Google Measurement Controller-Controller Data Protection Terms
The Measurement Services customer agreeing to these terms (“Customer”) has entered into an agreement with either Google or a third party reseller (as applicable) for the provision of the Measurement Services (as amended from time to time, the “Agreement”) through which services user interface Customer has enabled the Data Sharing Setting.
These Google Measurement Controller-Controller Data Protection Terms (“Controller Terms”) are entered into by Google and Customer. Where the Agreement is between Customer and Google, these Controller Terms supplement the Agreement. Where the Agreement is between Customer and a third party reseller, these Controller Terms form a separate agreement between Google and Customer.
For the avoidance of doubt, the provision of the Measurement Services is governed by the Agreement. These Controller Terms set out the data protection provisions relating to the Data Sharing Setting only but do not otherwise apply to the provision of the Measurement Services.
Subject to Section 7.2 (Processor Terms), these Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.
If you are accepting these Controller Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Customer, to these Controller Terms. If you do not have the legal authority to bind Customer, please do not accept these Controller Terms.
Please do not accept these Controller Terms if you are a reseller. These Controller Terms set out the rights and obligations that apply between users of the Measurement Services and Google.
These Controller Terms reflect the parties’ agreement on the processing of Controller Personal Data pursuant to the Data Sharing Setting.
2. Definitions and Interpretation
In these Controller Terms:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
"Confidential Information" means these Controller Terms.
“Controller Data Subject” means a data subject to whom Controller Personal Data relates.
“Controller Personal Data” means any personal data that is processed by a party pursuant to the Data Sharing Setting.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“Data Sharing Setting” means the data sharing setting which Customer has enabled via the user interface of the Measurement Services and which enables Google and its Affiliates to use personal data for improving Google’s and its Affiliates’ products and services.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- (a) where a Google Entity is party to the Agreement, that Google Entity.
- (b) where the Agreement is between Customer and a third party reseller and:
- (i) the third party reseller is organised in North America or in another region outside Europe, the Middle East, Africa, Asia and Oceania, Google LLC (formerly known as Google Inc.);
- (ii) the third party reseller is organised in Europe, the Middle East or Africa, Google Ireland Limited; or
- (iii) the third party reseller is organised in Asia and Oceania, Google Asia Pacific Pte. Ltd.
“Google Entity” means Google LLC, Google Ireland Limited or any other Affiliate of Google LLC.
“Measurement Services” means Google Analytics, Google Analytics 360, Google Analytics for Firebase, Google Attribution, Google Attribution 360, Google Optimize or Google Optimize 360, as applicable to the Data Sharing Setting for which the parties agreed to these Controller Terms.
“Privacy Shield” means the EU-U.S. Privacy Shield legal framework and the Swiss-U.S. Privacy Shield legal framework.
“Policies” means the Google End User Consent Policy available at https://www.google.com/about/company/user-consent-policy.html.
“Processor Terms” means:
- (a) where Google is a party to the Agreement, the processor terms available at https://privacy.google.com/businesses/processorterms/; or
- (b) where the Agreement is between Customer and a third party reseller, such terms reflecting a controller-processor relationship (if any) as agreed between the Customer and the third party reseller.
“Terms Effective Date” means, as applicable:
- (a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Controller Terms before or on such date; or
- (b) the date on which Customer clicked to accept or the parties otherwise agreed to these Controller Terms, if such date is after 25 May 2018.
The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Controller Terms have the meanings given in the GDPR.
Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.
Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3. Application of these Controller Terms
3.1 Application of Data Protection Legislation
These Controller Terms will only apply to the extent that the Data Protection Legislation applies to the processing of Controller Personal Data.
3.2 Application to Data Sharing Setting
These Controller Terms will only apply to the Data Sharing Setting for which the parties agreed to these Controller Terms (for example, the Data Sharing Setting for which Customer clicked to accept these Controller Terms).
These Controller Terms will apply from the Terms Effective Date and continue while Google or Customer processes Controller Personal Data, after which these Controller Terms will automatically terminate.
4. Roles and Restrictions on Processing
4.1 Independent Controllers
- (a) is an independent controller of Controller Personal Data under the Data Protection Legislation;
- (b) will individually determine the purposes and means of its processing of Controller Personal Data; and
- (c) will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Controller Personal Data.
4.2 Restrictions on Processing
Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.
4.3 End User Consent
Customer will comply with the Policies in relation to the Controller Personal Data shared pursuant to the Data Sharing Setting and at all times will bear the burden of proof in establishing such compliance.
5. Data Transfers
Either party may transfer Controller Personal Data outside the European Economic Area and Switzerland if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Legislation.
If Google is:
- (a) party to the Agreement and the Agreement is governed by the laws of:
- (i) a state of the United States of America, then, notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Legislation); or
- (ii) a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement; or
- (b) not party to the Agreement, to the extent permitted by applicable law, Google will not be liable for Customer’s lost revenues or indirect, special, incidental, consequential, exemplary or punitive damages, even if Google or its Affiliates have been advised of, knew or should have known that such damages do not satisfy a remedy. Google’s (and its Affiliates’) total cumulative liability to Customer or any other party for any loss or damages resulting from claims, damages or actions arising out of or relating to these Controller Terms will not exceed $500 (USD).
7.1 Effect of these Controller Terms
If Google is party to the Agreement and there is any conflict or inconsistency between the terms of these Controller Terms and the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 8.2 (Processor Terms), the terms of these Controller Terms will govern. Subject to the amendments in these Controller Terms, the Agreement between Google and Customer remains in full force and effect.
7.2 Processor Terms
These Controller Terms will not replace or affect any Processor Terms. For the avoidance of doubt, if Customer is party to the Processor Terms in connection with the Measurement Services, the Processor Terms will continue to apply to the Measurement Services notwithstanding that these Controller Terms apply to Controller Personal Data processed pursuant to the Data Sharing Setting.
8. Changes to these Controller Terms
8.1 Changes to Controller Terms
Google may change these Controller Terms if the change:
- (a) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
- (b) does not: (i) seek to alter the categorisation of the parties as independent controllers of Controller Personal Data under the Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Controller Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Google.
8.2 Notification of Changes
If Google intends to change these Controller Terms under Section 8.1(a) and such change will have a material adverse impact on Customer, as reasonably determined by Google, then Google will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Customer objects to any such change, Customer may switch off the Data Sharing Setting.
9. Additional Provisions
This Section 9 (Additional Provisions) will only apply where Google is not party to the Agreement.
Each party will comply with its obligations under these Controller Terms with reasonable skill and care.
Neither party will use or disclose the other party's Confidential Information without the other's prior written consent except for the purpose of exercising its rights or performing its obligations under these Controller Terms or if required by law, regulation or court order; in which case, the party being compelled to disclose Confidential Information will give the other party as much notice as is reasonably practicable prior to disclosing the Confidential Information.
To the fullest extent permitted by applicable law, except as expressly provided for in these Controller Terms, Google makes no other warranty of any kind whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and non-infringement.
Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.
If any term (or part of a term) of these Controller Terms is invalid, illegal, or unenforceable, the rest of these Controller Terms will remain in effect.
These Controller Terms will be governed by and construed under the laws of the state of California without reference to its conflict of law principles. In the event of any conflicts between foreign law, rules and regulations, and California law, rules and regulations, California law, rules and regulations will prevail and govern. Each party agrees to submit to the exclusive and personal jurisdiction of the courts located in Santa Clara County, California. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply to these Controller Terms.
All notices of termination or breach must be in English, in writing and addressed to the other party’s Legal Department. The address for notices to Google’s Legal Department is email@example.com. Notice will be treated as given on receipt, as verified by written or automated receipt or by electronic log (as applicable).
No party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under these Controller Terms. No party may assign any part of these Controller Terms without the written consent of the other, except to an Affiliate where: (a) the assignee has agreed in writing to be bound by the terms of these Controller Terms; (b) the assigning party remains liable for obligations under these Controller Terms if the assignee defaults on them; (c) in the case of Customer, the assigning party has transferred its Measurement Services account(s) to the assignee; and (d) the assigning party has notified the other party of the assignment. Any other attempt to assign is void.
The parties are independent contractors. These Controller Terms do not create any agency, partnership, or joint venture between the parties. These Controller Terms do not confer any benefits on any third party unless they expressly state that they do.
To the extent permitted by applicable law, these Controller Terms state all terms agreed between the parties. In entering into these Controller Terms no party has relied on, and no party will have any right or remedy based on, any statement, representation or warranty (whether made negligently or innocently), except those expressly stated in these Controller Terms.
Google Measurement Controller-Controller Data Protection Terms, Version 1.0
May 10, 2018