The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, now replacing the 1995 EU Data Protection Directive. The GDPR lays out specific requirements for businesses and organizations that are established in Europe or who serve users in Europe. It regulates how businesses can collect, use, and store personal data.
Terms & contractual protections Where we act as a processor of personal data, we make available data processing terms, reflecting the controller-processor relationship, where required. Products where Google acts as a processor include:
Ads Data Hub
Google Ads Customer Match
Google Ads Store sales (direct upload)
Google Marketing Platform (including Display & Video 360, Campaign Manager, Search Ads 360, Google Analytics, Tag Manager, Optimize, Data Studio, Attribution, and Google Analytics for Firebase)
Google Cloud Platform
The data processing terms that we offer for the Ads products listed above are available here. More information about the types of personal data in scope for those terms for each Ads product can be found here. Information about Google Cloud Platform and G Suite commitments to the GDPR, including data processing terms, can be found here.
Additionally, for products where Google and the customer each act as independent controllers of personal data, we have updated our agreements or made available terms that reflect that status. These Google products include:
Google Ads (including Shopping and Hotel Ads, but not Google Ads features where we act as a processor of personal data - see above)
Google Ad Manager
Google Customer Reviews
Google Maps APIs
Waze Audio SDK
The controller-controller terms that we offer for the Ads products listed above are available here. We have published additional information on our Help Center to address common questions: Ad Manager, AdSense, and AdMob.
We also offer European Model Contract Clauses to address EU data-transfer requirements for Google Cloud Platform and G Suite. We previously obtained Common Opinions from EU Data Protection Authorities confirming the alignment of our Model Contract Clauses with the Standard Contractual Clauses published by the European Commission.
The Privacy Shield frameworks provided a mechanism to comply with data protection requirements when transferring EEA, UK or Swiss personal data to the United States and onwards. While the Swiss-U.S. Privacy Shield currently remains valid, in light of the recent Court of Justice of the European Union ruling on data transfers, invalidating the EU-U.S.
Privacy Shield, Google will be moving to reliance on Standard Contractual Clauses for relevant data transfers, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR. We will share more information about these updates (including timelines) as soon as possible. Standard Contractual Clauses are already offered as a transfer mechanism by Google Cloud.
If your existing contract does not incorporate our Ads data protection terms, please review the product-specific Help Center articles under "Useful links" for more information.
We are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.
We will continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.
Terms & policies: