Google Cloud & the General Data Protection Regulation (GDPR)

Compliance with the GDPR is a top priority for Google Cloud and our customers. The GDPR aims to strengthen personal data protection in Europe, and impacts the way we all do business. We’re sure you have many questions, and we’re here to help. Google Cloud takes a customer-centric approach on protection, control, and compliance, and we want to be a key facilitator on your GDPR journey.

Related resources:

  • Google Cloud and the GDPR Whitepaper
  • Google Cloud GDPR Quick Reference Guide
  • G Suite Data Protection Implementation Guide
  • GDPR Resource Center

What is the GDPR?

The GDPR, which went into effect on May 25, 2018, replaced the 1995 EU Data Protection Directive.

The GDPR lays out specific requirements for businesses and organizations that are established in Europe or that serve users in Europe. It:

  • Regulates how businesses can collect, use, and store personal data
  • Builds upon current documentation and reporting requirements to increase accountability
  • Authorizes fines on businesses that fail to meet its requirements

What we’re doing

At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of user data. We’ve made multiple updates to ensure that Google Cloud customers can confidently use our services now that the GDPR is in effect. Partner with Google Cloud and we will support your efforts by:

  1. Committing in our contracts to comply with the GDPR in relation to our processing of customer personal data in all Google Cloud Platform and G Suite services
  2. Offering additional security features that may help you to better protect the personal data that is most sensitive
  3. Giving you the documentation and resources to assist you in your privacy assessment of our services
  4. Continuing to evolve our capabilities as the regulatory landscape changes

G Suite & Google Cloud Platform Commitments to the GDPR

Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. When conducting your assessment of G Suite and Google Cloud Platform services, you may want to consider the following:

  • Expert Knowledge, Reliability & Resources
  • Data Protection Commitments
  • Use of Subprocessors
  • Security of the Services
  • Data Return & Deletion
  • Assistance to the Controller
  • International Data Transfers
  • Standards & Certifications

Expert Knowledge, Reliability & Resources

Data Protection Expertise

Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This expert team is tasked with maintaining the company’s defense systems, developing security review processes, building stronger security infrastructure, and precisely implementing Google’s security policies.

Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google Cloud.

These teams work with customers, industry stakeholders, and supervisory authorities to ensure our G Suite and Google Cloud Platform services can help customers meet their compliance needs.

Data Protection Commitments

Data Processing Agreements

Our data processing agreements for G Suite and Google Cloud Platform clearly articulate our privacy commitment to customers. We have evolved these terms over the years based on feedback from our customers and regulators.

More recently, we have specifically updated these terms to reflect the GDPR, and made these updated terms available well in advance of the GDPR’s entry into force to facilitate our customers’ compliance assessment and GDPR readiness when using Google Cloud services.

Our customers can enter into these updated data processing terms via the opt-in process described here for the G Suite Data Processing Amendment and here for the GCP Data Processing and Security Terms.

Processing According to Instructions

Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our GDPR-updated data processing agreements.

Personnel Confidentiality Commitments

All Google employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as our Code of Conduct training. Google’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.

Use of Subprocessors

Google Group companies directly conduct the majority of data processing activities required to provide the G Suite and Google Cloud Platform services. However, we do engage some third-party vendors to assist in supporting these services. Each vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.

We make information available about Google group subprocessors supporting G Suite and Google Cloud Platform services, as well as third-party subprocessors involved in those services, and we include commitments relating to subprocessors in our data processing agreements.

Security of the Services

According to the GDPR, appropriate technical and organisational measures shall be implemented to ensure a level of security appropriate to the risk.

Google operates a global infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators. G Suite and Google Cloud Platform run on this infrastructure.

We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers, to the security protections of our hardware and software, to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do. A detailed discussion of our Infrastructure Security can be found in our Google Infrastructure Security Design Overview Whitepaper.

Availability, Integrity & Resilience

Google designs the components of our platform to be highly redundant. Google’s data centers are geographically distributed to minimize the effects of regional disruptions, such as natural disasters and local outages, on global products. In the event of hardware, software, or network failure, services are automatically and instantly shifted from one facility to another so that operations can continue without interruption. Our highly redundant infrastructure helps customers protect themselves from data loss.

Testing

Google conducts disaster recovery testing on an annual basis to provide a coordinated venue for infrastructure and application teams to test communication plans, fail-over scenarios, operational transition, and other emergency responses. All teams that participate in the disaster recovery exercise develop testing plans and post-mortems that document the results and lessons learned from the tests.

Encryption

Google uses encryption to protect data in transit and at rest. Data in transit to G Suite is protected using HTTPS, which is activated by default for all users. G Suite and Google Cloud Platform services encrypt customer content stored at rest, without any action required from customers, using one or more encryption mechanisms. A detailed discussion of how we encrypt data can be found in our Encryption Whitepaper.

Access Controls

For Google employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Google’s security policies.

Vulnerability Management

We scan for software vulnerabilities using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration testing, quality assurance processes, software security reviews, and external audits. We also rely on the broader security research community and greatly value their help identifying vulnerabilities in G Suite, Google Cloud Platform, and other Google products. Our Vulnerability Reward Program encourages researchers to report design and implementation issues that may put customer data at risk.

Product Security: G Suite

G Suite customers can leverage product features and configurations to further protect personal data against unauthorised or unlawful processing:

  • 2-step verification reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. Security key enforcement offers another layer of security for user accounts by requiring a physical key.
  • Suspicious Login Monitoring detects suspicious logins using robust machine learning capabilities.
  • Enhanced email security requires email messages to be signed and encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • Data loss prevention protects sensitive information within Gmail and Drive from unauthorized sharing. Learn more in our DLP Whitepaper.
  • Information rights management in Drive allows you to disable downloading, printing, and copying of files from the advanced sharing menu, and to set expiration dates on file access.
  • Mobile device management offers continuous system monitoring and alerts in case of suspicious device activity.
  • Security Center provides you with visibility into external file sharing, spam and malware targeting users within your organization, and metrics to demonstrate your security effectiveness in a single, comprehensive dashboard.
  • Google Vault lets you retain, archive, search, and export your organization's email, Google Drive file content and on-the-record chats for your eDiscovery and compliance needs.

  • Third-party application access controls give visibility and control into third-party applications leveraging OAuth for authentication and corporate data access. OAuth access can be disabled at a granular level, and vetted third-party apps can be whitelisted.

To learn more, please visit https://gsuite.google.com/security

Product Security: GCP

GCP customers can leverage product features and configurations to further protect personal data against unauthorised or unlawful processing:

To learn more, please visit https://cloud.google.com/security/

Data Return & Deletion

Administrators can export customer data, via the functionality of the G Suite or Google Cloud Platform services (consult Google Cloud Platform documentation for further information), at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and updated them to reflect the GDPR. We are continuously working to enhance the robustness of the data export capabilities and make it even easier to download a copy of your business’ data securely from G Suite and Google Cloud Platform services.

You can also delete customer data, via the functionality of the G Suite or Google Cloud Platform services, at any time. When Google receives a complete deletion instruction from you (such as when an email you have deleted can no longer be recovered from your “trash”), Google will delete the relevant customer data from all of its systems within a maximum period of 180 days unless retention obligations apply.

Assistance to the Controller

Data Subject's Rights

Data controllers can use the G Suite and Google Cloud Platform administrative consoles and service functionality to help access, rectify, restrict the processing of, or delete any data that they and their users put into our systems. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.

Data Protection Team

Google has designated a DPO for Google LLC and its subsidiaries, to cover data processing subject to the GDPR, including across Google Ireland Limited’s enterprise products. Keith Enright (Director, Privacy Legal) will serve as Google LLC’s Data Protection Officer. Mr. Enright is based in San Francisco in the U.S.

Where required, Google enterprise products have designated teams to address customer inquiries in relation to data protection. The way to contact these teams is described in the relevant agreement. For G Suite, the Cloud Data Protection Team can be contacted by Customer’s Administrators at https://support.google.com/a/contact/googlecloud_dpr (while Administrators are signed in to their Admin Account) and/or directly by providing a notice to Google as described in the applicable Agreement. For Google Cloud Platform, the Data Protection Team can be contacted at https://support.google.com/cloud/contact/dpo.

Incident Notifications

G Suite and Google Cloud Platform have provided contractual commitments around incident notification for many years. We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our GDPR-updated agreements and terms.

International Data Transfers

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Appropriate safeguards can be provided for by model contract clauses. An adequate level of protection can be confirmed by adequacy decisions, such as the one that supports the EU-U.S. Privacy Shield.

We contractually commit under our current data processing agreements to maintain a mechanism that facilitates transfers of personal data outside of the EU as required by the GDPR. Google’s certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks includes G Suite and Google Cloud Platform. We have also gained confirmation of compliance from European Data Protection Authorities for our model contract clauses, affirming that our contractual commitments for G Suite and Google Cloud Platform fully meet the requirements to legally frame transfers of personal data from the EU to the rest of the world.

Standards & Certifications

Our customers and regulators expect independent verification of security, privacy, and compliance controls. G Suite and Google Cloud Platform undergo several independent third-party audits on a regular basis to provide this assurance.

ISO 27001 (Information Security Management)

ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes, and data centers that make up our shared Common Infrastructure as well as for G Suite and Google Cloud Platform products.

ISO 27017 (Cloud Security)

ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for Cloud Services. Google has been certified compliant with ISO 27017 for G Suite and Google Cloud Platform.

ISO 27018 (Cloud Privacy)

ISO 27018 is an international standard of practice for protection of personally identifiable information (PII) in Public Cloud Services. Google has been certified compliant with ISO 27018 for G Suite and Google Cloud Platform.

SSAE16 / ISAE 3402 (SOC 2/3)

The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and criteria for security, availability, processing integrity, and confidentiality. Google has both SOC 2 and SOC 3 reports for Google Cloud Platform and G Suite.

What you can do

What are your responsibilities as a customer?

G Suite[1] and Google Cloud Platform customers will typically act as the data controller for any personal content they provide to Google via their use of Google Cloud services. The data controller determines the purposes and means of processing personal data. Then there’s the data processor. That’s typically us. As a data processor, Google Cloud processes personal data on behalf of the data controller when the controller is using G Suite or Google Cloud Platform.

What is a data controller?

Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

You can find guidance related to your responsibilities under the GDPR by regularly checking your national or lead data protection authority[2] websites and publications by privacy associations such as the International Association of Privacy Professionals (IAPP). We will also ensure that this GDPR page and our GDPR Resource Center are updated with the latest news and updates.

This site is intended to help our customers better understand Google Cloud’s GDPR stance. We recommend that you consult with a legal expert to obtain guidance on the specific requirements applicable to your organization, as this site does not constitute legal advice.

Where should you start?

As a customer of Google Cloud, the GDPR should be a part of your data protection compliance strategy. Consider these tips:

  • Familiarize yourself with the provisions of the GDPR
  • Create an updated inventory of personal data that you handle. You can use some of our tools to help identify and classify data.
  • Review your current controls, policies, and processes for managing and protecting data with the GDPR’s requirements. Find the gaps and create a plan to address them.
  • Consider how you can leverage the existing data protection features on Google Cloud as part of your own regulatory compliance framework. Review G Suite or Google Cloud Platform’s third-party audit and certification materials to begin.
  • Review and accept our updated data processing terms via the opt-in process described here for the G Suite Data Processing Amendment and here for the GCP Data Processing and Security Terms.

[1] G Suite includes G Suite for Business and G Suite for Education.
[2] We recommend you seek independent legal advice to determine your appropriate national or lead data protection authority.

FAQs

What is the GDPR?

The General Data Protection Regulation is privacy legislation that, on May 25, 2018, replaced the 95/46/EC Directive on Data Protection of 24 October 1995.

Does the GDPR require storage of personal data in the EU?

No. Like the 95/46/EC Directive on Data Protection, the GDPR sets forth certain conditions for the transfer of personal data outside of the EU. Such conditions can be met via mechanisms such as model contract clauses.

How have your terms been updated to reflect the GDPR?

For many years, Google Cloud has offered data processing terms that clearly articulate our privacy and security commitment to customers. While the GDPR is directly applicable to cloud service providers regardless of their contractual commitments in this regard, we have evolved our terms to reflect the GDPR. Our GDPR-updated terms notably reflect the provisions of Article 28 of the GDPR governing the use of a data processor by a cloud customer.

Does the GDPR give customers the right to audit Google Cloud?

Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors. Our updated data processing agreements include audit rights for the benefit of our customers.

What role do third-party ISO 27001, ISO 27017, ISO 27018, and SOC 2/3 reports play in compliance with the GDPR?

Our third-party ISO certifications and SOC 2/3 audit reports can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organisational measures are in place.

What other information and resources has Google provided on the GDPR?

Refer to Google’s Businesses and Data website and our GDPR Resource Center.