Google provides limited public information about the retention periods for the different kinds of personal data it collects and stores.
necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed.”
286 On 20 December 2020, the European Electronic Communications Code (EECC) directive entered into force, with a much broader definition of electronic communication services. Published at URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L1972&from=EN.
287 European Commission, Proposal for a Regulation on Privacy and Electronic Communications, 10.1.2017 COM(2017) 10 final, URL: https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation
288 On 23 October 2017, the EP adopted the report from rapporteur Birgit Sippel. URL: https://www.europarl.europa.eu/doceo/document/A-8-2017-0324_EN.html
289 The Council mandate (its agreed integrated text version of the ePrivacy Regulation), 10 February 2021, URL: https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf.
290 Press release Council of the European Union, Confidentiality of electronic communications: Council agrees its position on ePrivacy rules, 10 February 2021, URL: https://www.consilium.europa.eu/en/press/press-releases/2021/02/10/confidentiality-of-electronic-communications-council-agrees-its-position-on-eprivacy-rules/
10.1 Customer Data
Because of its nature (e.g. content of files, communications), there are no fixed retention periods applicable to Customer Data during the term of the G Suite (Enterprise) for Education agreement.
During the term of the G Suite (Enterprise) for Education agreement, customers may request deletion of Customer Data. Google must comply with such request for a hard delete as soon as reasonably possible and in any event within a maximum period of 180 days. Upon termination of the G Suite (Enterprise) for Education agreement, the customer may request the return of Customer Data or its deletion. Google will equally comply with such a request for a soft delete as soon as reasonably possible and in any event within a maximum period of 180 days.
10.2 Diagnostic Data
10.2.1 Audit logs
Google provides a good overview of the retention periods it applies to the different audit logs that administrators can access, as copied in the table below. Google explains that the retention time for any report or audit log not mentioned in the table is 6 months.291
However, admins can decide to retain audit logs longer than the default retention periods: the retention period for exported Customer/User usage data through the Reports API is 15 months.
| Google audit log or report name | Default retention period |
|---|---|
| Admin audit log | 6 months |
| Calendar audit log | 6 months |
| Jamboard audit log | 6 months |
| Google+ audit log | 6 months |
| OAuth Token audit log (availability of these logs is dependent on your subscription, such as G Suite (Enterprise) for Education) | 6 months |
| Devices audit log (availability of these logs is dependent on your subscription, such as G Suite (Enterprise) for Education) | 6 months |
| SAML audit log | 6 months |
| Drive audit log (availability of these logs is dependent on your subscription, such as G Suite (Enterprise) for Education) | 6 months |
| Email log search | 30 days |
| Account activity reports | 6 months |
| Security reports | 6 months |
| Groups audit log | 6 months |
| Chat audit log | 6 months |
| Meet audit log | 6 months |
| Voice audit log | 6 months |
| User accounts audit log | 6 months |
| Access Transparency | 6 months |
| Audit data retrieved using the API | 6 months |
| Customer/User usage data retrieved using the API | 15 months |
| Entities usage data retrieved using the API | 30 days |
291 Google, G Suite Admin help, Data retention and lag times, URL: https://support.google.com/a/answer/7061566?hl=en
10.2.2 Other Diagnostic Data (telemetry, website data, use of Google Account and Additional Services)
As explained in the sections before, Google processes Diagnostic Data and data relating to Additional Services, the Google Account (unless used in conjunction with a Core Service) and Other related services such as Feedback under its (consumer) Privacy Policy.
Google does not publish a similar table with retention periods for Diagnostic Data other than the audit logs, but instead refers to its (consumer) Privacy Policy. Google explains that in some cases, personal data are not deleted but anonymised by deleting parts of the data.
“We also take steps to anonymize certain data within set time periods. For example, we anonymize advertising data in server logs by removing part of the IP address after 9 months and cookie information after 18 months.”292
If Google only removes a single octet from the IPv4 addresses, the resulting group of 255 possible end-users may not prove to be anonymous if, for example, law enforcement has urgent reasons to detect the identity of a specific person.
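To make the concern about partial IP removal concrete, the following added example (not Google's code and not part of the original report) truncates addresses and measures how many distinct clients remain indistinguishable in a log, alone and combined with one other logged field. The /24 and /48 prefix lengths, the field names `ip` and `ua`, and the sample records are assumptions constructed for illustration.

```python
import ipaddress

def truncate_ip(addr, v4_prefix=24, v6_prefix=48):
    """Zero the host bits of an address.

    /24 drops the last IPv4 octet (the case the text considers);
    /48 for IPv6 is an assumed choice, not taken from the report.
    """
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def group_sizes(records, keys):
    """For each combination of `keys` (after truncation), count the
    distinct original client IPs that end up sharing that combination.

    This is an audit run by the log owner before the originals are
    discarded: a group of size 1 means truncation hid nothing.
    """
    groups = {}
    for rec in records:
        anon = dict(rec, ip=truncate_ip(rec["ip"]))
        groups.setdefault(tuple(anon[k] for k in keys), set()).add(rec["ip"])
    return {k: len(v) for k, v in groups.items()}

def smallest_group(records, keys):
    """k in the k-anonymity sense: size of the least-protected group."""
    return min(group_sizes(records, keys).values())

# Constructed sample log records (documentation address ranges, not real data).
SAMPLE = [
    {"ip": "192.0.2.10", "ua": "Chrome/88 Windows"},
    {"ip": "192.0.2.77", "ua": "Chrome/88 Windows"},
    {"ip": "192.0.2.200", "ua": "Firefox/85 Linux"},
    {"ip": "198.51.100.5", "ua": "Chrome/88 Windows"},
    {"ip": "198.51.100.9", "ua": "Chrome/88 Windows"},
    {"ip": "2001:db8:1:2::1", "ua": "Safari/14 macOS"},
]

if __name__ == "__main__":
    print("by truncated IP only:   ", group_sizes(SAMPLE, ["ip"]))
    print("by truncated IP + agent:", group_sizes(SAMPLE, ["ip", "ua"]))
    print("smallest group (IP + agent):", smallest_group(SAMPLE, ["ip", "ua"]))
```

In the sample, three clients share the truncated address 192.0.2.0, but once the user agent is kept alongside it one of them is alone in its group, so the truncated record still singles that client out.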
In response to questions raised during this DPIA, Google wrote:
“There is no single retention period for Diagnostic Data. The retention period for Diagnostic Data varies per use case. Whilst in general we do not retain Diagnostic Data for longer than 180 days, some Diagnostic Data is retained for shorter periods and other Diagnostic Data is retained for much longer periods (e.g. account deletion events).”293
Google also confirmed that G Suite admins are “not able to customize retention periods for Diagnostic Data (including telemetry and SIEM data).”
Google explained:
“Our technical infrastructure that performs log anonymization and deletion is not designed to have direct access to information identifying the customer. All retention is governed by the retention rule provided by Google engineerings when configuring each multi-tenant log.”
It follows from Google’s response to part A of the DPIA that Google stores Diagnostic Data in a central log repository. Google also explained it distinguishes between temporary and archival logs.
• “Temporary Logs: short term logs which are retained only for a fixed period of time and then deleted
• Personal Logs: longer term logs which are keyed to internal end-user Id and where end-users have control over retention
• Archival Logs: long term anonymous logs and abuse system logs
For Extended Retention Logs, our policy is to anonymize any data containing IP addresses within 9 months of when it was logged, and any other cookie-based data within 18 months unless these logs are maintained in connection with abuse systems (in which case, we may need to retain such data for longer periods).”294
All other information Google provided about its retention periods is marked by Google as confidential.
292 Google general Privacy Policy, Retaining your information, and: How Google retains data we collect, URL: https://policies.google.com/technologies/retention?hl=en-US
293 From responses provided by representatives of Google to SLM Microsoft Rijk during the course of this DPIA.
294 Idem.
After completion of this report, Google published its Google Cloud Privacy Notice. This notice does not contain any specific retention periods for the Customer Data or for the Diagnostic Data. Google only writes: “We retain Service Data for different periods of time depending on what it is, how we use it, and how you configure your settings. Service Data is deleted or anonymized once it is no longer needed.”295
295 Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice.
Part B. Lawfulness of the data processing
The second part of this DPIA assesses the lawfulness of the data processing. This Part B contains an assessment of the legal grounds for processing (Section 11), the processing of special categories of personal data (Section 12), the principle of purpose limitation (Section 13), an assessment of the necessity and proportionality of the processing (Section 14), and data subject rights (Section 15).