Given the widespread use of Google services (such as Google Sheets and Google Forms) by organizations for accounting employee and / or client data, the issue of the legal grounds for processing the personal data of these individuals has been raised.

The general legal basis for processing employee personal data is outlined in paragraph 8 of Article 6 and paragraph 3 of part 2 of Article 8 of the Personal Data Protection Law ( the Law), which does not require the data subject's consent for the processing of their personal data. Specifically, personal data is processed when formalizing employment (or service) relationships, as well as during the employee's (or service provider's) activity, in cases specified by legislation.

As a general rule, obtaining consent is not required when entering into a civil law contract, such as for the provision of services, performance of work, or transfer of property. The legal basis in this case is paragraph 15 of Article 6 of the Law (if the processing concerns general, non-special personal data). Personal data is processed when the operator receives such data based on a contract entered into (or to be entered into) with the data subject, for the purpose of performing the actions specified in that contract.

In January 2025, the National Center for Personal Data Protection (NCPDP) clarified through its official Telegram channel (the publication is available via the link) that when using Google services, the operator conducts a cross-border transfer of personal data and must comply with the requirements of paragraph 1 of Article 9 of the Law.

In the regulator's opinion, ‘it is impossible to determine the specific country to which the cross-border transfer of personal data is occurring. As a result, it cannot be confirmed whether an adequate level of protection for citizens' rights will be ensured.

In this case, the processing of personal data using these services is possible only with the consent of the data subjects, provided that they are informed about the risks associated with the cross-border transfer of their personal data’.

Considering the NCPDP's opinion, we would like to emphasize that when using Google services (or similar services) for managing employee and client data, it is necessary to obtain the consent of the employee or client for the processing of their personal data. This must be done with prior information provided to the respective individuals regarding the risks associated with using services that do not specify the final location of data storage (i.e., cross-border transfer with the potential risk of data being transferred to a country with inadequate protection levels).

Accordingly, when using the relevant accounting forms, the following should be developed:

• A specific Consent form for the processing of personal data using the designated service, and

• A detailed Information Sheet outlining the risks associated with the cross-border transfer of personal data.

Borovtsov & Salei has extensive experience in advising on personal data processing and implementing measures to protect the rights of data subjects. We are ready to assist you with legal support in developing the necessary documents, updating your company’s internal legal acts, reviewing existing contracts with counterparties, identifying risks, and safeguarding your reputation.

'By caring for the happiness of others, we find our own.' (Plato)