On January 29, 2026, the Danish Data Protection Agency put a temporary stop to a case that began in 2022. 51 municipalities used Google Workspace and Chromebooks in schools. The Data Protection Agency found that the municipalities could not account for who was actually processing the children's personal data. The reason was that Google uses subcontractors (sub-processors) who further process the data, partly outside the EU.
And this was the municipalities' responsibility. As the data controller, you are obligated to know who your data processor further engages—and to ensure that these parties comply with GDPR. It is not enough to sign a Data Processing Agreement with Google or Microsoft. Your agreement must cover the entire chain.
This doesn't just apply to schools. It applies to everyone who uses cloud-based services — and that's almost everyone.
Practical point: Ask your primary cloud provider for a list of sub-processors. Check if any are located outside the EU/EEA. Find out if your data processing agreement covers the onward transfer. It takes 15 minutes to send the email.
Inspired by: Danish Data Protection Agency