Google Cloud & the General Data Protection Regulation (GDPR)

Compliance with the GDPR is a top priority for Google Cloud and our customers. The GDPR aims to strengthen personal data protection in Europe, and impacts the way we all do business. We’re sure you have many questions, and we’re here to help. Google Cloud takes a customer-centric approach on protection, control, and compliance, and we want to be a key facilitator on your GDPR journey.

Related guides: Google Workspace Data Protection Implementation Guide; Trusting Your Data with Google Cloud Platform

Visit our GDPR Resource Center 

Disclaimer: The content contained herein is correct as of November 2020 and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers. When referring to Google Workspace, we also refer to G Suite for Education. We are bringing Google Workspace to our education and nonprofit customers in the coming months.

What is the GDPR?

The GDPR, which went into effect on May 25, 2018, replaced the 1995 EU Data Protection Directive.

The GDPR lays out specific requirements for businesses and organizations that are established in Europe or that serve users in Europe. It:

  • Regulates how businesses can collect, use, and store personal data
  • Builds upon current documentation and reporting requirements to increase accountability
  • Authorizes fines on businesses who fail to meet its requirements

Google Cloud and the GDPR

At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of customer personal data, and want you, as a Google Cloud customer, to feel confident using our services in light of GDPR requirements. If you partner with Google Cloud, we will support your GDPR compliance efforts by:

  1. Committing in our contracts to comply with the GDPR in relation to our processing of customer personal data in all Google Cloud Platform and Google Workspace services
  2. Offering additional security features that may help you to better protect the personal data that is most sensitive
  3. Giving you the documentation and resources to assist you in your privacy assessment of our services
  4. Continuing to evolve our capabilities as the regulatory landscape changes

Google Workspace & Google Cloud Platform Commitments to the GDPR

Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. When conducting your assessment of Google Workspace and Google Cloud Platform services, you may want to consider the following:

Data Protection Expertise

Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This expert team is tasked with maintaining the company’s defense systems, developing security review processes, building stronger security infrastructure, and precisely implementing Google’s security policies.

Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google Cloud.

These teams work with customers, industry stakeholders, and supervisory authorities to ensure our Google Workspace and Google Cloud Platform services can help customers meet their compliance needs.

What you can do

What are your responsibilities as a customer?

Google Workspace¹ and Google Cloud Platform customers typically act as the data controller for any personal data they provide to Google through their use of Google Cloud services. The data controller determines the purposes and means of processing personal data. Google, in turn, typically acts as the data processor: as a data processor, Google Cloud processes personal data on behalf of the data controller when the controller uses Google Workspace or Google Cloud Platform.

What is a data controller?

Data controllers are responsible, with data processors, for implementing appropriate technical and organisational measures to ensure that any data processing is performed in compliance with the GDPR. Controllers’ additional obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

You can find guidance on your responsibilities under the GDPR by regularly checking the websites of your national or lead data protection authority² and publications from privacy associations such as the International Association of Privacy Professionals (IAPP). We will also update this GDPR page and our GDPR Resource Center with the latest news and updates.

This site is intended to help our customers better understand Google Cloud’s GDPR stance. We recommend that you consult with a lawyer to obtain guidance on the specific requirements applicable to your organization, as this site does not constitute legal advice.

Where should you start?

If, for example, you are a Google Cloud customer based in the European Economic Area (EEA) or the UK, or you are responsible for processing data relating to EEA or UK data subjects, the GDPR should be part of your data protection compliance strategy. Consider these steps:

  • Familiarize yourself with the provisions of the GDPR
  • Create an up-to-date inventory of the personal data you handle. Some of our tools can help you identify and classify that data.
  • Review your current controls, policies, and processes for managing and protecting data against the GDPR’s requirements. Identify the gaps and create a plan to address them.
  • Consider how you can use the existing data protection features on Google Cloud as part of your own regulatory compliance framework. Start by reviewing Google Workspace’s or Google Cloud Platform’s third-party audit and certification materials.
  • Review and (if necessary) accept our updated data processing terms via the opt-in process described here for the Google Workspace Data Processing Amendment and here for the GCP Data Processing and Security Terms.
¹ Google Workspace (formerly G Suite) includes Google Workspace for Teams, Google Workspace Business and G Suite for Education. Some legacy G Suite plans continue to be supported.
² We recommend you seek independent legal advice to determine your appropriate national or lead data protection authority.

FAQs

What is the GDPR?
The General Data Protection Regulation is EU privacy legislation that took effect on May 25, 2018, replacing Directive 95/46/EC on Data Protection of 24 October 1995.
Does the GDPR require storage of personal data in the EU?
No. Like Directive 95/46/EC, the GDPR sets out certain conditions for the transfer of personal data outside the EU. Those conditions can be met through mechanisms such as model contract clauses (standard contractual clauses).
How do your terms reflect the GDPR requirements?
For many years, Google Cloud has offered data processing terms that clearly articulate our privacy and security commitment to customers, and we have evolved those terms to reflect the GDPR. Our GDPR-updated terms notably reflect the provisions of Article 28 of the GDPR governing the use of a data processor by a data controller.
Does the GDPR give customers the right to audit Google Cloud?
Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors. Our updated data processing agreements include audit rights for the benefit of customers who are subject to the GDPR.
What role do third-party ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 and SOC 2/3 reports play in compliance with the GDPR?
Our third-party ISO/IEC certifications and SOC 2/3 audit reports can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organisational measures are in place. Our ISO/IEC 27701 certification provides greater clarity on privacy-related roles and responsibilities, which can facilitate efforts to comply with privacy regulations, including the GDPR.
Now that Privacy Shield has been invalidated, can I still use Google Cloud and meet GDPR requirements if I handle EU personal data?
While Google will continue to review the impact of the Court of Justice of the European Union (CJEU) case C-311/18, one thing remains unchanged: Google will take appropriate steps to ensure we maintain a high level of privacy protection for EU citizens.
Google Cloud offers Standard Contractual Clauses or Model Contract Clauses (MCCs) to our customers, which will be automatically deemed to apply in the absence of any alternate transfer solution made available by Google.
Regardless of the location of the data, data protection remains a priority for Google. We are certified against recognised international standards such as ISO/IEC 27001, ISO/IEC 27018 and ISO/IEC 27017. The complete listing of Google’s compliance offerings can be found on the compliance resource center located here.
What other information and resources has Google provided on the GDPR?
Refer to Google’s Businesses and Data website and our GDPR Resource Center.