Data Storage

"Hi, Not sure if anyone can help me with this but I'm doing some preliminary research into the use of Google Suite for Education. Personal data produced by each student is stored on the Google cloud. If these storage facitlies are in a different country outside the EU would GDPR still apply?  

If the educational service is provided by a teacher/school based in the EU the GDPR will apply no matter where the Google server and facilities are located. The same applies if the school is based outside the EU and provides its educational services to EU students. The GDPR will apply. Google Suite for Education and Google Cloud are a data processor, while the controller remains the school (or the teacher if the service is given personally, i.e., teaching a foreign language)

Also by gaining parental consent for use of the suite, could the stored data be used for internal 'product development'? - and is this unlawful under GDPR? Thanks for any help "

If students are minors, you need parental consent and, in the privacy notice, you need to indicate that among the purposes of data processing there will be internal product development.Article 5 GDPR requires that information provided to a data subject are clear and transparent, so please make some example of what you mean for “internal product development” (i.e., with data we can develop new courses or a new book that overcome students’ learning difficulties, etc. which is different from “we will use your children image for promotional purposes”).

Here you can find more information on GDPR extraterritorial effect and on consent.

• What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
• Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Hi Alessandra, thanks so much for the reply and sorry for my late reply :) You asked what I meant by internal product development. I've been following a case ( now going to appeal) in the US re Google Classrooms and tracking of minors data. In this link https://www.eff.org/document/goo******************************** a senior employee from Google claims to use some of the student's data for product development.I'm trying to find out what this means and in fact whether they can do the same in EU or would GDPR protect us? As for the privacy policies ( there are 3 and none seem to tell me what they do use data for - only what they don't)  they are as clear as mud unfortunately. Grateful for any advice. 

Usually "product development" refers to the development of product/services from the controller or the processor. So, if you refer to Google Classroom as a platform it may mean that Google wants to use data collected to develop new features in Google Classroom or some product/services related.

For children data consent must be given by parents but product development may follow under legitimate interest, depending on the kind of data they plan to use (photo? voices? This processing requires consent as a legitimate base), but they might track interaction, how many connection problems happen during a lesson in order to improve their product or fix bugs. If the privacy notice is not clear enough, GDPR allows you to contact their DPO and ask for clarification, they will answer in 30 days.

thanks Alessandra - much appreciated. :)