The Measurement Services customer agreeing to these terms (“Customer”) has entered into an agreement with either Google or a third party reseller (as applicable) for the provision of the Measurement Services (as amended from time to time, the “Agreement”) through which services user interface Customer has enabled the Data Sharing Setting.
These Google Measurement Controller-Controller Data Protection Terms (“Controller Terms”) are entered into by Google and Customer. Where the Agreement is between Customer and Google, these Controller Terms supplement the Agreement. Where the Agreement is between Customer and a third party reseller, these Controller Terms form a separate agreement between Google and Customer.
For the avoidance of doubt, the provision of the Measurement Services is governed by the Agreement. These Controller Terms set out the data protection provisions relating to the Data Sharing Setting only but do not otherwise apply to the provision of the Measurement Services.
Subject to Section 7.2 (Processor Terms), these Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.
If you are accepting these Controller Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Customer, to these Controller Terms. If you do not have the legal authority to bind Customer, please do not accept these Controller Terms.
Please do not accept these Controller Terms if you are a reseller. These Controller Terms set out the rights and obligations that apply between users of the Measurement Services and Google.
1. Introduction
These Controller Terms reflect the parties’ agreement on the processing of Controller Personal Data pursuant to the Data Sharing Setting.
2. Definitions and Interpretation
2.1
In these Controller Terms:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
"Confidential Information" means these Controller Terms.
“Controller Data Subject” means a data subject to whom Controller Personal Data relates.
“Controller MCCs” means the terms at privacy.google.com/businesses/controllerterms/mccs, which are standard data protection clauses for the transfer of personal data to controllers established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the EU GDPR.
“Controller Personal Data” means any personal data that is processed by a party pursuant to the Data Sharing Setting.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“Data Sharing Setting” means the data sharing setting which Customer has enabled via the user interface of the Measurement Services and which enables Google and its Affiliates to use personal data for improving Google’s and its Affiliates’ products and services.
"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“End Controller” means, for each party, the ultimate controller of Controller Personal Data.
“European Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the European Economic Area or Switzerland.
“GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
“Google” means:
- (a) where a Google Entity is party to the Agreement, that Google Entity.
- (b) where the Agreement is between Customer and a third party reseller and:
- (i) the third party reseller is organised in North America or in another region outside Europe, the Middle East, Africa, Asia and Oceania, Google LLC (formerly known as Google Inc.);
- (ii) the third party reseller is organised in Europe, the Middle East or Africa, Google Ireland Limited; or
- (iii) the third party reseller is organised in Asia and Oceania, Google Asia Pacific Pte. Ltd.
“Google End Controllers” means the End Controllers of Controller Personal Data processed by Google.
“Google Entity” means Google LLC, Google Ireland Limited or any other Affiliate of Google LLC.
“Measurement Services” means Google Analytics, Google Analytics 360, Google Analytics for Firebase, Google Optimize or Google Optimize 360, as applicable to the Data Sharing Setting for which the parties agreed to these Controller Terms.
“Policies” means the Google End User Consent Policy available at https://google.com/about/company/user-consent-policy.html.
“Processor Terms” means:
- (a) where Google is a party to the Agreement, the processor terms available at https://privacy.google.com/businesses/processorterms/; or
- (b) where the Agreement is between Customer and a third party reseller, such terms reflecting a controller-processor relationship (if any) as agreed between the Customer and the third party reseller.
“Terms Effective Date” means, as applicable:
- (a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Controller Terms before or on such date; or
- (b) the date on which Customer clicked to accept or the parties otherwise agreed to these Controller Terms, if such date is after 25 May 2018.
“UK Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the UK.
“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force.
2.2
The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Controller Terms have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Controller MCCs.
2.3
Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.
2.4
Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
2.5
References in the Controller MCCs to the “Google Ads Controller-Controller Data Protection Terms” shall be deemed to mean the “Google Measurement Controller-Controller Data Protection Terms”.
3. Application of these Controller Terms
3.1 Application of Data Protection Legislation
These Controller Terms will only apply to the extent that the Data Protection Legislation applies to the processing of Controller Personal Data.
3.2 Application to Data Sharing Setting
These Controller Terms will only apply to the Data Sharing Setting for which the parties agreed to these Controller Terms (for example, the Data Sharing Setting for which Customer clicked to accept these Controller Terms).
3.3 Duration
These Controller Terms will apply from the Terms Effective Date and continue while Google or Customer processes Controller Personal Data, after which these Controller Terms will automatically terminate.
4. Roles and Restrictions on Processing
4.1 Independent Controllers
Subject to Section 4.4 (End Controllers), each party:
- (a) is an independent controller of Controller Personal Data under the Data Protection Legislation;
- (b) will individually determine the purposes and means of its processing of Controller Personal Data; and
- (c) will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Controller Personal Data.
4.2 Restrictions on Processing
Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.
4.3 End User Consent
Customer will comply with the Policies in relation to the Controller Personal Data shared pursuant to the Data Sharing Setting and at all times will bear the burden of proof in establishing such compliance.
4.4 End Controllers
Without reducing either party’s obligations under these Controller Terms, each party acknowledges that: (a) the other party’s Affiliates or clients may be End Controllers; and (b) the other party may act as a processor on behalf of its End Controllers. The Google End Controllers are: (i) for European Controller Personal Data processed by Google, Google Ireland Limited; and (ii) for UK Controller Personal Data processed by Google, Google LLC. Each party will ensure that its End Controllers comply with the Controller Terms, including (where applicable) the Controller MCCs.
5. Data Transfers
5.1 Data Transfers
Either party may transfer Controller Personal Data to third countries if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Legislation.
5.2 Transfers of UK Controller Personal Data to Google
To the extent that Customer transfers UK Controller Personal Data to Google, Customer as data exporter will be deemed to have entered into the Controller MCCs with Google LLC (the applicable Google End Controller) as data importer and the transfers will be subject to the Controller MCCs, because Google LLC is established in the USA and such transfers are therefore to a third country that is not subject to an adequacy decision under the UK GDPR. For clarity, to the extent Customer transfers European Controller Personal Data to Google, the Controller MCCs are not required because Google Ireland Limited (the applicable Google End Controller) is established in Ireland and such transfers are therefore permitted under the Data Protection Legislation.
5.3 Additional Commercial Clauses for the Controller MCCs
Sections 5.4 (Contacting Google) to 5.7 (Third Party Controllers) are additional commercial clauses relating to the Controller MCCs as permitted by Clause VII (Variation of these clauses) of the Controller MCCs. Nothing in Sections 5.4 (Contacting Google) to 5.7 (Third Party Controllers) varies or modifies any rights or obligations of the parties to the Controller MCCs.
5.4 Contacting Google
Customer may contact Google Ireland Limited and/or Google LLC in connection with the Controller MCCs at https://google-support.mirrorblogs.com/policies/troubleshooter/9009584 or through such other means as may be provided by Google from time to time, including for the purposes of:
(a) Clause II(e) of the Controller MCCs, to the extent Google LLC acts as data importer and Customer acts as data exporter under the Controller MCCs; and
(b) requesting an Audit pursuant to Section 5.6 (a) (Reviews, Audits and Certifications of Compliance) below.
5.5 Responding to Data Subject Enquiries
For the purpose of Clause I(d) of the Controller MCCs, the applicable data importer will be responsible for responding to enquiries from data subjects and the authority concerning the processing of applicable Controller Personal Data by the data importer.
5.6 Reviews, Audits and Certifications of Compliance
(a) If the Controller MCCs apply under this Section 5 (Data Transfers), the applicable data importer will allow the applicable data exporter or a third party inspection agent or auditor appointed by the data exporter to conduct a review, audit and/or certification as described in Clause II(g) of the Controller MCCs (“Audit”) in accordance with this Section 5.6 (Reviews, Audits and Certifications of Compliance).
(b) Following receipt by the data importer of a request for an Audit, the data importer and the data exporter will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, the Audit.
(c) The data importer may charge a fee (based on the data importer’s reasonable costs) for any Audit. The data importer will provide the data exporter with further details of any applicable fee, and the basis of its calculation, in advance of the Audit. The data exporter will be responsible for any fees charged by any third party inspection agent or auditor appointed by the data exporter to execute the Audit.
(d) The data importer may object to any third party inspection agent or auditor appointed by the data exporter to conduct any Audit if the inspection agent or auditor is, in the data importer’s reasonable opinion, not suitably qualified or independent, a competitor of the data importer or otherwise manifestly unsuitable. Any such objection by the data importer will require the data exporter to appoint another inspection agent or auditor or conduct the Audit itself.
(e) The data importer will not be required either to disclose to the data exporter or its third party inspection agent or auditor, or to allow the data exporter or its third party inspection agent or auditor to access:
(i) any data of any customers of the data importer or any of its Affiliates;
(ii) any internal accounting or financial information of the data importer or any of its Affiliates;
(iii) any trade secret of the data importer or any of its Affiliates;
(iv) any information that, in the data importer’s reasonable opinion, could: (A) compromise the security of any systems or premises of the data importer or any of its Affiliates; or (B) cause the data importer or any Affiliate of the data importer to breach its obligations under the Data Protection Legislation or its security and/or privacy obligations to the data exporter or any third party; or
(v) any information that the data exporter or its third party inspection agent or auditor seeks to access for any reason other than the good faith fullfilment of the data exporter’s obligations under the Data Protection Legislation.
5.7 Third Party Controllers
To the extent Google LLC acts as data importer and Customer acts as data exporter under the Controller MCCs under Section 5.2 (Transfers of UK Controller Personal Data to Google), Google notifies Customer for the purpose of Clause II(i) that UK Controller Personal Data may be transferred to the third party data controllers described in applicable Help Centre articles for the Measurement Services.
6. Liability
6.1 Liability Cap
If Google is:
- (a) party to the Agreement and the Agreement is governed by the laws of:
- (i) a state of the United States of America, then, notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Legislation); or
- (ii) a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement; or
- (b) not party to the Agreement, to the extent permitted by applicable law, Google will not be liable for Customer’s lost revenues or indirect, special, incidental, consequential, exemplary or punitive damages, even if Google or its Affiliates have been advised of, knew or should have known that such damages do not satisfy a remedy. Google’s (and its Affiliates’) total cumulative liability to Customer or any other party for any loss or damages resulting from claims, damages or actions arising out of or relating to these Controller Terms will not exceed $500 (USD).
6.2 Liability if the Controller MCCs Apply
If the Controller MCCs apply under Section 5 (Data Transfers), then: (a) if Google is party to the Agreement, the total combined liability of: (i) Google and Google LLC towards Customer; and (ii) Customer towards Google, Google LLC and Google Ireland Limited; under or in connection with the Agreement and the Controller MCCs combined will be subject to Section 6.1(a) (Liability Cap). Clause III(a) of the Controller MCCs will not affect the previous sentence.
(b) if Google is not party to the Agreement, the total combined liability of: (i) Google and Google LLC towards Customer; and (ii) Customer towards Google, Google LLC and Google Ireland Limited; under or in connection with these Controller Terms and the Controller MCCs combined will be subject to Section 6.1(b) (Liability Cap). Clause III(a) of the Controller MCCs will not affect the previous sentence.
7. Third Party Beneficiaries
Where Google LLC is not a party to the Agreement but is a party to the Controller MCCs, Google LLC will be a third-party beneficiary of Sections 4.4 (End Controllers), 5.2 (Transfers of UK Controller Personal Data to Google) to 5.7 (Third Party Controllers), and 6.2 (Liability if the Controller MCCs Apply). To the extent this Section 7 conflicts or is inconsistent with any other clause in the Agreement, this Section 7 will apply.
8. Priority
8.1 Effect of these Controller Terms
If Google is party to the Agreement and there is any conflict or inconsistency between the Controller MCCs, the terms of these Controller Terms and the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 8.2 (Processor Terms), the following order of precedence will apply: (a) the Controller MCCs; (b) the remainder of these Controller Terms; and (c) the remainder of the Agreement. Subject to the amendments in these Controller Terms, the Agreement between Google and Customer remains in full force and effect.
8.2 Processor Terms
These Controller Terms will not replace or affect any Processor Terms. For the avoidance of doubt, if Customer is party to the Processor Terms in connection with the Measurement Services, the Processor Terms will continue to apply to the Measurement Services notwithstanding that these Controller Terms apply to Controller Personal Data processed pursuant to the Data Sharing Setting.
9. Changes to these Controller Terms
9.1 Changes to Controller Terms
Google may change these Controller Terms if the change:
- (a) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
- (b) does not: (i) seek to alter the categorisation of the parties as independent controllers of Controller Personal Data under the Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Controller Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Google.
9.2 Notification of Changes
If Google intends to change these Controller Terms under Section 9.1(a) and such change will have a material adverse impact on Customer, as reasonably determined by Google, then Google will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Customer objects to any such change, Customer may switch off the Data Sharing Setting.
10. Additional Provisions
10.1
This Section 10 (Additional Provisions) will only apply where Google is not party to the Agreement.
10.2
Each party will comply with its obligations under these Controller Terms with reasonable skill and care.
10.3
Neither party will use or disclose the other party's Confidential Information without the other's prior written consent except for the purpose of exercising its rights or performing its obligations under these Controller Terms or if required by law, regulation or court order; in which case, the party being compelled to disclose Confidential Information will give the other party as much notice as is reasonably practicable prior to disclosing the Confidential Information.
10.4
To the fullest extent permitted by applicable law, except as expressly provided for in these Controller Terms, Google makes no other warranty of any kind whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and non-infringement.
10.5
Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.
10.6
If any term (or part of a term) of these Controller Terms is invalid, illegal, or unenforceable, the rest of these Controller Terms will remain in effect.
10.7
(a) Except as set forth in section (b) below, these Controller Terms will be governed by and construed under the laws of the state of California without reference to its conflict of law principles. In the event of any conflicts between foreign law, rules and regulations, and California law, rules and regulations, California law, rules and regulations will prevail and govern. Each party agrees to submit to the exclusive and personal jurisdiction of the courts located in Santa Clara County, California. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply to these Controller Terms.
(b) Where the Agreement is between Customer and a third party reseller, and the third party reseller is organised in Europe, the Middle East or Africa, these Controller Terms will be governed by English law. Each party agrees to submit to the exclusive jurisdiction of the English courts in relation to any dispute (whether contractual or non-contractual) arising out of or in connection with these Controller Terms.
(c) In the event the Controller MCCs apply and provide for governing law that differs from the laws outlined in sections (a) and (b) above, the governing law set forth in the Controller MCCs will apply solely with respect to the Controller MCCs.
(d) The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply to these Controller Terms.
10.8
All notices of termination or breach must be in English, in writing and addressed to the other party’s Legal Department. The address for notices to Google’s Legal Department is [email protected]. Notice will be treated as given on receipt, as verified by written or automated receipt or by electronic log (as applicable).
10.9
No party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under these Controller Terms. No party may assign any part of these Controller Terms without the written consent of the other, except to an Affiliate where: (a) the assignee has agreed in writing to be bound by the terms of these Controller Terms; (b) the assigning party remains liable for obligations under these Controller Terms if the assignee defaults on them; (c) in the case of Customer, the assigning party has transferred its Measurement Services account(s) to the assignee; and (d) the assigning party has notified the other party of the assignment. Any other attempt to assign is void.
10.10
The parties are independent contractors. These Controller Terms do not create any agency, partnership, or joint venture between the parties. These Controller Terms do not confer any benefits on any third party unless they expressly state that they do.
10.11
To the extent permitted by applicable law, these Controller Terms state all terms agreed between the parties. In entering into these Controller Terms no party has relied on, and no party will have any right or remedy based on, any statement, representation or warranty (whether made negligently or innocently), except those expressly stated in these Controller Terms.
Google Measurement Controller-Controller Data Protection Terms, Version 1.3
August 12, 2020