Abstract
The US company Google Inc. offers a variety of Internet applications for many areas of everyday life. Whether a detailed search engine, e-mail service, voice over IP, route planner or data search on your own computer – almost every Internet user privately enlists one or more Google services. Academic institutions as well increasingly rely on the use of Google services. From an employer's point of view the use of these services becomes critical when the employees independently decide to use Google products instead of the applications provided by the employer. This procedure – though workable – involves numerous risks and legal problems. Internal data are transmitted unsupervised to an external company which is located outside Europe on top of that. Google's Terms of Service provide for granting extensive rights of utilisation, which, in a academic environment, can lead to problems associated with rights of dissemination. Not least there are infringements of confidentiality of labour-law and of security regulations of the institution.
Notes
http://www.google.com/intl/en/corporate/ (last accessed 22 June 2009).
German translation of ‘google’.
http://www.welt.de/webwelt/article235996/Nie_mehr_googeln.html (last accessed 22 June 2009).
For example, under German law according to Section 50, paragraph 1, in conjunction with Section 8, paragraph 2, No. 2 of the German Trademark Act.
http://mail.google.com/mail/help/intl/en/privacy.html (last accessed 22 June 2009).
http://groups-beta.google.com/googlegroups/privacy.html (last accessed 22 June 2009).
http://www.google.com/privacypolicy.html (last accessed 22 June 2009).
The prevailing controversy whether IP addresses are personal data or not is left out here. In Germany there are two different views: (1) pro personal data: county court Berlin-Mitte, 27 March 2007 – reference 5 C 314/06, maintained by the district court Berlin, 6 September 2007 – reference 23 S 3/07; and (2) contra personal data: county court Munich, 30 September 2008 – reference 133 C 5677/08.
If the provider is located within the EU, a contract for commissioned data processing would be possible. In such a case the controller remains liable for the processing of personal data. The controller must carefully choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out. The controller furthermore must ensure compliance of the processor with those measures. The processor just holds a ‘auxiliary function’ in comparison with the controller. Relevant is the detail of the contentual requirements.