R ETENTION PERIODS

In document DPIA on the use of Google G Suite (Enterprise) for Education (pagina 118-122)

Google provides limited public information about the retention periods for the different kinds of personal data it collects and stores.

necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed.”

286 On 20 December 2020, the European Electronic Communications Code (EECC) directive entered into force, with a much broader definition of electronic communication services. Published at URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L1972&from=EN.

287 European Commission, Proposal for a Regulation on Privacy and Electronic Communications, 10.1.2017 COM(2017) 10 final, URL: https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation

288 On 23 October 2017, the EP adopted the report from rapporteur Birgit Sippel. URL:

https://www.europarl.europa.eu/doceo/document/A-8-2017-0324_EN.html

289 The Council mandate (its agreed integrated text version of the ePrivacy Regulation), 10 February 2021, URL: https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf.

290 Press release Council of the European Union, Confidentiality of electronic communications: Council agrees its position on ePrivacy rules, 10 February 2021, URL: https://www.consilium.europa.eu/en/press/press- releases/2021/02/10/confidentiality-of-electronic-communications-council-agrees-its-position-on-eprivacy-rules/

10.1 Customer Data

Because of its nature (e.g. content of files, communications), there are no fixed retention periods applicable to Customer Data during the term of the G Suite (Enterprise) for Education agreement.

During the term of the G Suite (Enterprise) for Education agreement, customers may request deletion of Customer Data. Google must comply with such request for a hard delete as soon as reasonably possible and in any event within a maximum period of 180 days. Upon termination of the G Suite (Enterprise) for Education agreement, the customer may request the return of Customer Data or its deletion. Google will equally comply with such a request for a soft delete as soon as reasonably possible and in any event within a maximum period of 180 days.

10.2 Diagnostic Data

10.2.1 Audit logs

Google provides a good overview of the retention periods it applies to the different audit logs that administrators can access, as copied in the table below. Google explains that the retention time for any report or audit log not mentioned in the table, is 6 months.291

However, admins can decide to retain audit logs longer than the default retention periods: the retention period for exported Customer/User usage data through the Reports API is 15 months.

Google audit log or report name Default retention

period

Admin audit log 6 months

Calendar audit log 6 months

Jamboard audit log 6 months

Google+ audit log 6 months

OAuth Token audit log (availability of these logs is dependent on your subscription, such as G Suite (Enterprise) for Education)

6 months Devices audit log (availability of these logs is dependent on your subscription,

such as G Suite (Enterprise) for Education)

6 months

SAML audit log 6 months

Drive audit log (availability of these logs is dependent on your subscription, such as G Suite (Enterprise) for Education)

6 months

Email log search 30 days

Account activity reports 6 months

Security reports 6 months

Groups audit log 6 months

Chat audit log 6 months

Meet audit log 6 months

Voice audit log 6 months

User accounts audit log 6 months

Access Transparency 6 months

Audit data retrieved using the API 6 months

Customer/User usage data retrieved using the API 15 months

Entities usage data retrieved using the API 30 days

291 Google, G Suite Admin help, Data retention and lag times, URL:

https://support.google.com/a/answer/7061566?hl=en

10.2.2 Other Diagnostic Data (telemetry, website data, use of Google Account and Additional Services)

As explained in the sections before, Google processes Diagnostic Data and data relating to Additional Services, the Google Account (unless used in conjunction with a Core Service) and Other related services such as Feedback under its (consumer) Privacy Policy.

Google does not publish a similar table with retention periods for Diagnostic Data other than the audit logs, but instead, refers to its (consumer) Privacy Policy. Google explains that in some cases, personal data are not deleted but anonymised by deleting parts of the data.

“We also take steps to anonymize certain data within set time periods. For example, we anonymize advertising data in server logs by removing part of the IP address after 9 months and cookie information after 18 months.”292

If Google only removes a single octet from the IPv4 addresses, the resulting group of 255 possible end-users may not prove to be anonymous, if for example law enforcement has urgent reasons to detect the identity of a specific person.

In response to questions raised during this DPIA, Google wrote:

“There is no single retention period for Diagnostic Data. The retention period for Diagnostic Data varies per use case. Whilst in general we do not retain Diagnostic Data for longer than 180 days, some Diagnostic Data is retained for shorter periods and other Diagnostic Data is retained for much longer periods (e.g. account deletion events). 293

Google also confirmed that G Suite admins are “not able to customize retention periods for Diagnostic Data (including telemetry and SIEM data).”

Google explained:

“Our technical infrastructure that performs log anonymization and deletion is not designed to have direct access to information identifying the customer. All retention is governed by the retention rule provided by Google engineerings when configuring each multi-tenant log.”

It follows from Google’s response to part A of the DPIA that Google stores Diagnostic Data in a central log repository. Google also explained it distinguishes between temporary and archival logs.

• “Temporary Logs: short term logs which are retained only for a fixed period of time and then deleted

• Personal Logs: longer term logs which are keyed to internal end-user Id and where end-users have control over retention

• Archival Logs: long term anonymous logs and abuse system logs

For Extended Retention Logs, our policy is to anonymize any data containing IP addresses within 9 months of when it was logged, and any other cookie-based data within 18 months unless these logs are maintained in connection with abuse systems (in which case, we may need to retain such data for longer periods).”294

All other information Google provided about its retention periods is marked by Google as confidential.

292 Google general Privacy Policy, Retaining your information, and: How Google retains data we collect, URL:

https://policies.google.com/technologies/retention?hl=en-US

293 From responses provided by representatives of Google to SLM Microsoft Rijk during the course of this DPIA.

294 Idem.

After completion of this report, Google published its Google Cloud Privacy Notice. This notice does not contain any specific retention periods for the Customer Data or for the Diagnostic Data. Google only writes: “We retain Service Data for different periods of time depending on what it is, how we use it, and how you configure your settings. Service Data is deleted or anonymized once it is no longer needed.”295

295 Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice .

Part B. Lawfulness of the data processing

The second part of this DPIA assesses the lawfulness of the data processing. This Part B contains an assessment of the legal grounds for processing (Section 11), the processing of special categories of personal data (Section 12), the principle of purpose limitation (Section 13) an assessment of the necessity and proportionality of the processing (Section 14), and data subject rights (Section 15).

In document DPIA on the use of Google G Suite (Enterprise) for Education (pagina 118-122)