Version September 22, 2020
The Looker Platform can provide benefits with regard to GDPR compliance.
Looker works closely with many data-driven organizations within the EEA and supports GDPR compliance in three ways: Architecture, Product and Company readiness.
Looker is a Data Processor to its customers, which are the Data Controllers. Looker incorporates data ethics considerations into its privacy program and policy framework.
Architecture. Looker offers a simpler, transparent architecture for data processing that reduces data sprawl and can support compliance with GDPR requirements while providing modern data delivery capabilities and crucial insights to drive business success.
The Looker Platform creates a single, governed location for users to access their data sources. Looker gives administrators control over who’s accessing data, which services are accessing it, and how long it’s cached for. The Looker Platform leaves control of your data where it belongs, in your hands.
Product. The Looker data platform provides numerous product administration features to assist with data management, setup, and processes to help you meet GDPR data security and privacy requirements.
Company. Looker’s data security and privacy programs are designed to have in place company policies, controls and processes that are appropriate to the type of personal data and data processing, and operate effectively.
For more information about how Looker can assist your company with maintaining compliance with GDPR and other global data privacy laws, see our GDPR product compliance section: https://looker.com/product/gdpr-compliance-solutions
What mechanisms does Looker use to transfer personal data?
Looker and our subprocessors and vendors primarily store information collected from you within the European Economic Area and the United States. To facilitate our global operations, we transfer information using applicable, approved information transfer mechanisms, such as EU Standard Contractual Clauses (SCCs). Standard Contractual Clauses (SCCs), also known as EU Model Contract Clauses (MCCs), were developed by the European Commission to provide organizations with a mechanism to comply with data protection requirements when transferring personal data from the EU to third countries or third parties. Looker provides online versions of the Looker MCCs by reference in the Looker DPST for customers that have agreed to the Google CMA and Looker Services Schedule. Looker provides an offline version of the SCCs and the Looker Data Protection Agreement (DPA) for customers that have agreed to the Looker MSLA.
Where can I find Looker’s Data Processing Terms (DPST)?
Customers or prospects that have agreed to the Google CMA and Looker Services Schedule may find the Looker Data Processing Terms here: https://looker.com/trust-center/legal/customers/dpst and the Looker MCCs here: https://looker.com/trust-center/legal/customers/mcc. If the EU’s General Data Protection Regulation or equivalent legislation in Switzerland or the UK (collectively, the GDPR) applies to your use of Looker, the updated Looker DPST will now deem the Looker MCCs to apply automatically. If the GDPR does not apply to your use of Looker, these changes have no practical impact.
Customers that have agreed to the Looker MSLA may have an offline or negotiated version of the Looker DPA and the Standard Contractual Clauses.
What do I need to do if I’ve been informed of an updated Looker DPST or DPA?
Please review the updated Looker DPST. If you are not the right person to review the updated DPST or this notice, please forward this notice to the appropriate contact for your organization, such as your legal or compliance team. Customers with a negotiated Looker DPST should contact firstname.lastname@example.org for assistance.
Customers that are subject to the GDPR and have agreed to the Looker MSLA will need to execute a new DPA that includes the SCCs if the SCCs were not previously entered into along with the DPA.
Where can I find a list of Looker’s vendors and subprocessors?
These vendors deliver the Looker Platform in compliance with GDPR Articles 28 or 29.
Subprocessors for customers that signed the Looker MSLA:
Subprocessors for customers that signed the Google CMA:
What is Looker’s status with regard to its participation in the Privacy Shield program?
Looker initially certified to the U.S. Department of Commerce in June 2018, and renewed its certification in June 2019 and June 2020. Although the European Court of Justice (CJEU) has invalidated the EU-U.S. Privacy Shield Framework, the U.S. Department of Commerce continues to administer and enforce the Privacy Shield program.
What personal data does Looker, as a data processor, collect and store, and for what purposes?
Looker, as a Data Processor, holds two classes of data: information about Looker Users and the customer data necessary to answer users’ queries.
- Information about Looker Users includes end-user login/registration account information for Looker Users plus metadata about their usage of Looker.
  - Metadata is used to facilitate product improvements, customer support and license auditing.
  - Login information is controlled by customers directly as it is entered on their Looker instance and they can delete their Looker Users’ (i.e. their employees’) information at any time.
  - We retain basic user account information, which includes contact information used to send product updates, relevant marketing, training and events based on the users’ contact preferences.
- Customer data necessary to answer users’ queries is data retained in the Looker cache, fetched in response to Looker User queries of their database that is connected to Looker.
  - This data is encrypted and stored by Looker for a maximum of 30 days or 2GB of data—whichever occurs first. Customers may take additional steps to reduce the amount of time that query results are held in cache.
Where does Looker host my customer data?
Looker-hosted instances are hosted in the Google Cloud Platform (GCP), Amazon Web Services (AWS) or Microsoft Azure. By default, Looker instances are hosted in the GCP U.S. (Virginia) region, but at the customer’s request, we can host in various other regions. The customer data in your databases is not extracted by Looker. Customers can also host their own Looker instance on their servers.
Has Looker evaluated its security policies, management, and controls to meet GDPR?
Our data security program is designed to ensure that the policies, controls and processes are appropriate to the type of personal data collected and the data processing performed.
You can find our security policy here:
Information on our approach to GDPR compliance is here:
What security certifications does Looker have?
Depending upon the hosting platform, Looker has a SOC 2 Type 2, ISO27001, HIPAA and PCI-DSS.
How long does Looker retain customer data? Will Looker delete customer data when requested?
As a customer of Looker, you remain in control of your data and data about your users. When you remove users from your Looker instance, their data will be removed from Looker’s databases within 30 days. If you wish to delete a Looker user’s account data, our Data Engineering team has a process to permanently anonymize the data. If you would like Looker to delete your customer data or Looker user account detail, please send an email to email@example.com.
As a Looker User, may I opt out of Looker Communications?
Yes. We retain basic Looker User contact information to communicate with our customers and their users about product and security updates, relevant marketing, training and events. Looker users may manage their communication preferences at our subscription center here.
Has Looker appointed a Data Protection Officer (DPO)?
Contact our DPO at firstname.lastname@example.org.
Need more assistance?
If you have further questions, contact Looker’s Data Protection Team at email@example.com.
EU Region Headquarters
Looker Data Sciences Ireland Limited
John O'Keeffe, VP, EMEA
5 Harcourt Rd, Saint Kevin's
Dublin, D02 FW64, Ireland
Corporate Headquarters (U.S.)
Looker Data Sciences, Inc.
101 Church Street, 4th Floor, Santa Cruz, CA 95060