Google Measurement Controller-Controller Data Protection Terms

The Google Measurement Controller-Controller Data Protection Terms will be updated on January 1, 2023 to include the ‘U.S. State Privacy Laws Controller Addendum’ in ‘Appendix 1: Additional Terms for Non-European Data Protection Legislation’ below. For more information on this update see business.safety.google/usaprivacy/. You can find the terms which apply prior to January 1, 2023 here.

The Measurement Services customer agreeing to these terms (“Customer”) has entered into an agreement with either Google or a third party reseller (as applicable) for the provision of the Measurement Services (as amended from time to time, the “Agreement”) through which services user interface Customer has enabled the Data Sharing Setting.

These Google Measurement Controller-Controller Data Protection Terms (“Controller Terms”) are entered into by Google and Customer. Where the Agreement is between Customer and Google, these Controller Terms supplement the Agreement. Where the Agreement is between Customer and a third party reseller, these Controller Terms form a separate agreement between Google and Customer.

For the avoidance of doubt, the provision of the Measurement Services is governed by the Agreement. These Controller Terms set out the data protection provisions relating to the Data Sharing Setting only but do not otherwise apply to the provision of the Measurement Services.

Subject to Section 8.4 (No Effect on Processor Terms), these Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.

If you are accepting these Controller Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Customer, to these Controller Terms. If you do not have the legal authority to bind Customer, please do not accept these Controller Terms.

Please do not accept these Controller Terms if you are a reseller. These Controller Terms set out the rights and obligations that apply between users of the Measurement Services and Google.

1. Introduction

These Controller Terms reflect the parties’ agreement on the processing of Controller Personal Data pursuant to the Data Sharing Setting.

2. Definitions and Interpretation

2.1

In these Controller Terms:

“Additional Terms for Non-European Data Protection Legislation” means the additional terms referred to in Appendix 1, which reflect the parties’ agreement on the terms governing the processing of certain data in connection with certain Non-European Data Protection Legislation.

“Adequate Country” means:

  • (a) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate data protection under EU GDPR;
  • (b) for data processed subject to the UK GDPR: the UK or a country or territory recognized as ensuring adequate data protection under the UK GDPR and the Data Protection Act 2018; and/or
  • (c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that is (i) included in the list of the states whose legislation ensures adequate data protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) recognized as ensuring adequate data protection by the Swiss Federal Council under the Swiss FDPA, in each case, other than on the basis of an optional data protection framework.

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

“Alternative Transfer Solution” means a solution, other than the Controller SCCs, that enables the lawful transfer of personal data to a third country in accordance with the European Data Protection Legislation, for example a data protection framework recognized as ensuring that participating local entities provide adequate protection.

"Confidential Information" means these Controller Terms.

“Controller Data Subject” means a data subject to whom Controller Personal Data relates.

“Controller Personal Data” means any personal data that is processed by a party pursuant to the Data Sharing Setting.

“Controller SCCs” means the terms at business.safety.google/adscontrollerterms/sccs/c2c.

“Data Sharing Setting” means the data sharing setting which Customer has enabled via the user interface of the Measurement Services and which enables Google and its Affiliates to use personal data for improving Google’s and its Affiliates’ products and services.

“EEA” means European Economic Area.

“End Controller” means, for each party, the ultimate controller of Controller Personal Data.

"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“European Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the European Economic Area or Switzerland.

“European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.

“European Laws” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Controller Personal Data); and (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Controller Personal Data).

“GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.

“Google” means:

  • (a) where a Google Entity is party to the Agreement, that Google Entity.
  • (b) where the Agreement is between Customer and a third party reseller and:
    • (i) the third party reseller is organised in North America or in another region outside Europe, the Middle East, Africa, Asia and Oceania, Google LLC (formerly known as Google Inc.);
    • (ii) the third party reseller is organised in Europe, the Middle East or Africa, Google Ireland Limited; or
    • (iii) the third party reseller is organised in Asia and Oceania, Google Asia Pacific Pte. Ltd.

“Google End Controllers” means the End Controllers of Controller Personal Data processed by Google.

“Google Entity” means Google LLC, Google Ireland Limited or any other Affiliate of Google LLC.

“Measurement Services” means Google Analytics, Google Analytics 360, Google Analytics for Firebase, Google Optimize or Google Optimize 360, as applicable to the Data Sharing Setting for which the parties agreed to these Controller Terms.

“Non-European Data Protection Legislation” means data protection or privacy laws in force outside the EEA, Switzerland and the UK.

“Permitted European Transfers” means the processing of Controller Personal Data in, or the transfer of Controller Personal Data to, an Adequate Country.

“Policies” means the Google End User Consent Policy available at https://www.google.com/about/company/user-consent-policy.html.

“Processor Terms” means:

  • (a) where Google is a party to the Agreement, the processor terms available at https://business.safety.google/adsprocessorterms; or
  • (b) where the Agreement is between Customer and a third party reseller, such terms reflecting a controller-processor relationship (if any) as agreed between the Customer and the third party reseller.

“Restricted European Transfers” means transfers of Controller Personal Data which are (a) subject to the European Data Protection Legislation; and (b) are not Permitted European Transfers.

“Swiss FDPA” means the Federal Data Protection Act of 19 June 1992 (Switzerland).

“Terms Effective Date” means, as applicable:

  • (a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Controller Terms before or on such date; or
  • (b) the date on which Customer clicked to accept or the parties otherwise agreed to these Controller Terms, if such date is after 25 May 2018.

“UK Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the UK.

“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

2.2

The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Controller Terms have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Controller SCCs.

2.3

Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.

2.4

Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

2.5

To the extent any translated version of this Agreement is inconsistent with the English version, the English version will govern.

2.6

References in the Controller SCCs to the “Google Ads Controller-Controller Data Protection Terms” shall be deemed to mean the “Google Measurement Controller-Controller Data Protection Terms”.

3. Application of these Controller Terms

3.1 Application of European Data Protection Legislation

These Controller Terms will only apply to the extent that the European Data Protection Legislation applies to the processing of Controller Personal Data.

3.2 Application to Data Sharing Setting

These Controller Terms will only apply to the Data Sharing Setting for which the parties agreed to these Controller Terms (for example, the Data Sharing Setting for which Customer clicked to accept these Controller Terms).

3.3 Duration

These Controller Terms will apply from the Terms Effective Date and continue while Google or Customer processes Controller Personal Data, after which these Controller Terms will automatically terminate.

4. Roles and Restrictions on Processing

4.1 Independent Controllers

Subject to Section 4.4 (End Controllers), each:

  • (a) is an independent controller of Controller Personal Data under the European Data Protection Legislation;
  • (b) will individually determine the purposes and means of its processing of Controller Personal Data; and
  • (c) will comply with the obligations applicable to it under the European Data Protection Legislation regarding the processing of Controller Personal Data.

4.2 Restrictions on Processing

Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.

4.3 End User Consent

Customer will comply with the Policies in relation to the Controller Personal Data shared pursuant to the Data Sharing Setting and at all times will bear the burden of proof in establishing such compliance.

4.4 End Controllers

Without reducing either party’s obligations under these Controller Terms, each party acknowledges that: (a) the other party’s Affiliates or clients may be End Controllers; and (b) the other party may act as a processor on behalf of its End Controllers. The Google End Controllers are: (i) for European Controller Personal Data processed by Google, Google Ireland Limited; and (ii) for UK Controller Personal Data processed by Google, Google LLC. Each party will ensure that its End Controllers comply with the Controller Terms, including (where applicable) the Controller SCCs.

5. Data Transfers

5.1 Restricted European Transfers

Subject to Section 5.3 (Transfers of UK Controller Personal Data to Google), either party may make Restricted European Transfers if it complies with the provisions on Restricted European Transfers in the European Data Protection Legislation.

5.2 Alternative Transfer Solution

 

  • (a) If Google announces its adoption of an Alternative Transfer Solution for any Restricted European Transfers, then: (i) Google will ensure that such Restricted European Transfers are made in accordance with that Alternative Transfer Solution, and (ii) Sections 5.3 (Transfers of UK Controller Personal Data to Google) to 5.6 (Data Deletion on Termination) will not apply to such Restricted European Transfers.
  • (b) If Google has not adopted, or has informed Customer that Google is no longer adopting, an Alternative Transfer Solution for any Restricted European Transfers, then Section 5.3 will apply to such Restricted European Transfers.

5.3 Transfers of UK Controller Personal Data to Google

To the extent that Customer transfers UK Controller Personal Data to Google, Customer as data exporter will be deemed to have entered into the Controller SCCs with Google LLC (the applicable Google End Controller) as data importer and the transfers will be subject to the Controller SCCs, because Google LLC is established in the USA and such transfers are therefore Restricted European Transfers. For clarity, to the extent Customer transfers European Controller Personal Data to Google, no transfer mechanism under Chapter V of the EU GDPR is required because Google Ireland Limited (the applicable Google End Controller) is established in Ireland and such transfers are therefore Permitted European Transfers.

5.4 Contacting Google; Customer Information

  • (a) Customer may contact Google Ireland Limited and/or Google LLC in connection with the Controller SCCs at https://support.google.com/policies/troubleshooter/9009584 or through such other means as may be provided by Google from time to time.
  • (b) Customer acknowledges that Google is required under the Controller SCCs to record certain information, including (i) the identity and contact details of the data importer (including any contact person with responsibility for data protection); and (ii) the technical and organisational measures implemented by the data importer. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Google via such means as may be provided by Google, and will ensure that all information provided is kept accurate and up-to-date.

5.5 Responding to Data Subject Enquiries

The applicable data importer will be responsible for responding to enquiries from data subjects and the supervisory authority concerning the processing of applicable Controller Personal Data by the data importer.

5.6 Data Deletion on Termination

To the extent that:

(a) Google LLC acts as data importer and Customer acts as data exporter under the Controller SCCs; and

(b) Customer terminates the Agreement in accordance with Clause 16(c) of the Controller SCCs,

then for the purposes of Clause 16(d) of the Controller SCCs, Customer directs Google to delete Controller Personal Data, and, unless European Laws require storage, Google will facilitate such deletion as soon as is reasonably practicable, to the extent such deletion is reasonably possible (taking into account that Google is an independent controller of such data, as well as the nature and functionality of the Controller Services).

6. Liability

6.1 Liability Cap

If Google is:

  • (a) party to the Agreement and the Agreement is governed by the laws of:
    • (i) a state of the United States of America, then, regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the European Data Protection Legislation); or
    • (ii) a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement; or
  • (b) not party to the Agreement, to the extent permitted by applicable law, Google will not be liable for Customer’s lost revenues or indirect, special, incidental, consequential, exemplary or punitive damages, even if Google or its Affiliates have been advised of, knew or should have known that such damages do not satisfy a remedy. Google’s (and its Affiliates’) total cumulative liability to Customer or any other party for any loss or damages resulting from claims, damages or actions arising out of or relating to these Controller Terms will not exceed $500 (USD).

6.2 Liability if the Controller SCCs Apply

If the Controller SCCs apply under Section 5 (Data Transfers), then:

(a) if Google is party to the Agreement, the total combined liability of: (i) Google and Google LLC towards Customer; and (ii) Customer towards Google, Google LLC and Google Ireland Limited; under or in connection with the Agreement and the Controller SCCs combined will be subject to Section 6.1(a) (Liability Cap). Clause 12 of the Controller SCCs will not affect the previous sentence.

(b) if Google is not party to the Agreement, the total combined liability of: (i) Google and Google LLC towards Customer; and (ii) Customer towards Google, Google LLC and Google Ireland Limited; under or in connection with these Controller Terms and the Controller SCCs combined will be subject to Section 6.1(b) (Liability Cap). Clause 12 of the Controller SCCs will not affect the previous sentence.

7. Third Party Beneficiaries

Where Google LLC is not a party to the Agreement but is a party to the Controller SCCs, Google LLC will be a third-party beneficiary of Sections 4.4 (End Controllers), 5.3 (Transfers of Controller Personal Data to Google) to 5.6 (Data Deletion on Termination), and 6.1 (Liability Cap) to 6.2 (Liability if the Controller SCCs Apply). To the extent this Section 7 conflicts or is inconsistent with any other clause in the Agreement, this Section 7 will apply.

8. Effect of Controller Terms

8.1 Order of Precedence

If there is any conflict or inconsistency between the Controller SCCs, the Additional Terms for Non-European Data Protection Legislation, the remainder of these Controller Terms and/or the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 8.4 (No Effect on Processor Terms), the following order of precedence will apply: (a) the Controller SCCs (if applicable); (b) the Additional Terms for Non-European Data Protection Legislation (if applicable); (c) the remainder of these Controller Terms; and (d) the remainder of the Agreement (if applicable). Subject to the amendments in these Controller Terms, the Agreement between Google and Customer remains in full force and effect.

8.2 Additional Commercial Clauses

Sections 5.4 (Contacting Google) to 5.6 (Data Deletion on Termination), and Section 6.2 (Liability if Controller SCCs Apply) are additional commercial clauses relating to the Controller SCCs as permitted by Clause 2(a) (Effect and invariability of the Clauses) of the Controller SCCs.

8.3 No Modification of Controller SCCs

Nothing in the Agreement (including these Controller Terms) is intended to modify or contradict any Controller SCCs or prejudice the fundamental rights or freedoms of data subjects under the European Data Protection Legislation.

8.4 No Effect on Processor Terms

These Controller Terms will not replace or affect any Processor Terms. For the avoidance of doubt, if Customer is party to the Processor Terms in connection with the Measurement Services, the Processor Terms will continue to apply to the Measurement Services notwithstanding that these Controller Terms apply to Controller Personal Data processed pursuant to the Data Sharing Setting.

8.5 Legacy UK SCCs

As of 21 September 2022 or the Agreement’s effective date, whichever is later, the Controller SCCs’ supplementary terms for UK GDPR transfers will apply, and will supersede and terminate any standard contractual clauses approved under the UK GDPR and the Data Protection Act 2018 and previously entered into by Customer and Google (“Legacy UK SCCs”). This Section 8.5 (Legacy UK SCCs) will not affect either party’s rights, or any data subject’s rights, that may have accrued under the Legacy UK SCCs while they were in force.

9. Changes to these Controller Terms

9.1 Changes to Controller Terms

Google may change these Controller Terms if the change:

  • (a) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency, or reflects Google’s adoption of an Alternative Transfer Solution; or
  • (b) does not: (i) otherwise seek to alter the categorisation of the parties as controllers of Controller Personal Data under the European Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Controller Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Google.

9.2 Notification of Changes

If Google intends to change these Controller Terms under Section 9.1(a) and such change will have a material adverse impact on Customer, as reasonably determined by Google, then Google will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Customer objects to any such change, Customer may switch off the Data Sharing Setting.

10. Additional Provisions

10.1

This Section 10 (Additional Provisions) will only apply where Google is not party to the Agreement.

10.2

Each party will comply with its obligations under these Controller Terms with reasonable skill and care.

10.3

Neither party will use or disclose the other party's Confidential Information without the other's prior written consent except for the purpose of exercising its rights or performing its obligations under these Controller Terms or if required by law, regulation or court order; in which case, the party being compelled to disclose Confidential Information will give the other party as much notice as is reasonably practicable prior to disclosing the Confidential Information.

10.4

To the fullest extent permitted by applicable law, except as expressly provided for in these Controller Terms, Google makes no other warranty of any kind whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and non-infringement.

10.5

Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.

10.6

If any term (or part of a term) of these Controller Terms is invalid, illegal, or unenforceable, the rest of these Controller Terms will remain in effect.

10.7

(a) Except as set forth in section (b) below, these Controller Terms will be governed by and construed under the laws of the state of California without reference to its conflict of law principles. In the event of any conflicts between foreign law, rules and regulations, and California law, rules and regulations, California law, rules and regulations will prevail and govern. Each party agrees to submit to the exclusive and personal jurisdiction of the courts located in Santa Clara County, California. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply to these Controller Terms.

(b) Where the Agreement is between Customer and a third party reseller, and the third party reseller is organised in Europe, the Middle East or Africa, these Controller Terms will be governed by English law. Each party agrees to submit to the exclusive jurisdiction of the English courts in relation to any dispute (whether contractual or non-contractual) arising out of or in connection with these Controller Terms.

(c) In the event the Controller SCCs apply and provide for governing law that differs from the laws outlined in sections (a) and (b) above, the governing law set forth in the Controller SCCs will apply solely with respect to the Controller SCCs.

(d) The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply to these Controller Terms.

10.8

All notices of termination or breach must be in English, in writing and addressed to the other party’s Legal Department. The address for notices to Google’s Legal Department is legal-notices@google.com. Notice will be treated as given on receipt, as verified by written or automated receipt or by electronic log (as applicable).

10.9

No party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under these Controller Terms. No party may assign any part of these Controller Terms without the written consent of the other, except to an Affiliate where: (a) the assignee has agreed in writing to be bound by the terms of these Controller Terms; (b) the assigning party remains liable for obligations under these Controller Terms if the assignee defaults on them; (c) in the case of Customer, the assigning party has transferred its Measurement Services account(s) to the assignee; and (d) the assigning party has notified the other party of the assignment. Any other attempt to assign is void.

10.10

The parties are independent contractors. These Controller Terms do not create any agency, partnership, or joint venture between the parties. These Controller Terms do not confer any benefits on any third party unless they expressly state that they do.

10.11

To the extent permitted by applicable law, these Controller Terms state all terms agreed between the parties. In entering into these Controller Terms no party has relied on, and no party will have any right or remedy based on, any statement, representation or warranty (whether made negligently or innocently), except those expressly stated in these Controller Terms.

 

Appendix 1: Additional Terms for Non-European Data Protection Legislation

The following Additional Terms for Non-European Data Protection Legislation supplement these Controller Terms:

  • LGPD Controller Addendum to the Google Ads Controller-Controller Data Protection Terms (“LGPD Controller Addendum”)

    For the purposes of these Controller Terms:

    (a) references in the LGPD Controller Addendum to the Google Ads Controller-Controller Data Protection Terms shall be deemed to be references to these Google Measurement Controller-Controller Data Protection Terms; and (b) where Customer has entered into an agreement with a third party reseller for the provision of the Measurement Services then, notwithstanding any contrary provision in the LGPD Controller Addendum, the LGPD Controller Addendum will supplement these Controller Terms that form a separate agreement between Google and Customer and will not affect any agreement between: (i) Google and the third party reseller, or (ii) the third party reseller and Customer.
     
  • U.S. State Privacy Laws Controller Addendum (effective 1 January 2023)

Google Measurement Controller-Controller Data Protection Terms, Version 3.0

 

01 January, 2023

Previous versions

 

21 September, 2022

27 September, 2021

16 August, 2020

12 August, 2020

4 November, 2019

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
true
true
69256
false
false