GCP Data Processor Agreement

The Data Protection Agreement, DPA, (named "Data Processing and Security Terms" by Google) for Google Cloud Platform is part of the Business agreement between NAV and Google Irland Limited.

This Business agreement (NAV internal link) is an offline variant which governs our use of the Google Cloud Platform Services. The offline terms uses the online terms as a base, but extend the online terms with for instance English law as the governing law (not US law) and 60 days (not 30) for NAV to object to changes in the terms.

When updating the risk assessments for your application, read the Beslutningsnotat Google avtale (NAV internal link). This document contains NAVs risks related to GCP and privacy/GDPR, and the risks most highly associated with information security in the Google Cloud platform in general (in addition the services NAV use in GCP has their own risk assessments).

NAV has, based on the Schrems II verdict that invalidated The EU-US Privacy Shield transfer mechanism, decided that all cloud services and all storage of data in cloud services shall take place in the EU / EEA. Apart from this, DPA with Google is still valid. Note that any use of Google Support that requires Support staff to access production data will need to be cleared with the NAV CIO in advance.

The Online data processing terms (DPA) can be found here.