Google Workspace earns Dutch government's stamp of approval
Phil Venables
VP/CISO, Google Cloud
Joris Schoonis
Managing Director BeNeLux - Google Cloud
Editor's note: This post was originally published on the Google Workspace blog.
At Google, we are committed to the privacy and security of our customers and to fostering trust in our cloud technologies. We regularly engage with customers, privacy regulators, and policymakers around the globe to understand evolving expectations and to adapt our products accordingly.
On July 5, 2023, the Dutch Ministry of Education affirmed to the Dutch Parliament that Google has delivered on the commitments it made as part of the data protection impact assessment (DPIA), conducted by the Dutch government and education sector representatives. This means that public sector entities and educational institutions in the Netherlands can continue to use Google Workspace and Google Workspace for Education with renewed confidence.
For the past three years, Google has worked closely with the Dutch government and education sector representatives to support their DPIA of Google Workspace, Google Workspace for Education, and ChromeOS under the General Data Protection Regulation (GDPR). In line with their cloud strategy, the Dutch government conducted this DPIA to diversify their choice of cloud providers.
While our services have always upheld high standards for privacy and supported GDPR compliance, we invested significant time and resources throughout the DPIA to address the outlined recommendations, demonstrating our commitment to the process and our customers. As part of the DPIA, we implemented enhancements that can provide Dutch public sector and education customers with further clarity regarding the data processing roles of the parties, and greater transparency and assurance regarding Google’s processing of service data.[1]
These improvements will benefit our broader global customer base. As a result of the DPIA engagement, we announced our intention to offer new contractual commitments for service data, and will begin to make those commitments available later this year. Additionally, we have expanded our ISO 27001, 27017, 27018 and 27701 certifications for Google Workspace to address service data, so that our customers can have peace of mind knowing that our privacy controls for this data have been verified by independent auditors.
In parallel, following a DPIA on Chrome services, a data processor mode for managed ChromeOS devices will become available in the Netherlands this August, before expanding to other markets. A managed ChromeOS device is typically a Chromebook used in a school or enterprise setting and managed by an IT admin. The new ChromeOS data processor mode will give customers greater insight into, and control over, data processed by Google.
More broadly, we remain committed to helping customers navigate their DPIA processes, and have developed comprehensive resources to help them conduct their DPIAs.
We appreciate the partnership with the Dutch government and education sector, and we will continue to partner closely on privacy matters. We believe in choice for public institutions when choosing their productivity tools and are proud to serve them as customers. We remain committed to supporting organizations across the Netherlands and globally in their compliance journeys.

[1] Service Data is defined in the Google Cloud Privacy Notice as the personal information Google collects or generates during the provision and administration of the Cloud Services, excluding any Customer Data and Partner Data.