Last updated September 24, 2021
Google Workspace and Cloud Identity offer the Data Processing Amendment (DPA), which incorporates standard contract clauses (SCCs), as a means of meeting the security, contracting and data transfer requirements under EU, UK and Swiss data protection laws. For customers with HIPAA compliance needs, Google offers a Business Associate Amendment.
You only need to opt into the Data Processing Amendment (DPA) if your Google Workspace or Cloud Identity agreement does not already incorporate the DPA by reference. If you are unsure whether such agreement already incorporates the DPA by reference, we recommend you opt into the DPA, as it contains important compliance commitments and your opt-in won't make any difference if, in fact, your agreement already incorporates it.
If you’d like to opt in:
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
On the Admin console Home page, go to Account
Account settings
Legal and compliance.
- In Security and Privacy Additional Terms, under Data Processing Amendment to Google Workspace and/or Complementary Product (e.g. Cloud Identity) Agreement, click Review and Accept.
- Ensure that you or the appropriate individual within your organization reviews the contract clauses.
- Click I Accept.
Read more about Google’s approach to the General Data Protection Regulation and Google Workspace security and trust.
Step 1: Certify if European data protection law applies
If your billing address is outside Europe, the Middle East, and Africa, and your use of Google Workspace or Cloud Identity is or becomes subject to the EU GDPR, UK GDPR or the Swiss FDPA (as defined in the DPA), you need to certify as such, and identify your competent Supervisory Authority (or Authorities) by following the steps below.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
On the Admin console Home page, go to Account
Account settings
Legal and compliance.
- In Security and Privacy Additional Terms, click Indicate that EU Data Protection Law applies to you.
- Click Certify if Applicable.
- Click Save. If you need to uncertify, click Uncertify.
Step 2. Provide details of your European supervisory authority, DPO and representative
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
On the Admin console Home page, go to Account
Account settings
Legal and compliance.
- Under Your Supervisory Authority/ies, identify the applicable authority/ies.
- Click Save.
- Follow the steps to Register DPO or representative for the GDPRwhere applicable for your organization.
For customers with HIPAA compliance needs, Google offers a Business Associate Amendment (BAA).
To review and accept this BAA, you must be signed in to an administrator account for your organization's Google Workspace or Cloud Identity account. Non-administrator Google Workspace or Cloud Identity users or users of the legacy free edition of Google Workspace (sometimes referred to as "Google Apps Standard Edition") cannot review and accept a BAA from Google at this time.
Review and accept the HIPAA Business Associate Amendment
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
On the Admin console Home page, go to Account
Account settings
Legal and compliance.
- Go to the Security and Privacy Additional Terms section.
- Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment.
- Click Review and Accept and answer all three questions to confirm that you are a HIPAA covered entity.
- To accept the HIPAA BAA, click OK .