Millions of organizations use Google Cloud services every day, relying on Google to provide world-class privacy and security protections. Data protection is central to our mission, and we're always looking at ways to facilitate our customers’ compliance journey.

Today we’re pleased to announce that the Spanish Data Protection Agency (“Agencia Española de Protección de Datos” or “AEPD”) has issued a decision confirming that the guarantees established by the contractual commitments provided by Google for the international transfers of data to U.S. connected to its G Suite and Google Cloud Platform (GCP) services are adequate. Therefore, the international transfers to U.S. under such contractual commitments are deemed authorized by the AEPD provided the conditions established by the AEPD’s decision are met.

This authorization benefits all of our G Suite and GCP customers in Spain, who don’t need to pursue it individually. Rather, customers need to opt in to the relevant model contract clauses (via the online processes described on our Help Centers for G Suite and GCP services, respectively) and notify their relevant transfer to the AEPD’s registry. For more details, please see the AEPD’s decision.

The EU’s Data Protection Authorities had already confirmed earlier this year that Google Cloud services’ contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world in accordance with the EU Data Protection Directive 95/46/EC.  

This authorization is an important milestone for Google and its Spanish customers, as it reaffirms that the legal protections underpinning G Suite and GCP international data flows meet European and Spanish regulatory requirements. Furthermore, our customers can count on the fact that Google is committed to comply with the General Data Protection Regulation (GDPR) across G Suite and Google Cloud Platform services.

What does this mean for our customers in the Spanish jurisdiction?

G Suite and GCP customers may benefit from a simplified process with regard to international data transfers via our services provided the conditions established by the AEPD’s decision are met.

What are the key aspects of the authorization from the Spanish data protection authority?

Customers in the Spanish jurisdiction can benefit from the authorization as long as the international transfer of personal data remains in the scope of the authorization. You can read the full authorization here. Customers will still be required to notify the AEPD and may need to comply with additional legal requirements. Please consult a lawyer to obtain legal advice specifically applicable to your business circumstances.

How can customers make use of Google’s authorization?

Customers must sign a contract. The contractual arrangements shall include the Data Processing Amendment (DPA) for G Suite / Data Processing and Security Terms (DPST) for GCP and the EU Model Contractual Clauses (MCCs). Our customers can enter into the applicable relevant model contract clauses via the online processes described here for G Suite services and here for GCP services.