Introduction

A DPIA is a documented process undertaken by a data controller to describe, assess, and manage the data protection risks of a project and to demonstrate compliance with data protection obligations. In this context, a “project” could be e.g., an outsourcing by an organization which involves the use of Google, or the use of Google Workspace for Education to support teaching, learning and collaboration.

Organizations are only required to complete a DPIA in relation to the personal data they process as a “controller”. This term is defined in the GDPR and essentially means that your organization determines how, and for what purposes, it will process personal data. We recognize that some of our customers may themselves be data processors. However, this Resource Center is intended primarily for those organizations using the Cloud Services as a controller. 

A DPIA should describe:

• How and why you will be processing personal data, and identifying your GDPR lawful basis for that processing.

• Your assessment of the necessity and proportionality of the processing (why you need to process the personal data to achieve your aim). This includes what data processors, such as Google, you are using to support your processing.

• Any potential risks you have identified and the measures you will take to address and mitigate those risks. A DPIA can be an effective way to assess and demonstrate your project’s compliance with data protection principles. 

If you are starting a new project that involves processing of personal data, it is important that you decide early on whether you need a DPIA and familiarize yourself with the process. Conducting a DPIA early can also better help you identify any changes you may need (or choose) to make to your project. If you determine that you need a DPIA, the GDPR requires you to complete it before the personal data processing starts. See Do you need a DPIA?.

A DPIA should also be reviewed on an ongoing basis. If there are any significant changes to how the personal data is processed (e.g., if you decide to use the Cloud Services for new workloads or to process different datasets), you should re-assess the risks and determine whether any additional measures may be needed to address them.

As a data controller, your organization is responsible for determining whether a DPIA is required, and for preparing the DPIA. 

If your organization has a Data Protection Officer (DPO), it is important that you seek their advice when carrying out a DPIA. You may also wish to involve other teams or individuals in your organization with relevant skills and expertise to support the process (such as IT, compliance, or legal teams).

A DPIA can be completed in-house or can be outsourced to an external advisor, but you remain responsible for it.

As a controller, you will need to carry out a DPIA if the personal data processing involved in your project is likely to result in a “high risk” to the rights and freedoms of individuals. Some types of processing are always considered “high risk” and will always require a DPIA. For other types of processing, you will need to carry out an objective assessment of the risks involved. 

The European Data Protection Board has singled out the use of new technologies as one of the factors that can indicate “high risk”, and has issued guidance that many public sector processing operations relying on cloud services are likely to need a DPIA.

For more information, see section "How do you decide if the processing meets the trigger for a DPIA?" below.

The information below should help you with an initial assessment as to whether you need to conduct a DPIA. However, we still recommend that you review any guidance from the data protection authority in your country and seek independent legal advice.  

If you only act as a data processor, you do not need to complete a DPIA - though it can still be a helpful compliance exercise. 

Under the GDPR, some processing activities will always require a DPIA. This will be the case where your project involves one of the following:

• Automated processing of personal data involving a systematic and extensive evaluation of personal aspects of individuals (including any profiling), where that processing informs decisions producing legal (or similarly significant) effects on those individuals.

For example, if you use the Cloud Services to automatedly (e.g. without human intervention) analyze personal data relating to your employees (e.g. their work performance), and this could impact their individual employment conditions or salary, you will likely need a DPIA.

• Large-scale processing of special categories of data, or data regarding criminal convictions or offenses. 

For example, if you use cloud storage to store large datasets of individuals’ health data, such as medical records or clinical test results, you will likely need a DPIA.

• Systematic monitoring of publicly accessible areas on a large scale. In this context, a publicly accessible area would be any area open to any member of the public.

For example, if you intend to integrate your CCTV system with the Cloud Services, such as storing CCTV footage of your office premises in the cloud, you will likely need a DPIA.

Note: Each European data protection authority has set out additional types of processing that will always require a DPIA. You should therefore check the additional requirements in your country. 

The processing described in the section above will always need a DPIA. However, even if your processing does not fall within those categories, you still need to decide whether your processing is likely to result in a “high risk” to the rights and freedoms of individuals.

To make that decision, you must objectively evaluate the risks in your processing. Your assessment must take into account the nature, scope, context, and purposes of the processing. In other words, what you are doing with the personal data and why, and all the surrounding circumstances. 

A DPIA is more likely to be required where the processing involves the use of new technologies. This does not necessarily mean that any and all processing involving new technologies will, by default, require a DPIA. However, if your organization is using innovative technology or novel applications of existing technology then that usage should be considered as part of your assessment. We recommend that customers of the Cloud Services pay special attention to the role that Google Cloud’s technology plays in their processing when preparing their risk assessment.

The European Data Protection Board (EDPB) has produced guidance on determining whether your processing is likely to result in a “high risk”. This guidance includes nine factors that are indicators of a “high risk”:

1. Your processing involves profiling, evaluating, or scoring individuals (e.g., credit reference scoring).

2. You make automated decisions using personal data which have legal or similarly significant effects on individuals (e.g., e-recruiting or refusing an online credit application).

3. You systematically monitor individuals (e.g., CCTV or location tracking).

4. You process special category data or personal data of a highly personal nature (e.g., medical records).

5. You process personal data on a large scale. As ‘large scale’ is not defined in the guidance, this will be a matter for your judgment.

6. You match or combine different datasets (e.g., if you have obtained a separate dataset from a third party to enrich an existing dataset).

7. You process data about vulnerable individuals (e.g., children or patients).

8. You apply new technological or organizational solutions, or you make innovative use of technologies (e.g., Artificial Intelligence).

9. Your processing prevents individuals from exercising a right or using a service or contract (e.g., refusing an individual a loan).

Generally, if your processing meets two or more of these risk factors, you will likely need to conduct a DPIA.

Another factor relevant to your decision is whether your organization is a public body or engages in processing of personal data within the public sector (e.g. government departments, local councils, or municipalities). The EDPB has issued guidance that many public sector processing operations relying on cloud services are likely to result in a “high risk”, e.g., due to the sensitive nature of the data or the scale of the processing.

Some data protection authorities have developed risk assessment tools to help you decide if you need a DPIA, so we strongly recommend checking your authority’s website for guidance.

As the data controller, it is your organization’s responsibility to determine whether a DPIA is necessary and to prepare the DPIA. Google cannot conduct DPIAs on behalf of our customers, but we provide assistance by making available information and other resources that can help you complete the DPIA for your use of the Cloud Services.

A DPIA generally consists of several key phases, which are discussed in more detail in this section:

1. Describing the data processing

2. Assessing necessity and proportionality

3. Describing the risks and how you will manage them

4. Gathering additional input

5. Documenting your conclusions

There is no set format for a DPIA. Some data protection authorities have published templates you can use, or you could use the templates provided by Google Cloud (see How Google supports your DPIA).

Whether you use a template or create your own DPIA format, your DPIA should include:

• How and why your organization will be processing personal data and identifying your GDPR lawful basis (e.g., consent, performance of a contract, or legitimate interests).

• Your assessment of the necessity and proportionality of the processing (why you need to process the personal data to achieve your aim).

• Any potential risks you have identified, and the measures you will take to address and mitigate those risks. This can be an effective way to assess and demonstrate your project’s compliance with data protection principles.

Additionally, regularly monitoring the data processing activities for which your DPIA is conducted, as well as incorporating updates when needed, is a key part of the overall DPIA lifecycle. When a material change affecting the data processing activities occurs, you may wish to review and update the relevant parts of the DPIA accordingly.

1. Describing the data processing

You are expected to offer a functional description of your data processing. When you do this, it may be helpful to ask yourself the following questions:

• What types of personal data will be used in your project (e.g., names, contact information, financial details, emails)?

• Who is the personal data about (also known as data subjects) (e.g., your employees, customers, students)?

• What is the source of the personal data? Will you collect it directly from the individuals, or via a third party? 

• For what purposes will you be using the data? In other words, why are you processing it?

• How will you be using the data? How will you store it? For how long will you keep it?

• Who will have access to the personal data inside your organization?

• Will you share the data with anyone outside your organization?

You could also include a diagram, flow chart, or other visual aids as part of your description. 

2. Assessing necessity and proportionality 

Necessity and proportionality are key principles in European data protection law. To demonstrate the necessity and proportionality of your processing, you are expected to show how you intend to comply with your data protection obligations under the GDPR. Your assessment should show that you have thought about:

• What is your Article 6 GDPR lawful basis for processing this data (e.g., consent, performance of a contract, legitimate interests, or others)? If you are relying on your legitimate interests, you should describe those interests.

• Is the processing necessary to achieve your purpose? Are you satisfied you cannot achieve this purpose without processing the personal data?

• How will you ensure that you do not process more personal data than is needed? Have you considered pseudonymizing or anonymizing the data?

•  How will you tell the individuals concerned that you are processing their personal data and give them the information required under the GDPR (e.g. privacy policies or notices)?

• Are you informing data subjects of their rights regarding your use of their personal data, e.g., to access the personal data or to object to your processing it? For more information about how the Cloud Services support data subjects’ rights, see How Google supports your DPIA. 

• Have you set maximum retention periods for the personal data? How are these justified, and what measures can you take to make sure the data is deleted when it should be?

• What data processors are you using to support your processing? Google Cloud will be one of your data processors, and you should document this in your DPIA. See How Google supports your DPIA for more information about Google and its subprocessors. 

• If you are sharing data with anyone (e.g. external companies or your own subsidiaries) based outside the European Economic Area (or countries with adequacy decisions like the UK), what safeguards do you have in place to protect the data in those third countries? For more information about Google Cloud’s safeguards for data transfers, see How Google supports your DPIA. 

• If the processing complies with a Code of Conduct approved by a data protection authority, you should take this into account. For information about Google’s adherence to the EU Cloud Code of Conduct, see How Google supports your DPIA.

3. Describing the risks and how you will manage them

Your DPIA should identify the risks to the rights and freedoms of individuals which could result from your data processing. 

Identifying these risks is a crucial part of the DPIA: your assessment of the actual impact of the data processing activity. The impact and risks are likely to vary depending on your organization’s activities, the nature of the personal data, and the individuals concerned. 

There are many ways to assess the data protection impact and risks, and the GDPR does not require any particular approach. Some data protection authorities have published materials and tools to help organizations carry out this assessment, which you may find helpful.

Below are some of the elements which are likely to form part of your assessment.

A) What potential risks should you consider?

Your DPIA should consider the negative impacts which could occur as a result of your project. It might help to put yourself in the position of the individuals whose personal data will be processed, and consider what could cause them to worry. 

Examples of potential risks include:

• Surprising or unexpected use of personal data for the individuals.

• Loss of control by individuals over their personal data.

• Discrimination or bias.

• Increased risk of identity theft or fraud.

• Invasion of people’s personal lives.

• Loss of confidentiality.

• Re-identification of pseudonymized data.

• Revealing sensitive information or information about vulnerable individuals (e.g. children).

• Collecting inaccurate information or making inaccurate assumptions about the individual.

In your assessment, you may also want to include your own risks as an organization, such as any risk of reputational damage, regulatory action, or loss of public trust.

Also consider the level of risk, taking into account both the likelihood and severity of the potential harm. For example, a risk may be very serious, but may be very unlikely in practice; on the other hand, a risk may be relatively minor, but have a high probability of occurring. It may be helpful to assign a numerical risk score, or use a red/amber/green ‘traffic light’ approach. 

B) What steps can you take to mitigate the risks?

Once you have assessed the level of risk, you should identify any steps you can take to mitigate those risks. Examples of mitigating steps include:

• Deciding not to collect some of the personal data.

• Pseudonymizing the data.

• Excluding vulnerable individuals from the dataset, where feasible.

• Implementing measures to ensure a level of security that is appropriate to the risk.

• Implementing internal data handling policies for staff.

• Training staff on how to use personal data.

• Taking additional steps to inform individuals about how the organization will be handling their personal data.

• Giving individuals a choice as to how their personal data will be used.

You do not need to entirely eliminate all risks. However, you should be able to reduce the overall risks to an acceptable level, in line with your obligations under the GDPR. When assessing the residual risks, you can take account of your project’s benefits, including benefits for the individuals. If the residual risks remain “high”, you may decide not to continue with the project, or that you need to consult with your data protection authority before proceeding further.

4. Gathering additional input

If your organization has a Data Protection Officer (DPO), it is mandatory under the GDPR for you to seek their advice when preparing a DPIA. You may also find it helpful to speak to other stakeholders in your organization, e.g., IT, compliance or legal teams. 

Depending on the nature of your project and the risks involved, you may also wish to seek input from the individuals whose data you will be processing. This input may take many forms, as appropriate for your project and location, e.g., speaking to your employees to answer any questions or concerns they may have; consulting with the employee representatives in your organization (e.g., a works council or committee, if you have one); or conducting some market research to find out the views of your end users (e.g., your customers if you are a retail organization). 

5. Documenting your conclusions

Once you have completed your assessment, your should record the following in your DPIA:

• The risks of the planned personal data processing that you have identified.

• The measures you will take to mitigate those risks.

• To what extent any residual risks remain, and the level of that residual risk.

• Whether you need to take any additional steps, such as consulting with your data protection authority.

If your DPIA concludes that you have been able to sufficiently mitigate the risks you identified, then you can choose to proceed without consulting your organization’s data protection authority.

However, if you decide that you are not able to reduce the residual risks to an acceptable level and so, based on your assessment, the processing still poses a “high risk”, then you must consult with your data protection authority before you start the processing. Alternatively, you may decide not to proceed with the project. 

We offer two template DPIAs: one for Google Workspace (including Google Workspace for Education) and one for Google Cloud:

• Template DPIA for Google Workspace

• Template DPIA for Google Cloud

These templates may be a useful tool to help you to think about, plan and conduct your DPIA. While they have been designed for use in relation to the Cloud Services, they do not (and cannot) anticipate all possible use cases our customers may have for the Cloud Services and, as such, are generic and should be treated as a suggested starting point. Additionally, the information they contain does not constitute legal advice. Remember that completing a DPIA is your responsibility as a data controller, and it needs to be specific to your planned use case(s) for the Cloud Services.

There is no set format for a DPIA and you can use any approach you choose, provided it complies with regulatory requirements. Some data protection authorities have published their own template DPIAs, so you may also want to have a look at their suggested formats.

To help our customers describe the relevant data processing, you can find below some information about the Cloud Services. You can also find links to additional materials about the Cloud Services which may be helpful in completing this section of your DPIA.

What personal data should your DPIA cover?

Your DPIA should cover any personal data that you process as a controller, and that falls within the definition of “Customer Personal Data” in our Cloud Data Processing Addendum (“CDPA”). 

As set out in Appendix 1 of the CDPA, the categories of personal data processed via the Cloud Services will encompass any data relating to individuals that is provided to Google, via the Cloud Services, by (or at the direction of) Customer or its End Users. 

In practice, this could include:

• Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description.

• Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, attendance records, performance appraisals, training records, and security records.

• Financial details, including information relating to the financial affairs of the data subject, including income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details, and pension information.

• Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, professional expertise, student and pupil records.

•  Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, driving license details.

• Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject’s lifestyle and social circumstances, including details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organizations.

• Any other personal data controlled by your organization.

Depending on your intended use of the Cloud Services, the personal data may include special categories of personal data, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data (where this is used for identification purposes); or data concerning health, sex life, or sexual orientation.

Additional information if Google processes Service Data as your processor

Separate from Google’s processing of Customer Personal Data, Google also processes Service Data when it provides the Cloud Services. Under the Google Cloud Privacy Notice, Service Data is the personal information Google collects or generates during the provision or administration of the Cloud Services, excluding Customer Data. 

Eligible Google Workspace for Education customers can enter into contract terms with Google (called the Google Workspace for Education Service Data Addendum) under which they will be controllers of Service Data, instructing Google as their processor of Service Data, with the exception of limited Service Data processing Google will continue to perform as a controller. Those customers may wish to use the parts of this Resource Center that have the same heading as this sub-section to address the use of Service Data in their DPIAs.

How can you describe the processing involved in your use of the Cloud Services?

When you describe the processing activities, it may help you to read our description of the services and features available as part of the Cloud Services.

• Google Workspace and Google Workspace for Education are productivity and collaboration tools. The services are described in the Google Workspace Services Summary (please navigate to the edition/SKU that is relevant to you). If you need more information about these services, see here for Google Workspace and here for Google Workspace for Education.

• Google Cloud comprises over 150 cloud computing, data analytics, and machine learning products. The services available to Google Cloud customers are described in the Google Cloud Services Summary. If you need more information about these services, see here.

What does using the Cloud Services mean for your data processing purposes?

Your DPIA should describe the purposes for which you (as a controller) instruct your processors to process personal data on your behalf.

Whatever your purposes may be, when you use the Cloud Services you engage Google Cloud to process Customer Personal Data on your behalf (in furtherance of one, or more, of your purposes). As a controller of that data, you instruct Google Cloud (as a processor) to process it in accordance with the applicable Cloud Services agreement (including the CDPA) and applicable law, only for the following purposes:

• To provide, secure, and monitor the Cloud Services and technical support services supplied under your Cloud Services agreement.

• As further specified via your use of the relevant Cloud Services and technical support services, or via any other written instructions given by you under the CDPA and acknowledged by Google as such.

Google will comply with your instructions under the CDPA (unless prohibited by European law) with respect to such processing.

Additional information if Google processes Service Data as your processor

If you are an eligible Google Workspace for Education customer and have chosen to accept the Google Workspace for Education Service Data Addendum, then the instructions Google Cloud (as a processor) will follow with respect to Service Data are set out in that Addendum.

What third parties will have access to personal data in the Cloud Services?

Your DPIA should indicate any third parties you will share personal data with:

• When you use the Cloud Services, you will be sharing Customer Personal Data with the Google contracting entity indicated in the CDPA, which will be a processor of that data. You can check the correct entity here.

• Google Cloud also uses subprocessors to perform limited activities in connection with the Cloud Services, such as technical support services, data center operations, or service maintenance. When you agree to our CDPA, you authorize the appointment of these third parties.

Note: You can find a list of the subprocessors (and information about what activities they perform) for Google Workspace (including Google Workspace for Education) here, and for Google Cloud here.

Where subprocessors are used, Google commits to ensure that:

• Each subprocessor only has access to Customer Data (including Customer Personal Data) within the scope of the limited activities subcontracted to it, and does so in accordance with the Cloud Services agreement between Google and the customer (including the CDPA).

• If the processing of Customer Personal Data is subject to the GDPR (or any other European data protection law), then the data protection obligations described in the CDPA are imposed on subprocessors.

• Our customers are given advance notice before a new subprocessor starts processing any Customer Data (including Customer Personal Data), including the subprocessor’s name and location, and the activities it will perform.

Additional information if Google processes Service Data as your processor

If you are an eligible Google Workspace for Education customer and have chosen to accept the Google Workspace for Education Service Data Addendum, then Google’s Subprocessors for Customer Personal Data will also be Subprocessors of Service Data, and subject to similar commitments for Service Data that are set out in that Addendum.

Where is the data stored and processed?

Given the global nature of our public cloud services, we maintain facilities in all regions (globally) to store and process Customer Data (including Customer Personal Data).

You can find out more information about the locations where Google and its subprocessors maintain facilities:

For Google Workspace (including Google Workspace for Education):

• Google’s facilities

• Subprocessors’ facilities 

For Google Cloud:

•  Google’s facilities

• Subprocessors’ facilities

More information about the infrastructure (e.g., hardware and networks) used for processing Customer Data (including Customer Personal Data) is available in our Security Infrastructure Design Overview, as well as:

• For Google Workspace (including Google Workspace for Education), in the Google Workspace Security whitepaper.

• For Google Cloud, in the Google security overview.

We also recognise that some customers want more choice and control over the location of their Customer Data:

• For Google Cloud: Customers may configure services listed here to store Customer Data at rest in a specific region or multi-region, as listed in the Cloud Locations Page. This commitment is reflected in the “Data Location” Section of the Google Cloud Service Specific Terms. Additionally, customers can also set up an Organization Policy that constrains the physical location of new resources for supported services.

• For Google Workspace (including Google Workspace for Education): Customers on qualifying editions can choose use our Data Regions feature which enables them to select a data region (e.g. Europe) to store their covered Customer Data (including backups) at rest. This feature currently applies to the Google Workspace core services and data set out here (which is reflected in the “Data Regions” Section of the Google Workspace Service Specific Terms).

Additional information if Google processes Service Data as your processor

For eligible Google Workspace for Education customers who have chosen to accept the Google Workspace for Education Service Data Addendum, the applicable information about our ‘Subprocessors’ facilities’ can be found at the relevant link in the Addendum.

How long does Google Cloud keep Customer Data?

Unless our customer deletes it earlier, Google Cloud will process the Customer Data both:

• For the duration of the Term of the CDPA (which will end when the provision of the Cloud Services ends).

• For a period after the end of the Term until the data is deleted. After a recovery period of up to 30 days, Google will delete the data as soon as reasonably practicable and within a maximum of 180 days, unless the law requires storage. If you wish to retain the data after the end of the Term, you can instruct Google to return it to you before the Term ends using built-in functionality, such as data export tools.

You can also delete the Customer Data at any point during the Term using the built-in functionality of the Cloud Services you use. When you use Cloud Services functionality to delete Customer Data, Google will delete the data as soon as reasonably practicable and within a maximum of 180 days, unless the law requires storage.

For more information about retention and deletion:

• For Google Workspace (including Google Workspace for Education), see our help center articles on Delete or remove a user from your organization and Delete your organization's Google Account.

• For Google Cloud, see our Data deletion on Google Cloud page.

Please note that you are responsible for copies of the data that you may choose to store outside Google’s or its subprocessors’ systems.

Additional information if Google processes Service Data as your processor

For eligible Google Workspace for Education customers who have chosen to accept the Google Workspace for Education Service Data Addendum, Google’s retention and deletion commitments with respect to Service Data are set out in that Addendum.

When assessing the necessity and proportionality of your processing, your DPIA will need to cover various aspects of your compliance with data protection principles.

While it is your responsibility as a controller to demonstrate compliance, the safeguards, features, and functionality built into the Cloud Services can support your assessment.

How can Google support your data minimization efforts?

In addition to any technical and organizational measures you have implemented to ensure that you only process the minimum amount of personal data needed to achieve your stated purposes, Google Cloud may make available certain features, functionality and resources that can help reduce the amount of personal data processed in the Cloud Services. See for example our Google Cloud documentation on De-identifying sensitive data and Pseudonymization.

How can Google help you comply with data subject rights?

As a controller of personal data, you are responsible for informing individuals of their rights relating to their personal data (e.g., the rights of access, erasure and portability), and for responding to any requests you receive from individuals exercising those rights.

To help you comply with your obligations, Google will enable you, consistent with the functionality of the Cloud Services, to delete, access, export, rectify, or restrict processing of Customer Data (including Customer Personal Data).

If Google’s Cloud Data Protection Team receives a request from an individual that relates to Customer Personal Data and identifies your organization, Google will advise that individual to submit their request to you. Google will notify you promptly that it has received the request and will not otherwise respond to it without your authorization. 

For Google Workspace (including Google Workspace for Education), the Google Workspace Data Subject Requests (DSR) Guide provides more information on how you can use those services to help you respond to requests from data subjects.

Additional information if Google processes Service Data as your processor

For eligible Google Workspace for Education customers who have chosen to accept the Google Workspace for Education Service Data Addendum, Google also offers the commitments outlined in this section for Service Data that Google processes as a processor.

What safeguards are in place for international data transfers?

Both you (as the controller) and Google (as the processor) are responsible for ensuring that any transfers of Customer Personal Data (and Service Data, for eligible Google Workspace for Education customers who have chosen to accept the Google Workspace for Education Service Data Addendum) to countries outside the European Economic Area (that do not have adequacy decisions) comply with the GDPR’s requirements on data transfers. These are commonly referred to as “third countries”. 

Unless Google has adopted an Alternative Transfer Solution (for example, the EU-U.S. Data Privacy Framework, or “DPF”), then, where data is transferred to a third country, we rely on the EU Commission’s approved Standard Contractual Clauses (SCCs), as described in our Google Cloud’s Approach to European Standard Contractual Clauses whitepaper. In particular, you may wish to review the section of the whitepaper headed “Google Cloud’s Updated Approach to SCCs” to understand which SCC module(s) are applicable with respect to relevant transfers of Customer Personal Data. Our contractual commitments in respect of transfers of Customer Personal Data to third countries are set out in the “Data Processing Locations” Section of the CDPA. 

We also provide additional information about the technical, legal, and organizational safeguards Google has put in place to protect international data transfers:

• For Google Workspace (including Google Workspace for Education), see our Safeguards for International Data Transfers with Google Workspace and Google Workspace for Education whitepaper.

• For Google Cloud, see our Safeguards for International Data Transfers with Google Cloud whitepaper.

These whitepapers include information about United States law and its applicability to the Cloud Services, to help customers with any risk assessments they may need to complete in light of the Court of Justice of the European Union's ruling known as “Schrems II”. 

On the matter of Alternative Transfer Solutions, we welcome the DPF and are working to adopt it for transfers of EU personal data to the U.S. We will inform our customers, as required by the CDPA, when we adopt the DPF as an Alternative Transfer Solution, and we aim to do so in the near future. Once we have adopted the DPF as an Alternative Transfer Solution, we will ensure that the relevant international data transfers are made in accordance with it. 

Does Google comply with an approved Code of Conduct?

Google adheres to the EU GDPR Cloud Code of Conduct with respect to the Cloud Services. 

The Cloud Code of Conduct is a mechanism for cloud providers to demonstrate how they offer sufficient guarantees to implement appropriate technical and organizational measures as processors under the GDPR. See here to find out which Cloud Services are in scope. 

The Cloud Code of Conduct was approved by the Belgian Data Protection Authority on 20 May 2021, based on a positive opinion by the European Data Protection Board. 

Once you have assessed the risks of your processing, your DPIA should explain how you plan to mitigate those risks. This typically means showing that you have put in place technical and organizational measures appropriate to the risks involved, including data security measures.

When you use the Cloud Services, the processing of Customer Data benefits from:

• Industry-leading security measures implemented and maintained by Google.

• Additional security resources, features, functionality and/or controls available to Cloud Services users, which you may use at your option.

• Contractual commitments from Google as to technical, organizational and physical measures. 

Additional information if Google processes Service Data as your processor

For eligible Google Workspace for Education customers who have chosen to accept the Google Workspace for Education Service Data Addendum, this also includes equivalent contractual commitments on security measures for Service Data that Google processes as a processor. 

When you enter into the CDPA, you agree that these measures provide an appropriate level of security in light of the risks involved in your processing.

What security measures does Google maintain for the Cloud Services?

As a cloud innovator, Google understands security in the cloud. We make security a top priority in our operations, and the Cloud Services are designed to deliver better security than many on-premises approaches.

Security drives Google’s organizational structure, culture, training priorities, and hiring processes. It shapes the design of our data centers and the technology that they house. It is central to our everyday operations, and it is prioritized in the way we handle both Customer Data and Service Data. It also influences the certifications and audit reports we maintain.

You can check Google’s Security Infrastructure Design Overview for more information on how our globally scaled technical infrastructure is designed to provide secure deployment of the Cloud Services, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.

You can also find more specific information about technical and organizational measures maintained by Google:

• For Google Workspace (including Google Workspace for Education), see the Google Workspace Security Whitepaper. 

• For Google Cloud, see the Google Security Overview and Google Cloud Security Whitepapers. 

Additional resources about Google’s technical and organizational security measures for the Cloud Services are available at our Security Best Practices Center and Privacy Resource Center.

What optional security controls can you apply to your use of the Cloud Services?

Google also offers optional additional security controls to help Cloud Services customers meet their security and compliance needs. These are security resources, features, functionality, and controls that customers may use at their option, including the Admin Console, encryption solutions, logging and monitoring tools, and identity and access management.

You can find more information about how your organization can configure the Cloud Services, features, and functionality:

• For Google Workspace (including Google Workspace for Education), our Data Protection Implementation Guides for Google Workspace and Google Workspace for Education provide information on how customers can use and configure the relevant services and settings.

• For Google Cloud, our Google Cloud Architecture Framework sets out best practices and implementation recommendations, and can help customers design their Google Cloud deployment to match their business needs.

We have other resources available to help you meet your security and compliance needs at our Security Best Practices Center and Privacy Resource Center.

What contractual and other commitments does Google provide?

The CDPA sets out Google’s contractual commitments in respect of Customer Data, including Customer Personal Data. Google commits to (among other things) implement and maintain technical, organizational and physical measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

These measures are described in more detail in Appendix 2 of the CDPA, and include commitments as to data center and network security, access and site controls, data security, personnel security, and subprocessor security.

Additionally, our Google Cloud Enterprise Privacy Commitments describe, in more general terms, how we help protect the data of customers who use our Cloud Services:

1. You control your data: Customer Data is your data, not Google’s. We only process your data according to your agreement(s).

2. We never use your data for ads targeting: We do not process your Customer Data to create ads profiles or improve Google Ads products.

3. We are transparent about data collection and use: We’re committed to transparency, compliance with regulations like the GDPR, and privacy best practices.

4. We never sell Customer Data or Service Data: We never sell Customer Data or Service Data to third parties.

5. Security and privacy are primary design criteria for all of our products: Prioritizing the privacy of our customers means protecting the data you trust us with. We build the strongest security technologies into our products.

Additional information if Google processes Service Data as your processor

If you are a Google Workspace for Education customer and have chosen to accept the Google Workspace for Education Service Data Addendum, Google’s contractual commitments for Service Data it processes as a processor are set out in that Addendum.

How does Google handle requests from law enforcement agencies?

Google has developed a transparent and thorough process that meets international best practices when it comes to data access requests from law enforcement agencies and governments. Google Cloud provides a response on a case-by-case basis, taking into account different circumstances and informed by legal requirements, customer agreements, and privacy policies. 

The process Google Cloud will follow with respect to any such requests is described in our Government Requests for Cloud Customer Data whitepaper.

Additionally, our Transparency Report discloses, where permitted by applicable law, the number of requests made by law enforcement agencies and government bodies for Enterprise Cloud customer information. 

How does Google Cloud demonstrate compliance?

The Cloud Services regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations, and audit reports to demonstrate compliance. Customers can directly access and download various certifications (including ISO 27001, 27017, 27018 and 27701), audit reports (including SOC 1, 2 and 3) and other relevant resources via our Compliance Reports Manager. 

Additionally, and in demonstration of our ongoing commitment to protecting Service Data, we have expanded the scope of our ISO 27001, 27017, 27018 and 27701 certifications to also include Service Data (where we act as a processor of that data), for relevant Google Workspace services. 

Further, as mentioned above, Google adheres to the EU GDPR Cloud Code of Conduct, a mechanism for cloud providers to demonstrate how they offer sufficient guarantees to implement appropriate technical and organizational measures as processors under the GDPR.