Legal frameworks for data transfers
Effective February 10, 2022
The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal data, which means that data can be transferred from the European Union (EU) and Norway, Liechtenstein, and Iceland to that third country without any further safeguard being necessary. The UK and Switzerland have approved similar adequacy decisions. We rely on the following adequacy decisions in some cases:
Standard contractual clauses
Standard contractual clauses (SCCs) are written commitments between parties that can be used as a ground for data transfers from the EU to third countries by providing appropriate data protection safeguards. SCCs have been approved by the European Commission and can’t be modified by the parties using them (you can see the SCCs adopted by the European Commission here, here, and here). Such clauses have also been approved for transfers of data to countries outside the UK and Switzerland. We rely on SCCs for our data transfers where required. If you want to obtain a copy of the SCCs, you can contact us.
Google also incorporates SCCs into contracts with customers of its business services, including Google Workspace, Google Cloud Platform, Google Ads, and other ads and measurement products. Learn more at privacy.google.com/businesses.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
As described in our Privacy Shield certification, we comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries (including EEA member countries) and the UK as well as Switzerland, respectively. Google, including Google LLC and its wholly-owned US subsidiaries (unless explicitly excluded), has certified that it adheres to the Privacy Shield Principles. Google remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “Sharing your information” section. To learn more about the Privacy Shield program, and to view Google’s certification, please visit the Privacy Shield website.
If you have an inquiry regarding our privacy practices in relation to our Privacy Shield certification, we encourage you to contact us. Google is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC). You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles.
As of July 16, 2020, we no longer rely on the EU-U.S. Privacy Shield to transfer data that originated in the EEA or the UK to the U.S.