Is Google Forms GDPR compliant?

If you are using Google Forms to process the personal data of UK or EEA (European Economic Area) based citizens then you may be wondering if Google Forms is GDPR compliant?

This is a good question to be asking, as poor GDPR compliance can lead to a fine, of up to 4% of your turnover or €20 million euros under EU GDPR or up to 4% of your turnover or £17.5 million pounds under UK GDPR.

Unfortunately, there is no black and white answer. 

This is due to the fact that GDPR does not concern merely the service that is being used to process data, it also depends hugely on the organisation that is processing data, what data they are processing and for what purposes.

Google Forms can be GDPR compliant, but only if a number of GDPR compliant procedures are put in place. 

In this article we’ll explore some of the things you may want to think about when using Google Forms. We’ll assume that you are using Google Forms to collect personal data. If you are unclear what counts as personal data under GDPR, here is a quick definition:

Personal data is data that relates to an identified or identifiable individual. In other words, data that relates to a human. (Confused? Read our full breakdown of what counts as personal data under GDPR).

GDPR will apply to 95% of Google Forms use cases. The exception may be if you are using Google Forms for an entirely anonymous project, or for an internal work project where no personal data is collected at all.

Now, let’s look at some of the GDPR compliance issues you will come across when using Google Forms.

Note: The UK GDPR and EU GDPR are technically different laws. As of the time of writing, there are no significant differences between the two laws so we will refer solely to GDPR throughout the article for brevity.

Providing transparency information – meeting your transparency requirements under the accountability principle

Google Forms does not prompt for or include transparency information by default. 

Transparency information includes things like:

  • notices explaining your purposes of data collection and processing
  • Privacy policies
  • Cookie policies

Under GDPR you must be transparent about what data you collect and why you collect it. Typically this information is provided in a privacy policy. It is good practice to remind people to review your privacy policy, it is best practice to make these links clear and to add them at the point of data collection. In a Google Form this information could be included in the introductory section which describes the form. You do not need to display your full privacy policy within the form, it is acceptable to link to further more detailed information. However you should not force users of the form to dig deep into documents that are rarely read or accessed in order to find out what will happen to the data they are providing in the form. You should ideally provide a summary of the purposes by which you are processing data and how the data subject (the person completing the form) can exercise their rights under GDPR.

Hiding any of this information can land you in trouble with the supervisory authorities who enforce GDPR. Particularly if the purposes for which you are processing data are not what would be reasonably expected by the person completing the form. 

Google Forms will allow you or your staff to create and publish a form without adding this information in. So to stay compliant with GDPR you need to take steps to ensure this does not happen.

What you should do

  • Make sure you include a clear link to your privacy policy in the form.
  • Add a short descriptive explanation of what the data collected will be used for. Invite the person completing the form to read your privacy policy for more information. Make sure that your privacy policy covers the data processing you will be doing with Google Forms.
  • Example:
    • We are collecting sign-ups for the tennis tournament with this form. The data you provide will be used to process your application, to inform you whether your application was successful and to facilitate your participation in the tennis tournament if successful. Your data will be processed in accordance with our privacy policy.
    • Note: Make sure you link to your privacy policy.
    • Note: If it is not clear who “we” is, for example you have not identified your organisation’s name earlier in the form then you should identify the name of the organisation that will be processing the personal data from this form.
    • Note: The information you provide must be clear, using as much plain english as possible. You can further improve the information you provide by disclosing how long the data provided will be stored for.

Collecting personal data – establishing a lawful basis for processing

Google Forms is very flexible, it allows you to collect many types of personal data easily. 

For example a cake shop may create an order form in Google forms to collect:

  • A name
  • Home address
  • Mobile number
  • Email address
  • Dietary requirements
  • Details of an event

GDPR requires you to establish a legal basis for each piece of personal data that you collect. 

The legal basis can be:

  1. Consent: clear consent has been given for you to process the personal data for a specific purpose.
  2. Contract: the processing is necessary to fulfil a contract you have or because an individual has asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

You will most likely be relying on:

  • Contract
  • Legitimate interests
  • Consent

Google Forms doesn’t require you to specify your legal basis when creating a form. So you need to make sure that you’ve established your legal basis for processing the personal data before you start collecting data with your form. 

What you should do

  • You may already cover the types of personal data that you wish to collect and the legal basis by which you will process them in your privacy policy or internal GDPR documentation. You can review these documents first to check if you’ve already got it covered.
  • If not, you will need to establish the legal basis under which you are collecting each piece of data. You can document this in a simple table format, like in the following example:
Data Type Legal basis for processing
Name Contract – we require this to process the cake order and issue the invoice.
Home address Contract – we require this to deliver the cake.
Email address for marketing newsletter Consent – customers can provide this if they wish to join the email newsletter, it is optional.
  • If you are unsure which legal basis applies you should consult with a GDPR expert before you start the data collection.

Storage of personal data after collection – storage retention

Google Forms automatically stores the data collected. This data effectively sits in your Google Drive storage allowance. 

Under the Storage Limitation principle of GDPR you must not keep data for longer than you need it.

The data collected by Google Forms will be kept indefinitely unless you have a retention policy in place set by your Google Workspace admin.

What you should do

  • Set an appropriate retention period for the data collected in each Google Form you create.
  • If you are only using the form on a temporary basis, set a date to delete the data. 
  • If you are using the form on a continual basis and are transferring the data collected to another system then you should set a deletion schedule. For example, “every 2nd Monday check that all new responses are transferred into the CRM, then delete all Google Forms responses”
  • Take care to ensure that data is correctly deleted. Google Forms data can automatically export to a separate Google Sheets document, it can also be forwarded automatically by email on submission. If you decide that the data must be deleted, you should check that data is also removed from these sources.

Location of Google Forms servers – restricted transfers

Google Forms data can be stored on multiple servers across multiple regions. Unless you subscribe to an enterprise version of Google Workspace and have set your data storage preferences it is likely that the personal data you collect via Google Forms will be stored outside of the UK and EEA (European Economic Area). 

Under GDPR, data transfers to restricted countries require a transfer mechanism. For the UK GDPR this means transfers outside of the UK to countries without existing adequacy decisions. For the EU GDPR this means transfers outside of the EEA without existing adequacy decisions. 

What you should do

  • If you have access to the premium features of the enterprise version of Google Workspace then you should check if you can set your data storage location within either the UK or EEA. This may mitigate the issue fully.
  • Most people will not have access to these features, as they are not typically included at the time of writing in the Business Standard, Business Starter or Business Plus packages. In this case you will need to take steps to make this restricted transfer compliant under GDPR.
  • You will need to risk assess the transfer and determine the appropriate legal mechanism for which to transfer data.
    • The most appropriate transfer mechanism is likely to be SCCs (Standard Contractual Clauses). These are a set of documents signed by both parties that outline what data protection mechanisms are in place. 
    • To put these in place with Google, you should visit the admin panel. Navigate to Account settings > Legal & compliance. Scroll down the list, you will come across a section with GDPR documents. You can then view the DPA and record your acceptance. You can also add in details of your supervisory authority if you are based within the UK or EEA. If you are unsure who your supervisory authority is you can use our supervisory authority directory.
  • You should regularly review this restricted data transfer and check that the mechanism in place is adequate.
  • You should disclose details of this restricted data transfer in your privacy policy and seek consent if appropriate before making the transfer.

Sharing of form – data breach

Google Forms has many collaboration features which make it easy to share the form with other individuals. You may intend to share the form with another person for the purposes of collaboration, however this can also lead to inadvertently sharing all the data from the form responses.

Sharing data with people who are not authorised to view that data would be considered as a data breach under GDPR. Data breaches can lead to enforcement action and in some cases require you to report details of the breach to regulatory authorities.

For this reason you should take extra care when using the sharing features of Google forms.

What you should do

  • Make sure staff using Google Forms are aware of how the sharing and collaboration settings work on Google Forms. 
  • Review who has access to your Google Forms regularly, ensure that people who have the right of access have a legitimate purpose for being able to access the data.
  • Setup warnings or blocks if appropriate for sharing Google Forms to Google Workspace users outside of your domain/organisation. You can set these from the admin panel of Google Workspace. 
  • If you are in charge of data privacy at your organisation, you should review external sharing feature usage regularly via the Google Workspace admin panel.

Conclusion

Google Forms allows anyone in your organisation to collect personal data, which can be a great way to move all sorts of projects on quickly, from customer feedback gathering exercises to recruitment drives. However with this ease of use, come great risks. It’s easy for people within your organisation to overlook the compliance risks associated with any new data collection exercise. If you are using Google Forms within your organisation, make sure that everyone allowed to use the product for personal data collection has received at least some foundation GDPR training. IT managers and data privacy managers should also be working together to set retention policies and administrator alerts which prevent the product being misused without their knowledge. You may also wish to consider setting some Google Forms templates for internal and external facing forms, which prompt creators to remember to add links to your privacy policies and to explain the purposes for processing within the form.

This article cannot be considered exhaustive as the use cases for this product are unlimited. Still, we hope this helped you consider some of the implications with GDPR compliance when using Google Forms. If you liked this article please consider subscribing to our newsletter or trying some of our training courses.