More than just purposes
"... This means that Google may only process this data about the individual use of the services for the purposes approved by the schools."
Under the GDPR a processor is more restricted than merely to specific "purposes". It's subject to a contract with the controller that specifies "the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller".[GDPR Article 28.3]
That means the data controller has (not surprisingly) total control over all aspects of the processing. Unfortunately, being defined as a data processor makes almost all behemoth data slurpers' business model entirely inoperable as different data controllers will have differing expectations and requirements, necessitating individually negotiated contracts with each data controller.
It's strictly not lawful under the legislation for a data processor to specify the processing - they can negotiate it with the data controller, but the data controller must be the approving party to the contract.
Biting the hand that feeds IT
