Partner Information Protection Addendum

Version 7.2

1. General.

  1. Agreement. This Partner Information Protection Addendum (the “PIPA” or the “Addendum”) forms part of any agreement, end user license agreement, statement of work, purchase order, and/or other services agreement(s) between You and Google (collectively the “Agreement”) and incorporates the mandatory terms in this Addendum and the Standard Contractual Clauses (as defined below) to the extent applicable.

  2. Order of Precedence.  To the extent this Addendum conflicts with the Agreement, this Addendum will govern.

  3. Interpretation. All capitalized terms not defined in the Addendum will have the meanings given to them in the Agreement. Any examples in this Addendum are illustrative and not the sole examples of a particular concept.

2. Defined Terms. In this Addendum:

  1. Applicable Data Protection Laws” means privacy, data security, and data protection laws, directives, and regulations in any jurisdiction applicable to the Personal Information Processed for the Services.

  2. Data Controller” has the same meaning as “controller” under the GDPR.

  3. Disclosing Controller” means the Data Controller party that discloses the Personal Information to the other Data Controller party under this Addendum.

  4. GDPR” means (i) the European Union General Data Protection Regulation (EU) 2016/679 on data protection and privacy for all individuals within the European Union (“EU”) and the European Economic Area (“EEA”); (ii) the GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced); and (iii) any other applicable data protection laws or regulations modeled on the GDPR.

  5. includes” or “including” means “including but not limited to”.

  6. Personal Information” means (i) any information about an identified or identifiable individual; or (ii) information that is not specifically about an identifiable individual but, when combined with other information, may identify an individual. Personal Information includes names, email addresses, postal addresses, telephone numbers, government identification numbers, financial account numbers, payment card information, credit report information, biometric information, online identifiers (including IP addresses and cookie identifiers), network and hardware identifiers, and geolocation information, and any information that constitutes “personal data” within the meaning of the GDPR.

  7. Process” or “Processing” means to access, create, collect, acquire, receive, record, consult, use, process, alter, store, maintain, retrieve, disclose, or dispose of. Process includes “processing” within the meaning of the GDPR.

  8. reasonable“ means reasonable and appropriate to (i) the size, scope, and complexity of the party’s business; (ii) the nature of the Personal Information being processed; and (iii) the need for privacy, confidentiality, and security of the Personal Information.

  9. Receiving Controller” means the Data Controller party that receives the Personal Information from the other Data Controller party under this Addendum.

  10. Secondary Use” means processing of Personal Information for purposes other than as necessary to fulfill the Agreement and comply with the specific instructions stated in the Agreement.

  11. Services” means any goods or services that You or a Third-Party Provider provide(s) to or for Google under the Agreement, including any statement(s) of work.

  12. Third-Party Provider” means any agent or other third party that a party to this Agreement authorizes to act on its behalf in connection with the Services. “Third-Party Provider” includes any “sub-processor” within the meaning of the GDPR.

  13. You” or “Your” means the party (including any personnel, contractor, or agent acting on behalf of that party) that performs Services for Google or its affiliates under the Agreement.

3. Data Controllers’ Mutual Representations and Warranties. The parties represent and warrant that each:

  1. is an independent controller and third party to the other with respect to the Personal Information and will not Process the Personal Information as joint controllers; and
  2. will individually determine the purposes and means of its Processing of Personal Information received from the Disclosing Controller as described in the Agreement.

4. Data Controllers’ Mutual Obligations. In fulfilling its obligations under the Agreement, each party will comply with Applicable Data Protection Laws, including to the extent applicable:

  1. providing all required notices or obtaining all required consents from individuals before Processing the Personal Information, including before disclosing it to the other party;
  2. providing individuals with rights in connection with Personal Information in a timely manner, including the ability of individuals to: (i) access or receive their Personal Information in an agreed upon format; and (ii) correct, amend, or delete Personal Information where it is inaccurate, or has been Processed in violation of Applicable Data Protection Laws; and
  3. responding to enquiries from data subjects or entities with supervisory or regulatory authority over either party concerning its Processing of Personal Information.

5. Receiving Controller’s Obligations.

  1. Limitation on Secondary Use. Where required by Applicable Data Protection Laws, before Processing Personal Information for any Secondary Use, the Receiving Controller will provide explicit notice to individuals in writing of the Secondary Use and maintain a mechanism enabling individuals to opt out of the Secondary Use at any time.
  2. Safeguards. The Receiving Controller will have in place reasonable technical and organizational measures to protect Personal Information against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. The Receiving Controller will ensure that such measures provide a level of security reasonable to the risk represented by the processing and the nature of the data to be protected including:
    1. maintaining reasonable controls to ensure that access to Personal Information will be limited to individuals who have a legitimate need to Process Personal Information under the Agreement;
    2. promptly terminating an individual’s access to Personal Information when such access is no longer required for performance under the Agreement;
    3. using reasonable and secure data transfer methods to transfer any Personal Information across any network other than an internal company network owned and managed by that party;
    4. assuming responsibility for any unauthorized access to Personal Information under the Receiving Controller’s custody or control (or Third-Party Provider(s)’ custody or control); and
    5. providing reasonable ongoing privacy and information protection training and supervision for all personnel (including Third-Party Providers) who Process Personal Information.
  1. Security Incident Response; Statements.

    1. The Receiving Controller will maintain a reasonable incident response program to respond to security incidents. The Receiving Controller will promptly inform the Disclosing Controller if any security incident requires notice to end users.

    2. Except as required by law, the Receiving Controller will not make (or permit any Third-Party Provider under its control to make) any statement concerning the security incident that directly or indirectly references the Disclosing Controller unless the Disclosing Controller provides its written authorization.

  2. Third-Party Providers.  The Receiving Controller will contractually require each Third-­Party Provider that Processes Personal Information to protect the privacy, confidentiality, and security of Personal Information using all reasonable measures as required by this Addendum and Applicable Data Protection Laws. The Receiving Controller will regularly assess its Third-­Party Providers’ compliance with these contractual requirements.
  3. Owned or Managed Systems. To the extent the Receiving Controller accesses the Disclosing Controller’s owned or managed networks, systems, or devices (including APIs, corporate email accounts, equipment, or facilities) to Process the Disclosing Controller’s Personal Information, the Receiving Controller will comply with the Disclosing Controller’s written instructions.
  4. Assessments of Compliance with this Addendum. Within 15 days of the Disclosing Controller’s written request to assess Receiving Controller’s compliance with the Addendum, the Receiving Controller will, as relevant, provide certification, audit reports, or other reports regarding the Receiving Controller’s compliance with the Safeguards and Applicable Standards as defined by the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), or Statement on Standards for Attestation Engagements (SSAE) and International Standard on Assurance Engagements (ISAE) as published by the American Institute of Certified Public Accountants (AICPA), Payment Card Industry Data Security Standards, and International Auditing and Assurance Standards Board (IAASB), respectively. Examples of acceptable reports on Safeguards include: (1) SOC 1 Type II (based on SSAE 16, 18 or ISAE 3402); (2) SOC 2 Type II (based on SSAE 16, 18 or ISAE 3402); (3) ISO/IEC 27001:2013 certification; and (4) PCI DSS certification.

6. Legal Process. If a court or other government authority legally compels either party to disclose Personal Information, then to the extent permitted by law, the noticed party will promptly inform the other party of the request and reasonably cooperate with that party’s efforts to challenge the disclosure or seek an appropriate protective order.

7. Termination. In addition to the suspension and termination rights in the Agreement, either party may terminate the Agreement or an applicable SOW if it reasonably determines that (a) the other party has failed to cure material noncompliance with the Addendum within a reasonable time; or (b) it needs to do so to comply with Applicable Data Protection Laws.

8. Survival. This Addendum will survive expiration or termination of the Agreement as long as the parties continue to Process the other party’s Personal Information.