Legal frameworks for data transfers

Effective September 30, 2020

Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in the Privacy Policy. We also comply with certain legal frameworks relating to the transfer of data, such as the European frameworks described below.

The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal data. You can review current European Commission adequacy decisions here. To transfer data from the EEA to other countries, such as the United States, we comply with legal frameworks that establish an equivalent level of protection with EU law.

Model contract clauses

The European Commission has approved the use of model contract clauses as a means of ensuring adequate protection when transferring data outside of the EEA. By incorporating model contract clauses into a contract established between the parties transferring data, personal data is considered protected when transferred outside the EEA or the UK to countries which are not covered by an adequacy decision.

We rely on these model contract clauses for data transfers.

Google also offers these model contract clauses for customers of its business services, including Google Workspace, Google Cloud Platform, Google Ads, and other ads and measurement products. Details of Google’s use of model contract clauses for business services can be found at privacy.google.com/businesses.

EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

As described in our Privacy Shield certification, we comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries (including EEA member countries) and the UK as well as Switzerland, respectively. Google, including Google LLC and its wholly-owned US subsidiaries (unless explicitly excluded), has certified that it adheres to the Privacy Shield Principles. Google remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “Sharing your information” section. To learn more about the Privacy Shield program, and to view Google’s certification, please visit the Privacy Shield website.

If you have an inquiry regarding our privacy practices in relation to our Privacy Shield certification, we encourage you to contact us. Google is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC). You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles.

As of July 16, 2020, we no longer rely on the EU-U.S. Privacy Shield to transfer data that originated in the EEA or the UK to the U.S.