Privacy Compliance When Using Google Forms

November 25, 2024


Google Forms is a survey-management application included in Google's web-based Google Docs Editors suite. It allows users to create and edit surveys online while collaborating with other users in real time. Google Forms is currently an extremely popular tool for collecting and storing data from participants when organizing events or running surveys. Despite this popularity, the privacy and protection of the data, including personal data, collected via Google Forms has yet to be adequately reviewed. This article aims to provide a general overview and practical guidance on how to use Google Forms while respecting the privacy of participants.

  1. Can Google Forms be used to collect personal data?

Yes. No regulation prohibits the use of Google Forms to collect and process personal data. On the other hand, there is also no official guidance from any competent authority regarding its use. The user therefore has to ensure the privacy and protection of personal data through the settings and the design of the Google Form itself.

  2. What is the personal data processing role of Google?

In this case, Google acts as the data processor while the user acts as the data controller, for the following reasons:

  1. Google only stores the data and does not access it unless the user consents or Google is required to do so by applicable law[1]. As such, Google does not know what data is stored in Google Forms submissions and cannot know whether it is personal data or not;
  2. Google does not instruct the user to collect any data. The Google Form is designed by the user to collect data for the user's own purposes, with no influence from Google;
  3. Google does not decide who the personal data is shared with or when it is deleted.

This shows that the user controls the essential means of the processing: whose data is collected, what data is collected, who it is shared with, how long it is stored, and so on. Google, like any cloud service provider, only supplies the means to store the data; with regard to storage, Google is therefore the data processor.

However, where Google processes the data for a purpose of its own, such as spam filtering, virus detection or malware protection, it is considered a data controller to the extent of that processing.

  3. Issues to take note of when using Google Forms to collect personal data

  • Design of Google Forms

As the user acts as the data controller, he or she is responsible for the personal data of participants collected via the Google Form. The user therefore has to design the questions and notices on the form so that participants receive the information required by applicable regulations and so that their valid consent is obtained for the processing the user will perform. Both the compliance and the validity of the processing depend on how the form is designed, so the user should be especially careful.

  • Engagement with Google

As Google acts as the data processor in this scenario, there must be an agreement on the data processing between Google and the user. This is found in Google's Terms of Service[2]. The user should be aware of these terms and be able to produce them in case of a dispute, in order to demonstrate compliance with the applicable privacy and data protection laws. This can be difficult, since Google hosts a huge number of services governed by long and complicated terms that users are often tempted to skip.

Also, while the user is the controller and Google the processor, Google offers many privacy and file-sharing settings that affect how the data is processed and where it is stored. In particular, responses can be sent to a linked Google Sheet whose sharing settings are independent of the form's, so the sheet must be reviewed as well. Navigating all of these settings can be difficult and time-consuming for the user and is often overlooked.

Furthermore, since Google is a data processor, the transparency principle requires that data subjects be informed of this fact as well. This can be done in a privacy notice within the Google Form itself.

  4. What are the best practices when using Google Forms to collect personal data?

  • Obtaining consent

Besides the data-collection fields, the Google Form should also include a field collecting the participants' consent to personal data processing. This field should be able to demonstrate valid consent, for example under the EU's GDPR, by being:

  • Freely given: consent must be obtained without coercion and without any negative consequence for participants who do not provide the data;
  • Specific: the purposes of the processing must be communicated to participants clearly and in detail, and participants must be able to choose which purposes they agree to;
  • Informed: participants must receive the information about the processing needed to understand what they are consenting to. This includes: the controller's identity; the purpose of each processing operation for which consent is sought; what (type of) data will be collected and used; the existence of the right to withdraw consent; information about the use of the data for automated decision-making, where relevant; and the possible risks of data transfers in the absence of an adequacy decision and appropriate safeguards;[3]
  • An unambiguous indication of the data subject's agreement to the processing of his or her personal data: consent must be expressed through a clear, affirmative action. To obtain strong consent, the user can require participants to write a statement expressing their consent or to tick a box next to a consent statement.

The Google Form should also be designed so that it cannot be submitted unless the participant has given consent. This is done by marking the consent tick box as a required question that must be ticked before the form can be submitted, which ensures that personal data is only collected after the data subject has consented. The user must not pre-tick the box, since a pre-ticked box does not constitute valid consent;[4] participants must tick the box themselves for the consent to be affirmative.


  • Privacy Notice

The Google Form should also include a Privacy Notice, so that the user complies with the obligation to inform participants of the processing activities. The information provided must comply with the applicable data protection legislation.

A good approach is a layered notice: the key information on the processing is conveyed clearly and concisely in a short summary, with a link to a fully detailed privacy notice for participants who want more information. This keeps the notice user-friendly while still giving participants the option to explore in detail how their personal data will be processed.


PrivacyCompliance prides itself on its team of experts having achieved numerous internationally recognized certifications such as CIPM, CIPP/E, CISA, CISM, CRISC®, ISO27001 Lead Auditor, etc. With tried-and-tested knowledge and capacity, PrivacyCompliance is confident in being able to provide in-depth and comprehensive solutions on personal data compliance and protection.

[1] Google, ‘Understand the basics of privacy in Google Docs, Sheets, & Slides’ <https://support.google.com/docs/answer/10381817?hl=en#:~:text=The%20content%20you%20save%20on,are%20required%20to%20by%20law.> accessed 28 May 2024.

[2] Google, ‘Terms of Service’ (22 May 2024) <https://policies.google.com/terms?hl=en-US> accessed 28 May 2024.

[3] EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’ (4 May 2020) <https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf> accessed 28 May 2024.

[4] For more details, see CJEU Case C-673/17, Planet49.

