This is an archived version of our Legal Frameworks For Data Transfers. View the current version or all past versions.

Legal frameworks for data transfers

Effective 1 September 2023

We maintain servers around the world and your information may be processed on servers located outside the country where you live. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in the privacy policy. We also comply with certain legal frameworks relating to the transfer of data, such as the frameworks described below.

Adequacy decisions

The European Commission has determined that certain countries outside the European Economic Area (EEA) adequately protect personal information, which means that data can be transferred from the European Union (EU) and Norway, Liechtenstein and Iceland to those countries. The UK and Switzerland have adopted similar adequacy mechanisms. We rely on the following adequacy mechanisms:

EU–US and Swiss–US Data Privacy Frameworks

As described in our Data Privacy Framework certification, we comply with the EU–US and Swiss–US Data Privacy Frameworks (DPF) and the UK Extension to the EU–US DPF as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from the EEA, Switzerland and the UK, respectively. Google LLC (and its wholly owned US subsidiaries unless explicitly excluded) has certified that it adheres to the DPF Principles. Google remains responsible for any of your personal information that is shared under the Onward Transfer principle with third parties for external processing on our behalf, as described in the ‘Sharing your information’ section of our privacy policy. To learn more about the DPF, and to view Google’s certification, please visit the DPF website.

If you have an enquiry regarding our privacy practices in relation to our DPF certification, we encourage you to contact us. Google is subject to the investigatory and enforcement powers of the US Federal Trade Commission. You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the DPF Principles.

We currently do not rely on the Swiss–US DPF and the UK Extension to the EU–US DPF to transfer personal information to the US.

Standard contractual clauses

Standard contractual clauses (SCCs) are written commitments between parties that can be used as a ground for data transfers from the EEA to third countries by providing appropriate data protection safeguards. SCCs have been approved by the European Commission and cannot be modified by the parties using them (you can see the SCCs adopted by the European Commission here, here and here). Such clauses have also been approved for transfers of data to countries outside the UK and Switzerland. We rely on SCCs for our data transfers where required and in instances where they are not covered by an adequacy decision. If you want to obtain a copy of the SCCs, you can contact us.

Google may also incorporate SCCs into contracts with customers of its business services, including Google Workspace, Google Cloud Platform, Google Ads and other ads and measurement products. Learn more at privacy.google.com/businesses.

Google apps
Main menu