Lessons from the Danish Google Chromebook case

In 2026, the Danish Data Protection Authority adopted a new decision concerning municipalities’ use of Google Chromebooks and Google Workspace in public schools.
This decision follows:
- a 2022 decision imposing a ban on processing for one municipality, and
- a 2024 decision issuing a binding order (påbud) covering 53 municipalities.
Together, these three decisions form a continuous supervisory line over the same processing setup. This post looks at the facts established across the decisions, the recurring findings, and the practical lessons that follow.
Key takeaways from the Danish Google Chromebook case
A DPIA should have been decisive at the procurement stage
Across the 2022 ban, the 2024 binding order, and the 2026 decision, the Danish DPA repeatedly identifies structural risks that would have been apparent in a DPIA carried out before procurement and deployment.
If a DPIA identifies risks that cannot be mitigated without changing provider or architecture, the only effective mitigation is not to procure or deploy the system. A DPIA performed after procurement cannot fix that.
Controller responsibility requires demonstrable, ongoing control
Being formally designated as “controller” is insufficient. Organisations must be able to show practical influence over:
- purposes,
- processing parameters,
- sub-processor involvement,
- and changes to processing over time.
If that influence does not exist, compliance cannot be demonstrated.
Third-country processing is a persistent, unresolved issue
Each decision identifies processing outside the EU and the lack of verifiable “essentially equivalent” protection as a core compliance obstacle.
Scaling up does not resolve structural compliance problems
The expansion from one municipality (2022) to 53 municipalities (2024) did not materially change the factual findings, which were repeated again in 2026.
Background
The decisions concern Danish municipalities’ use of Google Chromebooks and Google Workspace for Education in public schools.
The processing involves personal data relating primarily to pupils (children) and school staff. Municipalities act as controllers, while Google acts as processor, relying on additional sub-processors as part of the service delivery.
Findings identified in the decisions
In each of the three decisions, the Danish DPA identifies the following factual deficiencies:
- Datatilsynet repeatedly notes that municipalities:
  - cannot fully describe or document how personal data is processed nor identify a legal basis,
  - cannot demonstrate effective control over Google’s and sub-processors’ processing operations,
  - depend on technical and contractual configurations determined by the provider.

  This is presented as a failure of controller responsibility, not as a contractual formality.
- personal data is processed outside the EU without verifiable “essentially equivalent” protection,
- as a result, municipalities cannot demonstrate compliance with GDPR obligations relating to controller responsibility, processor governance, and international data transfers.
The 2026 decision describes extensive efforts by municipalities to:
- adjust documentation,
- review contracts,
- and reassess compliance after deployment.
Yet the authority still concludes that lawfulness cannot be demonstrated.
How the decisions developed over time
2022 – Ban on processing (single municipality)
In 2022, the DPA examined the Chromebook setup used by one municipality and imposed a ban on processing, based on findings that lawful processing could not be ensured under the existing setup.
2024 – Binding order covering 53 municipalities
In 2024, the scope expanded to 53 municipalities. The DPA issued a binding order (påbud) requiring municipalities to bring the processing into compliance, relying on findings that largely mirrored those from 2022.
2026 – New decision on the same setup
In 2026, the DPA reassessed the same Chromebook and Google Workspace setup. The authority again identified the same core factual issues and concluded that the processing will likely be unlawful under the GDPR.
The role of the DPIA in light of the decisions
One of the clearest practical lessons emerging from the combined reasoning of the 2022, 2024, and 2026 decisions concerns timing.
A DPIA carried out before procurement and before putting the system into operation would have identified:
- the lack of effective controller control,
- the dependency on opaque sub-processor chains,
- and the third-country processing risks inherent in the setup.
At that stage, the relevant mitigation would have been a different procurement decision, rather than post-deployment compliance measures.
Once a system is operational, organisations often lose meaningful room to manoeuvre. Compliance work performed after deployment may reduce risk exposure, but it cannot correct foundational design or procurement choices.
Conclusion
Taken together, the Danish Chromebook decisions from 2022, 2024, and the new 2026 decision provide a detailed factual illustration of how large-scale cloud-based education systems can encounter persistent GDPR compliance challenges.
The cases underline that:
- DPIAs must inform procurement decisions, and
- structural deficiencies identified late are difficult to resolve after large-scale deployment.
The Danish Data Protection Agency notes that the entire course of events in this case could – and, in the Agency's opinion, should – have been avoided if the relevant data protection assessments had been carried out, evaluated, and handled before the specific product was purchased, let alone put into use. Furthermore, the Danish Data Protection Agency notes that it is not possible or legal – in relation to data protection rules – to purchase and use a product that processes personal data if it is not possible to clarify the processing of personal data that takes place in the product. This applies regardless of the business indication.

If you choose a product where the processing activities and the contractual basis for the processing change frequently, you, as the data controller, must be able to continuously document that the processing, even after the change, is lawful. If this is not possible, the processing must be terminated or otherwise made lawful by changing the product and/or supplier.

This complex case, the number of data protection violations, and the work that the municipalities have had to do behind the scenes to legalize their choice and use of the products in question have prompted the Danish Data Protection Agency to urge actors with the same processing scenarios to ensure compliance prior to procurement and commissioning, join forces to draw up common requirements in the procurement phase, common operational configurations in the operational phase, and, in general, consider making use of the possibility under Article 40 of the Data Protection Regulation to draw up and have codes of conduct approved. In future, the Danish Data Protection Agency will take this into account when deciding on sanctions if the principles in this and previous decisions in the case are not followed. This applies in particular to all areas where public and institutional actors in the private sector perform tasks where users are limited in their choice of provider.



