Google Controller-Controller Data Protection Terms

Google and the other party agreeing to these terms (“Partner”) have entered into an agreement for the provision of the Controller Services (as amended from time to time, the “Agreement”).

These Google Controller-Controller Data Protection Terms (including the appendix, “Controller Terms”) are entered into by Google and Partner and supplement the Agreement. These Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.

If you are accepting these Controller Terms on behalf of Partner, you warrant that: (a) you have full legal authority to bind Partner to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Partner, to these Controller Terms. If you do not have the legal authority to bind Partner, please do not accept these Controller Terms.

1. Introduction

These Controller Terms reflect the parties’ agreement on the processing of Controller Personal Data.

2. Definitions and Interpretation

2.1 In these Controller Terms:

Additional Terms” means the additional terms referred to in Appendix 1, which reflect the parties’ agreement on the terms governing the processing of Controller Personal Data in connection with certain Applicable Data Protection Legislation.

Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

Applicable Data Protection Legislation” means, as applicable to the processing of Controller Personal Data, any national, federal, EU, state, provincial or other privacy, data security or data protection law or regulation, including European Data Protection Legislation, the LGPD and US State Privacy Laws.

Controller Data Subject” means a data subject to whom Controller Personal Data relates.

Controller Personal Data” means personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Controller Services.

Controller Services” means the Google products or services that incorporate these Controller Terms by reference in their terms of service or other agreements, including the “Controller Services” listed at business.safety.google/services.

End Controller” means, for each party, the ultimate controller of Controller Personal Data.

EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.

GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.

Google” means the Google Entity that is party to the Agreement.

Google Entity” means Google LLC, Google Ireland Limited or any other Affiliate of Google LLC.

LGPD” means the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).

Swiss FDPA” means, as applicable, the Federal Data Protection Act of 19 June 1992 (Switzerland) (with the Ordinance to the Federal Data Protection Act of 14 June 1993), or the revised Federal Data Protection Act of 25 September 2020 (with the Ordinance to the Federal Data Protection Act of 31 August 2022).

Terms Effective Date” means the date on which Partner clicked to accept or the parties otherwise agreed to these Controller Terms.

UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

US State Privacy Laws” means US privacy, data security, and data protection laws and regulations applicable to the personal information processed by a party under the Agreement, including without limitation (i) the California Consumer Privacy Act of 2018 (including as amended by the California Privacy Rights Act of 2020) together with all implementing regulations (“CCPA") (ii) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq.; and (iii) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq. together with all implementing regulations; (iv) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; and (v) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.

2.2 The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Controller Terms have the meanings given by either (a) Applicable Data Protection Legislation; or (b) absent any such meaning or law, the GDPR.

2.3 The words “include” and “including” mean “including but not limited to”. Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.

2.4 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

2.5 To the extent any translated version of these Controller Terms is inconsistent with the English version, the English version will govern.

3. Application of these Controller Terms

3.1 General. These Controller Terms will only apply to the Controller Services for which the parties agreed to these Controller Terms, for example: (a) the Controller Services for which Partner clicked to accept these Controller Terms; or (b) if the Agreement incorporates these Controller Terms by reference, the Controller Services that are the subject of the Agreement.

3.2 Incorporation of Additional Terms. The Additional Terms supplement these Controller Terms.

4. Roles and Restrictions on Processing

4.1 Independent Controllers. Subject to Section 4.3 (End Controllers), each party:

(a) is an independent controller of Controller Personal Data;

(b) will individually determine the purposes and means of its processing of Controller Personal Data; and

(c) will comply with the obligations applicable to it under the Applicable Data Protection Legislation regarding the processing of Controller Personal Data.

4.2 Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.

4.3 End Controllers. Without reducing either party’s obligations under these Controller Terms, each party acknowledges that: (a) the other party’s Affiliates or clients may be End Controllers; and (b) the other party may act as a processor on behalf of its End Controllers. Each party will ensure that its End Controllers comply with the Controller Terms.

4.4 Transparency. Partner acknowledges Google has published information about how Google uses information from sites, apps or other properties that use its services at https://policies.google.com/technologies/partner-sites. Without prejudice to its obligations under Section 4.1(c), Partner may link to that page to provide Controller Data Subjects with information about Google's processing of Controller Personal Data.

5. Liability

If the Agreement is governed by the laws of:

(a) a state of the United States of America, then, regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Applicable Data Protection Legislation); or

(b)a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement.

6. Effect of Controller Terms

6.1 Order of Precedence. If there is any conflict or inconsistency between the Additional Terms, the remainder of these Controller Terms and/or the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 6.2 (No Effect on Processor Terms), the following order of precedence will apply:

(a) the Additional Terms (if applicable);

(b) the remainder of these Controller Terms; and

(c) the remainder of the Agreement.

6.2 No Effect on Processor Terms. These Controller Terms will not affect any separate terms between Google and Partner reflecting a controller-processor, processor-processor or processor-controller relationship for a service other than the Controller Services.

7. Changes to these Controller Terms

7.1 Changes to URLs. From time to time, Google may change any URL referenced in these Controller Terms and the content at any such URL, except that Google may only change the list of potential Controller Services at business.safety.google/services:

(a) to reflect a change to the name of a service;

(b) to add a new service; or

(c) to remove a service (or a feature of a service) where either: (i) all contracts for the provision of that service are terminated; (ii) Google has Partner’s consent; or (iii) the service, or a certain feature of the service, has been recategorised as a processor service.

7.2 Changes to Controller Terms. Google may change these Controller Terms if the change:

(a) is as described in Section 7.1 (Changes to URLs);

(b) reflects a change in the name or form of a legal entity;

(c) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency, or reflects Google’s adoption of a Data Transfer Solution (as defined in Appendix 1, Part A); or

(d) does not otherwise: (i) seek to alter the categorisation of the parties as controllers of Controller Personal Data under Applicable Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process (x) in the case of the Additional Terms, the data in scope of the Additional Terms or (y) in the case of the remainder of these Controller Terms, Controller Personal Data; or (iii) have a material adverse impact on Partner, as reasonably determined by Google.

7.3 Notification of Changes. If Google intends to change these Controller Terms under Section 7.2(c) and such change will have a material adverse impact on Partner, as reasonably determined by Google, then Google will use commercially reasonable efforts to inform Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Partner objects to any such change, Partner may terminate the Agreement by giving written notice to Google within 90 days of being informed by Google of the change.

Appendix 1: Additional Terms for Applicable Data Protection Legislation

PART A - ADDITIONAL TERMS FOR EUROPEAN DATA PROTECTION LEGISLATION

1. Introduction

This Appendix 1, Part A will only apply to the extent that the European Data Protection Legislation applies to the processing of Controller Personal Data.

2. Definitions

2.1 In this Appendix 1, Part A:

Adequate Country” means:

(a) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate data protection under the EU GDPR;

(b) for data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate protection under the UK GDPR and the Data Protection Act 2018; and/or

(c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) recognized as ensuring adequate protection by the Swiss Federal Council under the Swiss FDPA,

in each case, other than on the basis of an optional data protection framework.

Controller SCCs” means the terms at https://business.safety.google/gdprcontrollerterms/sccs/eu-c2c/.

Data Transfer Solution” means a solution that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Legislation, including the EU-US Data Privacy Framework, UK Extension to EU-US Data Privacy Framework, Swiss-US Data Privacy Framework (collectively, the “Data Privacy Framework”), or another valid data protection framework recognized as providing adequate protection under Applicable Data Protection Legislation.

EEA” means the European Economic Area.

European Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the EEA or Switzerland.

European Laws” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Controller Personal Data); (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Controller Personal Data); and (c) the law of Switzerland (if the Swiss FDPA applies to the processing of Controller Personal Data).

Google End Controllers” means the End Controllers of Controller Personal Data processed by Google.

Permitted European Transfers” means the processing of Controller Personal Data in, or the transfer of Controller Personal Data to, an Adequate Country.

Restricted European Transfer(s)” means transfer(s) of Controller Personal Data that are: (a) subject to the European Data Protection Legislation; and (b) not Permitted European Transfers.

UK Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the UK.

2.2The terms “data importer” and “data exporter” have the meanings given in the Controller SCCs.

3. End Controllers

The Google End Controllers are: (i) for European Controller Personal Data processed by Google, Google Ireland Limited, and where the Agreement is with a different Google Affiliate, that Affiliate will be the Google End Controller responsible for processing European Controller Personal Data in connection with billing for the Controller Services only (collectively, the “European End Controllers”); and (ii) for UK Controller Personal Data processed by Google, Google LLC. Each party will ensure that its End Controllers comply with the Controller SCCs, where applicable.

4. Data Transfers

4.1 Restricted European Transfers. Either party may make Restricted European Transfers if it complies with the provisions on Restricted European Transfers in the European Data Protection Legislation.

4.2 Data Transfer Solution.

(a) If Google has adopted a Data Transfer Solution for any Restricted European Transfers, then: (i) Google will ensure that such Restricted European Transfers are made in accordance with the applicable Data Transfer Solution; and (ii) paragraph 5 (Controller SCCs) of this Appendix 1, Part A will not apply to such Restricted European Transfers.

(b) If Google has not adopted, or informs Partner that Google is no longer adopting, a Data Transfer Solution for any Restricted European Transfers, then paragraph 5 (Controller SCCs) of this Appendix 1, Part A will apply to such Restricted European Transfers.

4.3 Onward Transfer Provisions.

(a) Application of Paragraph 4.3. Paragraphs 4.3(b) (Use of Data Provider Personal Data) and 4.3(c) (Protection of Data Provider Personal Data) of this Appendix 1, Part A will only apply to the extent that:

(i)a party (the “Data Recipient”) processes Controller Personal Data that is made available by the other party (the “Data Provider”) in connection with the Agreement (such Controller Personal Data, “Data Provider Personal Data”);

(ii) the Data Provider or its Affiliate is certified under a Data Transfer Solution; and

(iii) the Data Provider notifies the Data Recipient of such Data Transfer Solution certification in writing.

(b)Use of Data Provider Personal Data.

(i) To the extent that an applicable Data Transfer Solution includes an onward transfer principle, then pursuant to such onward transfer principle under the relevant Data Transfer Solution, the Data Recipient will only use Data Provider Personal Data for limited and specified purposes consistent with the consent provided by the relevant Controller Data Subjects.

(ii)To the extent the Data Provider fails to obtain consent from the relevant Controller Data Subjects as required under the Agreement, the Data Recipient will not be in breach of paragraph 4.3(b)(i) of this Appendix 1, Part A if it uses Data Provider Personal Data consistent with the required consent.

(c)Protection of Data Provider Personal Data.

(i)The Data Recipient will provide a level of protection for Data Provider Personal Data that is at least equivalent to that required under the Agreement and applicable Data Transfer Solution.

(ii) If the Data Recipient determines that it cannot comply with paragraph 4.3(c)(i), it will: (A) notify the Data Provider in writing; and (B) either cease processing the Data Provider Personal Data or take reasonable and appropriate steps to remedy such non-compliance.

(d)Data Transfer Solution Adoption and Certification. Information about Google and/or its Affiliates’ adoption of, or certification under, any Data Transfer Solutions can be found at https://policies.google.com/privacy/frameworks. The parties acknowledge that Google has certified under the Data Privacy Framework on behalf of itself and certain wholly-owned US subsidiaries. Google’s certification is available at https://www.dataprivacyframework.gov. The Data Privacy Framework will apply to any Restricted European Transfer to a certified Google entity in the US. This paragraph 4.3(d) (Data Transfer Solution Adoption and Certification) constitutes notice in writing of Google and or its Affiliates’ current certifications as at the Terms Effective Date for the purpose of paragraph 4.3(a)(iii) of this Appendix 1, Part A .

5. Controller SCCs

5.1 Transfers of European Controller Personal Data to Partner. To the extent that:

(a) Google transfers European Controller Personal Data to Partner; and

(b) the transfer is a Restricted European Transfer, Partner as data importer will be deemed to have entered into the Controller SCCs with Google Ireland Limited (the applicable Google End Controller) as data exporter, unless otherwise specified in the Agreement and the transfers will be subject to the Controller SCCs.

5.2 Transfers of UK Controller Personal Data to Partner. To the extent that:

(a) Google transfers UK Controller Personal Data to Partner; and

(b) the transfer is a Restricted European Transfer,

Partner as data importer will be deemed to have entered into the Controller SCCs with Google LLC (the applicable Google End Controller) as data exporter and the transfers will be subject to the Controller SCCs.

5.3 Transfers of European Controller Personal Data to Google. The parties acknowledge that to the extent Partner transfers European Controller Personal Data to Google, the Controller SCCs are not required because the address of Google Ireland Limited (the applicable Google End Controller) is in an Adequate Country and such transfers are Permitted European Transfers. This does not affect Google’s obligations under paragraph 4.1 (Restricted European Transfers) of this Appendix 1, Part A.

5.4Transfers of UK Controller Personal Data to Google. To the extent that Partner transfers UK Controller Personal Data to Google, Partner as data exporter will be deemed to have entered into the Controller SCCs with Google LLC (the applicable Google End Controller) as data importer and the transfers will be subject to the Controller SCCs, because Google LLC’s address is not in an Adequate Country.

5.5 Contacting Google; Partner Information.

(a) Partner may contact Google Ireland Limited and/or Google LLC in connection with the Controller SCCs at legal-notices@google.com or through such other means as may be provided by Google from time to time.

(b) Partner acknowledges that Google is required under the Controller SCCs to record certain information, including (i) the identity and contact details of the data importer (including any contact person with responsibility for data protection); and (ii) the technical and organisational measures implemented by the data importer. Accordingly, Partner will, where requested and as applicable to Partner, provide such information to Google via such means as may be provided by Google, and will ensure that all information provided is kept accurate and up-to-date.

5.6Responding to Data Subject Enquiries. The applicable data importer will be responsible for responding to enquiries from data subjects and the supervisory authority concerning the processing of applicable Controller Personal Data by the data importer.

5.7Data Deletion on Termination. To the extent that:

(a) Google LLC acts as data importer and Partner acts as data exporter under the Controller SCCs; and

(b) Partner terminates the Agreement in accordance with Clause 16(c) of the Controller SCCs, then for the purposes of Clause 16(d) of the Controller SCCs, Partner directs Google to delete Controller Personal Data, and, unless European Laws require storage, Google will facilitate such deletion as soon as is reasonably practicable, to the extent such deletion is reasonably possible (taking into account that Google is an independent Controller of such data, as well as the nature and functionality of the Controller Services).

6.Liability if Controller SCCs Apply.

If Controller SCCs apply under paragraph 5 (Controller SCCs) of this Appendix 1, Part A, then the total combined liability of:

(a) Google, Google LLC and Google Ireland Limited towards Partner; and

(b) Partner towards Google, Google LLC and Google Ireland Limited,

under or in connection with the Agreement and the Controller SCCs combined will be subject to Section 5 (Liability). Clause 12 of the Controller SCCs will not affect the previous sentence.

7.Third-Party Beneficiaries

If a party’s Affiliate is a party to the applicable Controller SCCs in accordance with paragraph 5 (Controller SCCs) of this Appendix 1, Part A, that Affiliate, , will be a third-party beneficiary of Section 4.3 (End Controllers) and paragraphs 3 (Google End Controllers), 5 (Controller SCCs) and 6 (Liability if Controller SCCs Apply) of this Appendix 1, Part A. To the extent this paragraph 7 (Third-Party Beneficiaries) conflicts or is inconsistent with any other clause in the Agreement, this paragraph 7 (Third-Party Beneficiaries) will apply.

8. Precedence

8.1 If there is any conflict or inconsistency between the Controller SCCs, this Appendix 1, Part A, the remainder of these Controller Terms and/or the remainder of the Agreement, then the Controller SCCs will prevail.

8.2Additional Commercial Clauses. Subject to the amendments in these Controller Terms, the Agreement remains in full force and effect. Paragraphs 5.5 (Contacting Google) to 5.7 (Data Deletion on Termination), and paragraph 6 (Liability if Controller SCCs Apply) of this Appendix 1, Part A are additional commercial clauses relating to the Controller SCCs as permitted by Clause 2(a) (Effect and invariability of the Clauses) of the Controller SCCs.

8.3No Modification of Controller SCCs. Nothing in the Agreement (including these Controller Terms) is intended to modify or contradict any Controller SCCs or prejudice the fundamental rights or freedoms of data subjects under the European Data Protection Legislation.

PART B - ADDITIONAL TERMS FOR US STATE PRIVACY LAWS

1. Introduction

Google and Partner have entered into the Google Controller-Controller Data Protection Terms (“Controller Terms”), which supplement the Agreement. This Appendix 1, Part B reflects the parties’ agreement on the processing of personal information and Deidentified Data (as defined below) pursuant to the Agreement in connection with the US State Privacy Laws, and is effective solely to the extent each US State Privacy Law applies.

2. Additional Definitions and Interpretation.

In this Appendix 1, Part B:

(a)Deidentified Data” means data information that is “deidentified” (as that term is defined by the CCPA) and “de-identified data” (as defined by other US State Privacy Laws), when disclosed by one party to the other.

(b) the terms “business”, “consumer”, “personal information”, “sale(s)”, “sell”, and “share” as used in this Appendix 1, Part B have the meanings given in the US State Privacy Laws.

3. Mutual Terms.

Each party:

3.1 Will not sell any personal information that it obtains from the other party in connection with the Agreement;

3.2 Each party, with respect to personal information received from the other party, will comply as an independent business or controller under US State Privacy Laws, and will be solely liable for such compliance;

3.3 Will comply with the requirements for processing Deidentified Data set out in US State Privacy Laws with respect to any Deidentified Data it receives from the other party pursuant to the Agreement; and

3.4 Acknowledges that, to the extent Google discloses personal information to Partner pursuant to the Agreement, Google intends to disclose personal information to Partner only under an applicable exception to “sale” and “sharing,” each as defined by US State Privacy Laws.

4. Google’s CCPA Obligations.

4.1 If Partner sells or shares personal information to Google that is subject to the CCPA, Google will:

(a) Process the personal information only for the limited purposes specified in the Agreement, unless otherwise permitted by the CCPA;

(b) Permit Partner, upon reasonable request, to take reasonable and appropriate steps to ensure that Google uses the personal information in a manner consistent with a business’ obligations under the CCPA by requesting that Google attest to its compliance with this paragraph 4.1 of this Appendix 1, Part B. Following any such request, Google will promptly provide that attestation or notice about why it cannot provide it;

(c) Notify Partner if Google makes a determination that it can no longer meet its obligations under the CCPA. This paragraph 4.1(c) of this Appendix 1, Part B does not reduce either party’s rights and obligations elsewhere in the Agreement;

(d) If Partner reasonably believes that Google is processing personal information in an unauthorized manner, Partner has the right to notify Google of such belief via the methods described at legal@google.com, and the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary; and

(e)Google will comply with applicable obligations under CCPA and will provide the same level of privacy protection as is required by CCPA.

5. Changes to this Appendix 1, Part B.

In addition to Section 7 (Changes to these Controller Terms) of the Controller Terms, as applicable, Google may change this Appendix 1, Part B without notice if the change (a) is based on applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency or (b) does not have a material adverse impact on Partner under the US State Privacy Laws, as reasonably determined by Google.

Google Controller-Controller Data Protection Terms, Version 7.0

1 September 2023

Previous Versions