Summary of Changes to the Google Cloud Platform Data Processing and Security Terms and Service Specific Terms

This document summarizes the principal changes made to the Google Cloud Platform Data Processing and Security Terms and Service Specific Terms on December 16, 2015.

Google Cloud Platform Data Processing and Security Terms

  • New 1st paragraph above terms - clarifying when the updated terms go into effect
  • 1st paragraph - clarified the Customer and Google entity subject to the terms and clarified that these Data Processing and Security Terms (“Terms”) supersede Data Processing and Security Terms previously entered into between the parties (and, for legacy offline Google Ireland Limited Google Cloud Platform (“GCP”) customers, these terms supersede the “Privacy” Clause in their GCP License Agreement).
  • 2nd paragraph - defined the “Terms Effective Date”
  • 3rd paragraph - added representation and warranty from person who accepts the Data Processing and Security Terms separately from the Google Cloud Platform License Agreement that the person has legal authority to bind the applicable Customer entity to the Terms, has read and understood the Terms, and agrees to the Terms on behalf of the applicable Customer party
  • Section 1 - simplified language
  • Section 2 - clarified “Additional Products” definition
  • Section 2 - omitted “Ads” definition
  • Section 2 - added “Agreement” definition
  • Section 2 - updated “Data Incident” definition
  • Section 2 - added new “Data Protection Legislation” definition replacing “National Data Protection Legislation” definition
  • Section 2 - added EEA definition.
  • Section 2 - clarified “Google Group” definition
  • Section 2 - clarified “Instructions” definition
  • Section 2 - added new definition for “Model Contract Clauses” or “MCCs”
  • Section 2 - changed “Safe Harbor Privacy Principles” definition to “Safe Harbor Certification” and updated definition accordingly
  • Section 2 - updated “Security Measures” definition
  • Section 2 - clarified “Subprocessors” definition
  • Section 2 - added definition for “Third Party Auditor”
  • Section 2.2 - clarified that “data importer” and “data exporter” are defined in the MCCs
  • Section 3 - added start and end date for the Terms to be effective
  • Section 4 - clarified that the Data Protection Legislation may apply to processing of Customer Personal Data
  • Section 5.1 - clarified respective roles and responsibilities of “Customer” as controller of Customer Personal Data and Google as data processor of that data. Also clarified that if a Customer Affiliate is the applicable controller, Customer represents and warrants that Customer is authorized to give Google Instructions, to act on behalf of that Affiliate in relation to the applicable Customer Personal Data, and to bind the Affiliate to the Terms.
  • Section 5.2 - clarified limits on scope of processing of Customer Personal Data
  • Section 5.3 - simplified provision
  • Section 6.1 - updated, clarified, and expanded provision; clarified that Customer is solely responsible for its use of the Services, including securing its account authentication credentials and that Google has no obligation to protect Customer Data that Customer elects to store or transfer outside of Google’s and its Subprocessors’ systems
  • Section 6.3 - updated Google obligations around “Data Incidents” and clarified what is (and is not) included under that definition; added Customer obligation to maintain current contact information
  • Section 6.4(a) - omitted termination as sole and exclusive remedy for Customer
  • Section 6.4(b) - changed reference from SSAE Audit Report to SOC 2 report, clarified that report will be produced by Third Party Auditor, omitted termination as sole and exclusive remedy for Customer and simplified language in this section
  • Section 6.4(c) - added provision on SOC 3 report
  • Section 6.5.1 - specified the security documentation Google will make available for review by Customer
  • Section 6.5.2 - added provision regarding audit rights for Customer (or Customer Affiliate) who has entered into Google Cloud Platform MCCs
  • Section 6.5.3 - added further business terms pertaining to review of SOC 2 report and exercise of audit rights under Google Cloud Platform MCCs
  • Section 7 - clarified that Google will delete Customer-Deleted Data within a maximum of 180 days unless applicable legislation or legal process prevents that; and added provision about deletion of Customer-Deleted Data following expiry or termination of the Agreement (or, if applicable, following expiry of any post-termination period)
  • Section 8 - clarified section
  • Section 9 - updated contact information for Data Privacy Office for Google Cloud Platform
  • Section 10.1 - clarified that Customer may select where certain Customer Data will be stored and Google will store it there in accordance with the Service Specific Terms; clarified that if a Data Location Selection is not covered by the Service Specific Terms (or such a selection is not made by Customer), Google may store and process the relevant data anywhere Google or its Subprocessors maintain facilities
  • Section 10.2 - specified that if storage and processing involves transfer of Customer Personal Data out of the EEA and Data Protection Legislation applies to those transfers Google will ensure Google Inc. maintains its Safe Harbor Certification (and that the transfers are made in accordance with that certification), and/or ensure that Google Inc. enters into MCCs (and that the transfers are made in accordance with those Clauses), and/or adopt an alternative solution that achieves compliance with the terms of the Directive (and ensure the transfers are made in accordance with that solution)
  • Section 10.3 - changed references from remaining enrolled in Safe Harbor to maintaining Safe Harbor Certification
  • Section 10.4 - added Google will make available to Customer information about the countries in which data centers used to store Customer Personal Data are located.
  • Section 11.1 - moved language from another section noting that Google may engage Subprocessor to provide limited parts of the Services
  • Section 11.2 - clarified that Google will ensure Subprocessors only access and use Customer Data in accordance with Section 10.1 of the Data Processing and Security Terms and the Agreement and that they’ll be bound by written agreements requiring at least the level of data protection required by the following, as applicable to transfers of Customer Personal Data out of the EEA: (i) any Google Inc. Safe Harbor Certification, (ii) MCCs between Customer and Google Inc., and/or (iii) any alternative compliance solution adopted by Google
  • Section 11.3 - added that if MCCs have been entered into by the parties, Customer (or an authorized Customer Affiliate) consent to Google Inc. subcontracting the processing of Customer Data in accordance with those MCCs
  • Section 11.4 - shifted this language from earlier section, updated defined terms, and cross-referenced to Google Data Privacy Office contact information in Section 9
  • Section 11.5 - added that if MCCs have been entered into by the parties, Google will inform Customer at least 15 days before appointing any new Third Party Subprocessor and if Customer objects, Customer may as its sole and exclusive remedy, terminate the GCP License Agreement on written notice to Google w/in 30 days of being informed of such appointment
  • Section 12 - added that if Google Inc. and Customer (or an authorized Customer Affiliate) have entered into MCCs, then (subject to the remaining liability terms under the Agreement) the total combined liability of Google and its Affiliates (on the one hand) and Customer and its Affiliates (on the other hand) under or in connection with the Agreement and all those MCCs combined will be limited to the maximum payment-based liability set out in the Agreement
  • Section 13 - added that if Google Inc. isn’t a party to the Agreement it will be a third party beneficiary to Section 6.5 (Auditing Security Compliance), Section 11.3 (Consent to Subprocessing), and Section 12 (Liability Cap) of the Data Processing and Security Terms
  • Section 14 - clarified that notwithstanding anything to the contrary in the Agreement, if there’s a conflict between these Terms and the remaining terms of the Agreement, these Terms govern
  • Appendix 1 - simplified descriptions of categories of personal data and data subjects
  • Appendix 2 - added that Google may update or modify the Security Measures provided that doing so does not result in the degradation of the overall security of the Services
  • Appendix 2 - Section 2(a) - added that data center surveillance records are retained for up to 30 days based on activity
  • Appendix 2 - Section 2(b) - added that Google’s infrastructure security personnel are also responsible for review of the Services
  • Appendix 2 - Section 5 - clarified that Subprocessors are required to enter into appropriate security, confidentiality, and privacy contract terms subject to Section 11.2 (Subprocessing Restrictions) of the Terms

Service Specific Terms

  • Section 1.1 - deleted “permanently, at rest,”; deleted last sentence specifying that if neither of these choices is selected the relevant core data may be stored in any country in which Google or its agents maintain facilities (as that’s covered in the main Terms of Service).
  • Section 1.3 - changed “End User” to “Customer End User”; deleted last sentence specifying that the relevant core data may be processed and stored in any country in which Google or its agents maintain facilities (as that’s covered in the main Terms of Service)
  • Section 2.1 - same comment as Section 1.1
  • Section 2.3 - same comment as Section 1.3
  • Section 3.1 - same comment as Section 1.1
  • Section 3.3 - same comment as Section 1.3
  • Section 4.1 - same comment as Section 1.1
  • Section 4.3 - same comment as Section 1.3
  • Section 7.1 - same comment as Section 1.1
  • Section 7.3 - same comment as Section 1.3
  • Section 11.1 - same comment as Section 1.1
  • Section 11.3 - same comment as Section 1.3
  • Section 13.1 - changed “End Users” to “Customer End Users”
  • Section 14.3 - changed “End Users authorized by Customer” to “those authorized by Customer”; changed “End Users” to “Customer End Users”; added new “(c) General Google Account Information”
  • Section 14.4 - same comment as Section 14.3
  • Section 14.5 - changed “End Users authorized by Customer” to “those authorized by Customer”; added exclusion for General Google Account Information
  • Section 14.6 - same comment as Section 14.5
  • Section 14.7 - same comment as Section 14.5
  • Section 14.8 - same comment as Section 14.3
  • Section 14.10 - added new definition for “General Google Account Information” (having moved that language from the “Customer Data” definition in the main Terms of Service)
Was this page helpful? Let us know how we did: