Google Cloud & the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is privacy legislation that, on May 25, 2018, replaced the Data Protection Directive 95/46/EC of 24 October 1995. GDPR lays out specific requirements for businesses and organizations that are established in Europe or that serve users in Europe. It:
- Regulates how businesses can collect, use, and store personal data
- Builds upon current documentation and reporting requirements to increase accountability
- Authorizes fines on businesses that fail to meet its requirements
At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of customer personal data, and want you, as a Google Cloud customer, to feel confident using our services in light of GDPR requirements. If you partner with Google Cloud, we will support your GDPR compliance efforts by:
- Committing in our contracts to comply with the GDPR in relation to our processing of customer personal data in all Google Cloud Platform and Google Workspace services
- Offering additional security features that may help you to better protect the personal data that is most sensitive
- Giving you the documentation and resources to assist you in your privacy assessment of our services
- Continuing to evolve our capabilities as the regulatory landscape changes
Answers to Frequently Asked Questions about Google Cloud and GDPR
Does the GDPR require storage of personal data in the EU?
No. Like the 95/46/EC Directive on Data Protection, the GDPR sets out certain conditions for the transfer of personal data outside of the EU. Such conditions can be met via mechanisms such as standard contract clauses.
How do your terms reflect the GDPR requirements?
For many years, Google Cloud has offered data processing terms that clearly articulate our privacy and security commitment to customers, and we have evolved those terms to reflect the GDPR. Our GDPR-updated terms notably reflect the provisions of Article 28 of the GDPR governing the use of a data processor by a data controller.
Does the GDPR give customers the right to audit Google Cloud?
Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors. Our updated data processing agreements include audit rights for the benefit of customers who are subject to the GDPR.
What role do third-party ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 and SOC 2/3 reports play in compliance with the GDPR?
Our third-party ISO/IEC certifications and SOC 2/3 audit reports can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organisational measures are in place. Our ISO/IEC 27701 certification provides greater clarity on privacy-related roles and responsibilities, which can facilitate efforts to comply with privacy regulations, including the GDPR.
How does Google Cloud support International Data Transfers in the Cloud?
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the Japanese Act on the Protection of Personal Information (APPI) and the Swiss Data Protection Act.
Where personal data will be transferred outside of the EU to third countries not covered by adequacy decisions, we commit under our data processing agreements to maintain a mechanism that will facilitate these transfers as required by the GDPR. In 2017, we gained confirmation of compliance from European Data Protection Authorities for our standard contract clauses, affirming that our contractual commitments for Google Workspace and Google Cloud Platform met the requirements to legally frame transfers of personal data from the EU to third countries that do not provide adequate protection.
Now that Privacy Shield has been invalidated, can I still use Google Cloud and meet GDPR requirements if I handle EU personal data?
While Google will continue to review the impact of the Court of Justice of the European Union (CJEU) case C-311/18, one thing remains unchanged: Google will take appropriate steps to ensure we maintain a high level of privacy protection for EU citizens.
Google Cloud offers Standard Contractual Clauses (SCCs) to our customers, which will be automatically deemed to apply in the absence of any alternate transfer solution made available by Google. Regardless of the location of the data, data protection remains a priority for Google. See the Safeguards for International Data Transfers with Google Cloud Whitepaper for more information.
We are certified against recognised international standards such as ISO/IEC 27001, ISO/IEC 27018 and ISO/IEC 27017. The complete listing of Google’s compliance offerings can be found on the compliance resource center.
What other information and resources has Google provided on the GDPR?
Where can I find other European Privacy Resources?
Disclaimer: The content contained herein is correct as of August 2021 and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers. When referring to Google Workspace, we also refer to Google Workspace for Education. We are bringing Google Workspace to our education and nonprofit customers in the coming months.