We are committed to complying with applicable data protection laws

Where we act as a processor of personal data, we make available data processing terms, reflecting the controller-processor relationship, where required. Products where Google acts as a processor include:

• Ads Data Hub
• Google Ads Customer Match
• Google Ads Store sales (direct upload)
• Android Enterprise
• Google Marketing Platform (including Display & Video 360, Campaign Manager, Search Ads 360, Google Analytics, Tag Manager, Optimize, Data Studio, Attribution, and Google Analytics for Firebase)
• Google Cloud Platform
• G Suite

The data processing terms that we offer for the Ads products listed above are available here. More information about the types of personal data in scope for those terms for each Ads product can be found here. Information about Google Cloud Platform and G Suite commitments to the GDPR, including data processing terms, can be found here.

Additionally, for products where Google and the customer each act as independent controllers of personal data, we have updated our agreements or made available terms that reflect that status. These Google products include:

• Google AdMob
• Google AdSense
• Google Ads (including Shopping and Hotel Ads, but not Google Ads features where we act as a processor of personal data - see above)
• Google Ad Manager
• Google Customer Reviews
• Google Maps APIs
• Waze Audio SDK

The controller-controller terms that we offer for the Ads products listed above are available here. We have published additional information on our Help Center to address common questions: Ad Manager, AdSense, and AdMob.

We also offer European Model Contract Clauses to address EU data-transfer requirements for Google Cloud Platform and G Suite. We previously obtained Common Opinions from EU Data Protection Authorities confirming the alignment of our Model Contract Clauses with the Standard Contractual Clauses published by the European Commission.

We offer a Business Associate Agreement addressing requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA) for certain products within Google Cloud Platform and G Suite.

Publishers and advertisers who use our advertising and measurement products globally must comply with our EU User Consent Policy, and are required to collect consent from EEA users for personalized ads and use of cookies/local storage on their sites and apps. So if you're a publisher or advertiser using Google advertising and measurement services, you'll need to take steps to make sure users' preferences are respected to meet the requirements of Policy.

As a marketer we know you need to select products that are compliant and use personal data in ways that are compliant. We are committed to complying with the GDPR and would encourage you to check in on compliance plans within your own organization. Key areas to think about:

• How does your organization ensure user transparency and control around data use? Do you explain to your users the types of data you collect and for what purposes?
• Are you sure that your organization has the right consents in place where these are needed under the GDPR and (if applicable) the Google EU User Consent Policy? Do you have all of the relevant consents across your ad supply chain?
• Does your organization have the right systems to record user preferences and consents?
• How will you show to regulators and partners that you meet the principles of the GDPR and are an accountable organization?

We are well placed to meet the security requirements of the GDPR. Our services are backed by robust, state-of-the-art technical and organizational safeguards, dedicated security and privacy teams, and our program is reviewed annually by third-party auditors.

We will promptly inform you of incidents involving your customer data in line with the data incident terms in our agreements with you. We maintain and continue to invest in advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help you identify and respond to security or privacy events without delay and with available information.

We provide transparency about how data is used in our ads products. We ask users for permission to use data to personalize ads and provides transparency into how the data is used in real time via “Why This Ad?” We provide detailed explanations on how we use data on privacy.google.com and in our Privacy Policy. We also provide transparency to users on what data Google saves about them in their Google Account, where users can view and manage their data, privacy, and security settings. Users can go to their ad settings to control the use of data for ads personalization and for all ads shown by Google, including on our Google Marketing Platform products. In light of GDPR and as part of our continued commitment to giving users controls to manage their privacy, we have updated our account creation experience to give users more options on what data they choose to save in their account.

We continue to offer a range of international data-transfer mechanisms and we are certified under the EU - U.S. and Swiss - U.S. Privacy Shield frameworks, which are a legal mechanism to enable the transfer of personal data from the EEA and Switzerland to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. We also offer EU-approved Model Contract Clauses for some services.

We will, in addition, continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.

We already have processes to build privacy into our products from the very earliest stages, and we are continually evolving our practices, including Data Protection Impact Assessments, to meet worldwide requirements including those in the GDPR around Privacy by Design and Privacy by Default.

Learn more about how Google is committed to GDPR compliance across G Suite and Google Cloud Platform services.

Terms & policies:

• Ads Controller Terms
• Ads Processor Terms
• Breakdown of Google’s Controller and Processor Ads Products
• Advertising & Cookies
• EU User Consent Policy
• Help with the EU user consent policy

Tools to help publishers comply with the GDPR:

• Ad Manager
• AdMob
• AdSense

Tools to help advertisers comply with the GDPR:

• Display & Video 360
• Campaign Manager
• Search Ads 360

Resources:

• Cookie Choices.org

We’ve updated our ads data retention policies and we’re making changes to our products to unify retention practices.

ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes, and data centers serving Google Cloud Platform, G Suite, Google Analytics, Google Analytics 360, Tag Manager 360, Optimize 360, Attribution 360, Audience Center 360, Data Studio, DoubleClick for Publishers, Adwords Customer Match, DoubleClick Digital Marketing and Android Recognition Service (certification pending).

ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for cloud services.

Google has been certified compliant with ISO 27017 for Google Cloud Platform products and G Suite.

ISO 27018 is an international standard of practice for protection of personally identifiable information (PII) in public cloud services.

Google has been certified compliant with ISO 27018 for Google Cloud Platform products and G Suite.

The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and Criteria for security, availability, processing integrity, and confidentiality.

Google has both SOC 2 and SOC 3 reports for Google Cloud Platform and G Suite. You can download our SOC 3 report. We also have SOC 1 Type 2 for AdWords, AdSense, DoubleClick Campaign Manager, DoubleClick for Publishers, and DoubleClick Ad Exchange, available to customers under NDA.

The Privacy Shield Frameworks are designed to provide a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. We adhere to the EU-US and Swiss-US Privacy Shield Frameworks (view certification).

FedRAMP is a program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the U.S. federal government. Google maintains a FedRAMP Authorization to Operate (ATO) for G Suite and Google App Engine.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements for entities that store, process, or transmit payment card data. The following Google services have been reviewed by an independent Qualified Security Assessor and determined to be compliant with the current version of PCI DSS: Android Pay, Google App Engine, Google Compute Engine, Google Cloud Storage, Google Cloud Datastore, Google Cloud SQL, Google BigQuery, Google Cloud Dataproc, Google Cloud Dataflow, Google Container Engine, Google Container Registry, Google Cloud Bigtable.