Google Controller-Controller Data Protection Terms

Google and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of the Controller Services (as amended from time to time, the “Agreement”).

These Google Controller-Controller Data Protection Terms (“Controller Terms”) are entered into by Google and Customer and supplement the Agreement. These Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.

If you are accepting these Controller Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Customer, to these Controller Terms. If you do not have the legal authority to bind Customer, please do not accept these Controller Terms.

1. Introduction

These Controller Terms reflect the parties’ agreement on the processing of Controller Personal Data in connection with the Data Protection Legislation.

2. Definitions and Interpretation

2.1 In these Controller Terms:

Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

Controller Data Subject” means a data subject to whom Controller Personal Data relates.

Controller Personal Data” means any personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Controller Services.

Controller Services” means the Google products or services that incorporate this Agreement by reference in their terms of service or other agreements, including the "Controller Services" listed at privacy.google.com/businesses/gdprservices.

Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Google” means the Google Entity that is party to the Agreement.

Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited, or any other Affiliate of Google LLC.

Privacy Shield” means the EU-U.S. Privacy Shield legal framework and the Swiss-U.S. Privacy Shield legal framework.

Terms Effective Date” means, as applicable:

(a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Controller Terms before or on such date; or

(b) the date on which Customer clicked to accept or the parties otherwise agreed to these Controller Terms, if such date is after 25 May 2018.

2.2 The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Controller Terms have the meanings given in the GDPR.

2.3 Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.

2.4 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3. Application of these Controller Terms

3.1 Application of Data Protection Legislation. These Controller Terms will only apply to the extent that the Data Protection Legislation applies to the processing of Controller Personal Data.

3.2 Application to Controller Services. These Controller Terms will only apply to the Controller Services for which the parties agreed to these Controller Terms (for example: (a) the Controller Services for which Customer clicked to accept these Controller Terms; or (b) if the Agreement incorporates these Controller Terms by reference, the Controller Services that are the subject of the Agreement).

4. Roles and Restrictions on Processing

4.1 Independent Controllers. Each party:

(a) is an independent controller of Controller Personal Data under the Data Protection Legislation;

(b) will individually determine the purposes and means of its processing of Controller Personal Data; and

(c) will comply with the obligations applicable to it under the Data Protection Legislation regarding the processing of Controller Personal Data.

4.2 Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.

5. Data Transfers

5.1 Transfers of Data Out of the European Economic Area and Switzerland. Either party may transfer Controller Personal Data outside the European Economic Area and Switzerland if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Legislation.

5.2 Google’s Privacy Shield Certification. As at the date Customer clicked to accept or the parties otherwise agreed to these Controller Terms, the parent company of the Google group, Google LLC, is certified under Privacy Shield on behalf of itself and its wholly-owned U.S. subsidiaries. This Section 5.2 (Google’s Privacy Shield Certification) constitutes notice in writing from Google to Customer for the purpose of Section 6.1(c).

6. Privacy Shield Onward Transfer Provisions

6.1 Application of Section 6. Sections 6.2 (Use of Data Provider Personal Data) and 6.3 (Protection of Data Provider Personal Data) will only apply to the extent that:

(a) a party (the “Data Recipient”) processes Controller Personal Data that is made available by the other party (the “Data Provider”) in connection with the Agreement (such Controller Personal Data, “Data Provider Personal Data”);

(b) the Data Provider or its Affiliate is certified under Privacy Shield; and

(c) the Data Provider notifies the Data Recipient of such Privacy Shield certification in writing.

6.2 Use of Data Provider Personal Data.

(a) Under the onward transfer principle under Privacy Shield, the Data Recipient will only use Data Provider Personal Data in a manner consistent with the consent provided by the relevant Controller Data Subjects.

(b) To the extent the Data Provider fails to obtain consent from the relevant Controller Data Subjects as required under the Agreement, the Data Recipient will not be in breach of Section 6.2(a) if it uses Data Provider Personal Data consistent with the required consent.

6.3 Protection of Data Provider Personal Data.

(a) The Data Recipient will provide a level of protection for Data Provider Personal Data that is at least equivalent to that required under Privacy Shield.

(b) If the Data Recipient determines that it cannot comply with Section 6.3(a), it will: (i) notify the Data Provider in writing; and (ii) either cease processing the Data Provider Personal Data or take reasonable and appropriate steps to remedy such non-compliance.

7. Liability

If the Agreement is governed by the laws of:

(a) a state of the United States of America, then, notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Legislation); or

(b) a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement.

8. Priority

8.1 Effect of these Controller Terms. If there is any conflict or inconsistency between the terms of these Controller Terms and the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 8.2 (Processor Terms), the terms of these Controller Terms will govern. Subject to the amendments in these Controller Terms, the Agreement remains in full force and effect.

8.2 Processor Terms. These Controller Terms will not affect any separate terms between Google and Customer reflecting a controller-processor relationship for a service other than the Controller Services.

9. Changes to these Controller Terms

9.1 Changes to Controller Services in Scope. Google may only change the list of potential Controller Services at privacy.google.com/businesses/gdprservices:

(a) to reflect a change to the name of a service;

(b) to add a new service; or

(c) to remove a service where either: (i) all contracts for the provision of that service are terminated; or (ii) Google has Customer’s consent.

9.2 Changes to Controller Terms. Google may change these Controller Terms if the change:

(a) is as described in Section 9.1 (Changes to Controller Services in Scope);

(b) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or

(c) does not: (i) seek to alter the categorisation of the parties as independent controllers of Controller Personal Data under the Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Controller Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Google.

9.3 Notification of Changes. If Google intends to change these Controller Terms under Section 9.2(b) and such change will have a material adverse impact on Customer, as reasonably determined by Google, then Google will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Google within 90 days of being informed by Google of the change.

Google Controller-Controller Data Protection Terms, Version 1.2

25 May 2018