More than half of Denmark’s municipalities warned over Google data violations

Published: 12 February 2026
Last updated: 12 February 2026
denmark half warned
Image by Cybernews.

The Danish privacy regulator Datatilsynet has reprimanded 51 Danish municipalities for using Google’s products in primary schools.

Specifically, this concerns Google Chromebooks and Google Workspace for Education.

Dozens of Danish municipalities use Google products in primary education. In this situation, the municipalities are the data controllers, and Google is the data processor.

ADVERTISEMENT

In turn, Google uses a chain of sub-processors: businesses hired by Google to handle the personal data of its clients. However, these firms are located outside of the EU. That means that municipalities must demonstrate that any such transfers maintain a level of protection equivalent to that provided within the European Economic Area (EEA).

Without such safeguards, data flows could be considered unlawful.

Google Workspace 2
Image by Shutterstock.

Two years ago, Datatilsynet asked the European Data Protection Board (EDPB) about the data controller’s obligations when using data processors and sub-processors outside the EU. The EDPB stated that the controller must have a complete overview of all processors and sub-processors, their roles, locations, and compliance with GDPR rules, including rules on international data exchange.

The Danish privacy and data protection authority found that the municipalities, in their role as data controllers, did not comply with GDPR obligations.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

For example, the municipalities failed to verify whether the sub-processors Google works with comply with the processing agreement, particularly regarding the transfer of data to third countries. According to the regulator, contractual obligations don’t suffice for data transfers to unsafe countries.

Therefore, the processing of personal data by primary schools does not comply with rules dictated by Europe’s privacy laws.

ADVERTISEMENT

In addition, Datatilsynet claims that municipalities are likely to violate the GDPR if they use Google products that are not configured correctly. The privacy supervisor also strongly criticizes the processing of personal data by municipalities when using Google products for teaching in primary education.

The municipalities involved don’t get sanctioned by the privacy regulator, but they are reminded that they must have sufficient resources and clarity in their data processing arrangements, especially when service terms change or evolve.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked