For additional resources refer to Google Cloud's Privacy Resource Center

Google Cloud & the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a privacy legislation that replaced the 95/46/EC Directive on Data Protection of 24 October 1995 on May 25, 2018. GDPR lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe. It:

  • Regulates how businesses can collect, use, and store personal data
  • Builds upon current documentation and reporting requirements to increase accountability
  • Authorizes fines on businesses who fail to meet its requirements

At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of customer personal data, and want you, as a Google Cloud customer, to feel confident using our services in light of GDPR requirements. If you partner with Google Cloud, we will support your GDPR compliance efforts by:

  1. Committing in our contracts to comply with the GDPR in relation to our processing of customer personal data in all Google Cloud and Google Workspace services
  2. Offering additional security features that may help you to better protect the personal data that is most sensitive
  3. Giving you the documentation and resources to assist you in your privacy assessment of our services
  4. Continuing to evolve our capabilities as the regulatory landscape changes

Google Workspace & Google Cloud Commitments to the GDPR

Data controllers must use data processors with appropriate technical and organizational measures. When conducting your GDPR assessment of Google Cloud consider the following:

EXPERT KNOWLEDGE, RELIABILITY & RESOURCES

Data Protection Expertise

Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This expert team is tasked with maintaining the company’s defense systems, developing security review processes, building stronger security infrastructure, and precisely implementing Google’s security policies.

Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google Cloud.

These teams work with customers, industry stakeholders, and supervisory authorities to ensure our Google Workspace and Google Cloud services can help customers meet their compliance needs.

Data Processing Agreements

Our data processing agreements for Google Workspace and Google Cloud clearly articulate our privacy commitment to customers. We have evolved these terms over the years based on feedback from our customers and regulators.

We specifically updated these terms to reflect the GDPR, and, to facilitate our customers' compliance assessment and GDPR readiness when using Google Cloud services. Learn more about the Google Workspace Data Processing Amendment, the Google Workspace EU Standard Contract Clauses, the Google Cloud Data Processing and Security Terms, and the Google Cloud EU Standard Contract Clauses (SCCs).

Our customers can enter into these updated data processing terms via the opt in process described for the Google Workspace Data Processing Amendment and the Google Cloud Data Processing and Security Terms.

Processing According to Instructions

Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our GDPR-updated data processing agreements.

Personnel Confidentiality Commitments

All Google employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as our Code of Conduct training. Google’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.

Google Group companies directly conduct the majority of data processing activities required to provide the Google Workspace and Google Cloud services. However, we do engage some third-party vendors to assist in supporting these services. Each vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.

We make information available about Google group subprocessors supporting Google Workspace and Google Cloud services, as well as third-party subprocessors involved in those services. See here for Google Workspace subprocessor details, and here for Google Cloud subprocessor details. We also include commitments relating to subprocessors in our data processing agreements.

According to the GDPR, appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to the risk.

Google operates a global infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators. Google Workspace and Google Cloud run on this infrastructure.

We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers, to the security protections of our hardware and software, to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do. A detailed discussion of our Infrastructure Security can be found in Google Infrastructure Security Design Overview Whitepaper.

Availability, Integrity & Resilience

Google designs the components of our platform to be highly redundant. Google’s data centers are geographically distributed to minimize the effects of regional disruptions on global products such as natural disasters and local outages. In the event of hardware, software, or network failure, services are automatically and instantly shifted from one facility to another so that operations can continue without interruption. Our highly redundant infrastructure helps customers protect themselves from data loss.

Equipment Testing and Security

Google utilizes barcodes and asset tags to track the status and location of data center equipment from acquisition to installation, retirement, and destruction. If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. Google hard drives leverage technologies, such as Full Disk Encryption (FDE) and drive locking, to protect data at rest.

Disaster Recovery Testing

Google conducts disaster recovery testing on an annual basis to provide a coordinated venue for infrastructure and application teams to test communication plans, fail-over scenarios, operational transition, and other emergency responses. All teams that participate in the disaster recovery exercise develop testing plans and post mortems which document the results and lessons learned from the tests.

Encryption

Google uses encryption to protect data in transit and at rest. Google Workspace data in transit between regions is protected using HTTPS, which is activated by default for all users. Google Workspace and Google Cloud services encrypt customer content stored at rest, without any action required from customers, using one or more encryption mechanisms. A detailed discussion of how we encrypt data can be found in these resources: Workspace Encryption Whitepaper, and Google Cloud Encryption in transit and at rest.

Access Controls

For Google employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Google’s security policies. Data centers that house Google Cloud systems and infrastructure components are subject to physical access restrictions and equipped with 24 x 7 on-site security personnel, security guards, access badges, biometric identification mechanisms, physical locks and video cameras to monitor the interior and exterior of the facility.

Incident Management

Google has a dedicated security team responsible for security and privacy of customer data and managing security 24 hours a day and 7 days a week worldwide. Individuals from this team receive incident-related notifications and are responsible for helping resolve emergencies 24 x 7. Incident response policies are in place and procedures for resolving critical incidents are documented. Information from these events is used to help prevent future incidents and can be used as examples for information security training. Google incident management processes and response workflows are documented. Google’s incident management processes are tested on a regular basis as part of our ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27001, PCI-DSS1, SOC 2 and FedRAMP programs to provide our customers and regulators with independent verification of our security, privacy, and compliance controls. More information on our incident response process can be found in our Data incident response process whitepaper.

Vulnerability Management

We scan for software vulnerabilities using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration testing, quality assurance processes, software security reviews, and external audits. We also rely on the broader security research community and greatly value their help identifying any vulnerabilities in Google Workspace, Google Cloud, and other Google products. Our Vulnerability Reward Program encourages researchers to report design and implementation issues that may put customer data at risk.

Product Security: Google Workspace

Google Workspace customers can leverage product features and configurations to further protect personal data against unauthorized or unlawful processing:

Google Workspace Core Services, including Gmail, Google Admin Console, Calendar, Drive, Docs, Keep, Sites, Jamboard, Hangouts, Chat, Meet, Cloud Search and Google Groups offer configurable settings to help ensure that your organization’s data is secured, used, and accessed according to your unique requirements. 2-step verification reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. Security key enforcement offers another layer of security for user accounts by requiring a physical key. The Advanced Protection Program is our strongest protection for users at risk of targeted online attacks. Suspicious Login Monitoring detects suspicious logins using robust machine learning capabilities. Enhanced email security requires email messages to be signed and encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME). Encryption: Google Workspace customers' data is encrypted when it's on a disk, stored on backup media, moving over the Internet, or traveling between data centers. Data loss prevention (DLP) protects sensitive information within Gmail and Drive from unauthorized sharing. Advanced phishing and malware protection protects against suspicious attachments and scripts from untrusted senders, as well as malicious links and images. Information rights management in Drive allows you to disable downloading, printing, and copying of files from the advanced sharing menu, and to set expiration dates on file access. Endpoint management offers continuous system monitoring and alerts in case of suspicious device activity. Alert Center is a place to view essential notifications, alerts, and actions across Google Workspace. Insights around these potential alerts can help administrators assess their organization's exposure to security issues. Security Center brings together security analytics, best practice recommendations and integrated remediation to protect your organization’s data, devices and users. It provides you with visibility into external file sharing, spam and malware targeting users within your organization, and integrated remediation via the investigation tool. Context-aware access can enforce granular access controls on Google Workspace apps, based on a user’s identity and context of the request. Google Vault lets you retain, archive, search, and export your organization's email, Google Drive file content and on-the-record chats for your eDiscovery and compliance needs. App access control governs access to Google Workspace services using OAuth 2.0. Organizations can control which third-party and internal apps can access Google Workspace data, and find more details about any third-party apps already in use. Data Regions lets you store your covered data in a specific geographic location by using a data region policy. Access Transparency lets you review logs of actions taken by Google staff when accessing user content.

To learn more, please visit https://workspace.google.com/security

Product Security: Google Cloud

Google Cloud customers can leverage product features and configurations to further protect personal data against unauthorised or unlawful processing:

Encryption in transit between regions is applied by default on Google Cloud to encrypt requests before transmission and to protect the raw data using the Transport Layer Security (TLS) protocol. Once data is transferred to Google Cloud to be stored, Google Cloud applies encryption at rest by default. 2-step verification reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. Security key enforcement offers another layer of security for user accounts by requiring a physical key. Cloud Identity and Access Management (Cloud IAM) allows you to create and manage fine-grained access and modification permissions for Google Cloud resources. Data Loss Prevention API, part of Sensitive Data Protection (a family of services designed to help you discover, classify, and protect your most sensitive data), helps to identify and monitor the processing of special categories of personal data in order to implement adequate controls. Cloud Logging and Cloud Monitoring integrate logging, monitoring, alerting, and anomaly detection systems into Google Cloud. Cloud Identity-Aware Proxy (Cloud IAP) controls access to cloud applications running on Google Cloud. Cloud Security Scanner scans for and detects common vulnerabilities in Google App Engine applications. VPC Service Controls provide perimeter protection for services that store highly sensitive data to enable service-level data segmentation. Cloud KMS and HSM allow for management of encryption keys and cryptographic operations from within a cluster of FIPS 140-2 Level 3 certified Hardware Security Modules (HSMs). KMS allows customers to use Google-managed or customer-managed encryption keys as required to fulfill compliance requirements. Cloud Security Command Center allows customers to view and monitor an inventory of their cloud assets, scan storage systems for sensitive data, detect common web vulnerabilities, and review access rights to their critical resources from a single, centralized dashboard. Access Approval requires Google administrators to seek explicit customer approval before Google can access data. It works by sending customers an email and/or Cloud Pub/Sub message with an access request that the customer is able to approve. Using the information in the message, customers can use the Google Cloud console or the Access Approval API to approve the access.

To learn more, please visit https://cloud.google.com/security/

1 For Google Cloud only.

Administrators can export customer data, via the functionality of the Google Workspace or Google Cloud services (consult Google Cloud documentation for further information), at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and will continue to work to enhance our data export capabilities, making it even easier for you to download a copy of your customer data from Google Workspace and Google Cloud services.

You can also delete customer data, via the functionality of the Google Workspace or Google Cloud services, at any time. When Google receives a complete deletion instruction from you (such as when an email you have deleted can no longer be recovered from your “trash”), Google will delete the relevant customer data from all of its systems within a maximum period of 180 days unless retention obligations apply.

Data Subject's Rights

Data controllers can use the Google Workspace and Google Cloud administrative consoles and services functionality to help access, rectify, restrict the processing of, or delete any data that they and their users put into our systems. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.

Data Protection Team

Google has designated a DPO for Google LLC and its subsidiaries, to cover data processing subject to the GDPR, including as part of our Cloud products and services. Kristie Chon Flynn is Google's Data Protection Officer. Kristie Chon Flynn is based in Sunnyvale in the U.S.

Where required, Google Cloud products have designated teams to address customer inquiries in relation to data protection. The way to contact these teams is described in the relevant agreement. For Google Workspace the Cloud Data Protection Team can be contacted by Customer’s administrators at https://support.google.com/a/contact/googlecloud_dpr (while administrators are signed in to their admin account) and/or directly by providing a notice to Google as described in the applicable agreement. For Google Cloud, that team can be contacted at https://support.google.com/cloud/contact/dpo.

Incident Notifications

Google Workspace and Google Cloud have provided contractual commitments around incident notification for many years. We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our current agreements.

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the Japanese Act on the Protection of Personal Information (APPI) and the Swiss Data Protection Act.

Where personal data will be transferred outside of the EU to third countries not covered by adequacy decisions, we commit under our data processing agreements to maintain a mechanism that will facilitate these transfers as required by the GDPR. In 2017, we gained confirmation of compliance from European Data Protection Authorities for our standard contract clauses, affirming that our contractual commitments for Google Workspace and Google Cloud met the requirements to legally frame transfers of personal data from the EU to the third countries that do not provide adequate protection.

Our customers and regulators expect independent verification of security, privacy, and compliance controls. Google Workspace and Google Cloud undergo several independent third-party audits on a regular basis to provide this assurance.

ISO/IEC 27001 (Information Security Management)

ISO/IEC 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO/IEC 27001 certification for the systems, applications, people, technology, processes, and data centers that make up our shared Common Infrastructure as well as for Google Workspace and Google Cloud products. You can access these certificates via Compliance reports manager.

ISO/IEC 27017 (Cloud Security)

ISO/IEC 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for Cloud Services. Google has been certified compliant with ISO/IEC 27017 for Google Workspace and Google Cloud. You can access these certificates via Compliance reports manager.

ISO/IEC 27018 (Cloud Privacy)

ISO/IEC 27018 is an international standard of practice for protection of personally identifiable information (PII) in Public Cloud Services. Google has been certified compliant with ISO/IEC 27018 for Google Workspace and Google Cloud. You can access these certificates via Compliance reports manager.

ISO/IEC 27701 (Privacy Information Management)

ISO/IEC 27701 is a global privacy standard that focuses on the collection and processing of personally identifiable information (PII). This standard extends the requirements of ISO/IEC 27001 and ISO/IEC 27002 to include data privacy. We have received accredited ISO/IEC 27701 certification as a PII processor for both Google Workspace and Google Cloud. You can access these certificates via Compliance reports manager.

SSAE18/ISAE 3402 (SOC 2/3)

The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and criteria for security, availability, processing integrity, and confidentiality. Google has both SOC 2 and SOC 3 reports for Google Workspace and Google Cloud. You can access these certificates via Compliance reports manager.

Assessing Google Cloud based on Article 28

Article 28 of the GDPR lays out the requirements of a data processor who processes data on behalf of the data controller. See how our terms reflect these requirements.

Use of Subprocessors

Google Cloud - Cloud Data Processing Addendum (CDPA)

Definitions | Section 2.1

Data Security | Section 7.1.2

Data Security | Section 7.3.1 (b)

Data Transfers | Section 10.1

Subprocessors | Section 11

Third-Party Beneficiary | Section 14

Appendix 2.1–2.5

Google Cloud - EU Standard Contract Clauses (SCC)

SCCs (EU Controller-to-Processor) | Annex II, Annex III

SCCs (EU Processor-to-Controller) | N/A

SCCs (EU Processor-to-Processor) | Annex II, Annex III

SCCs (EU Processor-to-Processor, Google Exporter) | Annex II, Annex III

SCCs (UK Controller-to-Processor) | Clause 1, Clause 3.3, Clause 4 (g) and (i), Clause 5 (i) and (j), Clause 6, Clause 8, Clause 11, Clause 12, Appendix 1, Appendix 2.5

Related content: Google Cloud Subprocessors

Google Workspace - Cloud Data Processing Addendum (CDPA)

Definitions | Section 2.1

Data Security | Section 7.1.2

Data Security | Section 7.3.1 (b)

Data Transfers | Section 10.1

Subprocessors | Section 11

Third-Party Beneficiary | Section 14

Security Measures | Appendix 2.1–2.5

Google Workspace - EU Standard Contract Clauses (SCC)

SCCs (EU Controller-to-Processor) | Annex II, Annex III

SCCs (EU Processor-to-Controller) | N/A

SCCs (EU Processor-to-Processor) | Annex II, Annex III

SCCs (EU Processor-to-Processor, Google Exporter) | Annex II, Annex III

SCCs (UK Controller-to-Processor) | Clause 1, Clause 3.3, Clause 4 (g) and (i), Clause 5 (i) and (j), Clause 6, Clause 8, Clause 11, Clause 12, Appendix 1, Appendix 2.5

Related content: Google Workspace Subprocessors Agreement

Google Cloud - Cloud Data Processing Addendum (CDPA)

Entire Data Processing and Security Terms

Google Workspace - Cloud Data Processing Addendum (CDPA)

Entire Data Processing Terms

Google Cloud - Cloud Data Processing Addendum (CDPA)

Processing of Data | Section 5.2

Google Cloud - EU Standard Contract Clauses (SCC)

SCCs

Google Workspace - Cloud Data Processing Addendum (CDPA)

Section 5.2 | Processing of Data

Google Workspace - EU Standard Contract Clauses (SCC)

Clause 5 (a) and (b) | Obligations of the Data Importer

Google Cloud - Google Cloud Terms of Services

Confidential Information | Section 7

Google Cloud - Cloud Data Processing Addendum (CDPA)

Data Security | Section 7.1.2

Data Security | Section 7.5.3

Personnel Security | Appendix 2.4

Google Cloud - EU Standard Contract Clauses (SCC)

Obligations of the Data Importer | Clause 5

Google Workspace - Google Workspace Agreement

Confidential Information | Section 6

Google Workspace - Cloud Data Processing Addendum (CDPA)

Data Security | Section 7.1.2

Data Security | Section 7.5.3

Personnel Security | Appendix 2.4

Google Workspace - EU Standard Contract Clauses (SCC)

SCCs

Google Cloud - Cloud Data Processing Addendum (CDPA)

Data Security | Section 7

Security Measures | Appendix 2

Google Cloud - EU Standard Contract Clauses (SCC)

SCCs

Google Workspace - Cloud Data Processing Addendum (CDPA)

Data Security | Section 7

Security Measures | Appendix 2

Google Workspace - EU Standard Contract Clauses (SCC)

SCCs

Related content: Google Cloud Security & Compliance Whitepaper

Google Cloud - Cloud Data Processing Addendum (CDPA)

Impact Assessments and Consultations | Section 8

Google Workspace - Cloud Data Processing Addendum (CDPA)

Impact Assessments and Consultations | Section 8

Google Cloud - Cloud Data Processing Addendum (CDPA)

Data Deletion | Section 6

Data Subject Rights; Data Export | Section 9.1

Google Cloud - EU Standard Contract Clauses (SCC)

SCCs

Google Workspace - Cloud Data Processing Addendum (CDPA)

Data Deletion | Section 6

Data Subject Rights; Data Export | Section 9.1

Google Workspace - EU Standard Contract Clauses (SCC)

SCCs 

Google Cloud - Cloud Data Processing Addendum (CDPA)

Data Security | Section 7.4

Related content: Google Cloud Compliance

Google Workspace - Cloud Data Processing Addendum (CDPA)

Data Security | Section 7.4

Related content: Google Cloud Compliance

FAQ

Answers to Frequently Asked Questions about Google Cloud and GDPR

Does the GDPR require storage of personal data in the EU?

No. Like the 95/46/EC Directive on Data Protection, the GDPR sets out certain conditions for the transfer of personal data outside of the EU. Such conditions can be met via mechanisms such as standard contract clauses.

How do your terms reflect the GDPR requirements?

For many years, Google Cloud has offered data processing terms that clearly articulate our privacy and security commitment to customers, and we have evolved those terms to reflect the GDPR. Our GDPR-updated terms notably reflect the provisions of Article 28 of the GDPR governing the use of a data processor by a data controller.

Does the GDPR give customers the right to audit Google Cloud?

Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors. Our updated data processing agreements include audit rights for the benefit of customers who are subject to the GDPR.

What role do third-party ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 and SOC 2/3 reports play in compliance with the GDPR?

Our third-party ISO/IEC certifications and SOC 2/3 audit reports can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organizational measures are in place. Our ISO/IEC 27701 certification provides greater clarity on privacy-related roles and responsibilities, which can facilitate efforts to comply with privacy regulations, including the GDPR.

How does Google Cloud support International Data Transfers in the Cloud?

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the Japanese Act on the Protection of Personal Information (APPI) and the Swiss Data Protection Act.

Where personal data will be transferred outside of the EU to third countries not covered by adequacy decisions, we commit under our data processing agreements to maintain a mechanism that will facilitate these transfers as required by the GDPR. In 2017, we gained confirmation of compliance from European Data Protection Authorities for our standard contract clauses, affirming that our contractual commitments for Google Workspace and Google Cloud met the requirements to legally frame transfers of personal data from the EU to the third countries that do not provide adequate protection.

Now that Privacy Shield has been invalidated, can I still use Google Cloud and meet GDPR requirements if I handle EU personal data?

While Google will continue to review the impact of the Court of Justice of the European Union (CJEU) case C-311/18 one thing remains unchanged: Google will take appropriate steps to ensure we maintain a high level of privacy protection for EU citizens.

Google Cloud offers Standard Contractual Clauses (SCCs) to our customers, which will be automatically deemed to apply in the absence of any alternate transfer solution made available by Google. Regardless of the location of the data, data protection remains a priority for Google. See the Safeguards for International Data Transfers with Google Cloud Whitepaper for more information.

We are certified against recognised international standards such as ISO/IEC 27001ISO/IEC 27018 and ISO/IEC 27017. The complete listing of Google’s compliance offerings can be found on the compliance resource center.

What other information and resources has Google provided on the GDPR?

Refer to Google’s Cloud's Privacy Resource Center and Google's Businesses and Data website.

Where can I find other European Privacy Resources?


Disclaimer: The content contained herein is correct as of August 2021 and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers. When referring to Google Workspace, we also refer to Google Workspace for Education. We are bringing Google Workspace to our education and nonprofit customers in the coming months.

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.