Providing our EU Education customers’ with data transfer protections to support privacy assessments

Recently, Datatilsynet (the Danish Data Protection Authority) issued a ruling emphasizing the importance of conducting proper due diligence before implementing cloud services. We agree due diligence is an important step for customers since privacy assessments and outcomes can vary significantly based on the way customers have configured their system. Although this ruling is limited to Helsingør Municipality, it may be of interest to other Danish controllers. To be clear, the ruling does not apply to Google directly or to other customers, nor does it prohibit use of Google Workspace for Education or Chromebooks in Denmark. It serves as a reminder that customers should conduct a thorough assessment of their systems.

Our commitment

Google is committed to helping our Education customers meet their data protection obligations — notably the requirements of the General Data Protection Regulation (GDPR) — by offering helpful products and tools, building robust privacy and security protections into our services and contracts, and maintaining certifications and audit reports. 

We support our customers in three key ways.

1. We provide the tools they need to conduct meaningful privacy assessments.

2. We enable them to manage their own data.

3. We take supplementary measures to secure the transfer of personal data.

Supporting privacy assessments

It is critically important for each cloud services customer to conduct a meaningful risk assessment of potential cloud providers, to confirm that a given provider can meet the customer’s particular needs and provide appropriate protection for the customer’s data. This is of special importance—and in many cases legally required—when it comes to privacy. The Google Privacy Resource Center, describes how we protect the privacy of Google Cloud Platform and Google Workspace customers and shares useful resources for customers.

Our Compliance Resource Center lists all of the certifications and independent third-party compliance attestations we make available to help our cloud customers assess our products.  For example, we offer ISO/IEC certifications (ISO/IEC 27001, 27017, 27701, 27018) as well as our SOC 2 and SOC 3 Audit Reports for Google Workspace for Education. Equally, the Chrome Education Upgrade has been audited and received ISO/IEC 27001, 27017, 27018 and SOC 1 Audit Reports. 

Education customers may also refer to the Google Workspace for Education Implementation Guide for helpful tips on how to configure their Google Workspace for Education instance, or engage a trusted partner from Google's global partner network for help with an assessment of their security needs and setup. 

Processing customer data only under customers’ instructions

Our customers' data is theirs, not Google’s. We only process customer data in accordance with our contracts with customers.

For users in primary and secondary schools, Google does not use any user personal information (or any information associated with a Google Workspace for Education Account) to target advertising, whether in Google Workspace Core Services (such as Gmail or Calendar), Chrome Education Upgrade, or other Google services accessed while using a Google Workspace for Education account.

Additional services (like YouTube, Maps, and Blogger) that are designed for consumer users can also be used with Google Workspace for Education accounts by users in primary and secondary (K-12) schools, but only if the school’s domain administrator allows access for educational purposes. 

Supplementary measures to secure transfer of personal data 

Google Cloud relies on EU Standard Contractual Clauses as described in Section 10 of the Data Processing Amendment as the lawful basis for transfers of customer personal data to countries outside the European Economic Area that have not been approved by the European Commission as ensuring adequate data protection. We published a whitepaper describing our approach to implementing these clauses, and details of our supplementary measures, to facilitate any transfer impact assessments undertaken by our customers. Google also welcomes the agreement by the European Commission and U.S. Government on a new Trans-Atlantic Data Privacy Framework, and looks forward to offering the protection of that new framework to customers, once it is implemented.

In addition, Client-side encryption is an important technical control from Sovereign Controls for Google Workspace that limits a cloud provider’s access to customer data. Google Workspace for Education already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. The European Data Protection Board recommendations include encryption as part of the supplementary measures to protect data. Google Workspace is leading the way on such measures with our Client-side encryption feature offered for key services that allows customers to continue benefiting from the powerful innovations of Google Cloud while retaining complete confidentiality and control over their data.

Google Workspace’s unique approach to client-side encryption provides our customers with authoritative privacy control over their data through encryption keys that they can hold on site, within a nation’s borders, or within any other boundary they define. Google never has access to the keys or key holders, which means the data is indecipherable to us and we have no technical ability to access it. Similarly, users can set a passphrase to encrypt their Chrome sync data so that Google cannot access or read it. Even without a passphrase, synced data is always encrypted in transit. 

We are committed to continue developing products and features that meet the needs of students and educators, and ensure that their data is secure and their own.  

For more information, see https://edu.google.com/why-google/privacy-security/frequently-asked-questions.