Legal frameworks for data transfers

Effective May 25, 2018

Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in the Privacy Policy. We also comply with certain legal frameworks relating to the transfer of data, such as the European frameworks described below.

The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal data. You can review current European Commission adequacy decisions here. To transfer data from the EEA to other countries, such as the United States, we comply with legal frameworks that establish an equivalent level of protection with EU law.

EU-US and Swiss-US Privacy Shield frameworks

As described in our Privacy Shield certification, we comply with the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland, respectively. Google, including Google LLC and its wholly-owned US subsidiaries, has certified that it adheres to the Privacy Shield Principles. Google remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “Sharing your information” section. To learn more about the Privacy Shield program, and to view Google’s certification, please visit the Privacy Shield website.

If you have an inquiry regarding our privacy practices in relation to our Privacy Shield certification, we encourage you to contact us. Google is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC). You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles.

Model contract clauses

The European Commission has approved the use of model contract clauses as a means of ensuring adequate protection when transferring data outside of the EEA. By incorporating model contract clauses into a contract established between the parties transferring data, personal data can be protected when transferred outside the EEA to countries which have not been deemed by the European Commission to adequately protect personal data.

Google offers these model contract clauses for customers of its business services, including GSuite and Google Cloud Platform. Details of Google’s use of model contract clauses can be found at privacy.google.com/businesses.