2.1 In this Data Processing Addendum:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Customer Personal Data” means personal data that is processed by Google on behalf of Customer in Google’s provision of the Processor Services.
“Data Incident” means a breach of Google’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Google. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“Data Subject Tool” means a tool (if any) made available by a Google Entity to data subjects that enables Google to respond directly and in a standardised manner to certain requests from data subjects in relation to Customer Personal Data (for example, online advertising settings or an opt-out browser plugin).
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“European or National Laws” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); and/or (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data).
“GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
“Google” means the Google Entity that is party to the Agreement.
“Google Affiliate Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).
“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other Affiliate of Google LLC.
“ISO 27001 Certification” means ISO/IEC 27001:2013 certification or a comparable certification for the Processor Services.
“Notification Email Address” means the email address (if any) designated by Customer, via the user interface of the Processor Services or such other means provided by Google, to receive certain notifications from Google relating to this Data Processing Addendum.
“Privacy Shield” means the EU-U.S. Privacy Shield legal framework, the Swiss-U.S. Privacy Shield legal framework, and any equivalent legal framework that may apply between the UK and the United States.
“Processor Services” means the applicable services listed at privacy.google.com/businesses/gdprservices.
“Security Documentation” means the ISO 27001 Certification and/or any other security certifications or documentation that Google may make available in respect of the Processor Services.
“Security Measures” has the meaning given in Section 7.1.1 (Google’s Security Measures).
“Subprocessors” means third parties authorised under this Data Processing Addendum to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.
“Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner” as defined in the UK GDPR.
“Term” means the period from the Terms Effective Date until the end of Google’s provision of the Processor Services under the Agreement.
“Terms Effective Date” means, as applicable:
(a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to this Data Processing Addendum before or on such date; or
(b) the date on which Customer clicked to accept or the parties otherwise agreed to this Data Processing Addendum, if such date is after 25 May 2018
“Third Party Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).
“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force.
2.2 The terms “controller”, “data subject”, “personal data”, “processing”, and “processor” as used in this Data Processing Addendum have the meanings given in the GDPR.
2.3 Any phrase introduced by the terms “including”, “include” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms. Any examples in this Data Processing Addendum are illustrative and not the sole examples of a particular concept.
2.4 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.