This provision requires Google to notify advertisers without undue delay upon becoming aware of a personal data breach affecting advertiser personal data, and to provide information sufficient to support the advertiser's own regulatory notification obligations.
This analysis describes what Google Ads's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This clause establishes the breach notification pipeline from Google as processor to the advertiser as controller. The advertiser remains responsible for evaluating the breach and determining whether and when to notify supervisory authorities and data subjects under GDPR Articles 33 and 34.
Interpretive note: The clause does not specify a fixed timeframe for Google's notification to the advertiser beyond 'without undue delay', which creates operational uncertainty about the timing available to the advertiser to meet its own regulatory notification obligations.
Under this clause, in the event of a personal data breach affecting data processed through Google Ads, Google is required to notify the advertiser so the advertiser can fulfill its own obligations to notify supervisory authorities and, where required, affected individuals.
How other platforms handle this
We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the p...
We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising and other unique identifiers, browser or device information, location information (including app...
That is why we are committed to transparency about how we collect, use, and share that information.
Monitoring
Google Ads has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Google will notify Customer without undue delay after becoming aware of any Personal Data Breach affecting Customer Personal Data, and will provide sufficient information to allow Customer to meet any obligations to report or inform data subjects of the Personal Data Breach under Data Protection Legislation.— Excerpt from Google Ads's Google Ads Data Processing Terms
1) REGULATORY LANDSCAPE: This provision implements the processor breach notification obligation under GDPR Article 33(2), which requires processors to notify controllers without undue delay after becoming aware of a personal data breach. The controller then has a 72-hour window to notify the supervisory authority under GDPR Article 33(1). The relevant enforcement authorities are EU supervisory authorities and, for UK operations, the ICO. 2) GOVERNANCE EXPOSURE: Medium. The 'without undue delay' standard in the clause does not specify a fixed notification timeframe from Google to the advertiser, which may compress the advertiser's 72-hour notification window to supervisory authorities if Google's notification is delayed. Advertisers should assess their incident response procedures to account for this potential timing uncertainty. 3) JURISDICTION FLAGS: EU and UK advertisers face strict 72-hour notification windows from the time they become aware of a reportable breach. Advertisers in US states with breach notification requirements such as California, New York, and Illinois must additionally evaluate whether breaches involving Google Ads data trigger state notification obligations. 4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should evaluate whether the agreement specifies a maximum notification timeframe for Google's processor-to-controller notification and, if not, whether this creates operational risk for the advertiser's supervisory authority notification timeline. Incident response plans should include contact procedures for receiving and escalating Google breach notifications. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should establish internal escalation and assessment procedures for Google breach notifications, including criteria for determining whether a breach is reportable to supervisory authorities, the procedure for notifying data subjects where required, and documentation requirements for the breach register maintained under GDPR Article 33(5).
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 10 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This clause establishes the breach notification pipeline from Google as processor to the advertiser as controller. The advertiser remains responsible for evaluating the breach and determining whether and when to notify supervisory authorities and data subjects under GDPR Articles 33 and 34.
Under this clause, in the event of a personal data breach affecting data processed through Google Ads, Google is required to notify the advertiser so the advertiser can fulfill its own obligations to notify supervisory authorities and, where required, affected individuals.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Google Ads.