Google Cloud & the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is privacy legislation that, on May 25, 2018, replaced the 95/46/EC Directive on Data Protection of 24 October 1995. GDPR lays out specific requirements for businesses and organizations that are established in Europe or that serve users in Europe. It:
- Regulates how businesses can collect, use, and store personal data
- Builds upon current documentation and reporting requirements to increase accountability
- Authorizes fines on businesses that fail to meet its requirements
At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of customer personal data, and want you, as a Google Cloud customer, to feel confident using our services in light of GDPR requirements. If you partner with Google Cloud, we will support your GDPR compliance efforts by:
- Committing in our contracts to comply with the GDPR in relation to our processing of customer personal data in all Google Cloud and Google Workspace services
- Offering additional security features that may help you to better protect the personal data that is most sensitive
- Giving you the documentation and resources to assist you in your privacy assessment of our services
- Continuing to evolve our capabilities as the regulatory landscape changes
Google Workspace & Google Cloud Commitments to the GDPR
Data controllers must use data processors with appropriate technical and organisational measures. When conducting your GDPR assessment of Google Cloud, consider the following:
Data Protection Expertise
Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This expert team is tasked with maintaining the company’s defense systems, developing security review processes, building stronger security infrastructure, and precisely implementing Google’s security policies.
Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google Cloud.
These teams work with customers, industry stakeholders, and supervisory authorities to ensure our Google Workspace and Google Cloud services can help customers meet their compliance needs.
Data Processing Agreements
Our data processing agreements for Google Workspace and Google Cloud clearly articulate our privacy commitment to customers. We have evolved these terms over the years based on feedback from our customers and regulators.
We specifically updated these terms to reflect the GDPR and to facilitate our customers' compliance assessment and GDPR readiness when using Google Cloud services. Learn more about the Google Workspace Data Processing Amendment, the Google Workspace EU Standard Contract Clauses, the Google Cloud Data Processing and Security Terms, and the Google Cloud EU Standard Contract Clauses (SCCs).
Our customers can enter into these updated data processing terms via the opt-in process described for the Google Workspace Data Processing Amendment and the Google Cloud Data Processing and Security Terms.
Processing According to Instructions
Any data that a customer and its users put into our
systems will only be processed in accordance with
the customer’s instructions, as described in our
GDPR-updated data processing agreements.
Personnel Confidentiality Commitments
All Google employees are required to sign a
confidentiality agreement and complete mandatory
confidentiality and privacy trainings, as well as
our Code of Conduct training. Google’s Code of
Conduct specifically addresses responsibilities and
expected behavior with respect to the protection of
information.
Google Group companies directly conduct the
majority of data processing activities required to
provide the Google Workspace and Google Cloud
services. However, we do engage some third-party
vendors to assist in supporting these services. Each
vendor goes through a rigorous selection process to
ensure it has the required technical expertise and
can deliver the appropriate level of security and
privacy.
We make information available about Google Group subprocessors supporting Google Workspace and Google Cloud services, as well as third-party subprocessors involved in those services. See here for Google Workspace subprocessor details, and here for Google Cloud subprocessor details. We also include commitments relating to subprocessors in our data processing agreements.
According to the GDPR, appropriate technical and
organisational measures shall be implemented to
ensure a level of security appropriate to the risk.
Google operates a global infrastructure designed to
provide state-of-the-art security through the entire
information processing lifecycle. This
infrastructure is built to provide secure deployment
of services, secure storage of data with end-user
privacy safeguards, secure communications between
services, secure and private communication with
customers over the Internet, and safe operation by
administrators. Google Workspace and Google Cloud
run on this infrastructure.
We designed the security of our infrastructure in
layers that build upon one another, from the
physical security of data centers, to the security
protections of our hardware and software, to the
processes we use to support operational security.
This layered protection creates a strong security
foundation for everything we do. A detailed
discussion of our infrastructure security can be
found in the
Google Infrastructure Security Design Overview Whitepaper.
Availability, Integrity & Resilience
Google designs the components of our platform to be
highly redundant. Google’s data centers are
geographically distributed to minimize the effects
of regional disruptions, such as natural disasters and
local outages, on global products. In the event of
hardware, software, or network failure, services are
automatically and instantly shifted from one
facility to another so that operations can continue
without interruption. Our highly redundant
infrastructure helps customers protect themselves
from data loss.
Equipment Testing and Security
Google utilizes barcodes and asset tags to track
the status and location of data center equipment
from acquisition to installation, retirement, and
destruction. If a component fails to pass a
performance test at any point during its lifecycle,
it is removed from inventory and retired. Google
hard drives leverage technologies, such as Full Disk
Encryption (FDE) and drive locking, to protect data
at rest.
Disaster Recovery Testing
Google conducts disaster recovery testing on an
annual basis to provide a coordinated venue for
infrastructure and application teams to test
communication plans, fail-over scenarios,
operational transition, and other emergency
responses. All teams that participate in the
disaster recovery exercise develop testing plans and
post mortems which document the results and lessons
learned from the tests.
Encryption
Google uses encryption to protect data in transit
and at rest. Google Workspace data in transit
between regions is protected using HTTPS, which is
activated by default for all users. Google Workspace
and Google Cloud services encrypt customer content
stored at rest, without any action required from
customers, using one or more encryption mechanisms.
A detailed discussion of how we encrypt data can be
found in these resources: Workspace Encryption Whitepaper, and Google Cloud Encryption in transit and at rest.
Access Controls
For Google employees, access rights and levels are
based on job function and role, using the concepts
of least-privilege and need-to-know to match access
privileges to defined responsibilities. Requests for
additional access follow a formal process that
involves a request and an approval from a data or
system owner, manager, or other executives, as
dictated by Google’s security policies. Data centers
that house Google Cloud systems and infrastructure
components are subject to physical access
restrictions and equipped with 24 x 7 on-site
security personnel, security guards, access badges,
biometric identification mechanisms, physical locks
and video cameras to monitor the interior and
exterior of the facility.
Incident Management
Google has a dedicated security team responsible
for security and privacy of customer data and
managing security 24 hours a day and 7 days a week
worldwide. Individuals from this team receive
incident-related notifications and are responsible
for helping resolve emergencies 24 x 7. Incident
response policies are in place and procedures for
resolving critical incidents are documented.
Information from these events is used to help
prevent future incidents and can be used as examples
for information security training. Google incident
management processes and response workflows are
documented. Google’s incident management processes
are tested on a regular basis as part of our ISO/IEC
27017, ISO/IEC 27018, ISO/IEC 27001,
PCI-DSS[1],
SOC 2 and FedRAMP programs to provide our customers
and regulators with independent verification of our
security, privacy, and compliance controls. More
information on our incident response process can be
found in
our Data incident response process whitepaper.
Vulnerability Management
We scan for software vulnerabilities using a
combination of commercially available and
purpose-built in-house tools, intensive automated
and manual penetration testing, quality assurance
processes, software security reviews, and external
audits. We also rely on the broader security
research community and greatly value their help
identifying any vulnerabilities in Google Workspace,
Google Cloud, and other Google products. Our
Vulnerability Reward Program encourages researchers
to report design and implementation issues that may
put customer data at risk.
Product Security: Google Workspace
Google Workspace customers can leverage product
features and configurations to further protect
personal data against unauthorised or unlawful
processing:
Google Workspace Core Services,
including Gmail, Google Admin Console, Calendar,
Drive, Docs, Keep, Sites, Jamboard, Hangouts, Chat,
Meet, Cloud Search and Google Groups offer
configurable settings to help ensure that your
organization’s data is secured, used, and accessed
according to your unique requirements.
2-step verification reduces
the risk of unauthorized access by asking users for
additional proof of identity when signing
in.
Security key enforcement offers
another layer of security for user accounts by
requiring a physical
key.
The Advanced Protection Program is
our strongest protection for users at risk of
targeted online attacks.
Suspicious Login Monitoring detects
suspicious logins using robust machine learning
capabilities.
Enhanced email security requires
email messages to be signed and encrypted using
Secure/Multipurpose Internet Mail Extensions
(S/MIME).
Encryption:
Google Workspace customers' data is encrypted when
it's on a disk, stored on backup media, moving over
the Internet, or traveling between data centers.
Data loss prevention (DLP) protects
sensitive information within Gmail and Drive from
unauthorized sharing.
Advanced phishing and malware protection protects
against suspicious attachments and scripts from
untrusted senders, as well as malicious links and
images.
Information rights management
in Drive allows you to disable downloading,
printing, and copying of files from the advanced
sharing menu, and to set expiration dates on file
access.
Endpoint management offers
continuous system monitoring and alerts in case of
suspicious device activity.
Alert Center is
a place to view essential notifications, alerts, and
actions across Google Workspace. Insights around
these potential alerts can help administrators
assess their organization's exposure to security
issues.
Security Center brings
together security analytics, best practice
recommendations and integrated remediation to
protect your organization’s data, devices and users.
It provides you with visibility into external file
sharing, spam and malware targeting users within
your organization, and integrated remediation via
the investigation tool.
Context-aware access can
enforce granular access controls on Google Workspace
apps, based on a user’s identity and context of the
request.
Google Vault lets
you retain, archive, search, and export your
organization's email, Google Drive file content and
on-the-record chats for your eDiscovery and
compliance needs.
App access control
governs access to Google Workspace services using
OAuth 2.0. Organizations can control which
third-party and internal apps can access Google
Workspace data, and find more details about any
third-party apps already in use.
Data Regions
lets you store your covered data in a specific
geographic location by using a data region policy.
Access Transparency lets
you review logs of actions taken by Google staff
when accessing user content.
To learn more, please
visit https://workspace.google.com/security
Product Security: Google Cloud
Google Cloud customers can leverage product
features and configurations to further protect
personal data against unauthorised or unlawful
processing:
Encryption in transit between regions
is applied by default on Google Cloud to encrypt
requests before transmission and to protect the raw
data using the Transport Layer Security (TLS)
protocol. Once data is transferred to Google Cloud
to be stored, Google Cloud applies
encryption at rest
by default.
2-step verification reduces
the risk of unauthorized access by asking users for
additional proof of identity when signing
in.
Security key enforcement
offers another layer of security for user accounts
by requiring a physical key.
Cloud Identity and Access Management (Cloud IAM)
allows you to create and manage fine-grained access
and modification permissions for Google Cloud
resources.
Data Loss Prevention API,
part of Sensitive Data Protection (a family of
services designed to help you discover, classify,
and protect your most sensitive data), helps to
identify and monitor the processing of special
categories of personal data in order to implement
adequate controls.
Cloud Logging and Cloud Monitoring
integrate logging, monitoring, alerting, and anomaly
detection systems into Google Cloud.
Cloud Identity-Aware Proxy
(Cloud IAP) controls access to cloud applications
running on Google Cloud.
Cloud Security Scanner
scans for and detects common vulnerabilities in
Google App Engine applications.
VPC Service Controls
provide perimeter protection for services that store
highly sensitive data to enable service-level data
segmentation.
Cloud KMS and HSM
allow for management of encryption keys and
cryptographic operations from within a cluster of
FIPS 140-2 Level 3 certified Hardware Security
Modules (HSMs). KMS allows customers to use
Google-managed or customer-managed encryption keys
as required to fulfill compliance requirements.
Cloud Security Command Center
allows customers to view and monitor an inventory of
their cloud assets, scan storage systems for
sensitive data, detect common web vulnerabilities,
and review access rights to their critical resources
from a single, centralized dashboard.
Access Approval
requires Google administrators to seek explicit
customer approval before Google can access data. It
works by sending customers an email and/or Cloud
Pub/Sub message with an access request that the
customer is able to approve. Using the information
in the message, customers can use the Google Cloud
console or the Access Approval API to approve the
access.
To learn more, please
visit https://cloud.google.com/security/
[1] For Google Cloud only.
Administrators can export customer data, via the
functionality of
the Google Workspace
or Google Cloud services (consult
Google Cloud documentation for
further information), at any time during the term of
the agreement. We have included data export
commitments in our data processing terms for several
years, and will continue to work to enhance our data
export capabilities, making it even easier for you
to download a copy of your customer data
from Google Workspace
and Google Cloud services.
You can also delete customer data, via the
functionality of the Google Workspace or Google
Cloud services, at any time. When Google receives a
complete deletion instruction from you (such as when
an email you have deleted can no longer be recovered
from your “trash”), Google will delete the relevant
customer data from all of its systems within a
maximum period of 180 days unless retention
obligations apply.
Data Subject's Rights
Data controllers can use the Google Workspace and
Google Cloud administrative consoles and services
functionality to help access, rectify, restrict the
processing of, or delete any data that they and
their users put into our systems. This functionality
will help them fulfill their obligations to respond
to requests from data subjects to exercise their
rights under the GDPR.
Data Protection Team
Google has designated a DPO for Google LLC and its
subsidiaries, to cover data processing subject to
the GDPR, including as part of our Cloud products
and services. Kristie Chon Flynn is Google's Data
Protection Officer. Kristie Chon Flynn is based in
Sunnyvale in the U.S.
Where required, Google Cloud products have
designated teams to address customer inquiries in
relation to data protection. The way to contact
these teams is described in the relevant agreement.
For Google Workspace the Cloud Data Protection Team
can be contacted by Customer’s administrators
at https://support.google.com/a/contact/googlecloud_dpr
(while administrators are signed in to their admin
account) and/or directly by providing a notice to
Google as described in the applicable agreement. For
Google Cloud, that team can be contacted at
https://support.google.com/cloud/contact/dpo.
Incident Notifications
Google Workspace and Google Cloud have provided
contractual commitments around incident notification
for many years. We will continue to promptly inform
you of incidents involving your customer data in
line with the data incident terms in our current
agreements.
The GDPR provides for several mechanisms to
facilitate transfers of personal data outside of the
EU. These mechanisms are aimed at confirming an
adequate level of protection or ensuring the
implementation of appropriate safeguards when
personal data is transferred to a third country.
An adequate level of protection can be confirmed by
adequacy decisions such as the ones that support the
Japanese Act on the Protection of Personal
Information (APPI) and the Swiss Data Protection
Act.
Where personal data will be transferred outside of
the EU to third countries not covered by adequacy
decisions, we commit under our data processing
agreements to maintain a mechanism that will
facilitate these transfers as required by the GDPR.
In 2017, we gained confirmation of compliance from
European Data Protection Authorities for our
standard contract clauses, affirming that our
contractual commitments for Google Workspace and
Google Cloud met the requirements to legally frame
transfers of personal data from the EU to the third
countries that do not provide adequate protection.
Our customers and regulators expect independent
verification of security, privacy, and compliance
controls. Google Workspace and Google Cloud undergo
several independent third-party audits on a regular
basis to provide this assurance.
ISO/IEC 27001 (Information Security Management)
ISO/IEC 27001 is one of the most widely recognized,
internationally accepted independent security
standards. Google has earned ISO/IEC 27001
certification for the systems, applications, people,
technology, processes, and data centers that make up
our
shared Common Infrastructure
as well as for Google Workspace and Google
Cloud products. You can access these
certificates via
Compliance reports manager.
ISO/IEC 27017 (Cloud Security)
ISO/IEC 27017 is an international standard of
practice for information security controls based on
ISO/IEC 27002, specifically for Cloud Services.
Google has been certified compliant with ISO/IEC
27017 for Google Workspace and Google Cloud. You can
access these certificates via
Compliance reports manager.
ISO/IEC 27018 (Cloud Privacy)
ISO/IEC 27018 is an international standard of
practice for protection of personally identifiable
information (PII) in Public Cloud Services. Google
has been certified compliant with ISO/IEC 27018 for
Google Workspace and Google Cloud. You can access
these certificates via
Compliance reports manager.
ISO/IEC 27701 (Privacy Information Management)
ISO/IEC 27701 is a global privacy standard that
focuses on the collection and processing of
personally identifiable information (PII). This
standard extends the requirements of ISO/IEC 27001
and ISO/IEC 27002 to include data privacy. We have
received accredited ISO/IEC 27701 certification as a
PII processor for both Google Workspace and Google
Cloud. You can access these certificates via
Compliance reports manager.
SSAE18/ISAE 3402 (SOC 2/3)
The American Institute of Certified Public
Accountants (AICPA) SOC 2 (Service Organization
Controls) and SOC 3 audit framework defines Trust
Principles and criteria for security, availability,
processing integrity, and confidentiality. Google
has both SOC 2 and SOC 3 reports for Google
Workspace and Google Cloud. You can access these
certificates via
Compliance reports manager.
Assessing Google Cloud based on Article 28
Article 28 of the GDPR lays out the requirements of a
data processor who processes data on behalf of the data
controller. See how our terms reflect these
requirements.
Google Cloud - Cloud Data Processing Addendum (CDPA)
Definitions | Section 2.1
Data Security | Section 7.1.2
Data Security | Section 7.3.1 (b)
Data Transfers | Section 10.1
Subprocessors | Section 11
Third-Party Beneficiary | Section 14
Google Cloud - EU Standard Contract Clauses (SCC)
SCCs (EU Controller-to-Processor) | Annex II, Annex III
SCCs (EU Processor-to-Controller) | N/A
SCCs (EU Processor-to-Processor) | Annex II, Annex III
SCCs (EU Processor-to-Processor, Google Exporter) | Annex II, Annex III
SCCs (UK Controller-to-Processor) | Clause 1, Clause 3.3, Clause 4 (g) and (i), Clause 5 (i) and (j), Clause 6, Clause 8, Clause 11, Clause 12, Appendix 1, Appendix 2.5
Related content:
Google Cloud Subprocessors
Google Workspace - Cloud Data Processing Addendum (CDPA)
Definitions | Section 2.1
Data Security | Section 7.1.2
Data Security | Section 7.3.1 (b)
Data Transfers | Section 10.1
Subprocessors | Section 11
Third-Party Beneficiary | Section 14
Security Measures | Appendix 2.1–2.5
Google Workspace - EU Standard Contract Clauses (SCC)
SCCs (EU Controller-to-Processor) | Annex II, Annex III
SCCs (EU Processor-to-Controller) | N/A
SCCs (EU Processor-to-Processor) | Annex II, Annex III
SCCs (EU Processor-to-Processor, Google Exporter) | Annex II, Annex III
SCCs (UK Controller-to-Processor) | Clause 1, Clause 3.3, Clause 4 (g) and (i), Clause 5 (i) and (j), Clause 6, Clause 8, Clause 11, Clause 12, Appendix 1, Appendix 2.5
Related content:
Google Workspace Subprocessors Agreement
Google Cloud - Cloud Data Processing Addendum (CDPA)
Entire Data Processing and Security Terms
Google Cloud - Cloud Data Processing Addendum (CDPA)
Processing of Data | Section 5.2
Google Cloud - EU Standard Contract Clauses (SCC)
Google Workspace - Cloud Data Processing Addendum (CDPA)
Section 5.2 | Processing of Data
Google Workspace - EU Standard Contract Clauses (SCC)
Clause 5 (a) and (b) | Obligations of the Data Importer
Google Cloud - Google Cloud Terms of Services
Confidential Information | Section 7
Google Cloud - Cloud Data Processing Addendum (CDPA)
Data Security | Section 7.1.2
Data Security | Section 7.5.3
Personnel Security | Appendix 2.4
Google Cloud - EU Standard Contract Clauses (SCC)
Obligations of the Data Importer | Clause 5
Google Workspace - Google Workspace Agreement
Confidential Information | Section 6
Google Workspace - Cloud Data Processing Addendum (CDPA)
Data Security | Section 7.1.2
Data Security | Section 7.5.3
Personnel Security | Appendix 2.4
Google Workspace - EU Standard Contract Clauses (SCC)
Google Cloud - Cloud Data Processing Addendum (CDPA)
Data Security | Section 7
Security Measures | Appendix 2
Google Cloud - EU Standard Contract Clauses (SCC)
Google Workspace - Cloud Data Processing Addendum (CDPA)
Data Security | Section 7
Security Measures | Appendix 2
Google Workspace - EU Standard Contract Clauses (SCC)
Related content:
Google Cloud Security & Compliance Whitepaper
Google Cloud - Cloud Data Processing Addendum (CDPA)
Data Deletion | Section 6
Data Subject Rights; Data Export | Section 9.1
Google Cloud - EU Standard Contract Clauses (SCC)
Google Workspace - Cloud Data Processing Addendum (CDPA)
Data Deletion | Section 6
Data Subject Rights; Data Export | Section 9.1
Google Workspace - EU Standard Contract Clauses (SCC)
Google Cloud - Cloud Data Processing Addendum (CDPA)
Data Security | Section 7.4
Related content:
Google Cloud Compliance
Google Workspace - Cloud Data Processing Addendum (CDPA)
Data Security | Section 7.4
Related content:
Google Cloud Compliance
Disclaimer: The content contained herein is correct as of August 2021 and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers. When referring to Google Workspace, we also refer to Google Workspace for Education. We are bringing Google Workspace to our education and nonprofit customers in the coming months.