(a) “APPI” means the Japan Act on the Protection of Personal Information, Act No. 57 (including as amended by the 2022 Amended Act on the Protection of Personal Information).
(b) “Applicable Data Protection Laws” means all privacy, data security, and data protection laws, directives, regulations, or rules in any jurisdiction applicable to the Personal Information or De-identified Data Processed for the Services, including the APPI, GDPR, LGPD, HIPAA, GLBA, and U.S. State Data Protection Laws.
(c) “Applicable Standard Contractual Clauses” means the European Commission’s standard contractual clauses, which are standard data protection clauses for the transfer of personal data to third countries that do not ensure an adequate level of data protection, as described in Article 46 of the EU GDPR including the Controller-Processor SCCs or Controller-Controller SCCs.
(d) “Applicable Standards” includes government standards, industry standards, codes of practice, guidance from Regulators, and best practices applicable to Your Processing of Personal Information for the Services, including Data Transfer Solutions and the Payment Card Industry Data Security Standards (“PCI DSS”).
(e) “Controller-Controller SCCs” means the terms at https://business.safety.google/gdprcontrollerterms/sccs/eu-c2c.
(f) “Controller-Processor SCCs” means the terms at https://business.safety.google/gdprcontrollerterms/sccs/eu-c2p-ipa.
(g) “Data Controller” means the legal entity or party to the Agreement that determines the purposes and means of Processing Personal Information. Data Controller also means “controller” as defined by Applicable Data Protection Laws, and “business” as defined by the CCPA.
(h) “Data Processor” means the legal entity or party to the Agreement that Processes Personal Information on behalf of a Data Controller. Data Processor also means “processor”, “contractor”, or “service provider” within the meaning of Applicable Data Protection Laws.
(i) “Data Transfer Solution” means a solution that enables the lawful transfer of Personal Information to a third country in accordance with the GDPR or other Applicable Data Protection Laws, including the EU-U.S. Data Privacy Framework, UK Extension to EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework”), or another valid data protection framework recognized as providing adequate protection under GDPR or other Applicable Data Protection Laws.
(j) “De-identified Data” means “de-identified data” or “deidentified data” as defined by U.S. State Data Protection Laws.
(k) “GDPR” means (i) the European Union General Data Protection Regulation (EU) 2016/679 (the “EU GDPR”) on data protection and privacy for all individuals within the European Union (“EU”) and the European Economic Area (“EEA”), including all applicable EU Member State and EEA country laws implementing the EU GDPR; (ii) the EU GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”); and (iii) the Federal Data Protection Act of 19 June 1992 (Switzerland) (each as amended, superseded, or replaced).
(l) “GLBA” means the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338, 15 U.S.C. §§ 6801-08, 6821-27 (1999).
(m) “Google” means the Google Entity that is party to the Agreement.
(o) “Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited, or another affiliate of Google LLC.
(p) “includes” or “including” means “including but not limited to”.
(q) “individual” or “individuals” mean natural persons who can be any natural person to whom any Personal Information relates, including “data subjects” and “consumers”, as defined by Applicable Data Protection Laws.
(r) “LGPD” means Brazilian Law 13,709 for the protection of personal data.
(s) “MVSP” means the business controls, application design controls, application implementation controls, and operational controls as set forth in the most recent version of the Minimum Viable Secure Product (the “MVSP”) available at (https://mvsp.dev/mvsp.en/index.html).
(t) “Personal Information” means any information about an individual or information that is not specifically about an individual but, when combined with other information, may identify an individual or any other information that constitutes “personal data” or “personal information” within the meaning of Applicable Data Protection Laws and, without limitation, includes names, email addresses, postal addresses, telephone numbers, government identification numbers, financial account numbers, payment card information, credit report information, biometric information, online identifiers (including IP addresses and cookie identifiers), network and hardware identifiers, and geolocation information, and that is Processed in connection with the Services.
(u) “Process” or “Processing” will have the meaning provided under Applicable Data Protection Laws relevant to Personal Information, and where such definition is not specified, will have the meaning provided under the EU GDPR.
(v) “Protected Information” means Personal Information, De-identified Data, or any confidential information (as marked by the parties or defined in the Agreement as Confidential Information) that You or a Third Party Provider may Process in performing Services. Personal Information and Protected Information does not include the parties’ phone numbers, email addresses, or other reasonably limited information used solely to facilitate the parties’ communications for administration of the Agreement.
(w) “reasonable” means reasonable and appropriate to (i) the size, scope, and complexity of Your business; (ii) the nature of Protected Information being Processed; and (iii) the need for privacy, confidentiality, and security of Protected Information.
(x) “Regulator” or “Regulatory” means an entity with supervisory or regulatory authority over Google under Applicable Data Protection Laws.
(y) “Safeguards” means the technical, organizational, administrative, and physical controls described in Section 5 (Safeguards), Section 6 (Encryption Requirements), Section 7 (Use of Google Networks, Systems, or Devices), Section 8.3 (Your Continuous Self-Assessment), Section 9.1 (Security Incident Response Program), and Section 11 (PCI Compliance).
(z) “Secondary Use” means any Processing of Personal Information for purposes other than as necessary to fulfill Your business purpose (as defined by Applicable Data Protection Laws) and obligations set forth in the Agreement, including: (i) Processing Personal Information for purposes other than specified in the Services; (ii) Processing Personal Information in combination with any Personal Information that You Process outside of the Services; (iii) Processing Personal Information in any manner that would constitute a sale, targeted advertising, or cross-context behavioral advertising of Personal Information as defined by Applicable Data Protection Laws, or (iv) Processing Personal Information outside of the direct business relationship between You and Google.
(aa) “Security Incident” means actual or reasonable degree of certainty of unauthorized use, destruction, loss, control, alteration, acquisition, exfiltration, theft, retention, disclosure of, or access to, Protected Information for which You are responsible. Security Incidents do not include unsuccessful access attempts or attacks that do not compromise the confidentiality, integrity, or availability of Protected Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
(bb) “Services” means any goods or services that You or a Third Party Provider provide(s) to or for Google under the Agreement.
(cc) “Supplemental Supplier and Partner Security Standards” means the obligations, standards, and requirements set forth at http://g.co/partner-security.
(dd) “Third Party Provider” means any parent company, subsidiary, agent, contractor, processor, service provider, sub-contractor, sub-processor, or other third party You authorize to act on Your behalf in connection with the Processing of Personal Information intended for the Services. “Third Party Provider” includes “subprocessor” within the meaning of the Applicable Standard Contractual Clauses.
(ee) “U.S. State Data Protection Laws” means all privacy, data security and data protection laws, regulations or rules in the United States applicable to the Personal Information Processed for the Services, including (i) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq.; (ii) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq. together with all implementing regulations; (iii) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; (iv) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and (v) the California Consumer Privacy Act of 2018 (as amended, including as amended by the California Privacy Rights Act of 2020) together with all implementing regulations (the “CCPA”).
(ff) “You” or “Your” means the party (including any personnel, contractor, or agent acting on behalf of such party) that performs Services for Google or its affiliates under the Agreement. References to “You” and “Your” herein include any Third Party Providers.