The Spanish Data Protection Authority (AEPD) confirms compliance of Google Cloud commitments for international data flows

Millions of organizations use Google Cloud services every day, relying on Google to provide world-class privacy and security protections. Data protection is central to our mission, and we're always looking at ways to facilitate our customers’ compliance journey.

Today we’re pleased to announce that the Spanish Data Protection Agency (“Agencia Española de Protección de Datos” or “AEPD”) has issued a decision confirming that the guarantees established by the contractual commitments provided by Google for the international transfers of data to U.S. connected to its G Suite and Google Cloud Platform (GCP) services are adequate. Therefore, the international transfers to U.S. under such contractual commitments are deemed authorized by the AEPD provided the conditions established by the AEPD’s decision are met.

This authorization benefits all of our G Suite and GCP customers in Spain, who don’t need to pursue it individually. Rather, customers need to opt in to the relevant model contract clauses (via the online processes described on our Help Centers for G Suite and GCP services, respectively) and notify their relevant transfer to the AEPD’s registry. For more details, please see the AEPD’s decision.

The EU’s Data Protection Authorities had already confirmed earlier this year that Google Cloud services’ contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world in accordance with the EU Data Protection Directive 95/46/EC.  

This authorization is an important milestone for Google and its Spanish customers, as it reaffirms that the legal protections underpinning G Suite and GCP international data flows meet European and Spanish regulatory requirements. Furthermore, our customers can count on the fact that Google is committed to comply with the General Data Protection Regulation (GDPR) across G Suite and GCP services.