The data protection officers of the school authorities in Berlin do not like the use of Google's G Suite for Education in schools at all. And for good reason. Because those responsible cannot guarantee that personal data (pbD) will not be further processed and analysed by Google.
EU-US Privacy Shield and ISO certifications only of limited use
Google has signed the EU-US Privacy Shield and has various ISO certifications. Nevertheless, data controllers cannot guarantee that Google will not process personal data for their own purposes, e.g. to improve their services.
Imagine that students store their school reports, CVs, application letters, etc. with Google.
Those responsible, i.e. the school administration, must now take the rap for the fact that Google does not do anything with these pbD. Not even by making the data anonymous.
Because no school administration can guarantee this, such services should only be used in a limited way, if at all. They should only be used if the processing of personal data can be excluded. Furthermore, they can be used if only general information, teaching materials, etc. are processed.
Data protection impact assessment brings light into the darkness
According to Art. 35 GDPR - Data Protection Impact Assessment, data controllers must inform themselves about existing risks or evaluate them. This is impossible when using G Suite for Education from Google to process pbD there in a DSGVO-compliant manner.
Here, the school headmasters should work very closely with the data protection officers. Because each school board has only one data protection officer for each administrative district, who is responsible for as many as 70 schools, cooperation can be a bit awkward. I can only recommend that you keep at it and always be in dialogue.
Privacy by Design
Data protection must already be taken into account in the design of technology, e.g. in the system integration of new servers or services (Art. 25 GDPR - data protection through technology design and through data protection-friendly default settings).
This means that the school management should bring the data protection officer on board as early as the conception of new systems and services. Decisions are often made in good faith without assessing the consequences. I even understand that in part because the expertise is simply lacking. But that's what the data protection officer is there for.
It is better to ask the data protection officer at the education authority before buying technology, software and services. This saves a lot of time, trouble and money.