Google Forms and Data Protection – What Belongs in the Privacy Policy
Compact guide to Google Forms: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
If a website operator uses Google Forms, it typically processes the visitor's IP address, browser and device information, Google cookies as well as the answers entered into the form for the purpose of providing the embedded form, on the basis of a third-party content consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG). This page explains which data Google processes according to publicly available provider information and what website operators need to include in their privacy policy.
A. Purpose and Function of Google Forms
Google Forms is an online tool for creating forms and surveys that can be used both with a private (free) Google account and as part of Google Workspace (paid, business). In Workspace, Google Forms is listed as a so-called "Core Service", that is, part of the main services alongside Gmail, Docs and Drive.
For website operators, the most relevant feature is the iFrame embed in their own website. In the Forms editor, an HTML snippet can be generated under "Send" via the <> icon, which is essentially an <iframe src="https://docs.google.com/forms/d/e/[FormID]/viewform?embedded=true" ...>. When the embedding website is loaded, the visitor's browser fetches the form directly from docs.google.com. In this process, HTTP headers (IP address, user agent, referer, any existing Google cookies) are transferred to the provider's servers. In addition, it is possible to share the form solely via direct link (docs.google.com/forms/d/e/.../viewform); in that case, there is no embed in the operator's own website.
This page focuses on the practically more common iFrame embed in the operator's own website.
B. Mandatory Disclosures in the Privacy Policy when Using Google Forms
In addition to general information about the controller, the rights of data subjects and the supervisory authority, the GDPR requires the following specific disclosures regarding the use of tools in a privacy policy:
- the purposes of the processing (Art. 13(1)(c) GDPR),
- the legal bases of the processing (Art. 13(1)(c) GDPR),
- where processing is based on a balancing of interests, additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
- the recipients or categories of recipients (Art. 13(1)(e) GDPR),
- whether the data is transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
- the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR),
- and – if data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).
The following sections classify these mandatory disclosures for the use of Google Forms.
In practice, it has become common to add a separate text template for each individual tool – including Google Forms – to the privacy policy. This approach is, in our view, not mandatory and regularly leads to long, repetitive and hard-to-maintain privacy policies. This contradicts the transparency requirement of Art. 12(1) GDPR, which calls for a "concise, transparent, intelligible and easily accessible form". A more appropriate approach is a topic-oriented structure: processing operations are described across topic blocks (server operation, third-party content, newsletter, tracking, sales …); the specifically used providers such as Google are then listed in an annex of recipients.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Google Forms
According to publicly available provider information, the contractual partner for German website operators is:
- Google Ireland Limited
- Address: Gordon House, Barrow Street, Dublin 4, Ireland
- Country of establishment: Ireland (EEA)
- Privacy Policy: https://policies.google.com/privacy
- Cookie information: https://policies.google.com/technologies/cookies
- Cloud Data Processing Addendum (DPA): https://cloud.google.com/terms/data-processing-addendum
The group structure is relevant: parent and technical operating company is Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Data flows to the USA are therefore regularly present. According to publicly available information, Google LLC is certified under the EU-U.S. Data Privacy Framework (Participant ID 5780); the current status is available at https://www.dataprivacyframework.gov/s/participant-search.
Important differentiation – private account vs. Workspace:
- If Google Forms is used via a free private Google account, the website operator does not conclude a data processing agreement with Google. Google then processes the data under the terms of the general Google Privacy Policy and regularly acts as an independent controller for its own purposes (e.g. security and product improvement). This setup is to be viewed critically from a data protection perspective.
- If Google Forms is used via Google Workspace, the Cloud Data Processing Addendum (CDPA) automatically applies, under which Google acts as a processor for customer data of the Core Services (which include Forms).
D. Data Processing with Google Forms – Step by Step
When the embedding page is loaded, the visitor's browser fetches the form directly from docs.google.com. In this process, HTTP connection data (IP address, user agent, referer) is transferred to Google; Google cookies from the .google.com domain (e.g. NID, possibly SID/HSID for logged-in users) are read out and may be set. Upon submission, the entered answers are collected. Options such as "collect verified email addresses" or "limit to one response" enforce a Google login of the visitor.
E. Data Collected by Google Forms
When a Google Forms form is embedded via iFrame, Google, according to publicly available information, processes in particular the following data categories: technical connection data (IP address, user agent, timestamp, referer), cookies from the .google.com domain (e.g. NID for preferences and possibly ad personalisation; SID/HSID for authentication of logged-in users), browser and device information as well as the answers entered into the form – i.e. depending on configuration, name, email address, free text, selections, uploaded files.
When the option "collect verified email addresses" or "limit to one response" is activated, Google Forms enforces a login by the visitor; in that case, the Google account ID is additionally transferred to the provider and to the form creator.
This data can be classified into the following standardised data categories:
- Web server log data: in particular IP address, date, time, URL of the requested content (embed endpoint), referer URL of the embedding page, status code, transferred data volume.
- Device data: device type, operating system, screen size and resolution.
- Browser information: browser name and version.
- Coarse location data: location at city/municipality level derived from the IP address.
- User content: all content entered into the form by the visitor – answers, selections, uploaded files.
- User account data: when login options are used, the Google account identifier of the visitor.
- Click paths and interaction data: navigation within multi-page forms, click and scroll behaviour within the iFrame.
- Conversion events: the submission of a form as a success event defined for the website operator.
F. Purposes of Use for the Website Operator When Using Google Forms
The website operator regularly uses Google Forms to provide a form for data capture, e.g. for registrations, applications, surveys, orders, feedback forms or support requests. In addition, the data collected is used to evaluate the answers, process the requests and, where applicable, for internal control and improvement purposes.
These purposes can be classified into the following standardised categories of purposes of use:
- Function provision: delivery and operability of the embedded Google Forms form (display, input validation, submission logic), error detection and prevention.
- Contract performance: use of the form data for contract initiation or execution, where the form aims at concluding a contract (e.g. booking, order).
- Security and abuse prevention: spam and bot protection, detection of abusive entries.
- Communication: use of the contact details entered in the form to respond to the user's request or for further correspondence.
- General product improvement: evaluation of aggregated answers to optimise internal processes or the web offering.
When used via a private Google account, additional processing by Google itself comes into consideration (e.g. for security, product improvement or personalisation purposes).
G. Legal Bases for the Use of Google Forms
Google Forms falls into the tool category of third-party content (an embedded form from an external provider); due to cookies set by Google and the login mechanisms, authentication and tracking components are added in many configurations.
The following legal bases come into consideration for the use of Google Forms:
- Consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG) as a third-party content consent: Since the iFrame embed transfers connection data to Google when the page is loaded and Google sets or reads out Google cookies, obtaining consent via a consent banner is regularly the more legally robust option. A common solution is a two-click approach in which the iFrame is only loaded after active consent.
- Contract performance (Art. 6(1)(b) GDPR): where the form serves the conclusion or initiation of a specific contract between the website operator and the user.
- Legitimate interests (Art. 6(1)(f) GDPR): with the specific interests pursued in function provision and efficiency. This basis is conceivable for purely functional embeds, but should be carefully balanced on a case-by-case basis due to the cookies set by Google and the third-country transfer.
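The two-click approach mentioned above, as an added example that is not code from the original page, from Google or from matterius: the iFrame pointing at docs.google.com is only created after the visitor's active click, so no IP address, user agent, referer or Google cookie leaves the browser before consent. The form ID and the storage key are constructed placeholders; `window.localStorage` is assumed as the persistent store in the browser.

```javascript
// Added example (not from the original page, Google or matterius): a two-click
// loader for a Google Forms iFrame. Nothing is requested from docs.google.com
// until the visitor has actively consented.

const FORM_ID_RE = /^[A-Za-z0-9_-]+$/; // the "/d/e/<id>/" path segment

// Build the embed URL; refuse IDs that could alter the path or query string.
function buildEmbedUrl(formId) {
  if (!FORM_ID_RE.test(formId)) throw new Error("invalid Google Forms ID");
  return `https://docs.google.com/forms/d/e/${formId}/viewform?embedded=true`;
}

// Consent record backed by any Storage-like object (window.localStorage in
// the browser). The key name is a constructed placeholder.
class ThirdPartyConsent {
  constructor(store, key = "consent:google-forms") { this.store = store; this.key = key; }
  granted() { return this.store.getItem(this.key) === "granted"; }
  grant() { this.store.setItem(this.key, "granted"); }
  revoke() { this.store.removeItem(this.key); }
}

// Decide what to show. Kept free of DOM calls so it can be tested headlessly.
function decideView(consent, formId) {
  if (!consent.granted()) {
    return { kind: "placeholder",
             text: "Loading this form sends your IP address, browser data and Google cookies to Google. Load form?" };
  }
  return { kind: "iframe", src: buildEmbedUrl(formId),
           // send only the origin of the embedding page, never its full URL
           referrerPolicy: "strict-origin-when-cross-origin" };
}

// Render the decision into `container` (browser only; `doc` is `document`).
function mountForm(container, consent, formId, doc) {
  const view = decideView(consent, formId);
  container.replaceChildren();
  if (view.kind === "iframe") {
    const frame = doc.createElement("iframe");
    frame.src = view.src;
    frame.referrerPolicy = view.referrerPolicy;
    container.appendChild(frame);
  } else {
    const button = doc.createElement("button");
    button.textContent = view.text;
    // second click: record consent, then re-render as the real iframe
    button.addEventListener("click", () => {
      consent.grant();
      mountForm(container, consent, formId, doc);
    });
    container.appendChild(button);
  }
  return view.kind;
}

// Browser usage (FORM_ID_PLACEHOLDER is a constructed placeholder):
// mountForm(document.getElementById("form-slot"),
//           new ThirdPartyConsent(window.localStorage), "FORM_ID_PLACEHOLDER", document);
```

Revoking consent (`consent.revoke()` followed by `mountForm(...)`) returns the slot to the placeholder, which is what a "withdraw consent" link in the privacy policy should trigger.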
The applicable legal basis depends on the specific use case and configuration and is to be assessed by the website operator on a case-by-case basis. When used with a private Google account, the contractual basis required for processor processing under Art. 28 GDPR is missing; in this constellation, the processing of personal data of website visitors via Google Forms is problematic.
H. Special Features and Notes Regarding Google Forms
- DPA/CDPA: Within the framework of Google Workspace, the Cloud Data Processing Addendum applies automatically; a separate DPA is generally not required. When used via a private Google account, no DPA exists; the processing of personal data of third parties via this variant is critical from a data protection perspective.
- Third-country transfer: According to provider information, a transfer to the USA takes place. According to publicly available information, Google LLC is certified under the EU-U.S. Data Privacy Framework (Participant ID 5780); the current status is available at https://www.dataprivacyframework.gov/s/participant-search. In addition, Google states that it bases transfers on Standard Contractual Clauses.
- No self-hosted variant: A local installation or a dedicated EU hosting mode for Google Forms is not available according to publicly available provider information.
- Cookie behaviour: Google sets or reads cookies from the .google.com domain (e.g. NID, for logged-in users SID/HSID). These cookies are visible across all Google services. According to Sec. 25(1) TDDDG, consent is required before setting/reading them, unless the cookies are strictly necessary for providing the service.
- Login options: Options such as "collect verified email addresses" or "limit to one response" enforce a Google login of the visitor and lead to the transfer of the Google account ID. These options should only be used where this is factually necessary and addressed in the privacy policy.
- Settings for the website operator: Mandatory fields, access restrictions and the login options mentioned can be configured in the Forms backend. Deactivating Google's own cookie/tracking behaviour with the iFrame embed is not provided.
- Settings for the website visitor: The embed can be denied via the consent banner of the embedding website (in particular two-click solution); in addition, browser cookie settings and ad settings at https://adssettings.google.com/authenticated are available.
- Joint Controller Agreement: An explicit joint controller agreement under Art. 26 GDPR does not exist for Google Forms. The legal classification of the iFrame embed (processor processing in the Workspace context or independent controllership of Google with private use) is debated in the literature; a two-click solution with consent practically addresses the risks.
This presentation is based on provider information and publicly researchable sources. The specific role, legal basis, DPA status and DPF certification are to be verified by the website operator on a case-by-case basis using the most current provider documentation.
J. Conclusion on Google Forms and Notes for the Privacy Policy
Google Forms is a widely used third-party tool for online forms that is embedded into other websites via iFrame. When the page is loaded, connection data is transferred to Google's servers and Google cookies are set or read; data flows to the USA are regularly present. Website operators must therefore determine a legal basis, address cookie setting via a consent banner and present the processing transparently in the privacy policy. With Workspace use, the CDPA applies as a DPA; with private accounts, an appropriate contractual basis is missing.
From the perspective of the privacy policy, it makes little sense to include a separate text template for Google Forms. Such tool-specific text blocks make privacy policies long, confusing, hard to maintain and contradict the transparency requirement of Art. 12(1) GDPR, which requires information in a concise, transparent, intelligible and easily accessible form.
The more appropriate approach is a structured, topic-oriented one that explains tools across topic blocks (server operation, third-party content, newsletter, tracking, sales …) and refers to individual providers such as Google in the annex of recipients. This is the methodology of the matterius generator.
This article serves general information purposes regarding Google Forms and does not replace legal advice in individual cases. As of: 6 May 2026.
K. Curator of this Page
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com