Google Cloud Privacy Notice
Effective Date: December 14, 2022
This Google Cloud Privacy Notice describes how we collect and process your personal information in relation to Google Workspace (including Google Workspace for Education), Google Cloud Platform, Cloud Identity (when sold separately) and Implementation Services (together, “Cloud Services”).
We offer Cloud Services to our customers either directly or via our authorized partners. Where we refer to our customers in this notice, we also mean our partners and their customers.
If European Union (EU), UK or Swiss data protection law applies to the processing of Service Data relating to you, you can review the ‘EU Privacy Standards and GDPR’ section below to learn more about your rights and Google’s compliance with these laws.
Google processes Customer Data, Partner Data and Service Data to provide Cloud Services. This Privacy Notice applies solely to Service Data and does not apply to Customer Data or Partner Data. We explain what we mean by “Service Data” below.
Customer Data and Partner Data are defined in the agreement(s) with our customers covering Cloud Services and represent the data that you and our customers provide for processing in Cloud Services. For more information about how we process Customer Data and Partner Data, see our Cloud Data Processing Addendum (Customers) and Cloud Data Processing Addendum (Partners).
Service Data is the personal information Google collects or generates during the provision and administration of the Cloud Services and related technical support, excluding any Customer Data and Partner Data.
Service Data consists of:
- Account information. We collect the data you provide when creating an account for Cloud Services or entering into a contract with us (credentials, names, contact details and job titles).
- Cloud payments and transactions. We keep reasonable business records of charges, payments, and billing details and issues.
- Cloud settings and configurations. We record your configuration and settings, including resource identifiers and attributes, and service and security settings for data and other resources.
- Technical and operational details of your usage of Cloud Services. We collect information about usage, operational status, software errors and crash reports, authentication credentials, quality and performance metrics, and other technical details necessary for us to operate and maintain Cloud Services and related software. This information includes device identifiers, identifiers from cookies or tokens, and IP addresses.
- Your direct communications. We keep records of your communications and interactions with us and our partners (for example, when you provide feedback, ask questions or seek technical support).
Google processes Service Data for the following purposes:
- Provide Cloud Services you request. We use Service Data primarily to deliver the Cloud Services that you and our customers request. This includes processing Service Data as needed to conduct checks before extending credit to certain customers, to bill for the Cloud Services used, to ensure those services are delivered or working as intended, to detect and avoid outages or other technical problems, and to secure your data and services.
- Make recommendations to optimize use of Cloud Services. We use Service Data to provide you and our customers with recommendations (for example, suggesting ways to better secure your account or data, reduce service charges or improve performance, or optimize your configurations), and to provide information about new or related products and features. We also evaluate your responses to our recommendations.
- Maintain and improve Cloud Services. We evaluate Service Data to help us improve the performance and functionality of Cloud Services. As we improve Cloud Services for you, this will improve them for our customers, and vice versa.
- Provide and improve other services you request. We use Service Data to deliver and improve other services that you and our customers request, including Google or third-party services that are enabled via the Cloud Services, administrative consoles, application programming interfaces (APIs) or command line interfaces (CLIs), or the Google Cloud Platform Marketplace or Google Workspace Marketplace.
- Assist you. We use Service Data to provide technical support for Cloud Services that you and our customers request, and to assess whether we have met your needs. We also use Service Data to improve our technical support, inform you and our customers about updates to Cloud Services and send other notifications.
- Protect you, our users, customers, the public, and Google. We use Service Data to detect, prevent and respond to fraud, abuse, security risks, and technical issues that could harm you, other users, our customers, the public, or Google. This helps make our services safer, more reliable, and more secure.
- Comply with legal obligations. We use Service Data to comply with our legal obligations (for example, where we’re responding to legal process or an enforceable governmental request, or meeting our financial record-keeping obligations).
To achieve these processing purposes, we use algorithms to recognize patterns in Service Data, manual review of Service Data (such as when you interact directly with our billing or support teams), aggregation or anonymization of Service Data to eliminate personal information, and combination of Service Data with information from other Google products and services. We also use Service Data for internal reporting and analysis of applicable product and business operations.
We maintain data centers around the world, and provide Google Workspace (including Google Workspace for Education) and Cloud Identity (when sold separately) from these locations, and Google Cloud Platform from these locations.
Service Data may be processed on servers located outside of the country where our users and customers are located because Service Data is typically processed by centralized or regionalized operations like billing, support, and security.
Regardless of where Service Data is processed, we apply the same protections described in this Privacy Notice. When transferring Service Data outside of the European Economic Area, we comply with certain legal frameworks.
We build Cloud Services with strong security features to protect your data. The insights we gain from providing our services help us detect and automatically block security threats from ever reaching you.
We work hard to protect the Service Data we hold from unauthorized access, alteration, disclosure, or destruction, including by:
- Encrypting Service Data at rest and while in transit between our facilities;
- Regularly reviewing our Service Data collection, storage, and processing practices, including our physical security measures, to prevent unauthorized access to our systems; and
- Restricting access to Service Data to Google employees, contractors, and agents who need it in order to process Service Data for us. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
We instruct our affiliates to process Service Data for the purposes listed under “Why We Process Service Data” above, in compliance with this Privacy Notice and appropriate confidentiality and security measures.
We do not share Service Data with companies, organizations, or individuals outside of Google except in the following cases:
- When you procure third-party services
We share Service Data outside of Google when you or our customer choose(s) to procure a third-party service through Google Cloud Platform, the Google Cloud Platform Marketplace or the Google Workspace Marketplace, or use a third-party application that requests access to your Service Data.
- With your consent
We’ll share Service Data outside of Google where we have obtained your consent.
- With your administrators and authorized resellers
When you use Cloud Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain Service Data. For example, they may be able to:
- View account and billing information, activity and statistics
- Change your account password
- Suspend or terminate your account access
- Access your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request
- Restrict your ability to delete or edit your information or your privacy settings
- For external processing
We do not sell your Service Data to any third parties.
We share Service Data with trusted third party providers to process it for us as we instruct them and in compliance with this Privacy Notice and appropriate confidentiality and security measures. In particular, we share Service Data with our third party providers when you request technical support services (we share the information you provide in the support ticket) and professional services (we share your contact details to enable communication and collaboration).
- For legal reasons
We share Service Data outside of Google when we have a good-faith belief that access to, or disclosure of, that Service Data is reasonably necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request. We share information about the number and type of requests we receive from governments in our Transparency Report.
- Enforce applicable agreements, including investigation of potential violations.
- Detect, prevent, or otherwise address fraud, security, or technical issues.
- Protect against harm to the rights, property or safety of Google, our customers, users, and the public as required or permitted by law.
If Google is involved in a reorganization, merger, acquisition, or sale of assets, we’ll continue to ensure the confidentiality of Service Data and give affected users notice before Service Data becomes subject to a different privacy policy.
Your organization may allow you to access and export your data in order to back it up or transfer it to a service outside of Google. Some Google Cloud Services enable you to directly access and download the data you have stored in the services. As further described in our Google Workspace Data Subject Requests Guide, you or your organization may use various tools to access, control, and export your data.
You and your organization’s administrator can access several types of Service Data directly from Google Cloud, including your account information, billing contact information, payment and transaction information, as well as product and communication settings and configurations.
If you’re otherwise unable to access your Service Data, you can always request it here.
We retain Service Data for different periods of time depending on the type of data, how we use it, and how you configure your settings. When we no longer need Service Data, we delete or anonymize it.
For each type of Service Data and processing operation, we set retention timeframes based on the purposes for which we process it, and ensure that the Service Data is kept for no longer than necessary. We retain most types of Service Data for a set period of up to 180 days (the exact number depends on the specific type of data). However, some Service Data may be kept for longer periods where there is a business need. We generally have longer retention periods (which can be over a year) for Service Data that is kept for the following purposes:
- Security, fraud and abuse prevention. We retain Service Data when it is necessary to protect against fraudulent attempts to gain access to user accounts, or to investigate violations of applicable Cloud Services agreements. Usually, the Service Data retained where there is reason to suspect fraud or abuse would include device identifiers, identifiers from cookies or tokens, and IP addresses, as well as log data about usage of the Cloud Services.
- Complying with legal or regulatory requirements. We retain Service Data when required by an enforceable legal process, such as when Google receives a lawful subpoena.
- Complying with tax, accounting or financial requirements. When Google processes a payment for you, or when you make a payment to Google, we retain Service Data about those transactions (including billing information), typically for a minimum of five years, as required for tax or accounting purposes, or to comply with applicable financial regulations.
At the end of the applicable retention period, we follow detailed protocols to make sure that the Service Data is securely and completely deleted from our active systems (the servers Google uses to run applications and store data) or retained only in anonymized form. After completion of these steps, copies of Service Data will remain for a limited period in our encrypted backup systems (which we maintain to protect Service Data from accidental or malicious deletion and for outage and disaster recovery purposes), before being overwritten by new backup copies.
Your Google Account is your connection to all Google products and services, not just Cloud Services. When you choose to use Google products and services outside of Cloud Services, the Google Privacy Policy describes how your personal information (including your Google Account profile information) is collected and used. You and your administrator can control which other Google services you may use while logged into a Google Account managed by your organization.
If you interact with Cloud Services using a Google Account managed by your organization, then your personal information may be subject to your organization’s privacy policies and processes, and you should direct privacy inquiries to your organization.
Exercising your data protection rights
If European Union (EU), UK or Swiss data protection law applies to the processing of Service Data relating to you, you have certain rights, including the rights to access, correct, delete and export your Service Data, and to object to or request that we restrict processing of your Service Data.
Google Cloud EMEA Ltd will be the data controller responsible for your Service Data. However, where our customer has entered into an agreement covering Cloud Services with a different Google affiliate, that affiliate will be the data controller responsible for processing your Service Data in connection with billing for the Cloud Services only.
If you want to exercise your data protection rights with regard to Service Data we process in accordance with this Privacy Notice, and you are not able to do so via the tools available to you or your organization’s administrator, you can contact Google via our Privacy Help Center.
You can always contact your local data protection authority if you have concerns regarding your rights under local law.
Our grounds for processing your Service Data
When we process Service Data for the purposes described in this Privacy Notice (see “Why We Process Service Data” above), we rely on the following legal grounds:
Purpose | Types of Service Data Processed | Legal Grounds |
---|---|---|
Provide Cloud Services you request. | The following types of Service Data, as necessary for the purpose: | Where necessary for our legitimate interests in fulfilling the contractual obligations which we owe to our customer to provide the Cloud Services. |
Make recommendations to optimize use of Cloud Services. | The following types of Service Data, as necessary for the purpose: | When we’re pursuing legitimate interests in offering the best service we can, and ensuring our customers know how to get the most out of our services. In some cases we will seek your consent to send you marketing communications. |
Maintain and improve Cloud Services. | The following types of Service Data, as necessary for the purpose: | Where necessary for our legitimate interests in offering the best Cloud Services we can, and continuing to improve the Cloud Services to meet our customers’ needs. |
Provide and improve other services you request. | The following types of Service Data, as necessary for the purpose: | Where necessary for our legitimate interests in fulfilling the contractual obligations we owe to our customer to provide the Cloud Services, and where necessary for our legitimate interests in offering the best services we can, and continuing to improve the Cloud Services to meet our customers’ needs. |
Assist you. | The following types of Service Data, as necessary for the purpose: | Where necessary for our legitimate interests in fulfilling the contractual obligations we owe to our customer to provide the Cloud Services. |
Protect you, our users, customers, the public, and Google. | The following types of Service Data, as necessary for the purpose: | Where necessary for Google’s legitimate interest to protect against harm to the rights, property and safety of Google, and where necessary for Google’s and third parties’ legitimate interests to protect against harm to our users, our customers and the public, including criminal acts and rights violations. |
Comply with legal obligations. | Depending on the specific legal obligations, the following types of Service Data: | When we have a legal obligation to do so. For example, where we’re responding to legal process or an enforceable governmental request, or retaining information relating to your purchases and communications to meet our record-keeping obligations. |
If Brazilian data protection law applies to the processing of Service Data, you have certain rights, including the rights to access, correct, delete or export your Service Data, as well as to object to or request that we restrict processing of Service Data. You also have the right to object to the processing of Service Data or to export Service Data to another service.
For users based in Brazil, the data controller responsible for Service Data we collect for Google Workspace and Google Workspace for Education is Google LLC, and the data controller responsible for Service Data we collect for Google Cloud Platform is Cloud Brasil Computação e Serviços de Dados Ltda. If you want to exercise your data protection rights with regard to Service Data we process in accordance with this Privacy Notice and are not able to do so via the tools available to you or your organization’s administrator, you can always contact Google via our Privacy Help Center. And you can contact your data protection authority if you have concerns regarding your rights under Brazilian law.
In addition to the purposes and grounds described in this Privacy Notice, we may process Service Data on the following legal grounds:
- Where necessary for the performance of a contract with you
We may process your information where necessary for us to enter into a contract with you or to comply with our contractual commitments to you.
- When we’re complying with legal obligations
We’ll process your information when we have a legal obligation to do so.
- When we’re pursuing legitimate interests
We may process Service Data based on our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information in the interests of providing Cloud Services you request; making recommendations to optimize use of Cloud Services; maintaining and improving Cloud Services; providing and improving other services you request; assisting you; and protecting against harm to the rights, property or safety of Google, our users, our customers, and the public, as required or permitted by law.
Some U.S. state privacy laws like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA) require specific disclosures for state residents.
This Privacy Notice is designed to help you understand how Google handles Service Data:
- We explain the categories of Service Data Google collects and the sources of that Service Data in Service Data We Collect.
- We explain how Google uses Service Data in Why We Process Service Data.
- We explain when Google may share information in How We Share Service Data. Google does not sell your Service Data to any third parties. Google also does not “share” your personal information as that term is defined in the CCPA.
- We explain how Google retains Service Data in Retention and Deletion of Service Data.
State laws like the CCPA and VCDPA also provide the right to request information about how Google collects, uses, and discloses Service Data. And they give you the right to access and correct Service Data, and to request that Google delete that Service Data.
We provide the information and tools described in Access to Service Data so you can exercise these rights. When you use them, we’ll validate your request by verifying your identity (for example, by confirming that you’re signed in to your Google Account).
If you have questions or requests related to your rights under the CCPA or VCDPA, you (or your authorized agent) can also contact Google. And if you disagree with the decision on your request, you can ask Google to reconsider it by responding to the team’s email.
The CCPA requires a description of Service Data practices using specific categories. This table uses these categories to organize the information in this Privacy Notice.
Categories of Service Data we collect | Business purposes for which Service Data may be used or disclosed | Parties with whom Service Data may be shared |
---|---|---|
Identifiers and similar information such as your credentials, name, phone number, address, and job titles, as well as unique identifiers tied to the browser, application, or device you’re using. Demographic information, such as your preferred language and age. Commercial information such as records of charges, payments, and billing details and issues. Technical and operational details of your usage of Cloud Services, such as information about your usage, operational status, software errors and crash reports, authentication credentials, quality and performance metrics, and other technical details necessary for us to operate and maintain Cloud Services and related software. This includes device identifiers, identifiers from cookies or tokens, and IP addresses. Location data, as may be determined by GPS or IP address, depending in part on your device and account settings. Audio, electronic, visual and similar information, such as audio recordings of your calls with our technical support providers. Inferences drawn from the above, like aggregated performance metrics for a new product feature to determine product strategy. |
Google processes Service Data for the following purposes: Protecting against security threats, abuse, and illegal activity. Google uses and may disclose Service Data to detect, prevent and respond to fraud, abuse, security risks, and for protecting against other malicious, deceptive, fraudulent, or illegal activity. For example, to protect our services, Google may receive or disclose information about IP addresses that malicious actors have compromised. Auditing and measurement. Google uses Service Data for analytics and measurement to understand how our services are used, and to provide you and our customers with recommendations and tips. We may disclose non-personally identifiable information publicly and with partners, including for auditing purposes. Maintaining our services. Google uses Service Data to provide Cloud Services and related technical support, and other services you request, and ensure they are working as intended, such as tracking outages or troubleshooting bugs and other issues that you report to us. Product development. Google uses Service Data to improve Cloud Services and other services you request, and to develop new products, features and technologies that benefit our users and customers. Use of service providers. Google shares Service Data with service providers to perform services on our behalf, in compliance with this Privacy Notice and other appropriate confidentiality and security measures. For example, we may rely on service providers to help provide technical support. Legal reasons. Google also uses Service Data to satisfy applicable laws or regulations, and discloses information in response to legal process or enforceable government requests, including to law enforcement. We provide information about the number and type of requests we receive from governments in our Transparency Report. |
We do not share Service Data with companies, organizations, or individuals outside of Google except in the following cases: When you procure third-party services. We share Service Data outside of Google when you or our customers choose(s) to procure a third-party service through Google Cloud Platform, the Google Cloud Platform Marketplace or the Google Workspace Marketplace, or use a third-party application that requests access to your Service Data. With your consent. We’ll share Service Data outside of Google when we have obtained your consent. With your administrators and authorized resellers. When you use Cloud Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain Service Data. For external processing. We share Service Data with trusted third party providers to process it for us as we instruct them and in compliance with this Privacy Notice and appropriate confidentiality and security measures. In particular, we share Service Data with our third party providers when you request technical support services (we share the information you provide in the support ticket) and professional services (we share your contact details to enable communication and collaboration). For legal reasons. We share Service Data outside of Google when we have a good-faith belief that access to, or disclosure of, that Service Data is reasonably necessary to: |
If Korean data protection law applies to the processing of your Service Data, we provide the following additional information for users of Cloud Services residing in Korea.
Items of personal information collected. When you use our Cloud Services, the following Service Data is collected: (i) data you provide when creating an account for Cloud Services or entering into a contract with us (credentials, names, contact details and job titles), (ii) business records of charges, payments, billing details and issues; credit card info and connecting info, (iii) configuration and settings, including resource identifiers and attributes, and service and security settings, (iv) usage, operational status, software errors and crash reports, authentication credentials, quality and performance metrics, and other technical details, device identifiers, identifiers from cookies or tokens, and IP addresses, (v) your communications and interactions with us and our partners, and feedback, each as further described here.
The above personal information may be transmitted to our data centers located abroad through our network for the purposes listed below and stored for the retention period below.
We may use cookies (small text files placed on the user's device) and similar technologies for a variety of purposes, including user preferences or settings, authentication information, or analysis. Most web browsers accept cookies automatically, but provide controls that allow you to block or delete cookies.
Purpose of collection and use of personal information. Google collects and uses Service Data (i) to provide Cloud Services you request, (ii) to make recommendations to optimize use of Cloud Services, (iii) to maintain and improve Cloud Services, (iv) to provide and improve other services you request, (v) to assist you, (vi) to protect you, our users, customers, the public and Google, and (vii) to comply with legal obligations, each as further described here.
Retention period of personal information. Service Data is deleted or anonymized once it is no longer needed for the purposes described above. For each type of data and operation, we set retention timeframes based on the purpose for its collection, and ensure it is kept for no longer than necessary.
Deletion of personal information. If the retention period expires or you request deletion, Google will faithfully endeavor to delete such Service Data unless there is a legal obligation that requires processing or another lawful basis for retaining the Service Data. When we receive a request to delete personal information, the retention period of the archive copy expires, and then Google's archiving system has a mechanism to overwrite the expired data. In some cases, it may be necessary to store some data for a variety of other reasons, such as complying with legal obligations.
Consignment of personal information processing. We provide information to affiliates (listed here for Google Cloud Platform, and here for Google Workspace and Google Workspace for Education), partners and other trusted businesses or persons to process it for us, based on our instructions and in compliance with this Privacy Notice and other appropriate confidentiality and security measures.
Google has contracts with the third-party service providers listed below to provide Cloud Services to Korean residents. The contracts impose obligations on those companies to prohibit the processing of Service Data other than for the purposes we specify, to return or destroy Service Data after the end of processing, and to implement processes to ensure those companies comply with these obligations.
Third-party vendor | Role | Note |
---|---|---|
EPAM Systems Japan G.K.; Webhelp Malaysia Sdn. Bhd; TELUS International Philippines, Inc.; Infosys Limited. | Customer Support for Cloud Services | In order for Google to provide Cloud Services to Korean residents, these companies can process Service Data remotely from abroad during the retention period described above. |
Toss Payments Co., Ltd. (Korean Company) | Payment and notification services | |
Korea Mobile Certification Inc (Korean Company) | Identity verification service | |
D-Agent (Korean company) | Local representative for user's privacy inquiries | |
Legal minors. Our basic policy is not to collect personal information of Korean residents under the age of 14. If you are a Korean resident under the age of 14, you may use Cloud Services only with the consent of a parent or legal representative.
Safety measures for personal information. Google takes the administrative, technical and physical measures described in the "How We Secure Service Data" section above to ensure the safety of Service Data.
Contact Information. If you have any questions about the Google Cloud Privacy Notice or privacy practices, please contact our Google privacy team (Email: googlekrsupport@google.com). For local representatives under the Personal Information Protection Act and the Act on Promotion of Information and Communication Network Utilization and Information Protection, please see below:
- Name and Representative: D-Agent Co., Ltd. (CEO Byung-gun An)
- Address and Contact Information: #1116, Platinum Building, Gwanghwamun 28, Saemunan-ro 5-ga-gil, Jongno-gu, Seoul, 02-737-0346, google_da_kr@dagent.co.kr
If Japanese data protection law (the Act on the Protection of Personal Information, “APPI”) applies to the processing of your Service Data, we provide the following additional information for users of Cloud Services residing in Japan.
Controller of Service Data. Any Service Data provided to or gathered by Google is controlled primarily by Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Its representative is Sundar Pichai, CEO.
Purpose of collection and use of personal information. Google collects and uses Service Data for the purposes set out here and here.
Measures undertaken to protect retained personal information.
Establishment of general policy
Google establishes and publishes this Privacy Notice outlining our general policy relating to Service Data.
Establishment of internal policy relating to handling of personal data
Google establishes internal policies about handling measures and persons in charge and their responsibility etc. with regard to the acquisition, utilization, records, provision, deletion etc. of personal data.
Internal organization as security control action
Google has large security and privacy teams responsible for developing, implementing, and reviewing internal personal data handling processes. Google employees are trained to report suspected incidents involving personal data, which may be done through various channels such as through dedicated email addresses or digital platforms. A dedicated team assesses reported incidents, and as appropriate a coordinated team is assigned to manage the overall incident, including liaising with Legal and the product team as part of the investigation and response. The team on-call for an incident is assigned on a daily rotation. Incident responses may follow either a standard or an expedited route, depending on the severity and priority assigned to the incident.
Personnel measures as security control action
Google conducts periodical training for its employees about matters to consider when handling personal data.
Physical measures as security control action
Google takes measures to prevent unauthorized persons from accessing personal data in any situation and to prevent theft or loss of devices and electronic media for handling personal data.
Technical measures as security control action
Please see here and here for further information on the security measures undertaken to secure, retain and delete Service Data.
Research of external environment
Data protection laws vary among countries, with some providing more protection than others. Google has established a personal information protection system to ensure your information is accorded protections equivalent to APPI, as described in the Privacy Notice. Regardless of where your information is processed, Google applies the same personal information protection measures globally. We also comply with certain legal frameworks relating to the transfer of data, such as the European frameworks. For more detail, please see Data transfer frameworks. Further, with regard to the location of our data centers storing Service Data, please see here. There may be cases where Google entrusts the processing of information to subprocessors or its subsidiaries or affiliates. With regard to the location of Google’s offices including subsidiaries and affiliates, please see Google’s Office Locations. With regard to the location of subprocessors, please see here.
Contact information. For any inquiries or requests about your Service Data related rights under applicable law, please email appi-inquiries-external@google.com.
We may update this Privacy Notice from time to time. We will not make any significant changes without notifying you in advance by posting a prominent notice on this page describing the changes or by sending you a direct communication. We encourage you to regularly review this Privacy Notice, and we will always indicate the date the last changes were published.