Suggested audience: All Hwb users and stakeholders.

One of the key benefits of schools using Hwb and its associated tools, is the level of due diligence that is undertaken by the Welsh Government to ensure digital services are fit for purpose and compliant. 

Our contracts contain robust data protection provisions which comply with the requirements of Article 28 of the General Data Processing Regulations (GDPR).  For the education services with Microsoft and Google, we have ensured that the Security and Privacy Additional Terms contracts, such as EU Model Contract Clauses, have been reviewed and accepted.

Digital Service

Data location

Hwb website (


360 degree safe Cymru




Microsoft Office 365


Azure AD - United Kingdom

Exchange - United Kingdom 

SharePoint - United Kingdom - Cardiff

OneDrive - United Kingdom - Cardiff

Skype for Business - United Kingdom

Microsoft Teams - United Kingdom

OneNote - United Kingdom - Cardiff

Google G Suite for Education*


* Welsh Government has opted into the enhanced Google data processing amendment and model contract clauses as a means of meeting the adequacy and security requirements of the EU data protection directive. Model contract clauses were created specifically by the European Commission to permit the transfer of personal data from Europe. Please refer to this link for further information on Google for Education privacy and security.

The basis on which the UK will leave the EU has still to be decided.

The Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow.

But organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected.

Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because there is a common set of rules - the GDPR.

But this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.

In this event, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.

The Information Commissioners Office has produced guidance and tools to assist organisations understand and mitigate the issue. More information can be found here:

Data protection if there is no Brexit deal

Data protection and Brexit ICO advice for organisations

How will personal data continue to flow after Brexit

The following table summarises some relevant governance aspects applicable to Google G Suite for Education and Microsoft Office 365.


G Suite for Education

Office 365

Data Protection – Model Clauses

Data Protection – Privacy Shield

National Cyber Security Centre (NCSC) Cloud Security Controls

Compliance asserted for all controls

Previously Pan Government Accredited

Cloud Security Alliance

Security, Trust and Assurance Registry (STAR) Attestation

STAR Self-Assessment


Expiry 13 April 2021

Expiry 18 January 2022


Expiry 13 April 2021

Expiry 18 January 2022


Expiry 13 April 2021

Expiry 18 January 2022