Google Workspace
Is G Suite GDPR compliant?
The question is: does the GDPR require you to store your data exclusively on premises within the EU? To give you the full answer, let's start with the basic terminology.
If you use Google’s G Suite, according to the legislation you are the data controller and Google is the data processor. In every case, you are the exclusive owner of your data. There are, however, some differences between the free (consumer) version of Gmail and G Suite in how Google can or cannot use your data, but that is a whole other story.
Let’s cut to the chase. Chapter V of the GDPR, entitled “Transfers of personal data to third countries or international organisations”, explains in Article 45 all you need to know about transferring and storing data, including in G Suite:
“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”
Other articles of the GDPR specify in more detail what an “adequate level of protection” is. It’s long and boring legal jibber-jabber that none of us regular mortals can really understand, but thank heavens for our lawyers, who can decipher it and translate it into normal human language.
To make a long story short, we learn from this chapter that your data can be physically stored anywhere in the world, as long as that place offers a level of protection equivalent to GDPR standards.
Now let’s take a look at how Google, as a data processor, makes sure that G Suite and Google Cloud comply with GDPR requirements. The “International Data Transfers” section of Google’s GDPR resource site (https://cloud.google.com/security/gdpr/) says the following:
“We contractually commit under our current data processing agreements to maintain a mechanism that facilitates transfers of personal data outside of the EU as required by the GDPR. Google’s certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks includes G Suite and Google Cloud Platform. We have also gained confirmation of compliance from European Data Protection Authorities for our model contract clauses, affirming that our contractual commitments for G Suite and Google Cloud Platform fully meet the requirements to legally frame transfers of personal data from the EU to the rest of the world.”
Well said, clear and direct. So the answer to the ultimate question is: YES, G Suite can be GDPR compliant, and NO, your data does not have to be physically stored on servers within the EU to be compliant with the GDPR. So are you covered? That still raises a question. Did you notice the phrase “... our model contract clauses ...” in that Google text? Why am I pointing this out? Because you must accept Google’s terms and conditions to be covered. Not sure whether you have already accepted them? Navigate here for instructions: https://support.google.com/a/answer/2888485
If you need expert assistance reviewing and managing these contractual commitments and ensuring compliance, Revolgy offers specialized Google Workspace implementation and management services to guide your organization through GDPR requirements and optimize your Google Workspace environment.
So finally, YES: as soon as you accept these conditions (you might want to review them with your favourite lawyer first), your G Suite is GDPR compliant.
If for other reasons (internal company requirements, for example) you still want your data located in a particular geographic region (the United States or Europe), that is still possible. The G Suite Business, Enterprise and Drive Enterprise editions include a feature that lets you choose the location where your data is stored.
If you wish to upgrade your G Suite, we will be more than happy to assist you. Contact us here.
Resources:
Google Cloud GDPR resources: https://cloud.google.com/security/gdpr/
GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1501688126470&uri=CELEX:32016R0679
FAQs
Q1: In the context of G Suite and GDPR, who is considered the “data controller” and who is the “data processor”?
When using G Suite, the customer (your company) is the data controller, and Google acts as the data processor. The customer remains the exclusive owner of the data.
Q2: Does the GDPR mandate that personal data must be physically stored on servers within the European Union?
No. According to Article 45 of the GDPR, as explained in the text, transferring and storing data outside the EU is permissible if the third country or international organisation ensures an “adequate level of protection” as determined by the European Commission.
Q3: What constitutes an “adequate level of protection” for storing data outside the EU under GDPR?
It means the location or organisation must provide a level of data protection equivalent to the standards set by the GDPR.
Q4: As of November 2018, what measures did Google state it employed to facilitate GDPR-compliant data transfers for G Suite users?
Google stated it used contractual commitments via data processing agreements, maintained certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and had its model contract clauses validated by European Data Protection Authorities.
Q5: Based on these measures, could G Suite be used in a GDPR-compliant manner?
Yes, the text concludes that G Suite can be GDPR compliant.
Q6: What step is essential for a G Suite customer to ensure their G Suite usage falls under Google’s stated GDPR compliance framework?
The customer must accept Google’s terms and conditions, specifically the data processing agreements that include the model contract clauses mentioned.
Q7: Was it possible for G Suite customers to specify a geographic region (like Europe or the US) for their data storage?
Yes, this option was available for customers using G Suite Business, G Suite Enterprise, or G Suite Drive Enterprise editions.
Q8: Why might a company choose a specific data storage location if not strictly required by GDPR for compliance?
Companies might choose a specific location due to their own internal requirements or policies.
Q9: What service did Revolgy offer in relation to G Suite editions?
Revolgy offered assistance to customers looking to upgrade their G Suite edition.
Want to learn more about security?
Check out my other blog post: Who is the real owner of your company’s documents?