Danish DPA issues decision on Google Analytics Data Transfer. GDPR Compliance & Google Analytics: The Danish DPA Weighs In. The plight of Google Analytics in the EU continues as the Danish DPA issued a press release regarding the use of Google Analytics for web analytics on September 21, 2022. Following the opinions issued by the Austrian, French, and Italian DPAs earlier in 2022, the Danes began receiving numerous questions and requests for guidance on the compliant usage of Google Analytics.
Following their analysis, they have come to the conclusion “that you cannot use the tool in its current form without implementing supplementary measures.” What makes this opinion different from the previous EU DPA guidance? And ultimately what does this mean for your business? Let’s dive in! Is the Danish DPA’s guidance any different from previous findings from Austria, France, and Italy? The Danish DPA’s investigation actually comes to the same conclusions as previous guidance released by other EU DPAs. The first evaluation is for encryption. So is Google Analytics “banned”? Danish DPA Follows Suit and Becomes the Latest EU Data Protection Authority to Conclude that the Use of Google Analytics is Unlawful Without Supplementary Measures.
Kelly Hagedorn Partner Cyber, Privacy & Data Innovation, Global Compliance & Regulatory London Kelly Hagedorn supports global clients on legal and regulatory issues involving data privacy regulation and litigation, using her extensive enforcement background to help clients mitigate risk under United Kingdom (UK) and European (EU) data protection laws. She has significant experience helping clients navigate white-collar investigations and international disputes involving major fraud allegations in the growing area of privacy enforcement and litigation.
Kelly was previously named in Global Data Review’s inaugural “40 Under 40” list of the best and brightest upcoming data lawyers. Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. Schools in Denmark look toward open-source solutions after DPA bans Google Chromebooks - Nextcloud. In the school district or municipality of Helsingør in Denmark, a conflict has arisen over the continuous use of Google Chromebooks despite the ban by the Danish Data Protection Agency (DPA). Danish Data Protection Agency (DPA) bans Google Chromebooks The ban was finalized this summer based on the concerning results of a risk assessment the DPA ordered last year. It proved that children’s data was not kept safe by Google and that the processing of personal data on Chromebooks is an infringement of several articles of the GDPR.
“The Municipality has done a great and skilled work to map how personal data is used in the primary school, but it also sheds some light on the potential data protection issues with the big tech companies’ ways of solving the task.” – Mr. After the DPA’s decision, the Mayor of Helsingør, Benedikte Kiaer, took immediate action by formulating a plan to replace 8,000 Google Chromebooks. IT Professor advises solution Luckily, there is another option. Less expensive bills. Danish DPA renders decision against Google Analytics transfers. Denmark's data protection authority, Datatilsynet, became the latest EU authority to order a halt on the use of Google Analytics for data transfers to the U.S. without supplementary measures. Denmark's decision follows those from Austria, France and Italy, with Datatilsynet noting the shared view represents "a pan-European attitude among the supervisory authorities" and a "crucial" step toward a harmonized approach.
Datatilsynet advised Danish businesses to "assess whether their possible continued use of the tool is within the framework" of the EU General Data Protection Regulation. Datatilsynet (Denmark) - 2021-432-0056 - GDPRhub. Based on the documentation submitted, the DPA found that the processing activities entailed a high risk for the data subjects' rights and freedoms that could not be mitigated, and referred to Article 36(1) GDPR and Article 36(2) GDPR. The DPA ordered the municipality to: Change the data processing agreement with Google so that the DPA's remarks in their 14 July and 18 August decisions to Helsingor municipality are implemented. This includes, at a minimum, a clarification of where and if Google acts as a sole controller and any uncertainties that may entail that Google acts beyond their role as a processor, see Article 28(3)(a) GDPR. Document that all transfers of personal data to insecure third countries are in line with the GDPR. Describe all data flows and identify the personal data that are shared with the vendor, and clarify when the vendor acts as a sole or joint controller.
The Danish DPA imposes a ban on the use of Google Workspace in Elsinore municipality.
Background information
Date of final decision: July 14 2022 (Based on a decision from September 10 2021)
Cross-border case or national case: National
Controller: Elsinore municipality
Legal Reference: Article 5, 24, 28, 35, 44, 46
Decision: Infringement of Article 5 (2) cf. Article 5 (1), Litra a, Article 24 cf. Article 28 (1), Article 35 (1) and Article 44 cf. Article 46 (1)
Key words: Risk assessment, DPIA, DPA, transfers to third countries
Summary of the Decision
Origin of the case: In a case concerning the use of Google Chromebooks in Elsinore Municipality, the Danish Data Protection Agency expresses serious criticism and bans transfers to third countries and the use of Google Workspace.
Key Findings: The Danish Data Protection Agency made a decision in September 2021 where the Municipality of Elsinore was ordered to make a risk assessment of the municipality's processing of personal data in the primary school using Google Chromebooks and Workspace.
Decision: Danish DPA addresses EU, US data agreement. Danish DPA bans Google Workspace use and US transfers. TL;DR: The Danish data protection authority banned a municipality's use of Google Workspace for Education and suspended all US transfers in a landmark decision of July 2022. Listen to the Grumpy GDPR podcast where Miloš and I discussed this decision and, not least, our follow-up episode where Allan Frank from the Danish DPA visited to elaborate on the case, and his revisit after their third decision, upholding the second one. In what’s perhaps the most significant event since the Schrems II ruling, and almost exactly two years later, the Danish data protection authority (DPA) Datatilsynet published a decision relating to the municipality Helsingor and their processing of personal data in the primary and lower secondary school (“folkeskole”).
Note that their decision is for this specific municipality. However, the DPA also writes that many of their conclusions "likely will apply to other municipalities using the same processing setup" and expects them to "take necessary actions". Violations.