Google doesn't mention having a DPO but has a dedicated privacy help center, whose contact is available on its website: https://support.google.com/policies/answer/9581826?hl=en&visit_id=637842217867882507-4117401368&rd=1
Abralytics doesn't mention having a DPO or GDPR correspondent and doesn’t display a dedicated privacy contact channel.
Regarding cloud & website: https://policies.google.com/privacy
This policy, however, covers a broad scope that includes various Google applications and services (including Analytics), which makes it difficult to understand for both controllers and data subjects.
Regarding website and cloud: https://www.abralytics.com/privacy
Besides, it doesn’t provide sufficient information to data subjects regarding Articles 13 and 14 of the GDPR (data retention periods, legal basis, etc.).
Google has cloud servers all over the world but (except for the US) doesn’t specify in which countries.
Data is hosted in the EU, but Abralytics doesn’t specify in which country, nor which external cloud provider it uses or that provider's nationality.
Personal data is transferred outside the European Union, whether these transfers are based on adequacy decisions of the European Commission or standard contractual clauses (SCCs).
However, SCCs have been deemed insufficient by the European Court of Justice when transferring personal data to US servers. This entails the necessity for complementary data protection measures. The French Data Protection Authority (CNIL), however, has considered the complementary measures put in place by Google (User ID pseudonymisation, IP address anonymisation, etc.) not effective enough to protect data against intelligence agencies.
Data is deemed not transferred outside the EU, but that information needs to be verified (cloud provider and its nationality are unknown).
Subcontractors are subject to written agreements substantially similar to Google’s DPA: https://business.safety.google/intl/en/adsprocessorterms/
Google has made public its list of subprocessors:
Before onboarding subprocessors, Google conducts an audit of the security and privacy practices of subprocessors to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.
30 days prior to modifying the list of subprocessors, the controller will be notified by email and is able to object by terminating the contract.
Abralytics doesn’t mention any subcontractors or its process for contracting with them.
If Google becomes aware of a Data Incident, Google will notify controllers promptly and without undue delay; and promptly take reasonable steps to minimise harm and secure personal data. Google will deliver its notification by email, phone call or an in-person meeting.
Abralytics doesn’t mention directly notifying controllers of a data breach within a set timeframe, nor providing assistance to controllers in notifying the supervisory authority of the breach.
Rights of deletion and portability can be fulfilled by the controllers directly through the SaaS.
If Google receives a request from a data subject, controllers authorize Google to respond directly to the data subject’s request or to advise the data subject to submit their request to the appropriate controller.
Google commits to assist controllers in fulfilling their obligations to respond to requests for exercising the data subject’s rights.
Abralytics doesn’t mention providing assistance to controllers in case of a data subject rights request.
Google assists controllers in ensuring compliance with their obligations in respect of DPIAs and prior consultation.
Abralytics doesn’t specify having conducted DPIAs or providing assistance to controllers if needed.
Google ensures all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Abralytics doesn't mention employee training or employees being bound by NDAs.
Google has obtained and maintained an ISO 27001 certification, for which a security policy is necessary.
Abralytics doesn’t mention having a security policy.
Cloud security relying on Google Cloud (on-site security operations, formal physical access procedures, CCTV, biometric controls, etc.).
Backup redundancy, code review, business continuity plan, data encryption, intrusion detection controls, incident monitoring, employee security training, user authentication (strong passwords, 2-factor authentication), authorization management, data pseudonymisation (user ID).
Abralytics doesn’t mention having a security policy.
Data encryption in transit (HTTPS) and at rest (AES256).
Data encryption is never mentioned.
Access to data by employees, contractors, and subcontractors is limited by strict access controls (authentication procedures, SSL, and security logs), restricting access only to authorized users.
Abralytics doesn’t mention any specific restrictions of access to personal data.
Google shares personal data between its multiple service platforms (Adsense, etc.).
Concerning third parties, Google states it will not use or disclose any confidential information belonging to controllers without their prior written consent, except to fulfill its obligations under this Agreement or as required by law, regulation or court order.
Abralytics doesn’t sell any data. Controllers remain the owners of personal data.
NO, by default Google collects cookies and therefore visitors’ consent is necessary.
YES, Abralytics doesn’t collect cookies.
YES, even though Google offers an anonymisation option for IP addresses that can be activated by controllers, other personal data is still transferred to US servers by default (user ID, cookies).
Also, Google publishes a Transparency Report, which lists demands made by intelligence agencies under FISA:
NO, data is stored in the EU and anonymized (and therefore no longer considered personal).