Expert Advice Community

Guest

Data Storage

  Quote
Guest
Serena Created:   Feb 11, 2021 Last commented:   May 04, 2021

Data Storage

Hi, Not sure if anyone can help me with this but I'm doing some preliminary research into the use of Google Suite for Education. Personal data produced by each student is stored on the Google cloud. If these storage facitlies are in a different country outside the EU would GDPR still apply?  Also by gaining parental consent for use of the suite, could the stored data be used for internal  'product development'? - and is this unlawful under GDPR? Thanks for any help 

1 0

Assign topic to the user

Assign

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Alessandra Nisticò Feb 12, 2021

"Hi, Not sure if anyone can help me with this but I'm doing some preliminary research into the use of Google Suite for Education. Personal data produced by each student is stored on the Google cloud. If these storage facitlies are in a different country outside the EU would GDPR still apply?  

If the educational service is provided by a teacher/school based in the EU the GDPR will apply no matter where the Google server and facilities are located. The same applies if the school is based outside the EU and provides its educational services to EU students. The GDPR will apply. Google Suite for Education and Google Cloud are a data processor, while the controller remains the school (or the teacher if the service is given personally, i.e., teaching a foreign language)

Also by gaining parental consent for use of the suite, could the stored data be used for internal 'product development'? - and is this unlawful under GDPR? Thanks for any help "

If students are minors, you need parental consent and, in the privacy notice, you need to indicate that among the purposes of data processing there will be internal product development.Article 5 GDPR requires that information provided to a data subject are clear and transparent, so please make some example of what you mean for “internal product development” (i.e., with data we can develop new courses or a new book that overcome students’ learning difficulties, etc. which is different from “we will use your children image for promotional purposes”).

Here you can find more information on GDPR extraterritorial effect and on consent.

If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//

Quote
0 0
Guest
Serena Mar 31, 2021

Hi Alessandra, thanks so much for the reply and sorry for my late reply :) You asked what I meant by internal product development. I've been following a case ( now going to appeal) in the US re Google Classrooms and tracking of minors data. In this link https://www.eff.org/document/goo******************************** a senior employee from Google claims to use some of the student's data for product development.I'm trying to find out what this means and in fact whether they can do the same in EU or would GDPR protect us? As for the privacy policies ( there are 3 and none seem to tell me what they do use data for - only what they don't)  they are as clear as mud unfortunately. Grateful for any advice. 

Quote
0 0
Expert
Alessandra Nisticò Apr 01, 2021

Usually "product development" refers to the development of product/services from the controller or the processor. So, if you refer to Google Classroom as a platform it may mean that Google wants to use data collected to develop new features in Google Classroom or some product/services related.

For children data consent must be given by parents but product development may follow under legitimate interest, depending on the kind of data they plan to use (photo? voices? This processing requires consent as a legitimate base), but they might track interaction, how many connection problems happen during a lesson in order to improve their product or fix bugs. If the privacy notice is not clear enough, GDPR allows you to contact their DPO and ask for clarification, they will answer in 30 days.

Quote
2 0
Guest
Serena May 04, 2021

thanks Alessandra - much appreciated. :)

 

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 11, 2021

May 04, 2021

Suggested Topics

Guest user Created:   Jul 29, 2019 EU GDPR
Replies: 1
0 0

Website and data storage

Guest user Created:   Mar 21, 2018 EU GDPR
Replies: 1
0 0

Antivirus protection

Guest user Created:   Nov 21, 2018 EU GDPR
Replies: 1
0 0

EU GDPR controller vs. processor