2.1 In these Data Processing Terms:
“Additional Product” means a product, service or application provided by Google or a third party that: (a) is not part of the Processor Services; and (b) is accessible for use within the user interface of the Processor Services or is otherwise integrated with the Processor Services.
“Additional Terms for Non-European Data Protection Legislation” means the additional terms referred to in Appendix 3, which reflect the parties’ agreement on the terms governing the processing of certain data in connection with certain Non-European Data Protection Legislation.
“Adequate Country” means:
(a) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate data protection under the EU GDPR;
(b) for data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate data protection under the UK GDPR and the Data Protection Act 2018; and/or
(c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) recognized as ensuring adequate data protection by the Swiss Federal Council under the Swiss FDPA, in each case, other than on the basis of an optional data protection framework.
“Alternative Transfer Solution” means a solution, other than SCCs, that enables the lawful transfer of personal data to a third country in accordance with the European Data Protection Legislation, for example a data protection framework recognized as ensuring that participating local entities provide adequate protection.
“Customer Personal Data” means personal data that is processed by Google on behalf of Customer in Google’s provision of the Processor Services.
“Customer SCCs” means the SCCs (Controller-to-Processor), the SCCs (Processor-to-Controller), and/or the SCCs (Processor-to-Processor), as applicable.
“Data Incident” means a breach of Google’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Google. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Subject Tool” means a tool (if any) made available by a Google Entity to data subjects that enables Google to respond directly and in a standardised manner to certain requests from data subjects in relation to Customer Personal Data (for example, online advertising settings or an opt-out browser plugin).
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.
“European Laws” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); and (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data).
“GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
“Google” means the Google Entity that is party to the Agreement.
“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other entity that directly or indirectly controls, is controlled by, or is under common control with, Google LLC.
“Instructions” has the meaning given in Section 5.2 (Customer’s Instructions).
“ISO 27001 Certification” means ISO/IEC 27001:2013 certification or a comparable certification for the Processor Services.
“New Subprocessor” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).
“Non-European Data Protection Legislation” means data protection or privacy laws in force outside the EEA, Switzerland and the UK.
“Notification Email Address” means the email address designated by Customer, via the user interface of the Processor Services or such other means provided by Google, to receive certain notifications from Google relating to these Data Processing Terms.
“Processor Services” means the applicable services listed at business.safety.google/adsservices.
“SCCs” means the Customer SCCs and/or SCCs (Processor-to-Processor, Google Exporter), as applicable.
“SCCs (Controller-to-Processor)” means the terms at business.safety.google/adsprocessorterms/sccs/c2p.
“SCCs (Processor-to-Controller)” means the terms at business.safety.google/adsprocessorterms/sccs/p2c.
“SCCs (Processor-to-Processor)” means the terms at business.safety.google/adsprocessorterms/sccs/p2p.
“SCCs (Processor-to-Processor, Google Exporter)” means the terms at business.safety.google/adsprocessorterms/sccs/p2p-intra-group.
“Security Documentation” means the certificate issued for the ISO 27001 Certification and any other security certifications or documentation that Google may make available in respect of the Processor Services.
“Security Measures” has the meaning given in Section 7.1.1 (Google’s Security Measures).
“Subprocessors” means third parties authorised under these Data Processing Terms to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.
“Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner” as defined in the UK GDPR and/or the Swiss FDPA.
“Swiss FDPA” means the Federal Data Protection Act of 19 June 1992 (Switzerland).
“Term” means the period from the Terms Effective Date until the end of Google’s provision of the Processor Services under the Agreement.
“Terms Effective Date” means, as applicable:
(a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms before or on such date; or
(b) the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms, if such date is after 25 May 2018.
“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
2.2 The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Data Processing Terms have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the applicable SCCs.
2.3 The words “include” and “including” mean “including but not limited to”. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular concept.
2.4 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
2.5 To the extent any translated version of these Data Processing Terms is inconsistent with the English version, the English version will govern.