GDPR and Google Cloud | Google Cloud
FAQ
Answers to Frequently Asked Questions about Google Cloud and GDPR
No. Like the 95/46/EC Directive on Data Protection, the GDPR sets out certain conditions for the transfer of personal data outside of the EU. Such conditions can be met via mechanisms such as standard contract clauses.
For many years, Google Cloud has offered data processing terms that clearly articulate our privacy and security commitment to customers, and we have evolved those terms to reflect the GDPR. Our GDPR-updated terms notably reflect the provisions of Article 28 of the GDPR governing the use of a data processor by a data controller.
Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors. Our updated data processing agreements include audit rights for the benefit of customers who are subject to the GDPR.
Our third-party ISO/IEC certifications and SOC 2/3 audit reports can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organizational measures are in place. Our ISO/IEC 27701 certification provides greater clarity on privacy-related roles and responsibilities, which can facilitate efforts to comply with privacy regulations, including the GDPR.
How does Google Cloud support International Data Transfers in the Cloud?
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the Japanese Act on the Protection of Personal Information (APPI) and the Swiss Data Protection Act.
Where personal data will be transferred outside of the EU to third countries not covered by adequacy decisions, we commit under our data processing agreements to maintain a mechanism that will facilitate these transfers as required by the GDPR. In 2017, we gained confirmation of compliance from European Data Protection Authorities for our standard contract clauses, affirming that our contractual commitments for Google Workspace and Google Cloud met the requirements to legally frame transfers of personal data from the EU to the third countries that do not provide adequate protection.
While Google will continue to review the impact of the Court of Justice of the European Union (CJEU) case C-311/18, one thing remains unchanged: Google will take appropriate steps to ensure we maintain a high level of privacy protection for EU citizens.
Google Cloud offers Standard Contractual Clauses (SCCs) to our customers, which will be automatically deemed to apply in the absence of any alternate transfer solution made available by Google. Regardless of the location of the data, data protection remains a priority for Google. See the Safeguards for International Data Transfers with Google Cloud Whitepaper for more information.
We are certified against recognised international standards such as ISO/IEC 27001, ISO/IEC 27018 and ISO/IEC 27017. The complete listing of Google’s compliance offerings can be found on the compliance resource center.
Where can I find other European Privacy Resources?
Disclaimer: The content contained herein is correct as of August 2021 and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers. When referring to Google Workspace, we also refer to Google Workspace for Education. We are bringing Google Workspace to our education and nonprofit customers in the coming months.