
Google Calendar Embed and Data Protection – What Belongs in the Privacy Policy

Concise guide to Google Calendar Embed and Appointment Schedules: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

If a website operator uses Google Calendar Embed or Google Appointment Schedules, they typically process web server log data, device data, browser information, coarse location data and – when a booking is made – user content and conversion events in order to embed calendar content and offer online appointment booking. The legal basis is regularly a third-party content consent, since the embedded content is loaded directly from Google servers. This page explains the data flows triggered by Google Calendar and the mandatory disclosures that result for the privacy policy.

This page is based on publicly available information from Google and generally researchable sources. It does not replace a case-by-case review of the actual deployment of Google Calendar. Status: 7 May 2026.

A. Purpose and Functionality of Google Calendar Embed

Google Calendar is Google's online calendar service. For website operators, two integration features are primarily relevant, both of which embed content from Google servers directly into the operator's website:

  1. Google Calendar Embed: Using an embed snippet (<iframe src="https://calendar.google.com/calendar/embed?src=...">), a publicly shared Google Calendar is integrated as a calendar view into the operator's website. Visitors see appointments, week or month views, and can add the calendar to their own Google Calendar.
  2. Google Appointment Schedules (booking): Using a Google-provided booking link or iframe (typical paths under calendar.app.google or calendar.google.com/calendar/u/0/appointments/...), website visitors can book appointments with the website operator. The booking form itself runs on Google's domain.

This page focuses on the website embedding of these two functions. Other features of Google Calendar – such as internal calendar use by employees, synchronisation with end devices, or calendar-wide invitations sent by email – are not covered here and are subject to a separate legal assessment.

What is technically common to both integrations: when the embedding page is loaded, a connection from the visitor's device to Google servers is established directly. Google therefore receives data without the website operator actively forwarding it.

B. Mandatory Information in the Privacy Policy When Using Google Calendar

The GDPR requires the privacy policy – in addition to general information about the website operator, the rights of the data subject and the supervisory authority – to contain the following information specifically with regard to tools such as Google Calendar: the purposes of processing (Art. 13(1)(c) GDPR); the legal bases (Art. 13(1)(c) GDPR); where processing is based on a balance of interests, the legitimate interests pursued (Art. 13(1)(d) GDPR); the recipients or categories of recipients (Art. 13(1)(e) GDPR); information about transfers to insecure third countries and the safeguards (Art. 13(1)(f) GDPR); and the storage period or the criteria for determining it (Art. 13(2)(a) GDPR). Where data are not collected directly from the data subject, the categories of personal data processed must additionally be stated (Art. 14(1)(d) GDPR).

These mandatory disclosures are broken down for Google Calendar Embed and Appointment Schedules in the following sections.

In practice, it has become common to cover every individual tool with its own lawyer-drafted text block in the privacy policy. This "text-block-per-tool" approach produces lengthy, repetitive and hard-to-maintain privacy policies and tends to undermine the transparency requirement of Art. 12(1) GDPR. A more appropriate alternative is a topic-oriented approach that describes processing operations across categories (server operation, third-party content, newsletter, tracking, sales, etc.) and merely lists the specific service providers used – including Google Calendar – in an Annex of recipients. This is precisely the approach taken by the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Google Calendar

According to Google's publicly available information, the contracting party for website operators in the European Economic Area is, as a rule:

  • Google Ireland Limited
  • Gordon House, Barrow Street, Dublin 4, Ireland
  • Country of establishment: Ireland (EU)

The parent and group company is Google LLC, headquartered in Mountain View, California, USA. A data transfer to the USA is regularly to be assumed when using Google services. According to the publicly available entries on the EU-US Data Privacy Framework (participant list), Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF); the website operator should verify the certification status before deployment. As an additional safeguard, Google's data processing terms provide for Standard Contractual Clauses (SCCs) under Art. 46 GDPR for third-country transfers.

Google's overall privacy policy is available at https://policies.google.com/privacy. Information on embedding Google Calendar is provided by the Google Calendar Help under https://support.google.com/calendar/answer/41207.

D. Data Processing in Google Calendar – Step by Step

Collection: As soon as a visitor opens a page containing the Google Calendar iframe or the Appointment Schedules iframe, their browser establishes a direct connection to Google servers (typically calendar.google.com, calendar.app.google, accounts.google.com, gstatic.com). In doing so, the IP address, user-agent, referrer URL and any cookies set by Google are transmitted.
Storage: Google stores the data needed to provide the calendar or booking function on servers worldwide, including data centres in the USA. Storage locations and periods are determined by Google; specific information is contained in Google's privacy policy.
Use: Google uses the data to deliver the calendar or booking interface, for security and abuse prevention, and – for signed-in users – according to Google's own statements for further purposes described in Google's privacy policy (e.g. product improvement, personalisation, advertising).
Disclosure: Within the Google group and to Google's subprocessors, data may be passed on, in particular to Google LLC in the USA. With Appointment Schedules, the website operator itself receives the booking data entered by the user (name, email, booking subject, optionally phone, free-text fields).
Deletion: Deletion routines are subject to Google's specifications. The website operator can remove the embed or booking link from their own site at any time; on data already stored by Google, they have only limited influence. Booking data that lands in the website operator's own Google Workspace calendar can be deleted there directly.

E. Data Collected Through Google Calendar Embed

When using Google Calendar Embed and Appointment Schedules, according to Google's publicly available information the following data are processed in particular: IP address, date and time of the request, requested URL, referrer, user-agent (browser, operating system, device), coarse location at city or region level, cookies or similar identifiers, for signed-in Google users the link to their Google account, and – in the case of bookings via Appointment Schedules – the booking details entered by the user (e.g. name, email, reason for booking, free notes) and the fact that a booking was made (conversion event).

These data fall into the following standardised data categories:

  • Web server log data: data the web server receives with each request, e.g. IP address, date, time, URL of the requested content, referrer, browser, operating system and device information, and status codes.
  • Click paths: with Appointment Schedules, in particular booking steps visited, time slots selected, and button clicks within the booking form.
  • Device data: information about the end device, e.g. device type, operating system, screen resolution and touch support.
  • Browser information: browser name, browser version and any installed extensions.
  • Coarse location data: approximate location at city or region level derived from the IP address.
  • User account data: for visitors signed into their Google account, in particular their user identifier and identifiers linked to that account.
  • User content: with Appointment Schedules, the content entered into the booking form (name, email, phone, booking subject, notes, any further required or optional fields).
  • Conversion events: in particular the successful booking of an appointment via Appointment Schedules.

In addition, cookies or similar identifiers may be set on or read from the visitor's device by Google.

F. Purposes for Using Google Calendar

The website operator uses Google Calendar Embed primarily to present appointments, events or office hours transparently, and Appointment Schedules to offer website visitors a convenient online booking option. The data processed serve primarily the provision of the calendar view or booking form and the handling of the actual appointment.

The purposes typically pursued fall into the following standardised categories:

  • Provision of functionality: delivery and display of the embedded Google Calendar and provision of the Appointment Schedules booking form, including error detection and error prevention.
  • Contract performance: preparation, performance and settlement of the appointment booked via Appointment Schedules (e.g. consultation, office hour, service appointment) including related communication.
  • Security and abuse prevention: detecting, preventing and ending attacks, bot bookings and other misuse, spam and fraud prevention.
  • Communication: confirmation, reminder, rescheduling or cancellation of appointments to the user.
  • General product improvement: anonymised analysis of typical usage patterns to improve the website operator's booking offering.
  • Compliance with retention obligations and enforcement of rights: insofar as bookings have a contractual element (e.g. paid appointments).

Further-reaching purposes, such as user-individual marketing or ad serving, are pursued by Google for its own account and advertising products according to Google's own statements in its data protection terms; those processing operations fall within Google's responsibility as an independent controller.

In a first step, Google Calendar Embed is to be assigned to the tool category third-party content (embedded content via iframe); Appointment Schedules adds the function of appointment booking.

In a second step, the following legal bases typically come into consideration:

  • Third-party content consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG): Because the iframe directly triggers connections to Google servers and Google regularly sets cookies or accesses the end device in this context, consent of the website visitor – typically implemented as a functional or third-party content consent in the consent banner – regularly comes into consideration.
  • Contract performance (Art. 6(1)(b) GDPR): Where Appointment Schedules is used to book an appointment that serves the initiation or performance of a contract, Art. 6(1)(b) GDPR can additionally apply to the booking data.
  • Legitimate interests (Art. 6(1)(f) GDPR): For non-tracking-related aspects (e.g. security and abuse prevention, simple and reliable provision of the function), a legitimate interest in the provision of functionality, security, abuse prevention and efficiency may come into consideration. For pure third-party content involving access to the end device, however, this basis is often insufficient under Sec. 25(1) TDDDG.
  • Marketing consent (Art. 6(1)(a) GDPR): Insofar as signed-in Google users generate data that Google uses for user-individual marketing, an additional consent comes into consideration.

Which legal basis applies depends materially on whether the website operator loads the iframe immediately or only after consent ("two-click solution"), how the consent banner is configured, and whether there is a contractual link. The classification is to be reviewed in the individual case by the website operator.

H. Specifics and Notes on Google Calendar

  • Google's independent controllership: According to publicly available information, for the data processing operations associated with the embed and Appointment Schedules booking, Google typically acts as an independent controller. A joint-controllership constellation (Art. 26 GDPR) is not excluded and should be reviewed by the website operator – in particular for the display and booking phase on the operator's website. Unlike with Meta business tools, Google – according to publicly available information – does not publish a dedicated joint-controller addendum for Calendar Embed/Appointment Schedules; an independent legal assessment is therefore advisable.
  • Third-country transfer / DPF: Google transfers data to the USA. According to entries available on the DPF participant list, Google LLC is certified under the EU-U.S. Data Privacy Framework; in addition, Standard Contractual Clauses are provided for in Google's data protection terms. Status and scope must be verified before deployment: https://www.dataprivacyframework.gov/s/participant-search.
  • DPA: For the embedding of a public calendar or a public booking link via standard Google accounts, no data processing agreement is typically concluded with Google, as Google acts as an independent controller in this context. If Appointment Schedules is used as part of a Google Workspace contract, the Workspace data processing terms (Cloud Data Processing Addendum) apply and are then authoritative.
  • Naming recipients in the annex: Google Ireland Limited (and, related to it, Google LLC) should be listed in the privacy policy – or, under the topic-oriented approach, in the recipients annex – as recipient of the personal data.
  • Settings for the website operator: Before embedding, it is advisable to check whether the calendar really needs to be made public, whether personal appointment content (third-party names, contact details) appears in the public calendar, and whether Appointment Schedules only requests the necessary mandatory fields in the booking form (data minimisation under Art. 5(1)(c) GDPR).
  • Opt-out at the Google level: Website visitors can manage their Google advertising and personalisation settings at https://myadcenter.google.com/ and https://myaccount.google.com/data-and-privacy.
  • Consent management: Since the iframe triggers third-party connections, it should only be loaded after consent ("two-click solution" or comparable consent pattern).

If the Google Calendar iframe is loaded immediately on page load without prior consent, this may conflict with Sec. 25(1) TDDDG where tracking-relevant cookies or device access are involved. The specific configuration should be coordinated with the consent management system in use.
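The "two-click solution" described above, sketched as an added example (not code from Google or from the author of this page): the calendar slot first shows a button, and the iframe pointing at Google is only created after the click. The host names are those named on this page; the storage key, the element id, the sample URL and all function names are assumptions, and in a real deployment the consent state would come from the consent management system rather than from local storage.

```javascript
// Added example, not code from Google or the page's author.
// Host names are the ones named on this page; CONSENT_KEY, the element id
// and all function names are hypothetical.
const ALLOWED_HOSTS = new Set(["calendar.google.com", "calendar.app.google"]);
const CONSENT_KEY = "consent.google-calendar"; // hypothetical storage key

// Accept only https URLs on an allowed Google Calendar host.
function validateEmbedUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Decide what the slot may contain. Before consent the Google URL is never
// placed in a loadable attribute, so the browser opens no connection.
function planSlot(rawUrl, consentGiven) {
  const href = validateEmbedUrl(rawUrl);
  if (href === null) return { kind: "blocked" };
  return consentGiven ? { kind: "iframe", src: href } : { kind: "placeholder" };
}

// Browser wiring: render a button first, the iframe only after the click.
function mountCalendar(slot, rawUrl, storage) {
  const plan = planSlot(rawUrl, storage.getItem(CONSENT_KEY) === "granted");
  slot.replaceChildren();
  if (plan.kind === "iframe") {
    const frame = document.createElement("iframe");
    frame.src = plan.src;
    frame.title = "Google Calendar";
    slot.append(frame);
  } else if (plan.kind === "placeholder") {
    const button = document.createElement("button");
    button.type = "button";
    button.textContent = "Load Google Calendar (connects to Google servers)";
    button.addEventListener("click", () => {
      storage.setItem(CONSENT_KEY, "granted"); // record the second click
      mountCalendar(slot, rawUrl, storage);
    });
    slot.append(button);
  }
}

// Constructed sample URL; the src value is a placeholder, not a real calendar.
const SAMPLE_URL = "https://calendar.google.com/calendar/embed?src=demo%40example.com";

if (typeof document !== "undefined") {
  const slot = document.getElementById("calendar-slot"); // hypothetical id
  if (slot) mountCalendar(slot, SAMPLE_URL, window.localStorage);
}
```

A quick check in the browser's network panel before the click should show no requests to the Google hosts listed in section D.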

I. FAQ on Google Calendar and Data Protection

J. Conclusion on Google Calendar and Call to Action

Google Calendar Embed and Appointment Schedules are classic third-party content: the iframe is loaded directly from Google servers, transmitting IP address, device and browser data, and possibly cookies and account data, to Google – and thus also to Google LLC in the USA. With Appointment Schedules, booking inputs (user content) and the conversion event of a successful booking are added. The legal basis is regularly a third-party content consent; where the booking has a contractual link, Art. 6(1)(b) GDPR comes into play. Google typically acts as an independent controller; whether a joint-controllership constellation arises in the individual case must be assessed separately.

For the privacy policy, it is of little use to single out Google Calendar with its own lawyer-drafted text block. Such blocks are repetitive, inflate the privacy policy and tend to undermine the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach is recommended: third-party content and appointment booking are explained across the board, and the recipients annex lists Google Ireland Limited (with Google LLC as the related US entity) as the specific service provider used. This is precisely the methodology pursued by the matterius generator.

K. Curator of This Page

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
