Legal frameworks for data transfers
Effective 1 September 2023
The European Commission has determined that certain countries outside the European Economic Area (EEA) adequately protect personal information, which means that data can be transferred from the European Union (EU) and Norway, Liechtenstein and Iceland to those countries. The UK and Switzerland have adopted similar adequacy mechanisms. We rely on the following adequacy mechanisms:
EU–US and Swiss–US Data Privacy Frameworks
If you have an enquiry regarding our privacy practices in relation to our DPF certification, we encourage you to contact us. Google is subject to the investigatory and enforcement powers of the US Federal Trade Commission. You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the DPF Principles.
We currently do not rely on the Swiss–US DPF and the UK Extension to the EU–US DPF to transfer personal information to the US.
Standard contractual clauses
Standard contractual clauses (SCCs) are written commitments between parties that can be used as a ground for data transfers from the EEA to third countries by providing appropriate data protection safeguards. SCCs have been approved by the European Commission and cannot be modified by the parties using them (you can see the SCCs adopted by the European Commission here, here and here). Such clauses have also been approved for transfers of data to countries outside the UK and Switzerland. We rely on SCCs for our data transfers where required and in instances where they are not covered by an adequacy decision. If you want to obtain a copy of the SCCs, you can contact us.
Google may also incorporate SCCs into contracts with customers of its business services, including Google Workspace, Google Cloud Platform, Google Ads and other ads and measurement products. Learn more at privacy.google.com/businesses.