The Google Ads Data Controller-Controller Terms will be updated on January 1, 2023 by replacing the CCPA Service Provider Addendum. You can preview the ‘U.S. State Privacy Laws Controller Addendum’ in ‘Appendix 1: Additional Terms for Non-European Data Protection Legislation’ below. For more information on this update see business.safety.google/usaprivacy/

Google Ads Controller-Controller Data Protection Terms

Google and the counterparty agreeing to these terms (“Customer“) have entered into an agreement for the provision of the Controller Services (as amended from time to time, the “Agreement”).

These Google Ads Controller-Controller Data Protection Terms (including the appendix, “Controller Terms”) are entered into by Google and Customer and supplement the Agreement. These Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.

If you are accepting these Controller Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Customer, to these Controller Terms. If you do not have the legal authority to bind Customer, please do not accept these Controller Terms.

1. Introduction

These Controller Terms reflect the parties’ agreement on the processing of certain data in connection with the European Data Protection Legislation and certain Non-European Data Protection Legislation.

2. Definitions and Interpretation

2.1 In these Controller Terms:

Additional Terms for Non-European Data Protection Legislation” means the additional terms referred to in Appendix 1, which reflect the parties’ agreement on the terms governing the processing of certain data in connection with certain Non-European Data Protection Legislation.

Adequate Country” means:

(a) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate data protection under the EU GDPR;

(b) for data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate data protection under the UK GDPR and the Data Protection Act 2018; and/or

(c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate data protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) recognized as ensuring adequate data protection by the Swiss Federal Council under the Swiss FDPA,

in each case, other than on the basis of an optional data protection framework.

Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

Alternative Transfer Solution” means a solution, other than the Controller SCCs, that enables the lawful transfer of personal data to a third country in accordance with the European Data Protection Legislation, for example a data protection framework recognized as ensuring that participating local entities provide adequate protection.

Controller Data Subject” means a data subject to whom Controller Personal Data relates.

Controller Personal Data” means any personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Controller Services.

Controller SCCs” means the terms at business.safety.google/adscontrollerterms/sccs/c2c.

Controller Services” means the applicable services listed at business.safety.google/adsservices.

EEA” means the European Economic Area.

End Controller” means, for each party, the ultimate controller of Controller Personal Data.

EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

European Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the EEA or Switzerland.

European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.

European Laws” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Controller Personal Data); and (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Controller Personal Data).

GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.

Google” means the Google Entity that is party to the Agreement.

Google End Controllers” means the End Controllers of Controller Personal Data processed by Google.

Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other Affiliate of Google LLC.

Non-European Data Protection Legislation” means data protection or privacy laws in force outside the EEA, Switzerland, and the UK.

Permitted European Transfers” means the processing of Controller Personal Data in, or the transfer of Controller Personal Data to, an Adequate Country.

Restricted European Transfer(s)” means transfer(s) of Controller Personal Data that are: (a) subject to the European Data Protection Legislation; and (b) not Permitted European Transfers.

Swiss FDPA” means the Federal Data Protection Act of 19 June 1992 (Switzerland).

Terms Effective Date” means, as applicable:

(a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Controller Terms before or on such date; or

(b) the date on which Customer clicked to accept or the parties otherwise agreed to these Controller Terms, if such date is after 25 May 2018.

UK Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the UK.

UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

2.2 The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Controller Terms have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Controller SCCs.

2.3 The words “include” and “including” mean “including but not limited to”. Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.

2.4 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

2.5 To the extent any translated version of these Controller Terms is inconsistent with the English version, the English version will govern.

3. Application of these Controller Terms

3.1 Application of European Data Protection Legislation. Sections 4 (Roles and Restrictions on Processing) to 6 (Controller SCCs) (inclusive) will only apply to the extent that the European Data Protection Legislation applies to the processing of Controller Personal Data.

3.2 Application to Controller Services. These Controller Terms will only apply to the Controller Services for which the parties agreed to these Controller Terms, for example: (a) the Controller Services for which Customer clicked to accept these Controller Terms; or (b) if the Agreement incorporates these Controller Terms by reference, the Controller Services that are the subject of the Agreement.

3.3 Incorporation of Additional Terms for Non-European Data Protection Legislation. The Additional Terms for Non-European Data Protection Legislation supplement these Controller Terms.

4. Roles and Restrictions on Processing

4.1 Independent Controllers. Subject to Section 4.3 (End Controllers), each party:

(a) is an independent controller of Controller Personal Data under the European Data Protection Legislation;

(b) will individually determine the purposes and means of its processing of Controller Personal Data; and

(c) will comply with the obligations applicable to it under the European Data Protection Legislation regarding the processing of Controller Personal Data.

4.2 Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.

4.3 End Controllers. Without reducing either party’s obligations under these Controller Terms, each party acknowledges that: (a) the other party’s Affiliates or clients may be End Controllers; and (b) the other party may act as a processor on behalf of its End Controllers. The Google End Controllers are: (i) for European Controller Personal Data processed by Google, Google Ireland Limited; and (ii) for UK Controller Personal Data processed by Google, Google LLC. Each party will ensure that its End Controllers comply with the Controller Terms, including (where applicable) the Controller SCCs.

5. Data Transfers

5.1 Restricted European Transfers. Either party may make Restricted European Transfers if it complies with the provisions on Restricted European Transfers in the European Data Protection Legislation.

5.2 Alternative Transfer Solution.

(a) If Google announces its adoption of an Alternative Transfer Solution for any Restricted European Transfers, then: (i) Google will ensure that such Restricted European Transfers are made in accordance with that Alternative Transfer Solution; and (ii) Section 6 (Controller SCCs) will not apply to such Restricted European Transfers.

(b) If Google has not adopted, or has informed Customer that Google is no longer adopting, an Alternative Transfer Solution for any Restricted European Transfers, then Section 6 (Controller SCCs) will apply to such Restricted European Transfers.

6. Controller SCCs

6.1 Transfers of European Controller Personal Data to Customer. To the extent that:

(a) Google transfers European Controller Personal Data to Customer; and

(b) the transfer is a Restricted European Transfer,

Customer as data importer will be deemed to have entered into the Controller SCCs with Google Ireland Limited (the applicable Google End Controller) as data exporter and the transfers will be subject to the Controller SCCs.

6.2 Transfers of UK Controller Personal Data to Customer. To the extent that:

(a) Google transfers UK Controller Personal Data to Customer; and

(b) the transfer is a Restricted European Transfer,

Customer as data importer will be deemed to have entered into the Controller SCCs with Google LLC (the applicable Google End Controller) as data exporter and the transfers will be subject to the Controller SCCs.

6.3 Transfers of European Controller Personal Data to Google. The parties acknowledge that to the extent Customer transfers European Controller Personal Data to Google, the Controller SCCs are not required because the address of Google Ireland Limited (the applicable Google End Controller) is in an Adequate Country and such transfers are Permitted European Transfers. This does not affect Google’s obligations under Section 5.1 (Restricted European Transfers).

6.4 Transfers of UK Controller Personal Data to Google. To the extent that Customer transfers UK Controller Personal Data to Google, Customer as data exporter will be deemed to have entered into the Controller SCCs with Google LLC (the applicable Google End Controller) as data importer and the transfers will be subject to the Controller SCCs, because Google LLC’s address is not in an Adequate Country.

6.5 Contacting Google; Customer Information.

(a) Customer may contact Google Ireland Limited and/or Google LLC in connection with the Controller SCCs at https://support.google.com/policies/troubleshooter/9009584 or through such other means as may be provided by Google from time to time.

(b) Customer acknowledges that Google is required under the Controller SCCs to record certain information, including (i) the identity and contact details of the data importer (including any contact person with responsibility for data protection); and (ii) the technical and organisational measures implemented by the data importer. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Google via such means as may be provided by Google, and will ensure that all information provided is kept accurate and up-to-date.

6.6 Responding to Data Subject Enquiries. The applicable data importer will be responsible for responding to enquiries from data subjects and the supervisory authority concerning the processing of applicable Controller Personal Data by the data importer.

6.7 Data Deletion on Termination. To the extent that:

(a) Google LLC acts as data importer and Customer acts as data exporter under the Controller SCCs; and

(b) Customer terminates the Agreement in accordance with Clause 16(c) of the Controller SCCs, then for the purposes of Clause 16(d) of the Controller SCCs, Customer directs Google to delete Controller Personal Data, and, unless European Laws require storage, Google will facilitate such deletion as soon as is reasonably practicable, to the extent such deletion is reasonably possible (taking into account that Google is an independent controller of such data, as well as the nature and functionality of the Controller Services).

7. Liability

7.1 Liability Cap. If the Agreement is governed by the laws of:

(a) a state of the United States of America, then, regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the European Data Protection Legislation or the Non-European Data Protection Legislation); or

(b) a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement.

7.2 Liability if Controller SCCs Apply. If Controller SCCs apply under Section 6 (Controller SCCs), then the total combined liability of:

(a) Google, Google LLC and Google Ireland Limited towards Customer; and

(b) Customer towards Google, Google LLC and Google Ireland Limited,

under or in connection with the Agreement and the Controller SCCs combined will be subject to Section 7.1 (Liability Cap). Clause 12 of the Controller SCCs will not affect the previous sentence.

8. Third-Party Beneficiaries

Where Google LLC and/or Google Ireland Limited are not a party to the Agreement but are a party to the applicable Controller SCCs in accordance with Section 6 (Controller SCCs), Google LLC and/or Google Ireland Limited (as applicable) will be a third-party beneficiary of Sections 4.3 (End Controllers), 6 (Controller SCCs), and 7.2 (Liability if Controller SCCs Apply). To the extent this Section 8 (Third-Party Beneficiaries) conflicts or is inconsistent with any other clause in the Agreement, this Section 8 (Third-Party Beneficiaries) will apply.

9. Effect of Controller Terms

9.1 Order of Precedence. If there is any conflict or inconsistency between the applicable Controller SCCs, the Additional Terms for Non-European Data Protection Legislation, the remainder of these Controller Terms and/or the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 9.4 (No Effect on Processor Terms), the following order of precedence will apply:

(a) the Controller SCCs (if applicable);

(b) the Additional Terms for Non-European Data Protection Legislation (if applicable);

(c) the remainder of these Controller Terms; and

(d) the remainder of the Agreement.

9.2 Additional Commercial Clauses. Subject to the amendments in these Controller Terms, the Agreement remains in full force and effect. Sections 6.5 (Contacting Google) to 6.7 (Data Deletion on Termination), and Section 7.2 (Liability if Controller SCCs Apply) are additional commercial clauses relating to the Controller SCCs as permitted by Clause 2(a) (Effect and invariability of the Clauses) of the Controller SCCs.

9.3 No Modification of Controller SCCs. Nothing in the Agreement (including these Controller Terms) is intended to modify or contradict any Controller SCCs or prejudice the fundamental rights or freedoms of data subjects under the European Data Protection Legislation.

9.4 No Effect on Processor Terms. These Controller Terms will not affect any separate terms between Google and Customer reflecting a controller-processor, processor-processor or processor-controller relationship for a service other than the Controller Services.

9.5 Legacy UK SCCs. As of 21 September 2022 or the Agreement’s effective date, whichever is later, the Controller SCCs’ supplementary terms for UK GDPR transfers will apply, and will supersede and terminate any standard contractual clauses approved under the UK GDPR and the Data Protection Act 2018 and previously entered into by Customer and Google (“Legacy UK SCCs”). This Section 9.5 (Legacy UK SCCs) will not affect either party’s rights, or any data subject’s rights, that may have accrued under the Legacy UK SCCs while they were in force.

10. Changes to these Controller Terms

10.1 Changes to Controller Services in Scope. Google may only change the list of potential Controller Services at business.safety.google/adsservices:

(a) to reflect a change to the name of a service;

(b) to add a new service; or

(c) to remove a service (or a feature of a service) where either: (i) all contracts for the provision of that service are terminated; (ii) Google has Customer’s consent; or (iii) the service, or a certain feature of the service, has been recategorised as a processor service.

10.2 Changes to Controller Terms. Google may change these Controller Terms if the change:

(a) is as described in Section 10.1 (Changes to Controller Services in Scope);

(b) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency, or reflects Google’s adoption of an Alternative Transfer Solution; or

(c) does not otherwise: (i) seek to alter the categorisation of the parties as controllers of Controller Personal Data under the European Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process (x) in the case of the Additional Terms for Non-European Data Protection Legislation, the data in scope of the Additional Terms for Non-European Data Protection Legislation or (y) in the case of the remainder of these Controller Terms, Controller Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Google.

10.3 Notification of Changes. If Google intends to change these Controller Terms under Section 10.2(b) and such change will have a material adverse impact on Customer, as reasonably determined by Google, then Google will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Google within 90 days of being informed by Google of the change.

Appendix 1: Additional Terms for Non-European Data Protection Legislation

The following Additional Terms for Non-European Data Protection Legislation supplement these Controller Terms:

Google Ads Controller-Controller Data Protection Terms, Version 4.0

21 September 2022

Previous Versions