Google Measurement Controller-Controller Data Protection Terms

The Measurement Services customer agreeing to these terms (“Customer”) has entered into an agreement with either Google or a third party reseller (as applicable) for the provision of the Measurement Services (as amended from time to time, the “Agreement”) through which services user interface Customer has enabled the Data Sharing Setting.

These Google Measurement Controller-Controller Data Protection Terms (“Controller Terms”) are entered into by Google and Customer. Where the Agreement is between Customer and Google, these Controller Terms supplement the Agreement. Where the Agreement is between Customer and a third party reseller, these Controller Terms form a separate agreement between Google and Customer.

For the avoidance of doubt, the provision of the Measurement Services is governed by the Agreement. These Controller Terms set out the data protection provisions relating to the Data Sharing Setting only but do not otherwise apply to the provision of the Measurement Services.

Subject to Section 8.4 (No Effect on Processor Terms), these Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.

If you are accepting these Controller Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Customer, to these Controller Terms. If you do not have the legal authority to bind Customer, please do not accept these Controller Terms.

Please do not accept these Controller Terms if you are a reseller. These Controller Terms set out the rights and obligations that apply between users of the Measurement Services and Google.

1. Introduction

These Controller Terms reflect the parties’ agreement on the processing of Controller Personal Data pursuant to the Data Sharing Setting.

2. Definitions and Interpretation

2.1

In these Controller Terms:

“Additional Terms for Non-European Data Protection Legislation” means the additional terms referred to in Appendix 1, which reflect the parties’ agreement on the terms governing the processing of certain data in connection with certain Non-European Data Protection Legislation.

“Adequate Country” means:

  • (a) for data processed subject to the EU GDPR: the EEA, or a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the EU GDPR;
  • (b) for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018; and/or
  • (c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPA.

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

“Alternative Transfer Solution” means a solution, other than the Controller UK SCCs, that enables the lawful transfer of personal data to a third country in accordance with the European Data Protection Legislation.

"Confidential Information" means these Controller Terms.

“Controller Data Subject” means a data subject to whom Controller Personal Data relates.

“Controller Personal Data” means any personal data that is processed by a party pursuant to the Data Sharing Setting.

“Controller UK SCCs” means the terms at https://business.safety.google/adscontrollerterms/sccs/uk-c2c.

“Data Sharing Setting” means the data sharing setting which Customer has enabled via the user interface of the Measurement Services and which enables Google and its Affiliates to use personal data for improving Google’s and its Affiliates’ products and services.

“EEA” means European Economic Area.

“End Controller” means, for each party, the ultimate controller of Controller Personal Data.

"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“European Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the European Economic Area or Switzerland.

“European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.

“GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.

“Google” means:

  • (a) where a Google Entity is party to the Agreement, that Google Entity.
  • (b) where the Agreement is between Customer and a third party reseller and:
    • (i) the third party reseller is organised in North America or in another region outside Europe, the Middle East, Africa, Asia and Oceania, Google LLC (formerly known as Google Inc.);
    • (ii) the third party reseller is organised in Europe, the Middle East or Africa, Google Ireland Limited; or
    • (iii) the third party reseller is organised in Asia and Oceania, Google Asia Pacific Pte. Ltd.

“Google End Controllers” means the End Controllers of Controller Personal Data processed by Google.

“Google Entity” means Google LLC, Google Ireland Limited or any other Affiliate of Google LLC.

“Measurement Services” means Google Analytics, Google Analytics 360, Google Analytics for Firebase, Google Optimize or Google Optimize 360, as applicable to the Data Sharing Setting for which the parties agreed to these Controller Terms.

“Non-European Data Protection Legislation” means data protection or privacy laws in force outside the EEA, Switzerland and the UK.

“Permitted Transfers” means the processing of Controller Personal Data in, or the transfer of Controller Personal Data to, an Adequate Country.

“Policies” means the Google End User Consent Policy available at https://www.google.com/about/company/user-consent-policy.html.

“Processor Terms” means:

  • (a) where Google is a party to the Agreement, the processor terms available at https://business.safety.google/adsprocessorterms; or
  • (b) where the Agreement is between Customer and a third party reseller, such terms reflecting a controller-processor relationship (if any) as agreed between the Customer and the third party reseller.

“Restricted Transfers” means transfers of Controller Personal Data which are (a) subject to the European Data Protection Legislation; and (b) are not Permitted Transfers.

“Swiss FDPA” means the Federal Data Protection Act of 19 June 1992 (Switzerland).

“Terms Effective Date” means, as applicable:

  • (a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Controller Terms before or on such date; or
  • (b) the date on which Customer clicked to accept or the parties otherwise agreed to these Controller Terms, if such date is after 25 May 2018.

“UK Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the UK.

“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

2.2

The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Controller Terms have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Controller UK SCCs.

2.3

Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.

2.4

Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

2.5

To the extent any translated version of this Agreement is inconsistent with the English version, the English version will govern.

2.6

References in the Controller UK SCCs to the “Google Ads Controller-Controller Data Protection Terms” shall be deemed to mean the “Google Measurement Controller-Controller Data Protection Terms”.

3. Application of these Controller Terms

3.1 Application of European Data Protection Legislation

These Controller Terms will only apply to the extent that the European Data Protection Legislation applies to the processing of Controller Personal Data.

3.2 Application to Data Sharing Setting

These Controller Terms will only apply to the Data Sharing Setting for which the parties agreed to these Controller Terms (for example, the Data Sharing Setting for which Customer clicked to accept these Controller Terms).

3.3 Duration

These Controller Terms will apply from the Terms Effective Date and continue while Google or Customer processes Controller Personal Data, after which these Controller Terms will automatically terminate.

4. Roles and Restrictions on Processing

4.1 Independent Controllers

Subject to Section 4.4 (End Controllers), each:

  • (a) is an independent controller of Controller Personal Data under the European Data Protection Legislation;
  • (b) will individually determine the purposes and means of its processing of Controller Personal Data; and
  • (c) will comply with the obligations applicable to it under the European Data Protection Legislation regarding the processing of Controller Personal Data.

4.2 Restrictions on Processing

Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.

4.3 End User Consent

Customer will comply with the Policies in relation to the Controller Personal Data shared pursuant to the Data Sharing Setting and at all times will bear the burden of proof in establishing such compliance.

4.4 End Controllers

Without reducing either party’s obligations under these Controller Terms, each party acknowledges that: (a) the other party’s Affiliates or clients may be End Controllers; and (b) the other party may act as a processor on behalf of its End Controllers. The Google End Controllers are: (i) for European Controller Personal Data processed by Google, Google Ireland Limited; and (ii) for UK Controller Personal Data processed by Google, Google LLC. Each party will ensure that its End Controllers comply with the Controller Terms, including (where applicable) the Controller UK SCCs.

5. Data Transfers

5.1 Restricted Transfers

Subject to Section 5.3 (Transfers of UK Controller Personal Data to Google), either party may make Restricted Transfers if it complies with the provisions on Restricted Transfers in the European Data Protection Legislation.

5.2 Alternative Transfer Solution

If Google announces its adoption of an Alternative Transfer Solution for any Restricted Transfers, then: (a) Google will ensure that such Restricted Transfers are made in accordance with that Alternative Transfer Solution, and (b) Sections 5.3 (Transfers of UK Controller Personal Data to Google) to 5.8 (Third Party Controllers) will not apply to such Restricted Transfers.

5.3 Transfers of UK Controller Personal Data to Google

To the extent that Customer transfers UK Controller Personal Data to Google, Customer as data exporter will be deemed to have entered into the Controller UK SCCs with Google LLC (the applicable Google End Controller) as data importer and the transfers will be subject to the Controller UK SCCs, because Google LLC is established in the USA and such transfers are therefore Restricted Transfers. For clarity, to the extent Customer transfers European Controller Personal Data to Google, no transfer mechanism under Chapter V of the EU GDPR is required because Google Ireland Limited (the applicable Google End Controller) is established in Ireland and such transfers are therefore Permitted Transfers.

5.4 Additional Commercial Clauses for the Controller UK SCCs

Sections 5.5 (Contacting Google) to 5.8 (Third Party Controllers) are additional commercial clauses relating to the Controller UK SCCs as permitted by Clause VII (Variation of these clauses) of the Controller UK SCCs. Nothing in Sections 5.5 (Contacting Google) to 5.8 (Third Party Controllers) varies or modifies any rights or obligations of the parties to the Controller UK SCCs.

5.5 Contacting Google

Customer may contact Google Ireland Limited and/or Google LLC in connection with the Controller UK SCCs at https://support.google.com/policies/troubleshooter/9009584 or through such other means as may be provided by Google from time to time, including for the purposes of requesting an Audit under Section 5.7 (a) (Reviews, Audits and Certifications of Compliance) below, to the extent applicable under the Controller UK SCCs.

5.6 Responding to Data Subject Enquiries

For the purpose of Clause I(d) of the Controller UK SCCs, the applicable data importer will be responsible for responding to enquiries from data subjects and the authority concerning the processing of applicable Controller Personal Data by the data importer.

5.7 Reviews, Audits and Certifications of Compliance

  • (a) If the Controller UK SCCs apply under this Section 5 (Data Transfers), the applicable data importer will allow the applicable data exporter or a third party inspection agent or auditor appointed by the data exporter to conduct a review, audit and/or certification as described in the Controller UK SCCs (“Audit”) in accordance with this Section 5.7 (Reviews, Audits and Certifications of Compliance).
  • (b) Following receipt by the data importer of a request for an Audit, the data importer and the data exporter will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, the Audit.
  • (c) The data importer may charge a fee (based on the data importer’s reasonable costs) for any Audit. The data importer will provide the data exporter with further details of any applicable fee, and the basis of its calculation, in advance of the Audit. The data exporter will be responsible for any fees charged by any third party inspection agent or auditor appointed by the data exporter to execute the Audit.
  • (d) The data importer may object to any third party inspection agent or auditor appointed by the data exporter to conduct any Audit if the inspection agent or auditor is, in the data importer’s reasonable opinion, not suitably qualified or independent, a competitor of the data importer or otherwise manifestly unsuitable. Any such objection by the data importer will require the data exporter to appoint another inspection agent or auditor or conduct the Audit itself.
  • (e) The data importer will not be required either to disclose to the data exporter or its third party inspection agent or auditor, or to allow the data exporter or its third party inspection agent or auditor to access:
    • (i) any data of any customers of the data importer or any of its Affiliates;
    • (ii) any internal accounting or financial information of the data importer or any of its Affiliates;
    • (iii) any trade secret of the data importer or any of its Affiliates;
    • (iv) any information that, in the data importer’s reasonable opinion, could: (A) compromise the security of any systems or premises of the data importer or any of its Affiliates; or (B) cause the data importer or any Affiliate of the data importer to breach its obligations under the European Data Protection Legislation or its security and/or privacy obligations to the data exporter or any third party; or
    • (v) any information that the data exporter or its third party inspection agent or auditor seeks to access for any reason other than the good faith fulfillment of the data exporter’s obligations under the European Data Protection Legislation.

5.8 Third Party Controllers

To the extent Google LLC acts as data importer and Customer acts as data exporter under the Controller UK SCCs under Section 5.3 (Transfers of UK Controller Personal Data to Google), Google notifies Customer for the purpose of Clause II(i) of the Controller UK SCCs that UK Controller Personal Data may be transferred to the third party data controllers described in applicable Help Centre articles for the Measurement Services.

6. Liability

6.1 Liability Cap

If Google is:

  • (a) party to the Agreement and the Agreement is governed by the laws of:
    • (i) a state of the United States of America, then, regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the European Data Protection Legislation); or
    • (ii) a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement; or
  • (b) not party to the Agreement, to the extent permitted by applicable law, Google will not be liable for Customer’s lost revenues or indirect, special, incidental, consequential, exemplary or punitive damages, even if Google or its Affiliates have been advised of, knew or should have known that such damages do not satisfy a remedy. Google’s (and its Affiliates’) total cumulative liability to Customer or any other party for any loss or damages resulting from claims, damages or actions arising out of or relating to these Controller Terms will not exceed $500 (USD).

6.2 Liability if the Controller UK SCCs Apply

If the Controller UK SCCs apply under Section 5 (Data Transfers), then:

(a) if Google is party to the Agreement, the total combined liability of: (i) Google and Google LLC towards Customer; and (ii) Customer towards Google, Google LLC and Google Ireland Limited; under or in connection with the Agreement and the Controller UK SCCs combined will be subject to Section 6.1(a) (Liability Cap). Clause III(a) of the Controller UK SCCs will not affect the previous sentence.

(b) if Google is not party to the Agreement, the total combined liability of: (i) Google and Google LLC towards Customer; and (ii) Customer towards Google, Google LLC and Google Ireland Limited; under or in connection with these Controller Terms and the Controller UK SCCs combined will be subject to Section 6.1(b) (Liability Cap). Clause III(a) of the Controller UK SCCs will not affect the previous sentence.

7. Third Party Beneficiaries

Where Google LLC is not a party to the Agreement but is a party to the Controller UK SCCs, Google LLC will be a third-party beneficiary of Sections 4.4 (End Controllers), 5.3 (Transfers of UK Controller Personal Data to Google) to 5.8 (Third Party Controllers), and 6.1 (Liability Cap) to 6.2 (Liability if the Controller UK SCCs Apply). To the extent this Section 7 conflicts or is inconsistent with any other clause in the Agreement, this Section 7 will apply.

8. Effect of Controller UK SCCs

8.1 Order of Precedence

If there is any conflict or inconsistency between the Controller UK SCCs, the Additional Terms for Non-European Data Protection Legislation, the remainder of these Controller Terms and/or the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 8.4 (No Effect on Processor Terms), the following order of precedence will apply: (a) the Controller UK SCCs (if applicable); (b) the Additional Terms for Non-European Data Protection Legislation (if applicable); (c) the remainder of these Controller Terms; and (d) the remainder of the Agreement (if applicable). Subject to the amendments in these Controller Terms, the Agreement between Google and Customer remains in full force and effect.

8.2 Additional Commercial Clauses

Sections 5.5 (Contacting Google) to 5.8 (Third Party Controllers), and Section 6.2 (Liability if Controller UK SCCs Apply) are additional commercial clauses as permitted by Clause VII (Variation of these Clauses) of the Controller UK SCCs.

8.3 No Modification of Controller UK SCCs

Nothing in the Agreement (including these Controller Terms) is intended to modify or contradict any Controller UK SCCs or prejudice the fundamental rights or freedoms of data subjects under the European Data Protection Legislation.

8.4 No Effect on Processor Terms

These Controller Terms will not replace or affect any Processor Terms. For the avoidance of doubt, if Customer is party to the Processor Terms in connection with the Measurement Services, the Processor Terms will continue to apply to the Measurement Services notwithstanding that these Controller Terms apply to Controller Personal Data processed pursuant to the Data Sharing Setting.

9. Changes to these Controller Terms

9.1 Changes to Controller Terms

Google may change these Controller Terms if the change:

  • (a) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency, or reflects Google’s adoption of an Alternative Transfer Solution; or
  • (b) does not: (i) seek to alter the categorisation of the parties as independent controllers of Controller Personal Data under the European Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Controller Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Google.

9.2 Notification of Changes

If Google intends to change these Controller Terms under Section 9.1(a) and such change will have a material adverse impact on Customer, as reasonably determined by Google, then Google will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Customer objects to any such change, Customer may switch off the Data Sharing Setting.

10. Additional Provisions

10.1

This Section 10 (Additional Provisions) will only apply where Google is not party to the Agreement.

10.2

Each party will comply with its obligations under these Controller Terms with reasonable skill and care.

10.3

Neither party will use or disclose the other party's Confidential Information without the other's prior written consent except for the purpose of exercising its rights or performing its obligations under these Controller Terms or if required by law, regulation or court order; in which case, the party being compelled to disclose Confidential Information will give the other party as much notice as is reasonably practicable prior to disclosing the Confidential Information.

10.4

To the fullest extent permitted by applicable law, except as expressly provided for in these Controller Terms, Google makes no other warranty of any kind whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and non-infringement.

10.5

Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.

10.6

If any term (or part of a term) of these Controller Terms is invalid, illegal, or unenforceable, the rest of these Controller Terms will remain in effect.

10.7

(a) Except as set forth in section (b) below, these Controller Terms will be governed by and construed under the laws of the state of California without reference to its conflict of law principles. In the event of any conflicts between foreign law, rules and regulations, and California law, rules and regulations, California law, rules and regulations will prevail and govern. Each party agrees to submit to the exclusive and personal jurisdiction of the courts located in Santa Clara County, California. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply to these Controller Terms.

(b) Where the Agreement is between Customer and a third party reseller, and the third party reseller is organised in Europe, the Middle East or Africa, these Controller Terms will be governed by English law. Each party agrees to submit to the exclusive jurisdiction of the English courts in relation to any dispute (whether contractual or non-contractual) arising out of or in connection with these Controller Terms.

(c) In the event the Controller UK SCCs apply and provide for governing law that differs from the laws outlined in sections (a) and (b) above, the governing law set forth in the Controller UK SCCs will apply solely with respect to the Controller UK SCCs.

(d) The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply to these Controller Terms.

10.8

All notices of termination or breach must be in English, in writing and addressed to the other party’s Legal Department. The address for notices to Google’s Legal Department is legal-notices@google.com. Notice will be treated as given on receipt, as verified by written or automated receipt or by electronic log (as applicable).

10.9

No party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under these Controller Terms. No party may assign any part of these Controller Terms without the written consent of the other, except to an Affiliate where: (a) the assignee has agreed in writing to be bound by the terms of these Controller Terms; (b) the assigning party remains liable for obligations under these Controller Terms if the assignee defaults on them; (c) in the case of Customer, the assigning party has transferred its Measurement Services account(s) to the assignee; and (d) the assigning party has notified the other party of the assignment. Any other attempt to assign is void.

10.10

The parties are independent contractors. These Controller Terms do not create any agency, partnership, or joint venture between the parties. These Controller Terms do not confer any benefits on any third party unless they expressly state that they do.

10.11

To the extent permitted by applicable law, these Controller Terms state all terms agreed between the parties. In entering into these Controller Terms no party has relied on, and no party will have any right or remedy based on, any statement, representation or warranty (whether made negligently or innocently), except those expressly stated in these Controller Terms.

 

Appendix 1: Additional Terms for Non-European Data Protection Legislation

The following Additional Terms for Non-European Data Protection Legislation supplement these Controller Terms:

For the purposes of these Controller Terms:

(a) references in the LGPD Controller Addendum to the Google Ads Controller-Controller Data Protection Terms shall be deemed to be references to these Google Measurement Controller-Controller Data Protection Terms; and where Customer has entered into an agreement with a third party reseller for the provision of the Measurement Services then, notwithstanding any contrary provision in the LGPD Controller Addendum, the LGPD Controller Addendum will supplement these Controller Terms that form a separate agreement between Google and Customer and will not affect any agreement between: (i) Google and the third party reseller, or (ii) the third party reseller and Customer.

Google Measurement Controller-Controller Data Protection Terms, Version 2.0

 

27 September, 2021

Previous versions

16 August, 2020

12 August, 2020

4 November, 2019

Was this helpful?
How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
69256
false