Google Workspace is a cloud based productivity and collaboration suite by Google, including Gmail, Drive, Docs, Sheets, Meet, and Calendar. It processes personal data, uses cookies for authentication and analytics, and transfers data internationally, requiring GDPR compliance measures such as accepting the Cloud Data Processing Addendum (CDPA) and configuring Standard Contractual Clauses (SCCs).
Google Workspace (formerly G Suite) is a cloud based productivity and collaboration platform developed by Google. It includes Gmail, Google Drive, Google Docs, Sheets, Slides, Google Meet, Google Calendar, Google Chat, and administrative tools. Organisations of all sizes use it for email communication, file storage and sharing, real time document collaboration, video conferencing, and scheduling. When embedded widgets such as Google Forms, Google Calendar, or Google Docs viewers are integrated into third party websites, they introduce additional privacy considerations for site operators.
Google Workspace sets various cookies for authentication, session management, security, and user preferences. Key cookies include NID and __Secure-ENID (preference storage, 6 to 13 months), SIDCC and __Secure-1PSIDCC (security cookies verifying login integrity), SAPISID and related variants (enabling Google services to identify the signed in user), and 1P_JAR (analytics and ad related tracking, 1 month). Google also uses local storage and device identifiers for operational purposes. When Workspace widgets are embedded on external sites, additional cookies from domains such as accounts.google.com, docs.google.com, and apis.google.com may be set on visitor browsers.
Google Workspace raises significant GDPR considerations due to the volume and sensitivity of personal data it processes. Google acts as a data processor under the Cloud Data Processing Addendum (CDPA), while the customer organisation remains the data controller. The CDPA incorporates Standard Contractual Clauses (SCCs) to address international data transfers. Organisations must ensure they have activated the CDPA in their Google Admin console under Account > Legal and compliance. The platform holds multiple compliance certifications including ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 2/3, and FedRAMP. However, these certifications do not guarantee compliance by themselves: each organisation must configure Workspace appropriately, implement data retention policies, manage access controls, and train staff on GDPR principles.
The legal basis for processing depends on how Google Workspace is used. For core productivity features used by employees within an organisation, contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) typically applies. However, when Workspace elements are embedded on public facing websites (Google Forms for data collection, Google Calendar for event booking, Google Docs viewers), explicit consent under Art. 6(1)(a) GDPR and prior consent under the ePrivacy Directive are generally required before setting non essential cookies. Organisations should implement a cookie consent management platform (CMP) to collect, record, and manage visitor consent before loading embedded Workspace widgets.
Google operates a global data centre infrastructure and processes Workspace data in facilities across the United States, Europe, and Asia. For EU based organisations, this means personal data may be transferred outside the EEA. Google addresses this through the CDPA, which includes EU SCCs as the primary transfer mechanism. Eligible Workspace editions also offer a data region policy that allows administrators to keep covered data at rest within the EU. Organisations should evaluate whether their edition supports data regions, confirm the CDPA is activated, and document these safeguards in their Records of Processing Activities (RoPA). Under the EU-US Data Privacy Framework, Google LLC is a certified participant, providing an additional layer of adequacy for US transfers.
To achieve GDPR compliance with Google Workspace, organisations should follow these key steps. First, accept the Cloud Data Processing Addendum in the Google Admin console (Account > Legal and compliance). Second, configure data retention policies appropriate to your processing purposes. Third, implement a DPIA covering all Workspace services in use, especially if processing special category data or monitoring employee activity. Fourth, deploy a cookie consent banner on any public facing website that embeds Workspace widgets. Fifth, register your Data Protection Officer and Supervisory Authority details in the Admin console. Sixth, review and restrict third party app access via the Google Workspace Marketplace. Seventh, enable audit logging and regularly review access reports. Finally, train all staff on data protection principles, including proper use of shared drives, appropriate data storage practices, and incident reporting procedures.
Websites using Google Workspace must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for Google Workspace deployments due to the large scale processing of personal data across email, file storage, calendar, video conferencing, and collaborative documents. Key areas to assess include: scope of personal data processed across all Workspace apps (Gmail content, Drive files, Calendar events, Meet recordings), international data transfers to US and other third country data centers, employee monitoring risks if productivity analytics are enabled, data retention policies and deletion practices, access controls and admin audit logging, third party marketplace app integrations that may access Workspace data, and the adequacy of the Cloud Data Processing Addendum (CDPA) and SCCs for your specific processing activities.
Sample consent text
This site uses Google Workspace services (including embedded Google Docs, Sheets, Forms, and Calendar widgets) that may set cookies and process personal data on Google servers, including servers located outside the European Economic Area. These cookies enable authentication, session management, and service functionality. By accepting, you consent to this data processing. You can withdraw your consent at any time through our cookie settings.
Third-party domains contacted
accounts.google.com, docs.google.com, drive.google.com, calendar.google.com, meet.google.com, apis.google.com, workspace.google.com, mail.google.com, chat.google.com, admin.google.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NID | preferences | 6 months | Stores user preferences such as language and search result display settings across Google services. |
| __Secure-ENID | preferences | 13 months | Remembers user preferences and settings. Serves a similar function to NID with enhanced security attributes. |
| SIDCC | security | Session / 1 year | Security cookie used to verify login integrity and protect user authentication data from unauthorised access. |
| __Secure-1PSIDCC | security | 1 year | First party security cookie verifying the authenticity of the user session and protecting against CSRF attacks. |
| SAPISID | authentication | 2 years | Enables Google to identify the signed in user and their associated Google account across Google services and embedded widgets. |
| 1P_JAR | analytics | 1 month | Collects website statistics and tracks conversion rates for Google services and advertising measurement. |
| CONSENT | functionality | 20 years | Stores the user's cookie consent state for Google services, recording whether the user has accepted or declined cookie usage. |
| HSID | security | 2 years | Security cookie used in combination with SID to verify Google account identity and prevent fraudulent use of login credentials. |
Google Workspace sets several cookies including NID and __Secure-ENID for storing user preferences (6 to 13 months), SIDCC and __Secure-1PSIDCC for login security verification, SAPISID and variants for user identification across Google services, and 1P_JAR for analytics purposes (1 month). When Workspace widgets are embedded on external websites, additional cookies from accounts.google.com, docs.google.com, and apis.google.com domains may also be set.
It depends on the context. For internal organisational use by employees, consent is typically not required as contract performance or legitimate interest serve as the legal basis. However, when Workspace elements such as Google Forms, embedded Docs viewers, or Calendar widgets are placed on public facing websites, prior consent under the ePrivacy Directive is required before setting non essential cookies on visitor browsers. A cookie consent management platform (CMP) should be deployed in these cases.
The legal basis varies by use case. Core productivity functions for employees typically rely on contract performance (Art. 6(1)(b) GDPR) or legitimate interest (Art. 6(1)(f)). Security and fraud prevention activities are covered by legitimate interest. Public facing embeds that set cookies on visitor devices require explicit consent (Art. 6(1)(a)). Organisations should document the applicable legal basis for each processing activity in their Records of Processing Activities.
Yes. Google operates a global data centre infrastructure and may process data in US facilities. To comply with GDPR transfer requirements, Google offers the Cloud Data Processing Addendum (CDPA) which incorporates Standard Contractual Clauses (SCCs). Google is also a certified participant in the EU-US Data Privacy Framework. Certain Workspace editions offer a data region feature that keeps covered data at rest within the EU, though metadata and service data may still be processed globally.
A Data Protection Impact Assessment is strongly recommended and may be legally required under Art. 35 GDPR for most Google Workspace deployments. The platform processes large volumes of personal data across email, file storage, calendar, video conferencing, and collaborative documents. Key risk areas include international data transfers, potential employee monitoring through productivity analytics, third party marketplace app integrations, and the breadth of data categories processed. The assessment should cover all Workspace services in use and document the safeguards provided by the CDPA and SCCs.
Start by accepting the Cloud Data Processing Addendum (CDPA) in the Google Admin console under Account > Legal and compliance. Configure appropriate data retention policies and access controls. Register your DPO and supervisory authority details. Review and restrict third party app access via the Workspace Marketplace. Enable audit logging and conduct regular access reviews. For any public facing website embedding Workspace widgets, deploy a cookie consent banner. Conduct a DPIA covering all services used and train all staff on data protection principles including proper use of shared drives and incident reporting.
For organisations seeking to minimise international data transfers, alternatives include Nextcloud (self hosted, open source collaboration suite), Tutanota or ProtonMail (privacy focused email hosted in EU), OnlyOffice (EU hosted document collaboration), and Infomaniak kSuite (Swiss hosted productivity suite). For specific functions, organisations might consider Jitsi Meet for video conferencing or CryptPad for encrypted collaborative documents. Each alternative should be evaluated for its own GDPR compliance posture, data processing agreements, and security certifications.
Your cookie policy should list all cookies set by embedded Google Workspace widgets, including their names, purposes, durations, and the domains they originate from (such as accounts.google.com, docs.google.com, apis.google.com). Specify whether each cookie is strictly necessary or requires consent. Document Google's role as data processor, reference the CDPA and SCCs as the legal framework for data transfers, and provide clear instructions for users to manage or withdraw their cookie consent. The policy should be reviewed and updated whenever you add or remove Workspace integrations from your website.