Cloud DPIA Resource Center

At Google, we create trust through transparency. We work not only to protect your data but to demonstrate that protection, and to support your privacy compliance (for example, through the extensive resources available via our Privacy Resource Center). Consistent with these goals, we offer this Cloud DPIA Resource Center to outline the obligations our customers may have under the EU’s General Data Protection Regulation (“EU GDPR”) to conduct data protection impact assessments (“DPIAs”) related to processing they control, and to provide basic information relevant to the initial stage(s) of any DPIAs they need to complete.

Navigating the onerous DPIA requirements under Article 35 of the EU GDPR will involve many factors that only customers, as controllers of Customer Personal Data processed via our Google Workspace (including Google Workspace for Education) and/or Google Cloud services (collectively, “Cloud Services”) - and not Google, as a processor of that data - will be in a position to identify or assess. However, we have assembled the materials in this Resource Center to help familiarize you, if you are a controller of Customer Personal Data, with your obligations under Article 35 related to that data, and with the Cloud Services we provide as your processor.

As you consider your DPIA obligations with respect to Customer Personal Data, you may also want to take account of Google’s processing of Service Data, even though Google is currently¹ the controller of that data. Google discloses the categories of Service Data it processes, the purposes for which it processes Service Data and other relevant information about its Service Data processing in the Google Cloud Privacy Notice to ensure that data subjects (who are often individual users of the Cloud Services) understand how Google processes this data and can exercise their rights.

Using the information provided in this Resource Center as your starting point, you will need to consider carefully how and why your organisation intends to use the Cloud Services, and make sure you understand, in detail, how those services will work in that context. The information provided in this Resource Center is intended to assist you with this step. You will then need to consider other factors, such as: which individuals could be impacted by your intended use of the Cloud Services; exactly how those individuals could be impacted and to what extent (including the potential sensitivity of the data involved); and whether you can use safeguards, security measures or other mechanisms to mitigate any risks you might identify with respect to those individuals. This Resource Center also

¹_{As explained in this blogpost, Google intends to offer new contractual privacy commitments for Service Data that align with the commitments we offer for Customer Data. Google plans to implement these updates - planned for the Cloud Services - beginning in 2023 and in successive phases through 2024.}

contains information relevant to this step. In addition, you may need to review and document all or part of your compliance strategy to ensure you meet all your obligations as a controller of their personal data under the EU GDPR.

Particularly for customers deploying one or more Cloud Services at scale, conducting this analysis can be a complex exercise, requiring extensive due diligence and professional expertise. Be assured that Google is committed to helping you meet your DPIA obligations, to the extent we can do so as your processor, and to supporting your compliant use of our Cloud Services.

To that end, this Resource Center contains:

Key terminology: An explanation of key terminology we use in this Resource Center, including relevant definitions.
Determining whether a DPIA is needed: Information to help you determine whether a DPIA is needed for your use of our Cloud Services.
Preparing a DPIA: Information about our Cloud Services that can help you complete your DPIA, if you determine that one is needed.

Please note that this Resource Center does not reflect a DPIA or other risk assessment conducted by Google with respect to any of the Cloud Services. In addition, this Resource Center does not contain legal advice for any organisation using it, and should not be construed as such. If you have any questions about your legal responsibilities under the EU GDPR or other applicable legislation, including with respect to DPIAs, please seek independent legal advice, as the consequences of breaching the EU GDPR, including your DPIA obligations, can be very serious.

Section 1: Key terminology

In this Resource Center:

when we refer to:
- “CDPA”, we mean our Cloud Data Processing Addendum for Google Cloud and Google Workspace (including Google Workspace for Education);
- “Cloud Services”, we mean Google Workspace (including Google Workspace for Education) and/or Google Cloud services;
- “Cloud Contract”, we mean the terms of service or other agreement between Google and the Customer relating to our Cloud Services;
- “Service Data”, we mean the data defined as such in the Google Cloud Privacy Notice;
we use certain terms that are defined in our Cloud Contracts, specifically:
- “Customer” is defined in the relevant Cloud Contract, and generally means the entity or person that enters into a Cloud Contract;
- “Customer Data”, “End User” and “Term” are defined in the relevant Cloud Contract and, for clarity, “Customer Data” includes any “Customer Personal Data”;
- “Additional Security Controls”, “Customer Personal Data”, “EU GDPR”, “European Data Protection Law”, “European Law”, “Security Measures” and “Subprocessor” are defined in the CDPA;
- “TSS” is defined in the relevant Cloud Contract, and generally means technical support services related to the relevant Cloud Services;
we also use terms that are defined in Article 4 of the EU GDPR, specifically: “controller”, “data subject”, “personal data”, “processing”,“processor” and “supervisory authority”.

Section 2: Determining whether a DPIA is needed

Under Article 35(1) of the EU GDPR, controllers must carry out an assessment (i.e. a DPIA) of the impact of their envisaged processing operations on the protection of personal data “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”. The assessment must be carried out “prior to the processing”. A “single assessment may address a set of similar processing operations that present similar high risks”.

Under Article 35(3) of the EU GDPR, a DPIA will, in particular, be required in the case of:

systematic and extensive evaluation of personal aspects relating to natural persons, where that evaluation is based on automated processing, including profiling, and serves as the basis for decisions that produce legal effects concerning the natural person or similarly significantly affect the natural person;
processing on a large scale of: (i) special categories of data referred to in Article 9(1) of the EU GDPR (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or genetic data, biometric data processed for the purpose of uniquely identifying a natural person or data concerning health or a natural person's sex life or sexual orientation); or (ii) personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR (i.e. personal data relating to criminal convictions and offenses); or
systematic monitoring of a publicly accessible area on a large scale.

When determining whether a DPIA is needed for any of our Cloud Services, the controller needs to consider these factors, together with any other factors (such as applicable law, regulation and regulatory guidance) relevant in the specific context of the controller’s envisaged implementation and operation of the Cloud Services. That context will be different for each customer, since each customer chooses how to implement and operate the Cloud Services based on their own needs and situation, and which Customer Personal Data to process via those services.

We also recommend that you check to see whether your supervisory authority has issued guidance or mandatory rules on when a DPIA is required, and that you seek independent legal advice when determining whether you need a DPIA in any given case.

Section 3: Preparing a DPIA

Article 35(7) of the EU GDPR requires a DPIA to contain at least:

a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects; and
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the EU GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

The table below sets out basic information about our Cloud Services in a format that follows these Article 35(7) criteria. This format also takes into account Appendix 2 of the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679” published by the Article 29 Data Protection Working Party (now the European Data Protection Board). The information in this table applies to all Cloud Services unless stated otherwise.

We also recommend that you check to see whether your supervisory authority has issued guidance on how to complete a DPIA, and seek independent legal advice on how best to complete any DPIA that you determine is needed.

DPIA Criteria	Relevant Information about the Cloud Services
A systematic description of the envisaged processing operations
nature, scope and context of processing	If the Customer is the relevant controller of Customer Personal Data, then that Customer is responsible for completing any DPIA required under the EU GDPR. Google will act as the Customer’s processor of Customer Personal Data, processing that data strictly as instructed by the Customer. These roles are described in the CDPA. The Cloud Services cover a wide range of potential uses and are highly configurable: Google Workspace (including Google Workspace for Education) services offer extensive productivity and collaboration tools; and Google Cloud services comprise over 150 cloud computing, data analytics and machine learning products. As a controller of Customer Personal Data processed via the relevant Cloud Services, the Customer is responsible for determining the nature, scope and context of the processing of that data. This will include determining the following, for example: the nature of the Customer Personal Data; the volume and variety of the Customer Personal Data, number of data subjects involved, etc.
categories of personal data processed	As set out in Appendix 1 of the CDPA, the ‘categories of data’ processed via the Cloud Services will encompass any data relating to individuals that is provided to Google, via the Cloud Services, by (or at the direction of) Customer or its End Users, including, in the case of Google Workspace, any data submitted, stored, sent or received via Google Workspace. Depending on the Customer’s envisaged use of the Cloud Services, these categories may include any special categories of personal data, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data (where this is used for identification purposes); or data concerning health, sex life or sexual orientation. Further categories of personal data processed may also be relevant (e.g. identification data, location data, or behavioural preferences), again depending on the Customer’s envisaged use of the Cloud Services.
recipients of the personal data	The Customer, as controller of Customer Personal Data, is responsible for determining the third parties with whom that data is shared. Google, as a processor of that data, is a recipient of it. Google, as processor, also engages Subprocessors authorised by the Customer under the CDPA to perform limited activities in connection with the Cloud Services. The Subprocessors currently engaged by Google are listed here (for Google Workspace, including Google Workspace for Education) and here (for Google Cloud). Google’s commitments For each Subprocessor, Google commits in the CDPA to: ensure that the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Cloud Contract (including the CDPA); ensure that, if the processing of Customer Personal Data is subject to the EU GDPR (or any other European Data Protection Law), then the data protection obligations described in the CDPA are imposed on the Subprocessor; and provide each Customer with advance notice before a new Subprocessor starts processing any Customer Data, including in this notice the Subprocessor’s name and location, and the activities it will perform. Activities Subprocessors are engaged to perform: TSS; Data Center Operations; and Service Maintenance. Each activity is described in more detail in our Google Workspace Subprocessor list and Google Cloud Subprocessor list. Access to Customer Data Our Google Workspace Subprocessor list and Google Cloud Subprocessor list describe each Subprocessor’s access to Customer Data based on the activity they are engaged to perform for the respective Cloud Services.
period for which the personal data will be stored	As set out in Appendix 1 of the CDPA , Google will process the Customer Data for the Term plus the period from the end of the Term until deletion of all Customer Data by Google in accordance with the CDPA. Google will enable the Customer to delete Customer Data during the Term in a manner consistent with the functionality of the relevant Cloud Services. If the Customer wishes to retain any Customer Data after the end of the Term, it may instruct Google to return that data during the Term, and the Customer instructs Google to delete all remaining Customer Data (including existing copies) from Google’s systems at the end of the Term in accordance with applicable law. After a recovery period of up to 30 days from that date, Google will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European Law requires storage. For more information about retention and deletion for: Google Workspace (including Google Workspace for Education), see our help center articles on Delete or remove a user from your organization and Delete your organization's Google Account Google Cloud: See our Data deletion on Google Cloud page. The Customer, as controller of Customer Personal Data, is responsible for copies of that data it may choose to store outside Google’s or its Subprocessors’ systems.
a functional description of the processing operation(s)	The Google Workspace (including Google Workspace for Education) services are productivity and collaboration tools and are described in the Google Workspace Services Summary. For more information about service features, see here for Google Workspace and here for Google Workspace for Education. The Google Cloud services comprise over 150 cloud computing, data analytics and machine learning products and are described in the Google Cloud Services Summary. For more information about service features, see here.
the assets on which personal data rely (hardware, software, networks, people, paper or paper transmission channels)	Google may store and process Customer Data where Google or its Subprocessors maintain facilities. For the Google Workspace (including Google Workspace for Education) services: information about the locations of Google’s facilities is available here; and information about the locations of Subprocessors’ facilities is available here. For the Google Cloud services: information about the locations of Google’s facilities is available here; and information about the locations of Subprocessors’ facilities is available here. More information about relevant infrastructure (including hardware and networks) used in the performance of Cloud Services (including for the processing of Customer Data) is available in our Security Infrastructure Design Overview, as well as: for Google Workspace (including Google Workspace for Education), in the Google Workspace Security whitepaper; and for Google Cloud, in the Google security overview.
compliance with approved codes of conduct is taken into account	Google adheres to the EU GDPR Cloud Code of Conduct (CoC) with respect to the Cloud Services. This CoC is a mechanism for cloud providers to demonstrate how they offer sufficient guarantees to implement appropriate technical and organisational measures as processors under the EU GDPR.
The purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
purposes of the processing	The Customer, as controller of Customer Personal Data, instructs Google to process that data only in accordance with applicable law: to provide, secure, and monitor the Services and TSS; as further specified via the Customer’s use of the relevant Cloud Services and TSS; and as documented in the relevant Cloud Contract, including the CDPA. Google will comply with the Customer’s instructions under the CDPA (unless prohibited by European Law) with respect to such processing.
An assessment of the necessity and proportionality of the processing operations in relation to the purposes
specified, explicit and legitimate purpose	The Customer, as controller of Customer Personal Data, is responsible for complying with the ‘purpose limitation’ principle (under Article 5 of the EU GDPR) with respect to any such data processed via the Cloud Services. As described in the CDPA, the Customer instructs Google to process Customer Personal Data in accordance with the applicable Agreement (including the CDPA) and applicable law only: (a) to provide, secure, and monitor the Services and TSS; and (b) as further specified via (i) the Customer’s use of the Services and TSS and (ii) any other written instructions given by Customer and acknowledged by Google as constituting instructions under the CDPA. Google will comply with the Customer’s instructions under the CDPA (unless prohibited by European Law) with respect to such processing.
lawfulness of processing	The Customer, as controller of Customer Personal Data, is responsible for determining the lawfulness of its processing via the Cloud Services. As described in the CDPA, the Customer instructs Google to process Customer Personal Data in accordance with the applicable Agreement and applicable law only for the purposes specified in the CDPA. Google will comply with the Customer’s instructions under the CDPA (unless prohibited by European Law) with respect to such processing. Both the Customer and Google also commit, in the CDPA, to complying with their respective obligations under the EU GDPR (and any other European Data Protection Law).
adequate, relevant and limited to what is necessary	The Customer, as controller of Customer Personal Data, is responsible for complying with the ‘data minimisation’ principle (under Article 5 of the EU GDPR) when any such data is processed via the Cloud Services. As described in the CDPA, the Customer instructs Google to process Customer Personal Data in accordance with the applicable Agreement (including the CDPA) and applicable law only: (a) to provide, secure, and monitor the Services and TSS; and (b) as further specified via (i) the Customer’s use of the Services and TSS and (ii) any other written instructions given by Customer and acknowledged by Google as constituting instructions under the CDPA. Google will comply with the Customer’s instructions under the CDPA (unless prohibited by European Law) with respect to such processing.
storage limitation	The Customer, as controller of Customer Personal Data, is responsible for complying with the ‘storage limitation’ principle (under Article 5 of the EU GDPR) when any such data is processed via the Cloud Services. Please see the “period for which the personal data will be stored” section above for relevant information about Google’s retention and deletion commitments with respect to the Cloud Services.
information provided to the data subject	The Customer, as controller of Customer Personal Data, is responsible for complying with Articles 12-14 of the EU GDPR when any such data is processed via the Cloud Services.
measures contributing to data subject rights	The Customer, as controller of Customer Personal Data, is responsible under Chapter III of the EU GDPR for responding to requests from data subjects to exercise their rights relating to that data under Chapter III. To help the Customer fulfill these obligations, Google commits in the CDPA to enable the Customer during the Term, in a manner consistent with the functionality of the Cloud Services, to delete, access, rectify and restrict processing of Customer Data (including via the deletion functionality provided by Google) and to export Customer Data. The Customer can use the Admin Console and other functionality of the Cloud Services to access, rectify, restrict the processing of, or delete any Customer Personal Data. Additionally, if during the Term Google’s Cloud Data Protection Team receives a request from a data subject that relates to Customer Personal Data and identifies the Customer, Google will: (a) advise the data subject to submit their request to the Customer; (b) promptly notify the Customer; and (c) not otherwise respond to that data subject’s request without authorization from the Customer. The Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Cloud Services. Specifically for Google Workspace (including Google Workspace for Education) services, the Google Workspace Data Subject Requests (DSR) Guide provides more information on how a Google Workspace Administrator can use Google Workspace Admin Console features to help the Customer fulfill its obligations to respond to requests from data subjects.
relationships with processor	The CDPA binds Google, as the Customer’s processor of Customer Personal Data, and otherwise reflects the contracting requirements under Article 28 of the EU GDPR.
safeguards surrounding international transfer(s)	The Customer and Google, as controller and processor respectively of Customer Personal Data, are responsible for ensuring that any transfers of such data to third countries comply with the requirements of Chapter V of the EU GDPR. To legitimize any transfers of Customer Personal Data to non-adequate third countries, Google relies on the new EU SCCs, as described in the CDPA and in more detail in our Google Cloud’s Approach to European Standard Contractual Clauses whitepaper. In particular, you may wish to review the section titled “Google Cloud’s Updated Approach to SCCs” to understand which SCC module(s) are applicable with respect to relevant transfers of Customer Personal Data. We also provide information about our technical, legal, and organisational safeguards for Google Workspace (including Google Workspace for Education) in our Safeguards for International Data Transfers with Google Workspace and Workspace for Education whitepaper and our Safeguards for International Data Transfers with Google Cloud whitepaper . These whitepapers include information about United States laws and their applicability to the Cloud Services to help customers with any risk assessments they may need to complete in light of the Court of Justice of the European Union's ruling known as “Schrems II”.
prior consultation with the supervisory authority	The Customer, as controller of Customer Personal Data, is responsible for complying with Article 36 of the EU GDPR with respect to prior consultations with any relevant supervisory authority. To support those consultations, the Customer may refer to any information contained in this Resource Center.
An assessment of the risks to the rights and freedoms of data subjects
origin, nature, particularity and severity of the risks	The Customer, as controller of Customer Personal Data, is responsible for determining and assessing the risks to the rights and freedoms of data subjects in connection with the Customer’s envisaged implementation and operation of the Cloud Services. For more information about privacy and security best practices when implementing and using the Cloud Services, see: Our data protection implementation guides for Google Workspace and Google Workspace for Education Our security best practices center, which contains various security-focused resources for the Cloud Services
The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data
measures envisaged to treat the risks are determined	The Customer and Google, as controller and processor respectively of Customer Personal Data, are responsible under Article 32 of the EU GDPR for implementing appropriate technical and organisational measures to secure that data, as appropriate to the risks involved. Under the CDPA, the Customer agrees that the relevant Cloud Services, the Security Measures implemented and maintained by Google, the Additional Security Controls and Google’s commitments under the CDPA provide an appropriate level of security in light of those risks. Security measures As described in our Security Infrastructure Design Overview, Google has a global scale technical infrastructure designed to provide security through Google’s entire information processing life cycle. Specifically, this infrastructure is designed to provide secure deployment of the Cloud Services, secure storage of Customer Data, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators. More information about the specific technical and organisational measures maintained by Google with respect to: Google Workspace (including Google Workspace for Education) is set out in the Google Workspace Security Whitepaper; and Google Cloud is set out in the Google Security Overview. Additional extensive resources concerning Google’s technical and organizational security measures for the Cloud Services are available at our Security Best Practices Center and Privacy Resource Center. Google also offers optional Additional Security Controls to help Cloud Services customers meet their security and compliance needs. These controls are described in the resources available at our Security Best Practices Center and Privacy Resource Center mentioned above. Standards and best practices The Cloud Services regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations, and audit reports to demonstrate compliance. Customers can directly access and download various certifications (including ISO 27001, 27017, 27018 and 27701), audit reports (including SOC 1, 2 and 3) and other relevant resources via our Compliance Reports Manager. Additionally, as mentioned above, Google adheres to the EU GDPR Cloud Code of Conduct (CoC) with respect to the Cloud Services. Contractual security commitments Under the CDPA, Google commits to implement and maintain technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures are described in Appendix 2 of the CDPA. Organisational safeguards Our Transparency Report discloses, where permitted by applicable law, the number of requests made by law enforcement agencies and government bodies for Enterprise Cloud customer information. Google will follow the processes described in the Government Requests for Cloud Customer Data whitepaper with respect to any such requests.