2.1 In this Data Processing Addendum:
“Additional Product” means a product, service or application provided by Google or a third party that: (a) is not part of the Processor Services; and (b) is accessible for use within the user interface of the Processor Services or is otherwise integrated with the Processor Services.
“Additional Terms for Non-European Data Protection Legislation” means the additional terms referred to in Appendix 3, which reflect the parties’ agreement on the terms governing the processing of certain data in connection with certain Non-European Data Protection Legislation.
“Adequate Country” means:
(a) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate data protection under the EU GDPR;
(b) for data processed subject to the UK GDPR: the UK or a country or territory recognized as ensuring adequate data protection under the UK GDPR and the Data Protection Act 2018; and/or
(c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that is (i) included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) recognized as ensuring adequate data protection by the Swiss Federal Council under the Swiss FDPA, in each case, other than on the basis of an optional data protection framework.
“Alternative Transfer Solution” means a solution, other than SCCs, that enables the lawful transfer of personal data to a third country in accordance with the European Data Protection Legislation, for example a data protection framework recognized as ensuring that participating local entities provide adequate protection.
“Data Incident” means a breach of Google’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Partner Personal Data on systems managed by or otherwise controlled by Google. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Partner Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Subject Tool” means a tool (if any) made available by a Google Entity to data subjects that enables Google to respond directly and in a standardised manner to certain requests from data subjects in relation to Partner Personal Data (for example, online advertising settings or an opt-out browser plugin).
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.
“European Laws” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Partner Personal Data); and/or (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Partner Personal Data).
“GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
“Google” means the Google Entity that is party to the Agreement.
“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited, or any other entity that directly or indirectly controls, is controlled by, or is under common control with, Google LLC.
“Instructions” has the meaning given in Section 5.2 (Partner’s Instructions).
“ISO 27001 Certification” means ISO/IEC 27001:2013 certification or a comparable certification for the Processor Services.
“New Subprocessor” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).
“Non-European Data Protection Legislation” means data protection or privacy laws in force outside the EEA, Switzerland, and the UK.
“Notification Email Address” means the email address (if any) designated by Partner, through the user interface of the Processor Services or such other means provided by Google, to receive certain notifications from Google relating to this Data Processing Addendum.
“Partner Personal Data” means personal data that is processed by Google on behalf of Partner in Google’s provision of the Processor Services.
“Partner SCCs” means the SCCs (Controller-to-Processor), the SCCs (Processor-to-Controller), and/or the SCCs (Processor-to-Processor), as applicable.
“Processor Services” means the applicable services listed at business.safety.google/services.
“SCCs” means the Partner SCCs and/or SCCs (Processor-to-Processor, Google Exporter), as applicable.
“SCCs (Controller-to-Processor)” means the terms at business.safety.google/gdprcontrollerterms/sccs/eu-c2p-dpa.
“SCCs (Processor-to-Controller)” means the terms at business.safety.google/gdprprocessorterms/sccs/p2c.
“SCCs (Processor-to-Processor)” means the terms at business.safety.google/gdprprocessorterms/sccs/eu-p2p-dpa.
“SCCs (Processor-to-Processor, Google Exporter)” means the terms at business.safety.google/gdprprocessorterms/sccs/eu-p2p-intra-group.
“Security Documentation” means the ISO 27001 Certification and any other security certifications or documentation that Google may make available in connection with the Processor Services.
“Security Measures” has the meaning given in Section 7.1.1 (Google’s Security Measures).
“Subprocessors” means third parties authorised under this Data Processing Addendum to have logical access to and process Partner Personal Data in order to provide parts of the Processor Services and any related technical support.
“Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner” as defined in the UK GDPR and/or the Swiss FDPA.
“Swiss FDPA” means the Federal Data Protection Act of 19 June 1992 (Switzerland).
“Term” means the period from the Terms Effective Date until the end of Google’s provision of the Processor Services under the Agreement.
“Terms Effective Date” means, as applicable:
(a) 25 May 2018, if Partner clicked to accept or the parties otherwise agreed to this Data Processing Addendum before or on such date; or
(b) the date on which Partner clicked to accept or the parties otherwise agreed to this Data Processing Addendum, if such date is after 25 May 2018.
“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
2.2 The terms “controller”, “data subject”, “personal data”, “processing”, and “processor” as used in this Data Processing Addendum have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the applicable SCCs.
2.3 The words “include” and “including” mean “including but not limited to”. Any examples in this Data Processing Addendum are illustrative and not the sole examples of a particular concept.
2.4 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
2.5 To the extent any translated version of this Data Processing Addendum is inconsistent with the English version, the English version will govern.