Google NotebookLM

Key Documentation & References

Purpose & Context

This overview evaluates Google NotebookLM for GDPR compliance and data privacy in EU business contexts. NotebookLM is an AI-powered research and note-taking assistant that helps users summarize and extract insights from documents and sources.

Target audience: EU-based procurement, legal, compliance, and IT teams evaluating NotebookLM for processing personal or business-sensitive data.

---

🏢 Company & Service Overview

Company: Google LLC (Alphabet Inc.)[1]

Headquarters: Mountain View, California, USA with global infrastructure including EU data centers

Key differentiator: NotebookLM under qualifying Google Workspace / Enterprise routes inherits stronger Google commercial privacy controls, including a no-training commitment for uploaded Workspace user data. Treat consumer and Workspace/Enterprise use separately and verify the applicable Google terms for your account.

Service description:

• AI-powered research and note-taking assistant
• Upload documents (PDFs, Google Docs, web URLs, audio files)
• Generate summaries, insights, and Q&A based on sources
• "Audio Overviews" feature: Podcast-style summaries
• Powered by Google's Gemini AI models

---

📊 Service Tiers Comparison

---

✅ GDPR Compliance Assessment

Strengths

🟢 Explicit No-Training Commitment for Qualifying Workspace/Enterprise Routes

• Workspace/Enterprise NotebookLM data is not used to train generative AI models under Google's commercial privacy documentation
• Google Workspace's current Privacy Hub states that NotebookLM prompts and responses are not retained after the session ends for qualifying Workspace use
• Clear privacy-by-design approach
• Under qualifying Workspace/Enterprise terms, uploads, queries, and responses are not used for model training

🟢 Cloud Data Processing Addendum (CDPA)

• Applies through the relevant Google Workspace / Google Cloud commercial terms when NotebookLM is used under a qualifying Workspace, Education, or Enterprise route
• Do not treat the free consumer route as equivalent to a commercial DPA-backed Workspace deployment
• Standard Google commercial data-processing framework where applicable
• Google commercial data-processing framework where applicable
• Transparent data retention and deletion policies

🟢 Google Cloud Compliance Ecosystem

• SOC 2 Type II certified (NotebookLM Enterprise only)[7]
• ISO 27001 certified (NotebookLM Enterprise only)[7]
• ⚠️ The core Workspace/consumer NotebookLM service does NOT support ISO, SOC, or FedRAMP compliance and is not covered by Google's HIPAA BAA (per Google's Workspace Privacy Hub)
• GDPR-supportive controls when used under the relevant Google commercial terms
• Part of Google Cloud's mature compliance program
• Regular third-party audits

🟢 EU Data Infrastructure

• Google Cloud operates multiple EU data centers
• Data residency options available for Enterprise customers
• Configurable regional storage
• Part of Google's global, compliant infrastructure

🟢 Data Encryption

• Encryption in transit and at rest under Google's Workspace / Cloud security controls
• Industry-standard cryptographic protocols

🟢 User Data Control

• Uploaded materials are stored until the user deletes them under the applicable Google account controls
• Manual deletion available anytime
• Prompts and responses are not retained after session end in qualifying Workspace Privacy Hub context
• Clear data lifecycle management

Transparency & Communication

🟢 Privacy Update (May 2024)

• Clarified consumer feedback review practices
• Addressed community concerns about human review
• Workspace accounts have different, more protective commercial privacy rules
• Demonstrates responsiveness to privacy concerns

Minimal Concerns

⚠️ Workspace Data-Region Settings NOT Enforced for NotebookLM

• Even if Workspace data-region policies are configured, these settings do not apply to NotebookLM processing.
• Regulated organisations should not rely on data-region controls for NotebookLM compliance.
• If EU-only processing is required, verify the exact NotebookLM Enterprise / Workspace route with Google; do not assume Workspace data-region settings cover NotebookLM processing.

🟡 Free Tier Data Residency

• Free users cannot explicitly control data residency
• Data stored on Google’s multi-region infrastructure
• Not a compliance issue but less granular control than Enterprise

🟡 Shared Google Infrastructure

• Uses broader Google Cloud infrastructure
• Inherits any Google-wide considerations
• Subject to Google's privacy policy and terms

---

🔐 Data Protection Framework

Legal Basis

• Google Privacy Policy: Applies to consumer Google services
• NotebookLM-specific privacy rules: Additional protections[1]
• Cloud Data Processing Addendum (CDPA): Applies where NotebookLM is used under qualifying Google Workspace / Google Cloud commercial terms
• Google Cloud Terms: For Enterprise customers
• Privacy update: Consumer and Workspace routes must be assessed separately

Data Processing

• Controller: Google LLC (for consumer accounts) / Customer organisation (for Enterprise)
• Processor role: Google acts as processor for Enterprise customers
• Sub-processors: Google Cloud infrastructure providers
• Transfer mechanism: EU-US Data Privacy Framework (DPF) as Google's primary Alternative Transfer Solution, with Standard Contractual Clauses (SCCs) as the fallback for restricted EU-US transfers
• GDPR basis: CDPA ensures GDPR Article 28 compliance

User Rights (GDPR Articles 15-22)

• Access: Full access to uploaded sources and notebooks
• Rectification: Edit or update sources anytime
• Erasure: Users can manually delete uploaded files and notebooks or export them using Google Takeout under the Workspace Privacy Hub[9]
• Data portability: Download sources (native formats)
• Objection: Contact Google privacy team
• Automated decision-making: Not applicable (user-driven tool)

---

🌍 Infrastructure & Data Residency

Google Cloud Infrastructure

• Global network: 30+ regions worldwide
• EU regions: Multiple data centers in EU (Germany, Belgium, Finland, Netherlands, etc.)
• Data residency: Configurable for Enterprise and Workspace customers
• Redundancy: Multi-zone and multi-region options

NotebookLM-Specific Storage

• Uploaded sources: Follow Google's Cloud Data Processing Addendum deletion framework for qualifying Workspace routes; users can manually delete uploaded files and notebooks[9]
• Saved notes: Stored until user deletion
• Audio overviews: Stored until user deletion
• Queries: Not retained after the session ends under the Google Workspace Privacy Hub retention table
• Model responses: Not retained after the session ends under the Google Workspace Privacy Hub retention table

Enterprise Data Control

• Full admin visibility and control
• Data location policies configurable
• Integration with Google Cloud organisation policies
• Audit logging available

---

📝 Training Data Policy

Crystal Clear: No Training

✅ Official commitment for qualifying Workspace/Enterprise use:

• Workspace/Enterprise NotebookLM uploads, queries, and responses are not used for model training under Google's commercial privacy documentation
• NotebookLM prompts and responses are not retained after the session ends in the Workspace Privacy Hub retention table
• No user data used for AI model improvement
• Applies to qualifying Workspace/Enterprise routes; consumer/free routes should be reviewed separately before business use

✅ What this means:

• Uploaded documents: not used for model training under qualifying Workspace/Enterprise terms
• User prompts/responses: not retained after session end in qualifying Workspace Privacy Hub context and not used for training under qualifying Workspace/Enterprise terms
• AI-generated summaries: not used for training under qualifying Workspace/Enterprise terms
• Audio overviews: same Workspace/Enterprise no-training posture where applicable
• All interactions remain private

✅ Distinction from other Google AI products:

• NotebookLM has stricter privacy than consumer-facing AI tools
• Designed for sensitive research and business use
• Privacy-by-design architecture

---

🔒 Security & Compliance

Security Features

• Encryption in transit and at rest: Covered by Google's Workspace / Cloud security controls
• Access controls: Google account authentication
• SSO/SAML: Available for Workspace/Enterprise (via Google identity)
• Audit logging: Enterprise tier[7]
• DLP (Data Loss Prevention): Via Google Workspace/Cloud policies
• Admin controls: Enterprise tier for organisation management

Compliance Certifications (NotebookLM Enterprise)

✅ Confirmed certifications:[7]

• SOC 2 Type II (Security)
• ISO 27001 (Information Security Management)
• Additional Google Cloud certifications (ISO 27017/27018/27701, SOC 1/3, PCI DSS, BSI C5:2020) inherit to Enterprise tier

🟡 Free/Plus tier:

• Benefits from Google Cloud security posture
• Not independently certified but follows same standards
• CDPA provides the GDPR framework for qualifying commercial routes

Security Incidents

✅ No known security incidents specific to NotebookLM as of June 2026

• Benefits from Google's global security operations
• Part of mature, battle-tested infrastructure
• Google Security Team oversight

---

⚖️ Legal & Regulatory Context

GDPR Alignment

✅ Cloud Data Processing Addendum for qualifying commercial routes

• Major step toward GDPR compliance when NotebookLM is deployed under Google Workspace / Google Cloud commercial terms
• Do not treat free consumer use as equivalent to a Workspace or Enterprise deployment
• Provides clear data processing framework where applicable
• Aligns with GDPR Article 28 requirements
• Ensures transparency and user empowerment

Google Cloud Heritage

• NotebookLM Enterprise part of Google Cloud ecosystem
• Inherits decades of compliance experience
• Regular regulatory audits and certifications
• Proactive engagement with EU regulators

Privacy-First Design

• No training commitment differentiates from consumer AI tools
• Built for sensitive business and research use
• Responsive to privacy feedback

---

💰 Pricing for Business Use

Pricing notes:

• NotebookLM Plus is now a Workspace core service (Feb 2025) - covered by standard Workspace DPA.
• ⚠️ Important: Workspace data-region settings are NOT enforced for NotebookLM even when enabled. Do not rely on data-region controls for NotebookLM in regulated contexts.
• Context-Aware Access (CAA) policies can be applied via Workspace admin to restrict NotebookLM access by device/location.
• NotebookLM Ultra is delivered via Google AI Ultra ($100/month for 20 TB or $200/month, with storage/tier to be verified at checkout); NotebookLM Pro comes with Google AI Pro ($19.99/month) and NotebookLM Plus with Google AI Plus or a qualifying Workspace/Education license. Any first-year promotional discounts on these consumer plans are time-limited (the 2026 New-Year 50% Google AI Pro promotion ended 15 January 2026) - verify current Google offers at checkout.
• Enterprise pricing varies by organisation size and requirements

---

❓ EU Procurement Q&A

Q1: Can we use NotebookLM for processing personal data under GDPR?

A: Yes only under the right route and controls.

• Free tier: ⚠️ Review current consumer terms and avoid sensitive business or client personal data
• Plus / Workspace tier: ✅ Stronger Google Workspace privacy controls where used under a qualifying Workspace account
• Enterprise tier: ✅ Dedicated enterprise controls, but still verify data location, DPA scope, and Workspace/Gemini Enterprise configuration

Recommendation: For sensitive personal data, use Plus or Enterprise tiers for added admin controls and organisational visibility.

Q2: Where is our data stored and processed?

A:

• Storage: Google Cloud infrastructure, multi-region by default
• EU options: Available via NotebookLM Enterprise (Google Cloud) data residency zones; Workspace data-region settings do NOT apply to NotebookLM
• Processing: On Google infrastructure; do not assume EU-only processing unless Google confirms the selected Workspace/Enterprise route covers the workload
• Uploaded sources: Follow Google's Cloud Data Processing Addendum deletion framework for qualifying Workspace routes; users can manually delete uploaded files and notebooks[9]
• Queries/responses: Not retained after the session ends under Google's Workspace Privacy Hub

Q3: Is there a Data Processing Agreement?

A: Yes for qualifying Workspace / Google Cloud commercial routes.

• Covered through the relevant Google Workspace or Google Cloud commercial terms where NotebookLM is enabled for a qualifying account
• Do not assume free consumer or individual Google One routes have the same DPA position as Workspace/Enterprise
• Standard Google commercial data processing terms where applicable
• GDPR Article 28 compliant
• Includes Standard Contractual Clauses (SCCs)

Q4: Will our documents be used to train AI models?

A: Not under qualifying Workspace/Enterprise routes.

• Explicit no-training commitment for Workspace/Enterprise NotebookLM data
• Consumer/free use should not be treated as equivalent to a DPA-backed Workspace or Enterprise deployment
• NotebookLM prompts and responses are not retained after the session ends in Google's Workspace Privacy Hub
• Complete privacy for uploaded sources

Q5: How does NotebookLM compare to ChatGPT for GDPR?

A:

• NotebookLM advantages:
  • ✅ No training on Workspace/Enterprise NotebookLM data
  • ✅ Covered by Workspace agreement/CDPA for qualifying Workspace routes
  • ✅ Part of Google Cloud compliance ecosystem
  • ✅ Prompts/responses not retained after session end in qualifying Workspace context
  • ✅ Built for business/research from day one
• ChatGPT advantages:
  • ✅ More mature enterprise features (longer track record)
  • ✅ ChatGPT Enterprise has comparable compliance
• Verdict: NotebookLM is strongest for GDPR-sensitive use under qualifying Workspace or Enterprise terms; avoid treating the free consumer route as equivalent to a commercial DPA-backed deployment.

Q6: What about human review of data?

A: Depends on account type and enabled features.

• Consumer accounts (free): Limited human review for feedback/abuse only
• Workspace accounts: Stronger privacy protections, no routine human review
• Enterprise accounts: Full organisational control
• Transparent about review practices after community feedback

---

✅ EU Business Rollout Checklist

Before Deployment

• Choose appropriate tier (Plus for teams, Enterprise for large orgs)
• Review applicable Google Workspace / Google Cloud data-processing terms
• Do not rely on Workspace data-region settings for NotebookLM unless Google confirms the selected route covers your workload
• Set up Google Workspace/Cloud organisation (if needed)
• Conduct DPIA if processing special category data
• Review Google Cloud compliance documentation[7]
• Configure admin controls (Enterprise tier)
• Enable audit logging (Enterprise tier)
• Train users on data handling and deletion practices

During Deployment

• Set data upload guidelines (what can/cannot be uploaded)
• Configure SSO (if Workspace/Enterprise)
• Test data deletion (verify sources/notebooks removed)
• Document data flows for GDPR Article 30 records
• Establish retention policy (when to delete notebooks/sources)
• Create user guidance on privacy features

Post-Deployment

• Regular compliance review (quarterly)
• Monitor Google compliance updates (certifications, features)
• User training refresh (annually)
• Audit notebook usage (what data is being uploaded)
• Review and delete old notebooks (data minimisation)
• Stay informed on NotebookLM updates and privacy changes

---

🔄 Recommended Alternatives

If NotebookLM doesn't meet specific requirements:

For Similar AI Note-Taking Tools

1. Microsoft Copilot in OneNote - Microsoft 365 ecosystem, EU data residency
2. Notion AI - DPA-backed business/enterprise options, with EU hosting on eligible enterprise configurations
3. Obsidian with local AI plugins - Full local control, zero cloud dependency

For Document Q&A with Strict EU Requirements

1. Aleph Alpha (Germany) - German AI company, explicit EU sovereignty
2. Mistral AI (France) - French AI, EU-based infrastructure
3. Self-hosted RAG solutions - OpenSource on EU cloud (e.g., Langchain + EU servers)

For Enterprise Document Intelligence

1. Google Vertex AI Search - Full Google Cloud enterprise control
2. Azure OpenAI Service - Microsoft enterprise offering, EU regions
3. AWS Bedrock - Amazon enterprise AI, EU regions available

Note: NotebookLM's combination of Workspace/Enterprise privacy controls and no-training commitments makes it highly competitive for EU use when deployed under the right Google commercial terms.

---

📚 Key Documentation & References

Official NotebookLM Resources

• https://support.google.com/notebooklm/answer/15724963?hl=en - Learn How NotebookLM Protects Your Data (Google Official)
• https://support.google.com/a/answer/15706919 - Generative AI in Google Workspace Privacy Hub
• https://cloud.google.com/terms/data-processing-addendum - Google Cloud Data Processing Addendum
• https://cloud.google.com/terms/data-processing-addendum - Google Cloud Data Processing Addendum

---

Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Google NotebookLM in production environments - especially when personal data or sensitive research materials are processed. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - June 2026.

• https://support.google.com/a/answer/15706919 - Google Workspace Privacy Hub retention and training controls for Gemini and NotebookLM

---

📋 Verdict Summary

Overall GDPR Rating: ✅ Compliant only under qualifying Workspace/Enterprise routes

Best for:

• ✅ Research teams needing document analysis with strong privacy
• ✅ EU businesses requiring a DPA-backed note-taking/AI assistant under Google commercial terms
• ✅ Organisations already using Google Workspace
• ✅ Teams wanting explicit "no training" guarantees
• ✅ Projects requiring document summarisation with documented EU compliance controls
• ✅ Budget-conscious teams already on qualifying Google Workspace routes

Potentially not ideal for:

• ⚠️ Organisations requiring EU-only infrastructure on the free tier (use Enterprise and verify the selected region and limitations)
• ⚠️ Teams needing on-premises deployment (cloud-only service)
• ⚠️ Use cases requiring integration with non-Google ecosystems

Key Decision Factors

Final Recommendation

For EU business use:

1. NotebookLM Plus (Workspace): ✅ Recommended for Google Workspace teams (core service since Feb 2025)
2. NotebookLM Enterprise: ✅ Highly recommended for large organisations and regulated industries
3. NotebookLM Pro ($19.99/mo): ✅ Good for individual power users needing more capacity
4. NotebookLM Ultra ($100/mo for 20 TB or $200/mo, via Google AI Ultra; verify current storage/tier at checkout): ✅ For heavy users needing maximum capacity
5. NotebookLM Free: ⚠️ Use for personal research only unless current terms and risk assessment support the specific business use
6. ⚠️ Reminder: Workspace data-region settings are not enforced for NotebookLM - verify processing location via Enterprise controls.

What Sets NotebookLM Apart

🌟 Unique strengths:

1. Workspace/Enterprise protection - Commercial routes are covered by Google Workspace or Google Cloud terms
2. Explicit no-training commitment - Strong for qualifying Workspace/Enterprise NotebookLM data
3. Prompt/response retention limits - Not retained after session end in qualifying Workspace context
4. Part of Google Cloud - Mature compliance ecosystem
5. Recent privacy responsiveness - May 2024 update shows user feedback matters

Bottom line: NotebookLM is a strong option for EU business use when deployed through qualifying Workspace or Enterprise routes. Do not treat the free consumer route as equivalent to a commercial DPA-backed deployment for sensitive business data.

---

Last updated: June 2026

Next review: September 2026 (quarterly)

Document owner: Wouter van Haaften | WAIMAKERS B.V.