
The General Data Protection Regulation (GDPR) is privacy legislation that, on May 25, 2018, replaced the 95/46/EC Directive on Data Protection of 24 October 1995. GDPR lays out specific requirements for businesses and organizations that are established in Europe or that serve users in Europe. It:
At Google Cloud, we champion initiatives that prioritize and improve the security and privacy of customer personal data, and want you, as a Google Cloud customer, to feel confident using our services in light of GDPR requirements. If you partner with Google Cloud, we will support your GDPR compliance efforts by:
Data controllers must use data processors with appropriate technical and organizational measures. When conducting your GDPR assessment of Google Cloud, consider the following:
Data Protection Expertise
Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This expert team is tasked with maintaining the company’s defense systems, developing security review processes, building stronger security infrastructure, and precisely implementing Google’s security policies.
Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google Cloud.
These teams work with customers, industry stakeholders, and supervisory authorities to ensure our Google Workspace and Google Cloud services can help customers meet their compliance needs.
Data Processing Agreements
Our data processing agreements for Google Workspace and Google Cloud clearly articulate our privacy commitment to customers. We have evolved these terms over the years based on feedback from our customers and regulators.
We specifically updated these terms to reflect the GDPR and to facilitate our customers' compliance assessment and GDPR readiness when using Google Cloud services. Learn more about the Google Workspace Data Processing Amendment, the Google Workspace EU Standard Contract Clauses, the Google Cloud Data Processing and Security Terms, and the Google Cloud EU Standard Contract Clauses (SCCs).
Our customers can enter into these updated data processing terms via the opt-in process described for the Google Workspace Data Processing Amendment and the Google Cloud Data Processing and Security Terms.
Processing According to Instructions
Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our GDPR-updated data processing agreements.
Personnel Confidentiality Commitments
All Google employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as our Code of Conduct training. Google’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.
Google Group companies directly conduct the majority of data processing activities required to provide the Google Workspace and Google Cloud services. However, we do engage some third-party vendors to assist in supporting these services. Each vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.
We make information available about Google group subprocessors supporting Google Workspace and Google Cloud services, as well as third-party subprocessors involved in those services. See here for Google Workspace subprocessor details, and here for Google Cloud subprocessor details. We also include commitments relating to subprocessors in our data processing agreements.
According to the GDPR, appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to the risk.
Google operates a global infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators. Google Workspace and Google Cloud run on this infrastructure.
We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers, to the security protections of our hardware and software, to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do. A detailed discussion of our infrastructure security can be found in the Google Infrastructure Security Design Overview whitepaper.
Availability, Integrity & Resilience
Google designs the components of our platform to be highly redundant. Google’s data centers are geographically distributed to minimize the effects of regional disruptions, such as natural disasters and local outages, on global products. In the event of hardware, software, or network failure, services are automatically and instantly shifted from one facility to another so that operations can continue without interruption. Our highly redundant infrastructure helps customers protect themselves from data loss.
Equipment Testing and Security
Google utilizes barcodes and asset tags to track the status and location of data center equipment from acquisition to installation, retirement, and destruction. If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. Google hard drives leverage technologies, such as Full Disk Encryption (FDE) and drive locking, to protect data at rest.
Disaster Recovery Testing
Google conducts disaster recovery testing on an annual basis to provide a coordinated venue for infrastructure and application teams to test communication plans, fail-over scenarios, operational transition, and other emergency responses. All teams that participate in the disaster recovery exercise develop testing plans and post-mortems that document the results and lessons learned from the tests.
Encryption
Google uses encryption to protect data in transit and at rest. Google Workspace data in transit between regions is protected using HTTPS, which is activated by default for all users. Google Workspace and Google Cloud services encrypt customer content stored at rest, without any action required from customers, using on