Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Google Workspace is a cloud based productivity and collaboration suite by Google, including Gmail, Drive, Docs, Sheets, Meet, and Calendar. It processes personal data, uses cookies for authentication and analytics, and transfers data internationally, requiring GDPR compliance measures such as accepting the Cloud Data Processing Addendum (CDPA) and configuring Standard Contractual Clauses (SCCs).
Google Workspace is the cloud productivity suite operated by Google including Gmail, Drive, Docs, Sheets, Slides, Calendar, Meet, Chat, Forms, Sites and Vault. For EU customers the contractual counterparty is Google Ireland Limited, which acts as both controller (for the administrative customer relationship) and processor (for the customer data stored in the tenant). Google LLC in the United States is the principal sub processor.
Inside the workspace, the authenticated user has Google session and security cookies on google.com and on the workspace domain (SID, HSID, SSID, APISID, SAPISID, OSID, _GRECAPTCHA). When the publisher embeds Google content on a public website (Google Forms, Sites, Maps embed, YouTube, Slides published to the web), the same cookies are dropped on the visitor browser even before consent. This triggers the ePrivacy art. 5(3) obligation to obtain prior consent, and the EDPB decision against the European Parliament (10 January 2022) confirms that public embeds of Google content are within scope.
For the internal use by employees and seats, the lawful basis is the employment contract and the legitimate interest of the controller in running its IT environment. For interactions with external parties (forms, calendar invites, Meet calls with guests), the publisher must rely on consent, performance of a pre contract or legitimate interest depending on the context. The Google Workspace DPA must be signed by the customer; it incorporates the EU Standard Contractual Clauses (module 3) and the supplementary measures notice introduced after Schrems II.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Google LLC has been certified under the EU US Data Privacy Framework since 8 July 2023, which provides an adequacy basis for transfers to the United States. Customers can select the EU as the primary region for data at rest, but transient processing (anti spam, anti malware, telemetry) and back ups can still cross the United States and other regions. The publisher must run a transfer impact assessment, document the use of the supplementary measures (encryption keys, client side encryption with Google Workspace CSE, access transparency logs), and refresh the assessment annually. The Bavarian DPA fined a Bavarian municipality in 2024 for failing to assess the supplementary measures even with DPF in place.
Sign the Google Workspace DPA and accept the EU Standard Contractual Clauses module 3. Enable the EU data region for Workspace and activate Client Side Encryption (CSE) for high risk content. Configure Access Transparency and Access Approvals to keep an audit trail of Google support access. Disable Workspace Labs and additional services (Bard, AI features) when they are not covered by the same DPA. List Google Workspace and its sub processors in your record of processing (GDPR art. 30) and in the privacy notice. Run a DPIA when processing special categories of data (health, legal, HR).
Sovereign or EU based alternatives include Microsoft 365 with EU Data Boundary, BlueMind, Tutanota, Proton Business and the French Onlyoffice DocSpace. For public sector users in France, the SUC and Numérique en Commun S3NS partnership offers Workspace under a French controlled trust mark.
Websites using Google Workspace must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Google Workspace deployments that process special category data (HR records, health), high volume customer data, or use AI features such as Gemini. Document data flows, retention, sub processors and Schrems II safeguards.
Sample consent text
Our organisation uses Google Workspace (Gmail, Drive, Docs, Calendar, Meet) operated by Google Ireland Limited as the controller and processor for the EEA. We have signed the Google Workspace Data Processing Addendum and selected the EU data region for data at rest. Some processing operations and back ups may occur in the United States or other Google regions under the EU US Data Privacy Framework and the EU Standard Contractual Clauses. If you contact us through a shared form, calendar or video call, your data is processed under those safeguards. You can request access, rectification and erasure at any time.
Third-party domains contacted
accounts.google.comgoogle.comworkspace.google.comdocs.google.comgoogleusercontent.comdrive.google.comgstatic.comcalendar.google.comaccounts.google.commeet.google.comapis.google.comworkspace.google.commail.google.comchat.google.comadmin.google.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NID | preferences | 6 months | Stores user preferences such as language and search result display settings across Google services. |
| NID | Third party (.google.com) | 6 months | Stores Google account preferences and security related signals; set whenever an embedded Google Workspace component loads. |
| _Secure-ENID | preferences | 13 months | Remembers user preferences and settings. Serves a similar function to NID with enhanced security attributes. |
| CONSENT | Third party (.google.com) | 13 years (rotation) | Records the user's consent state for Google services across products. |
| SIDCC | security | Session / 1 year | Security cookie used to verify login integrity and protect user authentication data from unauthorised access. |
| SOCS | Third party (.google.com) | 13 months | Stores the user's acknowledgement of Google consent state changes. |
| __Secure-1PSIDCC | security | 1 year | First party security cookie verifying the authenticity of the user session and protecting against CSRF attacks. |
| AEC | Third party (.google.com) | 6 months | Ensures requests within a browser session are made by the user, used as anti abuse signal. |
| ANID | Third party (.google.com) | 13 months | Used by Google to deliver and personalise services for signed in users. |
| SAPISID | authentication | 2 years | Enables Google to identify the signed in user and their associated Google account across Google services and embedded widgets. |
| 1P_JAR | analytics | 1 month | Collects website statistics and tracks conversion rates for Google services and advertising measurement. |
| CONSENT | functionality | 20 years | Stores the user's cookie consent state for Google services, recording whether the user has accepted or declined cookie usage. |
| HSID | security | 2 years | Security cookie used in combination with SID to verify Google account identity and prevent fraudulent use of login credentials. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Google Workspace sets several cookies including NID and _Secure_ENID for storing user preferences (6 to 13 months), SIDCC and _Secure_1PSIDCC for login security verification, SAPISID and variants for user identification across Google services, and 1P_JAR for analytics purposes (1 month). When Workspace widgets are embedded on external websites, additional cookies from accounts.google.com, docs.google.com, and apis.google.com domains may also be set.
It depends on the context. For internal organisational use by employees, consent is typically not required as contract performance or legitimate interest serve as the legal basis. However, when Workspace elements such as Google Forms, embedded Docs viewers, or Calendar widgets are placed on public facing websites, prior consent under the ePrivacy Directive is required before setting non essential cookies on visitor browsers. A cookie consent management platform (CMP) should be deployed in these cases.
The legal basis varies by use case. Core productivity functions for employees typically rely on contract performance (Art. 6(1)(b) GDPR) or legitimate interest (Art. 6(1)(f)). Security and fraud prevention activities are covered by legitimate interest. Public facing embeds that set cookies on visitor devices require explicit consent (Art. 6(1)(a)). Organisations should document the applicable legal basis for each processing activity in their Records of Processing Activities.
Yes. Google operates a global data centre infrastructure and may process data in US facilities. To comply with GDPR transfer requirements, Google offers the Cloud Data Processing Addendum (CDPA) which incorporates Standard Contractual Clauses (SCCs). Google is also a certified participant in the EU US Data Privacy Framework. Certain Workspace editions offer a data region feature that keeps covered data at rest within the EU, though metadata and service data may still be processed globally.
A Data Protection Impact Assessment is strongly recommended and may be legally required under Art. 35 GDPR for most Google Workspace deployments. The platform processes large volumes of personal data across email, file storage, calendar, video conferencing, and collaborative documents. Key risk areas include international data transfers, potential employee monitoring through productivity analytics, third party marketplace app integrations, and the breadth of data categories processed. The assessment should cover all Workspace services in use and document the safeguards provided by the CDPA and SCCs.
Start by accepting the Cloud Data Processing Addendum (CDPA) in the Google Admin console under Account > Legal and compliance. Configure appropriate data retention policies and access controls. Register your DPO and supervisory authority details. Review and restrict third party app access via the Workspace Marketplace. Enable audit logging and conduct regular access reviews. For any public facing website embedding Workspace widgets, deploy a cookie consent banner. Conduct a DPIA covering all services used and train all staff on data protection principles including proper use of shared drives and incident reporting.
For organisations seeking to minimise international data transfers, alternatives include Nextcloud (self hosted, open source collaboration suite), Tutanota or ProtonMail (privacy focused email hosted in EU), OnlyOffice (EU hosted document collaboration), and Infomaniak kSuite (Swiss hosted productivity suite). For specific functions, organisations might consider Jitsi Meet for video conferencing or CryptPad for encrypted collaborative documents. Each alternative should be evaluated for its own GDPR compliance posture, data processing agreements, and security certifications.
Your cookie policy should list all cookies set by embedded Google Workspace widgets, including their names, purposes, durations, and the domains they originate from (such as accounts.google.com, docs.google.com, apis.google.com). Specify whether each cookie is strictly necessary or requires consent. Document Google's role as data processor, reference the CDPA and SCCs as the legal framework for data transfers, and provide clear instructions for users to manage or withdraw their cookie consent. The policy should be reviewed and updated whenever you add or remove Workspace integrations from your website.
For internal use no website cookies are set; authentication uses Google account cookies on accounts.google.com. When Workspace components (Forms, Docs, Calendar appointments) are embedded on a public website, Google sets NID, CONSENT, SOCS, ANID and the AEC cookies on google.com and googleusercontent.com.
No consent is required to provide Workspace to your employees, which is justified by your contract with them. Consent is required for any embedded Workspace component on a public website, because the embed sets cookies and loads scripts from Google.
For internal use, contract performance (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR) cover employees and contractors. For public embeds, consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy Directive).
Yes. Customer data is processed in multiple Google data centres including the United States. Transfers are covered by the EU US Data Privacy Framework adequacy decision (since July 2023) and by EU Standard Contractual Clauses. EU Data Regions allow Enterprise customers to keep most data at rest in Europe.
A DPIA is recommended for deployments processing employee monitoring data, special category data (HR, health, legal), high volume customer data, or AI features such as Gemini. Document data flows, retention, sub processors and Schrems II safeguards.
Sign the DPA, enable EU Data Regions, configure Vault retention, restrict third party app access, enable context aware access, audit admin activity, document Google in your Article 30 record. Block embedded Workspace widgets behind a consent gate on public sites.
Microsoft 365 (US, EU Data Boundary), Zoho Workplace (India/EU options), Tutanota (Germany), Proton Mail/Drive (Switzerland), Nextcloud (Germany, self hosted), OnlyOffice (Latvia/EU), Infomaniak Workspace (Switzerland), Open Xchange (Germany).
List Google as third party for the relevant cookies (NID, CONSENT, SOCS) when the component is embedded. Explain the EU US Data Privacy Framework status. Refer users to Google's privacy policy.