Google Cloud & the General Data Protection Regulation (GDPR)

Compliance with the GDPR is a top priority for Google Cloud and our customers. The GDPR aims to strengthen personal data protection in Europe, and impacts the way we all do business. We’re sure you have many questions, and we’re here to help. Google Cloud takes a customer-centric approach on protection, control, and compliance, and we want to be a key facilitator on your GDPR journey.

Related resources:

  • Google Cloud and the GDPR whitepaper
  • Google Cloud GDPR quick reference guide
  • G Suite Data Protection Implementation Guide
  • GDPR Resource Center

What is the GDPR?

The GDPR, which went into effect on May 25, 2018, replaced the 1995 EU Data Protection Directive.

The GDPR lays out specific requirements for businesses and organizations that are established in Europe or that serve users in Europe. It:

  • Regulates how businesses can collect, use, and store personal data
  • Builds upon current documentation and reporting requirements to increase accountability
  • Authorizes fines on businesses who fail to meet its requirements

What we’re doing

At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of user data. We’ve made multiple updates to ensure that Google Cloud customers can confidently use our services now that the GDPR is in effect. Partner with Google Cloud and we will support your efforts by:

  1. Committing in our contracts to comply with the GDPR in relation to our processing of customer personal data in all Google Cloud Platform and G Suite services
  2. Offering additional security features that may help you to better protect the personal data that is most sensitive
  3. Giving you the documentation and resources to assist you in your privacy assessment of our services
  4. Continuing to evolve our capabilities as the regulatory landscape changes

G Suite & Google Cloud Platform Commitments to the GDPR

Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. When conducting your assessment of G Suite and Google Cloud Platform services, you may want to consider the following:

Data Protection Expertise

Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This expert team is tasked with maintaining the company’s defense systems, developing security review processes, building stronger security infrastructure, and precisely implementing Google’s security policies.

Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google Cloud.

These teams work with customers, industry stakeholders, and supervisory authorities to ensure our G Suite and Google Cloud Platform services can help customers meet their compliance needs.

What you can do

What are your responsibilities as a customer?

G Suite¹ and Google Cloud Platform customers will typically act as the data controller for any personal content they provide to Google via their use of Google Cloud services. The data controller determines the purposes and means of processing personal data. Google is typically the data processor: as a data processor, Google Cloud processes personal data on behalf of the data controller when the controller uses G Suite or Google Cloud Platform.

What is a data controller?

Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

You can find guidance on your responsibilities under the GDPR by regularly checking the websites of your national or lead data protection authority² and publications by privacy associations such as the International Association of Privacy Professionals (IAPP). We will also keep this GDPR page and our GDPR Resource Center updated with the latest news.

This site is intended to help our customers better understand Google Cloud’s GDPR stance. We recommend that you consult with a legal expert to obtain guidance on the specific requirements applicable to your organization, as this site does not constitute legal advice.

Where should you start?

As a Google Cloud customer, you should make the GDPR part of your data protection compliance strategy. Consider these tips:

  • Familiarize yourself with the provisions of the GDPR
  • Create an updated inventory of personal data that you handle. You can use some of our tools to help identify and classify data.
  • Review your current controls, policies, and processes for managing and protecting data against the GDPR’s requirements. Find the gaps and create a plan to address them.
  • Consider how you can leverage the existing data protection features on Google Cloud as part of your own regulatory compliance framework. Review G Suite or Google Cloud Platform’s third-party audit and certification materials to begin.
  • Review and accept our updated data processing terms via the opt-in process for the G Suite Data Processing Amendment and for the GCP Data Processing and Security Terms.

¹ G Suite includes G Suite for Business and G Suite for Education.
² We recommend you seek independent legal advice to determine your appropriate national or lead data protection authority.

FAQs

What is the GDPR?

The General Data Protection Regulation is EU privacy legislation that, on May 25, 2018, replaced Directive 95/46/EC on Data Protection of 24 October 1995.

Does the GDPR require storage of personal data in the EU?

No. Like Directive 95/46/EC, the GDPR sets forth certain conditions for the transfer of personal data outside the EU. Such conditions can be met via mechanisms such as model contract clauses.

How have your terms been updated to reflect the GDPR?

For many years, Google Cloud has offered data processing terms that clearly articulate our privacy and security commitments to customers. While the GDPR applies directly to cloud service providers regardless of their contractual commitments, we have evolved our terms to reflect the GDPR. Our GDPR-updated terms notably reflect the provisions of Article 28 of the GDPR, which governs the use of a data processor by a cloud customer.

Does the GDPR give customers the right to audit Google Cloud?

Under the GDPR, contracts between data controllers and data processors must grant audit rights to the controller. Our updated data processing agreements include audit rights for the benefit of our customers.

What role do third-party ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and SOC 2/3 reports play in compliance with the GDPR?

Our third-party ISO certifications and SOC 2/3 audit reports can be used by customers to help conduct their risk assessments and to help them determine whether appropriate technical and organisational measures are in place.

What other information and resources has Google provided on the GDPR?

Refer to Google’s Businesses and Data website and our GDPR Resource Center.