Is Storing (Personal) Data in a Google Spreadsheet GDPR Compliant? #241

New issue

Closed

opened 2025-10-14 16:40:24 -06:00 by navan · 0 comments

navan commented

2025-10-14 16:40:24 -06:00

Owner

Originally created by @nelsonic on 3/29/2018

Google Spreadsheets are a great way of capturing, analysing and sharing data within a team.
Sadly there are several major drawbacks of using GSheets to capture form data:

Data is stored by Google on their Servers in the US.
People ("users") cannot see the (personal) data that they have submitted
People ("users") cannot change or request deletion of their data (i.e. GDPR compliance)
GSheets makes it (too) easy to share (large amounts of) data
GSheets makes it (too) easy to "Make a Copy" of sheet(s) at which point any "control" of the data is lost.
None of these points is communicated to end-users when they are filling in an HTML form.

I think we should add a GDPR "disclaimer" at the Top of the tutorial
advising people to read: https://cloud.google.com/security/gdpr
and understand that they are personally responsible for the safekeeping of any personal data
they collect and store.
And that in addition to the data collection form,
they need a mechanism to allow people to contact them
in order to remove their data from their spreadsheet and any other retrieval systems.
The data collection spreadsheet should be treated with the same (if not more)
respect as your own personal/credit card details.
Don't share it with anyone you would not trust with your own credit card.

*Originally created by @nelsonic on 3/29/2018* Google Spreadsheets are a _great_ way of capturing, analysing and sharing data within a team. Sadly there are _several_ major drawbacks of using GSheets to capture form data: + Data is stored by Google on their Servers in the US. + People ("users") cannot _see_ the (personal) data that they have submitted + People ("users") cannot _change_ or request deletion of their data (_i.e. GDPR compliance_) + GSheets makes it (_too_) easy to share (large amounts of) data + GSheets makes it (_too_) easy to "Make a Copy" of sheet(s) at which point any "control" of the data is lost. _None_ of these points is _communicated_ to end-users when they are filling in an HTML form. I think we should add a GDPR "disclaimer" at the _Top_ of the tutorial advising people to read: https://cloud.google.com/security/gdpr and _understand_ that they are _personally_ responsible for the safekeeping of any personal data they collect and store. And that in _addition_ to the data _collection_ form, they need a mechanism to allow people to contact them in order to _remove_ their data from their spreadsheet and any _other_ retrieval systems. The data collection spreadsheet should be treated with the same (_if not more_) respect as your _own_ personal/credit card details. Don't share it with anyone you would not trust with your own credit card.