unless required by Union or Member State law to which the processor is subject; in that case, the processor shall inform the controller of this legal requirement prior to processing, unless the relevant law prohibits such notification for reasons of important public interest;
b) ensures that the persons authorised to process the personal data have undertaken a confidentiality obligation or are subject to an appropriate statutory obligation of professional secrecy;
c) implements all measures required under Article 32;
d) meets the conditions referred to in paragraphs 2 and 4 for making use of another processor;
e) taking into account the nature of the processing, assists the controller, where possible, by means of appropriate technical and organisational measures, in fulfilling the controller’s obligation to respond to requests for the exercise of data subjects’ rights as set out in Chapter III;
f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;
g) at the controller’s choice, erases or returns all personal data to the controller after the services relating to the processing have ceased and deletes existing copies, unless Union law or the national law of the Member States requires the retention of the personal data;
h) makes all information necessary to demonstrate compliance with the requirements of this Article available to the controller and allows for and contributes to audits, including inspections, carried out by the controller or another auditor authorised by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or data protection provisions in other Union or Member State law.

4. Where a processor uses another processor to carry out specific processing activities on behalf of the controller, that other processor shall be subject to the same data protection obligations as those laid down in the contract or other legal instrument between the controller and the processor referred to in paragraph 3, by means of a contract or other legal instrument in accordance with Union or Member State law, providing in particular the necessary guarantees that they will implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation. If that other processor fails to comply with its data protection obligations, the original processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

5. A data processor’s compliance with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element to demonstrate the necessary guarantees as referred to in paragraphs 1 and 4 of this Article.

4. Reasons for the decision of the Danish Data Protection Authority

This decision has been made on the basis of the annexes and the information that has been part of the case since 23 June 2025 – after receipt of the municipalities’ final opinion and on the basis of the data processing agreement referred to as the Cloud Data Processing Addendum (dated 21 August 2025) (hereinafter the data processing agreement).

4.1. Documentation of lawfulness

It follows from Article 5(2) of the Data Protection Regulation that the data controller is responsible for and must be able to demonstrate that Article 5(1) of the Data Protection Regulation on the principles for the processing of personal data is complied with.

In continuation of this, it follows from Article 24(1) of the General Data Protection Regulation that:

“Taking into account the nature, scope, context and purposes of the processing operations and the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is in compliance with this Regulation. Those measures shall be reviewed and updated where necessary.”

4.2. Substantive lawfulness of the processing operations

4.2.1. Data processing agreement

According to Article 28(1) of the General Data Protection Regulation, the controller may only use data processors who can provide the necessary guarantees that the processing of personal data will comply with data protection law.

Furthermore, a data processor’s processing must be governed by a contract or another legal document in accordance with EU law or the national law of the Member States, which is binding on the data processor with respect to the data controller and which sets out the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects, as well as the obligations and rights of the data controller, cf. Article 28(3), first sentence of the Regulation.

Google Cloud EMEA Limited (hereinafter Google) is the data processor in connection with the municipalities’ use of Google Workspace for Education and Google Chrome Education.

The data processor structure is regulated in the data processing agreement concluded between the municipalities and Google, and the use of sub-processors is regulated in Section 11 of the data processing agreement.

On this basis, the Danish Data Protection Authority finds that the submitted material – taken as a whole – provides such a description of the processing scenario and the sub-processors used that the requirements listed in Article 28(3) of the Regulation can be observed and complied with.

This decision does not take a further position on the content of the data processing agreement. In this context, reference is made instead to the Danish Data Protection Authority’s previous decisions in this case complex, including the cases with case number 2020-431-0061.

4.2.2. Sub-processors

It follows from Article 28(4) of the General Data Protection Regulation that if a sub-processor is used, the sub-processor must be subject to the same data protection obligations as those stipulated between the data controller and the data processor.

The data controller is not obliged to systematically request copies of the sub-processor agreements in order to demonstrate that the data processor’s guarantees have been passed on to the sub-contractor. However, the data controller must be satisfied that the requirements have been passed on to the sub-contractors and this must be documented.

If the data controller becomes aware that a (sub)processor is acting outside the original instructions, or the processing design otherwise gives rise to this, the data controller should request the documentation and a copy of the agreement in the specific case.

In its Opinion 22/2024 on certain obligations arising from the dependence on data processor(s) and sub-processor(s), the EDPB has, among other things, required that the data controller must have a complete overview of which data processors process personal data on behalf of the data controller.

This means that the data controller must have an overview of all possible data processors and additional sub-processors in the supply chain that process personal data on behalf of the data controller.

According to the opinion of the EDPB, the obligation means that the data controller must have the location and an authorized way to contact all sub-processors, as well as a description of the processing activities and a clear delimitation of the sub-processors’ responsibilities. Furthermore, the data controller must be able to present this documentation at any time.

KL has stated that the municipalities’ documentation appears from KL’s supplementary opinion of 23 June 2025 in the annexes with the titles “Appendix 36 Municipally relevant sub-processors Google Workspace – UPDATED JUNE 2025” and “Appendix 37 Municipally relevant sub-processors Google Chrome”, where all of Google’s relevant sub-processors are listed.

It appears, among other things, from the data processing agreement between the municipalities and Google that:

“11.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Google will:

* ensure a written contract that:
** the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Addendum); and
** if required under Applicable Privacy Laws, the data protection obligations described in this Addendum are imposed on the Subprocessor (as may be further described in Appendix 3 (Specific Privacy Laws)); and
* remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.”

On this basis, the Danish Data Protection Authority finds that the requirements imposed on Google are, on the face of it, sufficiently passed on in the contracts with the sub-processors that Google chooses to use in connection with the processing of personal data on behalf of the municipalities.

The Danish Data Protection Authority attaches particular importance to the fact that it follows from the data processing agreement that if Google chooses to make use of sub-processors, the sub-processors are obliged to only process information to the extent necessary to perform the obligations arising from the contract. The sub-processors are also obliged to ensure that the processing of personal data must be carried out in accordance with the conditions arising from the data processing agreement.

In addition, the Danish Data Protection Authority has emphasised that Google will be fully responsible for all processing that the sub-processors carry out on behalf of the municipalities, cf. the principle in Article 28(4), last indent of the General Data Protection Regulation.

However, the Danish Data Protection Authority notes that the municipalities have not stated whether the municipalities have checked that the requirements are actually complied with by the sub-processors, or how the municipalities as data controllers intend to check this.

In this connection, it follows, among other things, from the EDPB’s opinion that:

“[…] the controller’s obligation to verify whether the (sub-)processors present sufficient guarantees to implement the measures determined by the controller should apply regardless of the risk to the rights and freedoms of data subjects.

However, the extent of such verification will in practice vary depending on the nature of these organisational and technical measures determined by the controller based on, among other criteria, the risk associated with the processing.”

Taking into account the information processed on behalf of the municipalities and the risk the processing poses to the rights and freedoms of data subjects, it is the Danish Data Protection Authority’s assessment that the municipalities should indicate in the documentation how and with what intensity they will verify and control that the requirements are actually carried out in the contracts with the sub-processors and that they are complied with by the sub-processors.

In this context, the Danish Data Protection Authority assumes that the municipalities have the option of requesting a copy of Google’s contracts with the sub-processors, at least for the part that concerns the further processing that has been delegated to the sub-processor.

The Danish Data Protection Authority further notes that the data controller is obliged to request a copy of contracts or other relevant documentation from data processors and sub-processors if the data controller becomes aware of something problematic or otherwise finds it necessary.

4.2.3. Third country transfers

If the processing of personal data in question takes place, or is intended in the contractual basis to take place, by employing a data processor or sub-processor that processes personal data for the data controller, outside the EU/EEA, this will be a transfer of personal data to a third country.

Such a transfer will be covered by Chapter V of the General Data Protection Regulation on transfers of personal data to third countries or international organisations, under which a number of conditions apply to the processing.

The data controller must, among other things, have a transfer basis to legalise the transfer. The assessment of which transfer basis is most suitable in the given situation varies depending on who the data controller is, which country the personal data is to be transferred to and how quickly the transfer basis is to be used, etc.

The data controller must therefore first and foremost map out which countries the personal data is to be transferred to.

4.2.3.1. Locations

The Danish Data Protection Authority assumes that personal data is transferred from the data processor Google Cloud EMEA Limited in Ireland to the sub-processor Google LLC in the USA. From there, personal data is transferred to the other specified sub-processors.

The Danish Data Protection Authority – in accordance with what was stated by KL in the statement of 23 June 2025 and the annexes with the titles “Annex 36 Municipally relevant sub-data processors Google Workspace – UPDATED JUNE 2025” and “Annex 37 Municipally relevant sub-data processors Google Chrome” – assumes that the sub-data processors listed in the agreement process personal data on behalf of the municipalities.

On this basis, the Danish Data Protection Authority notes that the sub-data processors process personal data both in the EU/EEA, safe third countries and several unsafe third countries, including India, Mexico and Taiwan.

4.2.3.2. Transfer basis in relation to the USA

According to Article 45(1) of the General Data Protection Regulation, personal data may be transferred to a third country or an international organisation if the EU Commission has determined that the third country, a territory or one or more specific sectors within that third country, or the international organisation in question has an adequate level of protection.

If a cloud provider makes transfers on the basis of an adequacy decision, the Danish Data Protection Authority is of the opinion that the data controller must still be able to demonstrate that 1) the adequacy decision is valid and that 2) the transfer is covered by the scope of the adequacy decision.

The EU Commission has adopted an adequacy decision on the so-called EU-U.S. Data Privacy Framework (DPF). However, the adequacy decision can only be used as a basis for transfer when personal data is transferred to organisations that have certified themselves under the DPF with the US Department of Commerce.

KL has stated that personal data from Google is transferred to Google LLC on the basis of the DPF. Furthermore, KL has stated that Google LLC is certified under the DPF and that the transfers are covered by the scope of the adequacy decision.

On this basis, the Danish Data Protection Authority finds that the municipalities have provided a sufficient transfer basis for transfers of personal data from Google to Google LLC by using the DPF.

4.2.3.3. Transfer basis in relation to onward transfers to sub-processors

It appears from the DPF that if a data processor and/or a sub-processor in a safe third country transfers personal data on behalf of the data controller, the data controller is generally not obliged to verify the lawfulness of the rules that apply in the third country or international organisation to this data processor’s and/or sub-processor’s onward transfers of personal data received within the framework of an adequacy decision. This situation will be addressed in the adequacy assessment.[2]

Furthermore, the DPF states that the level of protection of personal data transferred from the Union to organisations in the United States must not be undermined by onward transfers of such data to a recipient in the United States or another third country.[3] Onward transfers may only take place i) for limited and specified purposes, ii) on the basis of an agreement between the organisation under the EU-US data protection framework and the third party in question (or a similar arrangement within a group) and iii) only if this agreement ensures that the third party ensures the same level of protection as the principles of the General Data Protection Regulation.

The Danish Data Protection Authority finds that onward transfers to sub-processors can therefore, as a general rule, take place on the basis of the DPF.

However, considering that the DPF, as mentioned above, states that the level of protection of personal data transferred from the Union to organizations in the United States must not be undermined by the onward transfer of such data to a recipient in the United States or another third country, the Danish Data Protection Authority finds it necessary to examine which countries data are actually transferred to and the adequacy of the level of protection in these third countries.

The Danish Data Protection Authority notes that in this context, the European essential guarantees will form part of the assessment to be carried out to determine whether a third country provides protection that is essentially equivalent to that guaranteed in the EU.[4]

The four European essential safeguards follow from the Schrems II judgment[5], paragraph 188, and are as follows:

“effective administrative and judicial review for data subjects whose personal data are transferred”. In this regard, recital 104 of the GDPR highlights that the third country “should […] ensure effective independent data protection supervision and […] establish cooperation mechanisms with the data protection authorities of the Member States”, and specifies that “data subjects should have effective and enforceable rights and access to effective administrative and judicial review”.

In order to ensure an adequate level of protection, municipalities must therefore ensure that the safeguards are reflected in the contracts that Google enters into with the sub-processors. Furthermore, it is essential to assess whether a contractual basis alone will provide protection that is essentially equivalent to that in the EU/EEA.

KL has stated that Google’s contracts with the sub-processors subject them to the same obligations as Google is subject to in the data processing agreement with the municipalities. KL has also stated that the guarantees provided under the DPF are continued in the contracts with the sub-processors.

However, in the opinion of the Danish Data Protection Authority, this finding will not necessarily be sufficient in itself to ensure a level of protection for personal data that is essentially equivalent to that within the EU/EEA if (onward) transfers occur to unsafe third countries.

The data controller is obliged to assess the conditions in the recipient country prior to the transfer in order to determine whether the chosen transfer basis can also in practice ensure an adequate level of protection for the transferred data in accordance with the four European essential guarantees. This could be done after an assessment of the effectiveness of the chosen transfer basis, e.g. in the form of a transfer impact assessment (TIA).

The Danish Data Protection Authority notes that the municipalities have not, on the face of it, carried out a further assessment of the onward transfers to the sub-processors.

The Danish Data Protection Authority finds that the following countries in the sub-processor chain should have been subject to an investigation before the municipalities entered into the contract with Google:

* Australia
* Chile
* Canada, as it is not stated whether the sub-processor is covered by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
* India
* Mexico
* Singapore
* Taiwan
* Brazil[6]
* Hong Kong
* Japan, as it is not stated whether the sub-processor is covered by the Japanese Act on the Protection of Personal Information (APPI)

The Danish Data Protection Authority points out that there are no formal requirements for how such an investigation should be carried out or how the documentation should appear. However, it is important that the assessment considers whether the four essential guarantees are met and whether the tool used for the transfer actually ensures that the rights of the data subject are protected in a manner that is equivalent to the legal situation in the EU/EEA.

Reports have been prepared for several countries, for example the assessments in report EDPS/2019/02-13[7] and the two reports with no. 022-0716[8]. The results of the analysis are not necessarily accurate today, but provide indications for the countries in question. Although these analyses are more detailed than necessary in most processing scenarios, elements of them can nevertheless serve as inspiration for the considerations that one must make as a data controller.

Furthermore, it follows from the EDPB Opinion 22/2024 on certain obligations deriving from the dependence of the data processor(s) and sub-processor(s) that:

“If personal data transferred by a (sub)processor (on behalf of the data controller) on the basis of an adequacy decision are subject to an onward transfer from that third country, the level of protection guaranteed to natural persons under the GDPR for such onward transfer should also not be undermined. In this respect, any adequacy decision taken by the European Commission pursuant to Article 45(2)(a) of the GDPR covers, inter alia, third country rules on onward transfers. Accordingly, under Article 44 of the GDPR, the data controller is not obliged to verify these requirements itself.

As regards the data controller’s obligation under Article 28(1) of the GDPR, this means that the data controller must ensure that the (sub)processor also provides the “necessary guarantees” in connection with onward transfers carried out by a (sub)processor from a country that ensures an adequate level of protection.”[9]

The data controller is thus obliged to ensure – and be able to document – that a subcontractor complies with the relevant rules and has ensured that the level of protection is not undermined by the onward transfer. 

In order to ensure this, it is necessary to establish the following about the nature of the adequacy assessments. This is based solely on the EU Commission’s assessment of the conditions in the specific recipient country and may also be limited to processing by specific actors or processing scenarios. For onward transfers outside the so-called “safe third country” in question, this is anchored in a contract between the (sub)processor in the safe third country and the sub-processor in the country to which the onward transfer is made.

The EDPB therefore published, in continuation of the Schrems II judgment mentioned above, a recommendation 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

It is against this background that the Danish Data Protection Authority is of the opinion that onward transfers of personal data to a country with what the EDPB in the aforementioned recommendation calls “problematic legislation” cannot take place without supplementary measures, as long as such onward transfer is based solely on a contract between the (sub)processor in the safe third country and the sub-processor in the unsafe third country. This is because the contract cannot decisively regulate the actions of the person in power in the unsafe third country.

The Danish Data Protection Authority notes that the municipalities have not documented whether this is the case.

The Danish Data Protection Authority acknowledges that the municipalities have examined the data processing agreement with Google and the requirements placed on sub-processors therein when entering into the contract. The Danish Data Protection Authority is aware that KL has received confirmation from Google that a thorough screening of the sub-processors that Google engages is carried out, and that the municipalities have the opportunity to continuously follow up on whether sub-processors meet their obligations. This can be done by reviewing reports that Google undertakes to make available.

However, the Danish Data Protection Authority cannot establish that a review of the reports on sub-processors has actually been carried out.

Against this background and after an overall assessment of the processing activities described contractually, in combination with the documentation submitted to the Danish Data Protection Authority, the municipalities’ processing of personal data has not, in the opinion of the Danish Data Protection Authority, been carried out in accordance with Article 5(2) of the General Data Protection Regulation, cf. Article 5(1)(a), and Article 24, cf. Article 28(1) and (4).

Against this background, the Danish Data Protection Authority must, pursuant to Article 58(2)(b) of the General Data Protection Regulation, express serious criticism of the 51 municipalities.

In making this decision, the Danish Data Protection Authority has assumed that the 51 municipalities have configured their setup of the programs in question in accordance with the prerequisite and functional requirements that KL has specified, partly in connection with the previous cases in this case complex and partly as stated in this case. These settings are, among other things, set to exclude services with processing that is not authorized, especially in relation to the disclosure of personal data to third parties.

Pursuant to Article 58(2)(a) of the Data Protection Regulation, the Danish Data Protection Authority must warn the 51 municipalities that it will likely be in violation of Article 6(1) of the Data Protection Regulation, cf. Article 6(3), if they have not configured their setup of the programs in question in accordance with the prerequisite and functional requirements that KL has specified, partly in connection with the previous cases in this case complex and partly as stated in this case.

Pursuant to Article 58(2)(a) of the General Data Protection Regulation, the Danish Data Protection Authority must also warn the 51 municipalities that it is likely to be in breach of Article 28(1) of the General Data Protection Regulation to appoint a data processor to process personal data where this data is further processed by a sub-processor in a third country where a level of protection that is essentially equivalent to the level of protection in the EU/EEA cannot be ensured.

It is noted that in relation to the Danish Data Protection Authority’s use of its powers as a supervisory authority, this decision places particular emphasis on the previous sanctioning of the various violations found, the clarification that has now been made by the EDPB’s opinion 22/2024 and the municipalities’ general cooperation in clarifying the matter.

5. Concluding remarks

The Danish Data Protection Authority notes that the entire process in this case complex could – and in the Authority’s opinion should – have been avoided if the relevant data protection assessments had been made, evaluated and handled before the specific product had been acquired, let alone put into use.

Furthermore, the Danish Data Protection Authority must note that it is not possible and legal – in relation to data protection regulations – to purchase and put into use a product that processes personal data if clarity cannot be created about the processing of personal data that takes place in the product. This applies regardless of the business indication.

If you choose a product where processing activities and the contractual basis on which the processing takes place change frequently, you as a data controller must be able to – continuously – document that the processing, even after the change, is carried out lawfully. If this is not possible, the processing must be able to be terminated or otherwise made lawful by changing product and/or supplier.

This case complex, the number of data protection law violations and the work that the municipalities – on the back burner – have had to do to legalize their choice and use of the products in question, prompts the Danish Data Protection Authority to urge that actors with the same processing scenarios, in order to ensure compliance before acquisition and commissioning, join forces to draw up common requirements in the acquisition phase, common operational configurations in the operational phase and, in general, consider making use of the possibility of drawing up and having codes of conduct approved under Article 40 of the General Data Protection Regulation.

In the future, the Danish Data Protection Authority will attach importance to the choice of sanctions if the principles in this and the previous decisions in the case complex are not followed, in particular in all areas where the public sector and institutional actors in the private sector perform tasks where users are limited in their choice of provider.

The Danish Data Protection Authority hereby considers the case closed and will not take any further action in the case.

 

[1]    Opinion 22/2024 on certain obligations arising from the dependence on data processor(s) and sub-processor(s)

[2]    See Article 45(2)(a) GDPR and Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on an adequate level of protection for personal data under the EU-US data protection framework, Section 2.2.6.

[3]    Ibid.

[4]    Reference is made in this connection to the EDPB’s Recommendations 02/2020 on the European substantive safeguards for surveillance measures, page 5, paragraph 8

[5]    CJEU C 311/2018 of 16 July 2020

[6]    It is noted that with the adoption of the EU Commission’s adequacy decision on 26 January 2026, Brazil has now been assessed as a safe third country. However, at the time the municipalities entered into the contract with Google, Brazil was an unsafe third country.

[7]    legalstudy_on_government_access_0.pdf

[8]    study_on_government_access_to_data_in_third_countries_17042023_mexico_and_turkiye_final_report_milieu_redacted.pdf and study_on_government_access_to_data_in_third_countries_17042023_brazil_final_report_milieu_redacted.pdf

[9]    EDPB Opinion 22/2024 on certain obligations arising from the dependence of data processor(s) and sub-processor(s), points 94 and 95

 
 


The Danish Data Protection Agency gives 51 municipalities serious criticism in the Chromebook case

Date: 29-01-2026

Decision, Public authorities, Serious criticism, Reported breach of personal data security, Processing security, Children, Basic principles, Data processor

The Danish Data Protection Agency expresses serious criticism and at the same time warns the municipalities in relation to how they use Google’s products in primary schools.

Case number: 2025-431-0053.

Summary
The Danish Data Protection Agency has made a decision in the so-called Chromebook case regarding 51 municipalities’ use of Google’s products for teaching in primary schools. The Danish Data Protection Authority issues serious criticism and warns the municipalities about their setup of the programs in question and about the use of sub-processors outside the EU.

Following up on, among other things, an opinion from the European Data Protection Board (EDPB) from October 2024 on the data controller’s obligations when using data processors, the Danish Data Protection Authority has, as the final link in the supervisory body’s large case complex about a number of municipalities’ use of Google Workspace for Education and Google Chrome Education for teaching purposes in Danish primary schools, examined the municipalities’ handling of the responsibilities that come with the use of Google as a data processor.

The data controller’s responsibilities when using data processors and sub-processors

The EDPB’s opinion from October 2024 deals, among other things, with the extent to which the data controller must be able to identify its data processors, and the extent to which the data controller must verify and document that any sub-processors are subject to the same data protection obligations as the primary data processor.

The opinion also addresses the data controller’s documentation obligation in situations where a data processor within the EU/EEA transfers personal data to a (sub)processor in a third country – including subsequent onward transfers.

Focus on the use of sub-processors outside the EU

In the case, the Danish Data Protection Authority has focused on the use of sub-processors outside the EU that the municipalities’ data processor, Google, uses. In this connection, the Danish Data Protection Authority has examined the municipalities’ considerations and documentation for the legalization of the processing of personal data that takes place at these sub-processors.

Main points in the Danish Data Protection Authority’s decision

In its decision, the Danish Data Protection Authority has emphasized the following main points:

* The Danish Data Protection Authority expresses serious criticism of the municipalities’ processing of personal data when using Google’s products for teaching in primary schools.
* The Danish Data Protection Authority warns the municipalities that it will likely be in violation of the Data Protection Regulation if the municipalities have not configured their setup of the programs in question in accordance with the prerequisite and functional requirements set out by the Danish Data Protection Agency.
* The Danish Data Protection Authority is warning municipalities that it will likely be in breach of the General Data Protection Regulation to appoint a data processor for processing of personal data where further processing takes place in a third country if a level of protection that is essentially equivalent to the level of protection in the EU/EEA cannot be ensured.

Requirements for clear processing structures and ongoing legalization

In addition, the Danish Data Protection Authority states that as a data controller, you cannot legally use products that contain unclear processing structures.

The Danish Data Protection Authority also emphasizes that the data controller must have access to the necessary resources to ensure the lawful processing of personal data, including in situations where a selected product or the contractual basis for the product changes.

Decision

Processing of personal data when using Google Chromebooks and Workspace for Education

The Danish Data Protection Authority hereby returns to the case, where on 10 July 2024 the Danish Data Protection Authority informed KL that a final assessment of the sub-processor chain in the municipalities’ use of Google products would be made on the basis of the European Data Protection Board’s (hereinafter EDPB) opinion on, among other things, the scope of the data controller’s documentation obligation for the data processor’s use of sub-processors.

In its decision, the Danish Data Protection Agency has only addressed the assessment of the sub-data processor chain in the municipalities’ use of Google Chromebooks and Workspace for Education.

On 28 January 2025, KL notified the Danish Data Protection Agency that KL represents the following 51 municipalities in the case (referred to in the case as the municipalities):

Albertslund Municipality, Allerød Municipality, Ballerup Municipality, Brøndby Municipality, Dragør Municipality, Egedal Municipality, Fanø Municipality, Favrskov Municipality, Faxe Municipality, Fredericia Municipality, Faaborg-Midtfyn Municipality, Glostrup Municipality, Greve Municipality, Gribskov Municipality, Haderslev Municipality, Hedensted Municipality, Helsingør Municipality, Herlev Municipality, Hjørring Municipality, Holbæk Municipality, Horsens Municipality, Hvidovre Municipality, Hørsholm Municipality, Ishøj Municipality, Jammerbugt Municipality, Langeland Municipality, Læsø Municipality, Mariagerfjord Municipality, Middelfart Municipality, Nordfyns Municipality, Næstved Municipality, Odder Municipality, Odense Municipality, Randers Municipality, Rebild Municipality, Samsø Municipality, Silkeborg Municipality, Slagelse Municipality, Solrød Municipality, Sorø Municipality, Svendborg Municipality, Syddjurs Municipality, Thisted Municipality, Tønder Municipality, Tårnby Municipality, Vejen Municipality, Vejle Municipality, Vordingborg Municipality, Vesthimmerlands Municipality, Aalborg Municipality, Aarhus Municipality

1. Decision

The Danish Data Protection Agency finds that the 51 municipalities’ processing of personal data has not been carried out in accordance with Article 5(2) of the General Data Protection Regulation, cf. Article 5(1)(a), and Article 24, cf. Article 28(1) and (4).

On this basis, the Danish Data Protection Authority must, pursuant to Article 58(2)(b) of the General Data Protection Regulation, issue serious criticism of the 51 municipalities.

Furthermore, the Danish Data Protection Authority must, pursuant to Article 58(2)(a) of the General Data Protection Regulation, warn the 51 municipalities that it will likely be a breach of Article 6(1) of the General Data Protection Regulation, cf. Article 6(3), if they have not configured their setup of the programmes in question in accordance with the prerequisite and functional requirements that KL has specified, partly in connection with the previous cases in this complex and partly in connection with the present case.

In addition, the Danish Data Protection Authority must, pursuant to Article 58(2)(a) of the General Data Protection Regulation, warn the 51 municipalities that it is likely to be a breach of Article 28(1) of the General Data Protection Regulation to appoint a data processor for processing personal data where this information is further processed by a sub-processor in a third country where a level of protection that is essentially equivalent to the level of protection in the EU/EEA cannot be ensured.

Below is a detailed review of the case and a justification for the Danish Data Protection Authority’s decision.

2. Presentation of the case

On 10 July 2024, the Danish Data Protection Authority wrote to KL in the so-called “Chromebook case complex”. The letter stated that the Danish Data Protection Authority had decided to contact the EDPB to obtain an opinion on, among other things, the scope of documentation for data processor structures, including the relationship to sub-processors. Furthermore, the letter stated that the Danish Data Protection Authority would make a final assessment of the sub-processor chain in the municipalities’ use of Google products once the EDPB’s opinion was available.

On 4 April 2024, the Danish Data Protection Authority requested an opinion from the EDPB pursuant to Article 64(2) of the General Data Protection Regulation regarding, among other things, the scope of documentation for data processing structures, including the relationship with sub-processors.

The EDPB’s opinion was published on 9 October 2024[1].

With reference to this and to the Danish Data Protection Authority’s other comments in the letter of 10 July 2024 on the requirements incumbent on the individual municipality as data controller, the Danish Data Protection Authority asked KL on 27 January 2025 whether KL was preparing a joint response for the municipalities.

On 28 January 2025, KL informed the Danish Data Protection Authority that KL would continue to answer questions from the Danish Data Protection Authority on behalf of the municipalities concerned.

On 30 April 2025, the Danish Data Protection Agency sent an initial hearing to KL. The Danish Data Protection Agency requested to receive a list of all data processors used in the processing of personal data in connection with the municipalities’ use of Google products for educational purposes.

The Danish Data Protection Agency also requested KL to indicate all sub-processors used, at which locations personal data is processed on behalf of the municipalities, and – to the extent necessary – documentation of the considerations the municipalities have made in relation to the lawfulness thereof.

In addition, the Danish Data Protection Agency requested that a corresponding list be attached for any disclosures to other independent data controllers.

On 21 May 2025, KL sent a response to the Danish Data Protection Agency’s hearing. In addition, KL sent a list of the 51 municipalities for which KL is a party representative.

Based on the material submitted, the Danish Data Protection Agency requested KL on 4 June 2025 for a supplementary statement in the case.

KL issued a supplementary statement in the case on 6 June 2025, which stated, among other things, that KL was still awaiting answers from Google on some outstanding questions in relation to the sub-processors for Google Chrome Education Upgrade.

KL sent answers to the outstanding questions on 23 June 2025.

2.1. KL’s comments

2.1.1. List of data processors

KL has stated that Google Cloud EMEA Limited is the data processor in connection with the municipalities’ use of Google Workspace for Education and Google Chrome Education.

2.1.2. List of sub-processors

KL has submitted a number of annexes with lists of Google’s sub-processors for Google Workspace for Education and Chrome Education Upgrade. In the submitted material, Google’s sub-processors are divided into Third Party Subprocessors and Google Group Subprocessors, respectively.

2.1.2.1. Third Party Subprocessors

According to KL, “Third Party Subprocessors” do not have access to “Customer Data” stored or processed by Google, unless the customer – which in this case will be the individual municipality – explicitly chooses to share “Customer Data” in connection with a support case.

KL has further stated that KL has recommended that the municipalities introduce an organizational measure in the form of procedures that ensure that employees requesting support do not share personal data.

KL has stated that “Provided that this recommendation is followed, no data processing will take place by any of the listed Third Party Subprocessors.”

2.1.2.2. Google Group Subprocessors

2.1.2.2.1. Google Workspace for Education

KL has stated that subprocessors for Google Workspace for Education are used for “Data Center operations”, “Service Maintenance” and “TSS (Customer Initiated Support)”.

According to KL, the municipalities use the technical measure “Data Regions” in connection with the processing of personal data at “Data Center Operations”. The measure “Data Regions” means that the processing of personal data is limited to a specific region. KL has stated that the municipalities only use services that are covered by “Data Regions EU”, which means that personal data is not processed outside the EU/EEA.

KL has further stated that not all services are covered by this measure. According to KL, there will therefore still be a limited amount of data that will be processed outside the EU/EEA. KL has stated that the processing of personal data in connection with “Data Center Operations” will be the storage of personal data.

Furthermore, KL has stated that sub-processors for Google Workspace for Education have limited access to “Customer Data” with regard to “Service Maintenance” and “TSS”. KL has noted that “Access Approvals” have been introduced for these processing operations, which means that the sub-data processor can only access “Customer Data” if the customer grants them access.

KL has recommended that the municipalities use “Access Approvals” and also develop procedures for when Google should have access to personal data.

According to KL, there is a limited amount of personal data that is not covered by “Access Approvals”. The municipalities cannot therefore ensure with this measure that personal data is not processed outside the EU/EEA.

KL has therefore stated that all sub-data processors listed in KL’s supplementary statement of 23 June 2025 in the annexes entitled “Appendix 36 Municipally relevant sub-data processors Google Workspace – UPDATED JUNE 2025” and “Appendix 37 Municipally relevant sub-data processors Google Chrome” process information on behalf of the municipalities.

2.1.2.2.2. Chrome Education Upgrade

KL has stated that sub-processors for Chrome Education Upgrade are used for “IT Facility Management”, “Service Support” and “Technical Support Service/TSS”.

It also appears from KL’s consultation response that KL has been in dialogue with Google about whether the technical measures in the form of “Data Regions” and “Access Approvals” can also be used in connection with Google Chrome Education Upgrade. This is not the case, which is why all of Google Group’s sub-processors are relevant.

According to KL, it is therefore not possible for the municipalities to ensure that personal data is only processed within the EU/EEA.

2.1.3. Locations

KL has submitted lists indicating the locations of the sub-processors. The lists appear from KL’s supplementary statement of 23 June 2025 in the annexes entitled “Appendix 36 Municipally relevant sub-processors Google Workspace – UPDATED JUNE 2025” and “Appendix 37 Municipally relevant sub-processors Google Chrome”.

2.1.4. Legality

KL has stated that personal data is transferred from the municipalities to Google Cloud EMEA located in Ireland. Google Cloud EMEA then transfers personal data to Google LLC located in the USA. The personal data will then be transferred to Google Group’s sub-processors.

KL has stated:

“[…] that when the municipalities assess Google as a data processor pursuant to Article 28(1), the municipalities must also consider whether Google sufficiently takes into account an assessment of the level of data protection in the countries to which Google transfers data when selecting sub-processors.”

Furthermore, KL has stated that:

“The municipalities have entered into a data processing agreement with Google, which also regulates Google’s use of sub-processors. It is apparent from the “Cloud Data Processing Addendum” that Google enters into written contracts with all sub-processors and ensures that the sub-processor only has access to Customer Data to the extent necessary to fulfill the obligations in the contract. Google also states, cf. appendix 35 of the case, that the same obligations to which Google is subject in the data processing agreement with the municipalities pursuant to the Cloud Data Processing Addendum (appendix 9 of the case) will be transferred to the sub-processor.”

and

“Google has further confirmed that, as part of the selection process described in Annexes 11 and 12, they consider a number of aspects to ensure that the sub-processor has the necessary technical expertise and capacity and can provide the appropriate level of security and protection of personal data, including national data protection legislation.”

It is KL’s assessment that “the specified data processors provide the necessary guarantees and that the municipalities have verified this to an adequate extent.”

It is further KL’s assessment:

“[…] that the adequacy decision is valid and that Google LLC is on the list of companies registered under the Data Privacy Framework. KL has also determined that the transfers fall within the scope of the adequacy decision.”

2.1.5. List of disclosures to other independent data controllers

KL has stated that any disclosures to other independent data controllers will only take place in accordance with the “Google Workspace for Education Terms of Service” and the “Chrome Enterprise Agreement”.

3. Legal basis

According to Article 5(1)(a) of the General Data Protection Regulation, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. It also follows from Article 5(1)(f) of the Regulation that personal data must be processed in a manner that ensures adequate security for the personal data in question, including protection against unauthorized or unlawful processing. In addition, according to Article 5(2) of the General Data Protection Regulation, data controllers are responsible for and must be able to demonstrate that paragraph 1 is complied with.

Processing of personal data is only lawful if one of the conditions mentioned in Article 6(1) of the General Data Protection Regulation is met. If the processing is based on Article 6(1)(c) or (e) of the Regulation, the basis for processing must be set out in Union law or in the national law of the Member State to which the data controller is subject, cf. Article 6(3).

It is also clear from Article 24, paragraph 1 of the Data Protection Regulation that the data controller must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing of personal data is in accordance with the provisions of the Data Protection Regulation. This must be done taking into account the nature, scope, context and purposes of the processing. The measures must be reviewed and updated if necessary.

In addition, Article 28, paragraphs 1-5 of the Data Protection Regulation states the following regarding data processors:

If processing is to be carried out on behalf of a data controller, the data controller shall only use data processors who can provide the necessary guarantees that they will implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

The processor shall not use another processor without the prior specific or general written consent of the controller. In the event of general written consent, the processor shall inform the controller of any planned changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

The processing by a processor shall be governed by a contract or another legal instrument in accordance with Union or Member State law, binding on the processor with respect to the controller, which specifies the subject matter and duration of the processing, the nature and purposes of the processing, the types of personal data and the categories of data subjects, and the obligations and rights of the controller. This contract or other legal instrument shall provide in particular that the processor:

(a) may process personal data only on documented instructions from the controller, including as regards the transfer of personal data to a third country or an international organisation, unless required by Union or Member State law to which the processor is subject; in that case, the processor shall inform the controller of this legal requirement prior to processing, unless the relevant law prohibits such notification for reasons of important public interest;

(b) ensures that the persons authorised to process the personal data have undertaken a confidentiality obligation or are subject to an appropriate statutory obligation of professional secrecy;

(c) implements all measures required under Article 32;

(d) meets the conditions referred to in paragraphs 2 and 4 for making use of another processor;

(e) taking into account the nature of the processing, assists the controller, where possible, by means of appropriate technical and organisational measures, in fulfilling the controller’s obligation to respond to requests for the exercise of data subjects’ rights as set out in Chapter III;

(f) assists the controller in ensuring compliance with the obligations under Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;

(g) at the controller’s choice, erases or returns all personal data to the controller after the services relating to the processing have ceased, and deletes existing copies, unless Union law or the national law of the Member States requires the retention of the personal data;

(h) makes all information necessary to demonstrate compliance with the requirements of this Article available to the controller and allows for and contributes to audits, including inspections, carried out by the controller or another auditor authorised by the controller.

As regards point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or data protection provisions in other Union or Member State law.

Where a processor uses another processor to carry out specific processing activities on behalf of the controller, that other processor shall be subject to the same data protection obligations as those laid down in the contract or other legal instrument between the controller and the processor referred to in paragraph 3, by means of a contract or other legal instrument in accordance with Union or Member State law, which shall in particular provide the necessary guarantees that they will implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation. If that other processor fails to comply with its data protection obligations, the original processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

A data processor’s compliance with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element to demonstrate the necessary guarantees as referred to in paragraphs 1 and 4 of this Article.

4. Reasons for the decision of the Danish Data Protection Authority

This decision has been made on the basis of the annexes and the information that has been part of the case since 23 June 2025 – after receipt of the municipalities’ final opinion and on the basis of the data processing agreement referred to as the Cloud Data Processing Addendum (dated 21 August 2025) (hereinafter the data processing agreement).

4.1. Documentation of lawfulness

It follows from Article 5(2) of the Data Protection Regulation that the data controller is responsible for and must be able to demonstrate that Article 5(1) of the Data Protection Regulation on the principles for the processing of personal data is complied with.

In continuation of this, it follows from Article 24(1) of the General Data Protection Regulation that:

“Taking into account the nature, scope, context and purposes of the processing operations and the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is in compliance with this Regulation. Those measures shall be reviewed and updated where necessary.”

4.2. Substantive lawfulness of the processing operations

4.2.1. Data processing agreement

According to Article 28(1) of the General Data Protection Regulation, the controller may only use data processors who can provide the necessary guarantees that the processing of personal data will comply with data protection law.

Furthermore, the processing of a data processor must be governed by a contract or another legal document in accordance with EU law or the national law of the Member States, which is binding on the data processor with regard to the data controller and which sets out the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects, as well as the obligations and rights of the data controller, cf. Article 28(3), first sentence, of the Regulation.

Google Cloud EMEA Limited (hereinafter Google) is the data processor in connection with the municipalities’ use of Google Workspace for Education and Google Chrome Education.

The data processor structure is regulated in the data processing agreement concluded between the municipalities and Google, and the use of sub-processors is regulated in Section 11 of the data processing agreement.

On this basis, the Danish Data Protection Authority finds that the submitted material – taken as a whole – provides such a description of the processing scenario and the sub-processors used that the requirements listed in Art. 28, paragraph 3 can be observed and complied with.

This decision does not take a further position on the content of the data processing agreement. In this context, reference is made instead to the Danish Data Protection Authority’s previous decisions in this case complex, including the cases with case number 2020-431-0061.

4.2.2. Sub-processors

It follows from Article 28, paragraph 4 of the General Data Protection Regulation that if a sub-processor is used, the sub-processor must be subject to the same data protection obligations as those stipulated between the data controller and the data processor.

The data controller is not obliged to systematically request copies of the sub-processor agreements in order to demonstrate that the data processor’s guarantees have been passed on to the sub-contractor. However, the data controller must be satisfied that the requirements have been passed on to the sub-contractors and this must be documented.

If the data controller becomes aware that a (sub)processor is acting outside the original instructions, or the processing design otherwise gives rise to this, the data controller should request the documentation and a copy of the agreement in the specific case.

In its Opinion 22/2024 on certain obligations arising from the dependence on data processor(s) and sub-processor(s), the EDPB has, among other things, required that the data controller must have a complete overview of which data processors process personal data on behalf of the data controller.

This means that the data controller must have an overview of all possible data processors and additional sub-processors in the supply chain that process personal data on behalf of the data controller.

According to the opinion of the EDPB, the obligation means that the data controller must have the location and an authorized way to contact all sub-processors, as well as a description of the processing activities and a clear delimitation of the sub-processors’ responsibilities. Furthermore, the data controller must be able to present this documentation at any time.

KL has stated that the municipalities’ documentation appears from KL’s supplementary opinion of 23 June 2025 in the annexes with the titles “Appendix 36 Municipally relevant sub-processors Google Workspace – UPDATED JUNE 2025” and “Appendix 37 Municipally relevant sub-processors Google Chrome”, where all of Google’s relevant sub-processors are listed.

It appears, among other things, from the data processing agreement between the municipalities and Google that:

“11.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Google will:

ensure a written contract that: the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Addendum); and if required under Applicable Privacy Laws, the data protection obligations described in this Addendum are imposed on the Subprocessor (as may be further described in Appendix 3 (Specific Privacy Laws)); and

remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.”

On this basis, the Danish Data Protection Authority finds that the requirements imposed on Google are, on the face of it, sufficiently passed on in the contracts with the sub-processors that Google chooses to use in connection with the processing of personal data on behalf of the municipalities.

The Danish Data Protection Authority attaches particular importance to the fact that it follows from the data processing agreement that if Google chooses to make use of sub-processors, the sub-processors are obliged to only process information to the extent necessary to perform the obligations arising from the contract. The sub-processors are also obliged to ensure that the processing of personal data must be carried out in accordance with the conditions arising from the data processing agreement.

In addition, the Danish Data Protection Authority has emphasised that Google will be fully responsible for all processing that the sub-processors carry out on behalf of the municipalities, cf. the principle in Article 28(4), last indent of the General Data Protection Regulation.

However, the Danish Data Protection Authority notes that the municipalities have not stated whether the municipalities have checked that the requirements are actually complied with by the sub-processors, or how the municipalities as data controllers intend to check this.

In this connection, it follows, among other things, from the EDPB’s opinion that:

“[…] the controller’s obligation to verify whether the (sub-)processors present sufficient guarantees to implement the measures determined by the controller should apply regardless of the risk to the rights and freedoms of data subjects.

However, the extent of such verification will in practice vary depending on the nature of these organisational and technical measures determined by the controller based on, among other criteria, the risk associated with the processing.”

Taking into account the information processed on behalf of the municipalities and the risk the processing poses to the rights and freedoms of data subjects, it is the Danish Data Protection Authority’s assessment that the municipalities should indicate in the documentation how and with what intensity they will verify and control that the requirements are actually passed on in the contracts with the sub-processors and that they are complied with by the sub-processors.

In this context, the Danish Data Protection Authority assumes that the municipalities have the option of requesting a copy of Google’s contracts with the sub-processors, at least for the part that concerns the further processing that has been delegated to the sub-processor.

The Danish Data Protection Authority further notes that the data controller is obliged to request a copy of contracts or other relevant documentation from data processors and sub-processors if the data controller becomes aware of something problematic or otherwise finds it necessary.

4.2.3. Third country transfers

If the processing of personal data in question takes place, or is intended in the contractual basis to take place, by employing a data processor or sub-processor that processes personal data for the data controller, outside the EU/EEA, this will be a transfer of personal data to a third country.

Such a transfer will be covered by Chapter V of the General Data Protection Regulation on transfers of personal data to third countries or international organisations, under which a number of conditions apply to the processing.

The data controller must, among other things, have a transfer basis to legalise the transfer. The assessment of which transfer basis is most suitable in the given situation varies depending on who the data controller is, which country the personal data is to be transferred to and how quickly the transfer basis is to be used, etc.

The data controller must therefore first and foremost map out which countries the personal data is to be transferred to.

4.2.3.1. Locations

The Danish Data Protection Authority assumes that personal data is transferred from the data processor Google Cloud EMEA Limited in Ireland to the sub-processor Google LLC in the USA. From there, personal data is transferred to the other specified sub-processors.

The Danish Data Protection Authority – in accordance with what was stated by KL in the statement of 23 June 2025 and the annexes with the titles “Annex 36 Municipally relevant sub-data processors Google Workspace – UPDATED JUNE 2025” and “Annex 37 Municipally relevant sub-data processors Google Chrome” – assumes that the sub-data processors listed in the agreement process personal data on behalf of the municipalities.

On this basis, the Danish Data Protection Authority notes that the sub-data processors process personal data both in the EU/EEA, safe third countries and several unsafe third countries, including India, Mexico and Taiwan.

4.2.3.2. Transfer basis in relation to the USA

According to Article 45(1) of the General Data Protection Regulation, personal data may be transferred to a third country or an international organisation if the EU Commission has determined that the third country, a territory or one or more specific sectors within that third country, or the international organisation in question has an adequate level of protection.

If a cloud provider makes transfers on the basis of an adequacy decision, the Danish Data Protection Authority is of the opinion that the data controller must still be able to demonstrate that 1) the adequacy decision is valid and that 2) the transfer is covered by the scope of the adequacy decision.

The EU Commission has adopted an adequacy decision on the so-called EU-U.S. Data Privacy Framework (DPF). However, the adequacy decision can only be used as a basis for transfer when personal data is transferred to organisations that have certified themselves under the DPF with the US Department of Commerce.

KL has stated that personal data from Google is transferred to Google LLC on the basis of the DPF. Furthermore, KL has stated that Google LLC is certified under the DPF and that the transfers are covered by the scope of the adequacy decision.

On this basis, the Danish Data Protection Authority finds that the municipalities have provided an adequate transfer basis for transfers of personal data from Google to Google LLC by using the DPF.

4.1.2.3. Transfer basis in relation to onward transfers to sub-processors

The DPF states that if a data processor and/or a sub-processor in a safe third country transfers personal data on behalf of the data controller, the data controller is generally not obliged to verify the lawfulness of the rules that apply in the third country or international organisation to this data processor’s and/or sub-processor’s onward transfers of personal data received within the framework of an adequacy decision. This situation will be addressed in the adequacy assessment.[2]

Furthermore, the DPF states that the level of protection of personal data transferred from the Union to organisations in the United States must not be undermined by onward transfers of such data to a recipient in the United States or another third country.[3] Onward transfers may only take place i) for limited and specified purposes, ii) on the basis of an agreement between the organisation under the EU-US data protection framework and the third party in question (or a similar arrangement within a group) and iii) only if this agreement ensures that the third party ensures the same level of protection as the principles of the General Data Protection Regulation.

The Danish Data Protection Authority finds that onward transfers to sub-processors can therefore, as a general rule, take place on the basis of the DPF.

However, considering that the DPF, as mentioned above, states that the level of protection of personal data transferred from the Union to organizations in the United States must not be undermined by the onward transfer of such data to a recipient in the United States or another third country, the Danish Data Protection Authority finds it necessary to examine which countries data are actually transferred to and the adequacy of the level of protection in these third countries.

The Danish Data Protection Authority notes that in this context, the European essential guarantees will form part of the assessment to be carried out to determine whether a third country provides protection that is essentially equivalent to that guaranteed in the EU.[4]

The four European essential safeguards follow from the Schrems II judgment[5], paragraph 188, and are as follows:

“effective administrative and judicial review for data subjects whose personal data are transferred”. In this regard, recital 104 of the GDPR highlights that the third country “should […] ensure effective independent data protection supervision and […] establish cooperation mechanisms with the data protection authorities of the Member States”, and specifies that “data subjects should have effective and enforceable rights and access to effective administrative and judicial review”.

In order to ensure an adequate level of protection, municipalities must therefore ensure that the safeguards are reflected in the contracts that Google enters into with the sub-processors. Furthermore, it is essential to assess whether a contractual basis alone will provide protection that is essentially equivalent to that in the EU/EEA.

KL has stated that Google’s contracts with the sub-processors subject them to the same obligations as Google is subject to in the data processing agreement with the municipalities. KL has also stated that the guarantees provided under the DPF are continued in the contracts with the sub-processors.

However, in the opinion of the Danish Data Protection Authority, this finding will not necessarily be sufficient in itself to ensure a level of protection for personal data that is essentially equivalent to that within the EU/EEA if (onward) transfers occur to unsafe third countries.

The data controller is obliged to assess the conditions in the recipient country prior to the transfer in order to determine whether the chosen transfer basis can also in practice ensure an adequate level of protection for the transferred data in accordance with the four European essential guarantees. This could be done after an assessment of the effectiveness of the chosen transfer basis, e.g. in the form of a transfer impact assessment (TIA).

The Danish Data Protection Authority notes that the municipalities have not immediately carried out a further assessment of the onward transfers to the sub-processors.

The Danish Data Protection Authority finds that the following countries in the sub-processor chain should have been subject to an investigation before the municipalities entered into the contract with Google:

Australia
Chile
Canada, as it is not stated whether the sub-processor is covered by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
India
Mexico
Singapore
Taiwan
Brazil[6]
Hong Kong
Japan, as it is not stated whether the sub-processor is covered by the Japanese Act on the Protection of Personal Information (APPI)

The Danish Data Protection Authority points out that there are no formal requirements for how such an investigation should be carried out or how the documentation should appear. However, it is important that the assessment considers whether the four essential guarantees are met and whether the tool used for the transfer actually ensures that the rights of the data subject are protected in a manner that is equivalent to the legal situation in the EU/EEA.

Reports have been prepared for several countries, for example the assessments in report EDPS/2019/02-13[7] and the two reports with no. 022-0716[8]. The results of the analysis are not necessarily accurate today, but provide indications for the countries in question. Although these analyses are more detailed than necessary in most processing scenarios, elements of them can nevertheless serve as inspiration for the considerations that one must make as a data controller.

Furthermore, it follows from the EDPB Opinion 22/2024 on certain obligations deriving from the dependence of the data processor(s) and sub-processor(s) that:

“If personal data transferred by a (sub)processor (on behalf of the data controller) on the basis of an adequacy decision are subject to an onward transfer from that third country, the level of protection guaranteed to natural persons under the GDPR for such onward transfer should also not be undermined. In this respect, any adequacy decision taken by the European Commission pursuant to Article 45(2)(a) of the GDPR covers, inter alia, third country rules on onward transfers. Accordingly, under Article 44 of the GDPR, the data controller is not obliged to verify these requirements itself.

As regards the data controller’s obligation under Article 28(1) of the GDPR, this means that the data controller must ensure that the (sub)processor also provides the “necessary guarantees” in connection with onward transfers carried out by a (sub)processor from a country that ensures an adequate level of protection.”[9]

The data controller is thus obliged to ensure – and be able to document – that a subcontractor complies with the relevant rules and has ensured that the level of protection is not undermined by the onward transfer. 

In order to ensure this, it is necessary to establish the following about the nature of the adequacy assessments. This is based solely on the EU Commission’s assessment of the conditions in the specific recipient country and may also be limited to processing by specific actors or processing scenarios. For onward transfers outside the so-called “safe third country” in question, this is anchored in a contract between the (sub)processor in the safe third country and the sub-processor in the country to which the onward transfer is made.

In continuation of the Schrems II judgment mentioned above, the EDPB therefore published Recommendation 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

It is against this background that the Danish Data Protection Authority is of the opinion that onward transfers of personal data to a country with what the EDPB in the aforementioned recommendation calls “problematic legislation” cannot take place without supplementary measures, as long as such onward transfer is based solely on a contract between the (sub)data processor in the safe third country and the sub-data processor in the unsafe third country. This is because the contract cannot decisively regulate the actions of the person in power in the unsafe third country.

The Danish Data Protection Authority notes that the municipalities have not documented whether this is the case.

The Danish Data Protection Authority acknowledges that the municipalities have examined the data processing agreement with Google and the requirements placed on sub-data processors therein when entering into the contract. The Danish Data Protection Authority is aware that KL has received confirmation from Google that a thorough screening of the sub-processors that Google assumes is carried out, and that the municipalities have the opportunity to continuously follow up on whether sub-processors meet their obligations. This can be done by reviewing reports that Google undertakes to make available.

However, the Danish Data Protection Authority cannot establish that a review of the reports on sub-processors has actually been carried out.

Against this background and after an overall assessment of the processing activities described contractually, in combination with the documentation submitted to the Danish Data Protection Authority, the municipalities’ processing of personal data has not, in the opinion of the Danish Data Protection Authority, been carried out in accordance with Article 5(2) of the General Data Protection Regulation, cf. Article 5(1)(a), and Article 24, cf. Article 28(1) and (4).

Against this background, the Danish Data Protection Authority must, pursuant to Article 58(2)(b) of the General Data Protection Regulation, express serious criticism of the 51 municipalities.

In making this decision, the Data Protection Authority has assumed that the 51 municipalities have configured their setup of the programs in question in accordance with the prerequisite and functional requirements that KL has specified, partly in connection with the previous cases in this case complex and partly what has been stated in this case. These settings are, among other things, set to exclude services with processing that is not authorized, especially in relation to the disclosure of personal data to third parties.

The Danish Data Protection Authority must, pursuant to Article 58(2)(a) of the General Data Protection Regulation, warn the 51 municipalities that it is likely to be in breach of Article 6(1) of the General Data Protection Regulation, cf. Article 6(3), if they have not configured their setup of the relevant programs in accordance with the prerequisite and functional requirements specified by the Danish Local Authority in connection with the previous cases in this case complex and in connection with this case.

The Danish Data Protection Authority must, pursuant to Article 58(2)(a) of the General Data Protection Regulation, also warn the 51 municipalities that it is likely to be in breach of Article 28(1) of the General Data Protection Regulation to appoint a data processor to process personal data where this data is further processed by a sub-processor in a third country where a level of protection that is essentially equivalent to the level of protection in the EU/EEA cannot be ensured.

It is noted that in relation to the Danish Data Protection Authority’s use of its powers as a supervisory authority, this decision has placed particular emphasis on the previous sanctioning of the various violations found, the clarification that has now been made by the EDPB’s opinion 22/2024 and the municipalities’ general cooperation in clarifying the case.

5. Concluding remarks

The Danish Data Protection Authority notes that the entire process in this case complex could – and in the opinion of the Danish Data Protection Authority – should have been avoided if the relevant data protection law assessments had been made, evaluated and handled before the specific product had been acquired, let alone put into use.

Furthermore, the Danish Data Protection Authority must note that it is not possible and legal – in relation to the data protection law rules – to purchase and put into use a product that processes personal data if clarity cannot be created about the processing of personal data that takes place in the product. This applies regardless of the business indication.

If you choose a product where processing activities and the contractual basis on which the processing takes place change frequently, you as a data controller must be able to – continuously – document that the processing, even after the change, is carried out lawfully. If this is not possible, the processing must be able to be terminated or otherwise made lawful by changing the product and/or supplier.

This complex of cases, the number of data protection law violations and the work that the municipalities – on the back burner – have had to do to make their choice and use of the products in question legal, leads the Danish Data Protection Authority to encourage actors with the same processing scenarios, in order to ensure compliance before acquisition and commissioning, to come together to draw up common requirements in the acquisition phase, common operational configurations in the operational phase and, in general, to consider making use of the possibility of drawing up and having codes of conduct approved under Article 40 of the General Data Protection Regulation.

The Danish Data Protection Authority will in future attach importance to the choice of sanctions if the principles in this and the previous decisions in the case complex are not followed, in particular in all areas where the public and institutional actors in the private sector perform tasks where users are limited in their choice of provider.

The Danish Data Protection Authority hereby considers the case closed and will not take any further action in the case.

 

[1]    Opinion 22/2024 on certain obligations arising from the dependence on data processor(s) and sub-data processor(s)

[2]    See Article 45(2)(a) of the General Data Protection Regulation and the EU Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Protection Framework, section 2.2.6.

[3]    Ibid.

[4]    Reference is made in this regard to the EDPB Recommendations 02/2020 on the European essential safeguards for surveillance measures, page 5, section 8

[5]    CJEU C 311/2018 of 16 July 2020

[6]    It is noted that with the adoption of the EU Commission’s adequacy decision on 26 January 2026, Brazil has now been assessed as a safe third country. However, at the time the municipalities entered into the contract with Google, Brazil was an unsafe third country.

[7]    legalstudy_on_government_access_0.pdf

[8]    study_on_government_access_to_data_in_third_countries_17042023_mexico_and_turkiye_final_report_milieu_redacted.pdf and study_on_government_access_to_data_in_third_countries_17042023_brazil_final_report_milieu_redacted.pdf

[9]    EDPB Opinion 22/2024 on certain obligations arising from the reliance on data processor(s) and sub-processor(s), paragraphs 94 and 95

 
 
</pre>