Last updated September 20, 2022
Google Workspace and Cloud Identity offer the Cloud Data Processing Addendum (CDPA) (previously called the Data Processing Amendment or DPA), which incorporates standard contract clauses (SCCs), as a means of meeting the security, contracting and data transfer requirements under EU, UK and Swiss data protection laws. For customers with HIPAA compliance needs, Google offers a Business Associate Amendment.
You only need to opt in to the Cloud Data Processing Addendum (CDPA) if your Google Workspace or Cloud Identity agreement does not already incorporate the CDPA (or the DPA) by reference. If you are unsure whether such agreement already incorporates the CDPA (or the DPA) by reference, we recommend you opt in to the CDPA, as it contains important compliance commitments and your opt-in won't make any difference if, in fact, your agreement already incorporates it (or the DPA).
If you’d like to opt in:
- Sign in to your Google Admin console.
  Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Account settings > Legal and compliance.
- In Security and Privacy Additional Terms, under Cloud Data Processing Addendum to Google Workspace or Cloud Identity Agreement, click Review and Accept.
- Ensure that you or the appropriate individual within your organization reviews the contract clauses.
- Click I Accept.
Read more about Google’s approach to the General Data Protection Regulation and Google Workspace security and trust.
Step 1: Certify if European data protection law applies
If your billing address is outside Europe, the Middle East, and Africa, and your use of Google Workspace or Cloud Identity is or becomes subject to the EU GDPR, UK GDPR or the Swiss FDPA (each as defined in the Cloud Data Processing Addendum (CDPA), previously called the Data Processing Amendment), you need to certify as such, and identify your competent Supervisory Authority (or Authorities) by following the steps below.
- Sign in to your Google Admin console.
  Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Account settings > Legal and compliance.
- In Security and Privacy Additional Terms, click Indicate that EU Data Protection Law applies to you.
- Click Certify if Applicable.
- Click Save. If you need to uncertify, click Uncertify.
Step 2: Provide details of your European supervisory authority, DPO and representative
- Sign in to your Google Admin console.
  Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Account settings > Legal and compliance.
- Under Your Supervisory Authority/ies, identify the applicable authority/ies.
- Click Save.
- Follow the steps to Register DPO or representative for the GDPR where applicable for your organization.
For customers with HIPAA compliance needs, Google offers a Business Associate Amendment (BAA).
To review and accept this BAA, you must be signed in to an administrator account for your organization's Google Workspace or Cloud Identity account. Non-administrator Google Workspace or Cloud Identity users or users of the legacy free edition of Google Workspace (sometimes referred to as "Google Apps Standard Edition") cannot review and accept a BAA from Google at this time.
Review and accept the HIPAA Business Associate Amendment
- Sign in to your Google Admin console.
  Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Account settings > Legal and compliance.
- Go to the Security and Privacy Additional Terms section.
- Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment.
- Click Review and Accept and answer all three questions to confirm that you are a HIPAA covered entity.
- To accept the HIPAA BAA, click OK.