
    Is Gemini GDPR Compliant? A 2026 Guide for European Teams

    Sonomos Research

    The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.

    Short answer: Gemini is not GDPR compliant by default — but "Gemini" is three very different products with three very different GDPR postures. Consumer Gemini (gemini.google.com) has no Data Processing Addendum, may retain and human-review prompts, and is not suitable for processing EU personal data on behalf of an employer. Google Workspace Gemini — the version bundled into Gmail, Docs, Meet, and the Workspace admin console — comes with Google's standard Workspace DPA, Standard Contractual Clauses, and EU data residency options for stored data. Vertex AI Gemini, the API used to build enterprise AI products, provides the strongest posture: full enterprise DPA, zero-retention options, EU-only inference for eligible workloads, and the broadest contractual protections. This guide explains what each tier means under the GDPR in 2026, where the risks sit, and the control stack that holds up under a supervisory-authority audit.

    The three Gemini tiers and why they matter for GDPR

    The most common mistake European controllers make is treating "Gemini" as a single product. Google offers what are effectively three separate products sharing the same underlying models:

    Consumer Gemini (gemini.google.com, Google app) — a B2C product. Users sign in with personal Google accounts. Google's consumer Terms of Service apply, not an enterprise DPA. Prompts may be retained and reviewed by Google staff for quality and safety purposes unless the user opts out. Not covered by an enterprise data-processing agreement. Not suitable for processing personal data of EU data subjects on behalf of an employer.

    Google Workspace Gemini — the Gemini features built into Gmail, Google Docs, Google Sheets, Google Meet transcription, and the Workspace admin experience. Covered by Google's standard Workspace Data Processing Addendum, which has been reviewed by the EDPB and incorporates the 2021 Standard Contractual Clauses. EU data residency for stored data (email, documents, Drive) is available via the Workspace data-residency commitment, although AI inference for Gemini may involve Google's global infrastructure even when stored data is EU-resident.

    Vertex AI Gemini — the API-first product for developers and enterprises building AI-powered applications. This tier provides the most complete GDPR posture: a full enterprise DPA with GDPR-specific schedules, zero-data-retention options, EU-only inference on eligible Vertex AI workloads, and granular sub-processor controls.

    Gemini tier-by-tier GDPR posture (2026)

| Tier | DPA available? | Default training | EU data residency | Sub-processors disclosed | Best for |
| --- | --- | --- | --- | --- | --- |
| Consumer Gemini | No | May be used for training/quality | No | Limited | Personal use only |
| Workspace Gemini | Yes — Google Workspace DPA | Excluded for Workspace customers | Partial (stored data; inference may vary) | Yes | Teams already on Workspace |
| Vertex AI Gemini | Yes — Google Cloud / Vertex DPA | Excluded by default | EU-only inference available | Yes | AI product development |

    The tier distinction is especially important because many organisations assume Workspace's DPA coverage extends to personal Gemini accounts employees open with their corporate Google credentials on a personal browser. It does not. A personal Google account is a consumer account, and Google's enterprise DPA does not extend to it regardless of what email address is used.

    Google's GDPR history and its implications

    Google has faced some of the largest and most substantive GDPR enforcement actions in Europe. Relevant history for 2026 deployments:

    • The CNIL (France) issued landmark fines against Google in 2019 and 2022 for consent and transparency violations relating to advertising personalisation on Android devices.
    • The Irish DPC, which is Google's lead supervisory authority under GDPR's one-stop-shop mechanism (Google's EU establishment is in Ireland), has issued multiple decisions and is the primary enforcement channel for complaints about Google's AI practices.
    • EDPB opinion on generative AI (May 2024) and subsequent guidance established that EU supervisory authorities take a strict view of purpose limitation and transparency for AI systems, specifically calling out large-scale processing of personal data for model training.

    For deployers, the practical implication of Google's enforcement history is straightforward: Google's enterprise tiers have been substantially shaped by regulatory engagement and have robust DPA infrastructure. Consumer tiers remain higher risk not because Google's practices are unusual, but because they are explicitly designed for a different legal relationship.

    What goes wrong in European Gemini deployments

    The patterns of failure are consistent across Google Workspace organisations:

    1. Employees open personal Gemini accounts at work. The most common breach pattern. An employee opens gemini.google.com, signs in with a personal Gmail account, and pastes a client email to summarise it. The employer has no DPA with Google for that account. The client's personal data is now processed under consumer terms with no Article 28 agreement. This is an Article 28 breach in a single prompt.

    2. Workspace Gemini enabled without confirming residency scope. An IT administrator enables Workspace Gemini for the organisation, assuming Google's EU data residency commitment covers AI inference. For stored Workspace data (emails, documents), EU residency is available. For Gemini AI inference, Google's architecture has evolved, and administrators should verify current inference routing in their Workspace admin console and DPA schedule rather than assuming full EU containment.

    3. Vertex AI projects without DPA review. Engineering teams create Vertex AI projects using organisational credentials and build AI features that process customer data. The enterprise DPA is available but requires the controller to identify and sign the GDPR schedule — it is not automatically applied to all API usage under an organisational account.

    4. No DPIA for Workspace Gemini rollout. Enabling Gemini across a Workspace organisation is a material change in processing. Article 35 requires a DPIA when processing is likely to result in high risk. The CNIL, ICO, and Garante have each published guidance treating organisation-wide generative AI rollout as DPIA-triggering. A blanket "Gemini is part of our Workspace subscription, which has a DPA" does not substitute for a DPIA evaluating the specific use cases, data categories, and residual risks.

    5. Special-category data in Google Workspace Gemini. Gemini in Gmail can see email content. Gemini in Meet can transcribe conversations. If those emails or conversations involve health data, trade-union membership, or other Article 9 special-category data, the controller needs an Article 9(2) basis for the AI processing — not just for the original storage in Workspace.

    The control stack for a defensible deployment

    Contract layer

    For Workspace Gemini: Confirm the Google Workspace Data Processing Addendum is in effect (it is generally standard for Workspace Business and Enterprise subscriptions, but verify). Review the AI-specific addendum Google has published as Gemini features have expanded. Check sub-processor disclosures in the Workspace admin console. Confirm which DPA schedule covers Gemini specifically.

    For Vertex AI Gemini: Sign the Google Cloud Data Processing Addendum with the applicable GDPR schedule. Confirm the zero-retention option for prompts and responses if the workload warrants it. Review sub-processor list and data-flow documentation for the specific regions you use.

    For both: Standard Contractual Clauses are incorporated by Google's DPAs and can be relied upon for EU-to-US transfers. Supplement with EDPB Recommendations 01/2020 supplementary measures as appropriate.

    Tier-and-settings layer

    • Disable or restrict consumer Gemini access across managed devices. Google Workspace admin controls allow blocking personal Google account access on organisational devices — extending this to prevent gemini.google.com access under personal accounts is the most direct control.
    • Confirm training exclusion for Workspace and Vertex workloads in admin settings.
    • Enable EU data residency for stored Workspace data and document which Gemini inference flows are covered by that commitment.
    • For Vertex: configure zero-data-retention where available and appropriate.
    • Review and configure the Gemini app admin settings in the Workspace console — which Gemini features are enabled, which data sources they can access (Drive, email), and what audit logging is active.

    Data-minimisation layer

    The transfer risk is most directly addressed by minimising personal data in the prompt. A local-first browser extension that detects personal identifiers — names, email addresses, account numbers, health terms — in the browser and replaces them with reversible tokens before submission addresses the Article 32 pseudonymisation obligation and provides the supplementary measure referenced in EDPB Recommendations 01/2020. For Vertex AI applications, this pseudonymisation step belongs in the application layer before the API call is made.
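As an added illustration of the pseudonymisation step described above (example code written for this guide, not Sonomos's extension or any Google code), the following JavaScript replaces detected identifiers with reversible tokens before a prompt leaves the client and restores them in the model's response. The detector patterns, the health-term list, the directory name and the sample prompt are constructed assumptions; a production deployment would use the organisation's own identifier formats and dictionaries.

```javascript
// Reversible client-side pseudonymisation of a prompt (constructed example).
// The token map never leaves the client; only the tokenised text is submitted.
const DETECTORS = [
  { kind: "EMAIL", re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  // IBAN-style account numbers, with or without grouping spaces
  { kind: "IBAN", re: /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b/g },
  // Tiny assumed health-term dictionary; Article 9 data gets its own token class
  { kind: "HEALTH", re: /\b(?:diabetes|chemotherapy|HIV)\b/gi },
];

// Returns the tokenised text plus a local map used later to reverse it.
// `knownNames` is an assumed list (e.g. from the organisation's directory).
function pseudonymise(text, knownNames = []) {
  const map = new Map();  // token  -> original value (kept locally only)
  const seen = new Map(); // value  -> token, so repeated values share a token
  let counter = 0;
  const tokenFor = (kind, value) => {
    if (seen.has(value)) return seen.get(value);
    const token = `[${kind}_${++counter}]`;
    seen.set(value, token);
    map.set(token, value);
    return token;
  };
  let out = text;
  for (const name of knownNames) {
    out = out.split(name).join(tokenFor("NAME", name));
  }
  for (const { kind, re } of DETECTORS) {
    out = out.replace(re, (match) => tokenFor(kind, match));
  }
  return { text: out, map };
}

// Re-inserts the original values into text returned by the model.
function restore(text, map) {
  let out = text;
  for (const [token, value] of map) out = out.split(token).join(value);
  return out;
}

// Constructed sample prompt containing a name, an email (twice), an IBAN and a health term.
const SAMPLE = "Summarise: Anna Moreau (anna.moreau@example.com) asked about a refund to " +
  "DE89 3704 0044 0532 0130 00 after her chemotherapy leave. Reply to anna.moreau@example.com.";

function demo() {
  const { text, map } = pseudonymise(SAMPLE, ["Anna Moreau"]);
  return { text, map, roundTrip: restore(text, map) };
}
```

The tokenised text (the only thing that would be submitted) reads `Summarise: [NAME_1] ([EMAIL_2]) asked about a refund to [IBAN_3] after her [HEALTH_4] leave. Reply to [EMAIL_2].`, and `restore` maps a response containing those tokens back to the original values.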

    Governance layer

    • Article 30 register updated for each Gemini tier in use, with lawful basis, recipients (Google Ireland Limited), transfer mechanism, retention period.
    • DPIA completed for high-risk uses and refreshed when the Gemini feature set materially changes (which has happened frequently as Workspace Gemini has expanded).
    • Transparency notices updated to identify Gemini as an AI tool, Google as a recipient, and the transfer mechanism.
    • Data subject rights procedure documented for Gemini processing — how do you respond to an erasure request when the data subject's information was included in a Gmail summary, a Meet transcript, or a Vertex AI prompt?

    EU AI Act overlay

    Google is a General-Purpose AI (GPAI) provider under the EU AI Act, and Gemini's family of models carries GPAI obligations from August 2025: transparency about training data, technical documentation, model evaluation, and serious-incident reporting. Deployers using Workspace Gemini or Vertex AI should verify Google's GPAI compliance documentation in their vendor risk management process.

    For high-risk uses (employment tools, credit screening, educational scoring, law enforcement support), the Annex III obligations apply to the deployer. Using Vertex AI Gemini to power an employment-decision tool or a credit-assessment system places the controller in the high-risk deployer category with obligations for risk management, human oversight, technical documentation, and post-market monitoring.

    Google Workspace Gemini features that summarise HR records, generate performance-review templates, or assist in hiring decisions sit at the boundary of the high-risk classification. Deployers should document whether each use case falls within or outside Annex III before the August 2026 deadline when high-risk obligations become enforceable.

    Frequently asked questions

    Is Google Workspace Gemini GDPR compliant?

    Workspace Gemini has the required contractual infrastructure — DPA, SCCs, sub-processor disclosure — and excludes training on Workspace customer data by default. The deployer is still responsible for lawful basis, transparency, DPIA where required, data subject rights, and Article 32 measures. The EU data residency picture for AI inference is evolving; verify the current Workspace admin console settings and DPA schedules rather than relying on general Google Cloud residency documentation. Workspace Gemini under a current DPA, with a completed DPIA and appropriate access controls, is a defensible deployment.

    Can EU teams use consumer Gemini for work?

    No. Consumer Gemini (gemini.google.com or the Google app with a personal account) is not covered by an enterprise DPA and is not suitable for processing personal data of EU data subjects on behalf of an employer. Employers should block consumer Gemini access on managed devices and provide a sanctioned alternative (Workspace Gemini or Vertex AI).

    Does Google use Workspace Gemini prompts to train its models?

    No, according to Google's current Workspace DPA and product documentation. Workspace customer data is not used to train Google's general-purpose models. Vertex AI prompts are similarly excluded by default. Consumer Gemini may use conversation data for quality improvement unless the user opts out. These defaults can change, so verify against the current DPA schedule at the time of your DPIA.

    Do we need a DPIA before enabling Gemini in Google Workspace?

    Almost certainly yes for organisation-wide rollout involving personal data. Supervisory authorities in France (CNIL), the UK (ICO), Italy (Garante), and the EDPB collectively have treated systematic generative AI deployment as DPIA-triggering. The DPIA should evaluate the specific Gemini features enabled, the categories of personal data accessible to them (email content, calendar, Drive documents), the lawful basis, the transfer mechanism, and residual risks.

    What is the GDPR position on Gemini's ability to access our Google Drive and Gmail?

    When Gemini in Workspace accesses Gmail or Drive to answer a query, that access is a processing activity under the GDPR. The controller's lawful basis for storing that data (most commonly legitimate interest or contract performance) extends to AI-assisted access, provided the access is consistent with the purpose for which the data was collected and disclosed in the privacy notice. The issue arises when the AI access creates new processing purposes — for example, using email patterns to infer employee behaviour — that were not disclosed to data subjects.

    The bottom line

    Gemini's GDPR story in 2026 is a tale of three products. Consumer Gemini is not suitable for EU personal-data processing in a business context. Workspace Gemini is the right default for organisations already on Google Workspace — the DPA and SCCs are in place, training exclusion applies, and the admin controls are maturing. Vertex AI Gemini provides the strongest posture for custom AI development with EU data.

    In all three cases, the international transfer to Google's US infrastructure is unavoidable — Google does not currently offer EU-only Gemini inference for all workloads. The answer is not to avoid Google's AI stack; it is to pseudonymise personal data before it reaches the model, document the transfer mechanism, and complete the governance steps that make the posture auditable.
