G Suite for Education from Google in schools

Date of publication

The data protection officers of the school authorities in Berlin do not like the use of Google's G Suite for Education in schools at all. And for good reason. Because those responsible cannot guarantee that personal data (pbD) will not be further processed and analysed by Google.

EU-US Privacy Shield and ISO certifications only of limited use

Google has signed the EU-US Privacy Shield and has various ISO certifications. Nevertheless, data controllers cannot guarantee that Google will not process personal data for their own purposes, e.g. to improve their services.

Imagine that students store their school reports, CVs, application letters, etc. with Google.

Those responsible, i.e. the school administration, must now take the rap for the fact that Google does not do anything with these pbD. Not even by making the data anonymous.

Because no school administration can guarantee this, such services should only be used in a limited way, if at all. They should only be used if the processing of personal data can be excluded. Furthermore, they can be used if only general information, teaching materials, etc. are processed.

Data protection impact assessment brings light into the darkness

According to Art. 35 GDPR - Data Protection Impact Assessment, data controllers must inform themselves about existing risks or evaluate them. This is impossible when using G Suite for Education from Google to process pbD there in a DSGVO-compliant manner.

Here, the school headmasters should work very closely with the data protection officers. Because each school board has only one data protection officer for each administrative district, who is responsible for as many as 70 schools, cooperation can be a bit awkward. I can only recommend that you keep at it and always be in dialogue.

Privacy by Design

Data protection must already be taken into account in the design of technology, e.g. in the system integration of new servers or services (Art. 25 GDPR - data protection through technology design and through data protection-friendly default settings).

This means that the school management should bring the data protection officer on board as early as the conception of new systems and services. Decisions are often made in good faith without assessing the consequences. I even understand that in part because the expertise is simply lacking. But that's what the data protection officer is there for.


It is better to ask the data protection officer at the education authority before buying technology, software and services. This saves a lot of time, trouble and money.

Profile picture for user DeepL

DeepL is a deep learning company that develops AI systems for languages. The company, based in Cologne, Germany, was founded in 2009 as Linguee, and introduced the first internet search engine for translations. Linguee has answered over 10 billion queries from more than 1 billion users.

Profile picture for user manfred.woeller

Manfred Wöller

Manfred Wöller is a TÜV-certified data protection officer who makes data protection requirements technically feasible as part of the team. He is also a passionate vegan cook who takes care of the physical well-being at community events.