One-Time Data Processing Addendum for Google Cloud Platform Professional Services

This One-Time Data Processing Addendum for Google Cloud Platform Professional Services, including the appendices (the “Terms”), will be effective and replace any previously applicable data processing and security terms for professional services involving the Google Cloud Platform as from the Terms Effective Date (as defined below). These Terms supplement the Agreement.

2.1 Unless otherwise defined in these Terms, capitalized terms defined in the Agreement apply to these Terms. In addition, in these Terms:

• Account means Customer’s Google Cloud Platform account.
• Adequate Country means: (a) for data processed subject to the EU GDPR: the EEA, or a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the EU GDPR;
• (b) for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018; and/or
• (c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPA.
• CDPA means the Cloud Data Processing Addendum (available at https://cloud.google.com/terms/data-processing-addendum).
• Customer Data means “Customer Data” as defined in Customer’s Google Cloud Platform Agreement that is (a) provided by or on behalf of Customer via a Customer-controlled Google Cloud Platform account specifically in order for Customer to receive the Services under the Agreement and (2) that is processed by Google Personnel performing Services under the Agreement.
• Customer Personal Data means the personal data contained within the Customer Data, including any special categories of personal data defined under European Data Protection Law.
• Data Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data while processed by Google Personnel or Subprocessors under the Agreement.
• EEA means the European Economic Area.
• EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
• European Data Protection Law means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.
• European Law means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); and (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data).
• GDPR means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
• Google Cloud Platform Agreement means an effective agreement between Customer and Google governing Customer’s use of the Google Cloud Platform, which includes the CDPA.
• Instructions has the meaning given in Section 5.2.1 (Customer’s Instructions).
• Non-European Data Protection Law means data protection or privacy laws in force outside the EEA, Switzerland and the UK.
• Security Measures has the meaning given in Section 7.1.1 (Google Security Measures).
• Services means advisory and implementation services described in an Order Form, including a Statement of Work.
• Subprocessor means a third party authorized as another processor under Section 11 (Subprocessors) to have access to and process Customer Personal Data to provide parts of the Services.
• Swiss FDPA means the Federal Data Protection Act of 19 June 1992 (Switzerland).
• Term means the period from the Terms Effective Date until Google’s completion of the Services.
• Terms Effective Date means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.
• UK GDPR means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

2.2 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in these Terms have the meanings given in the GDPR, irrespective of whether European Data Protection Law or Non-European Data Protection Law applies.

Regardless of whether the Agreement has terminated or expired, these Terms will remain in effect until, and automatically expire when Google deletes all Customer Personal Data in Customer’s Google Cloud Platform Account.

4.1 Application of European Law. The parties acknowledge that European Data Protection Law will apply to the processing of Customer Personal Data if, for example:

• the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA or the UK; and/or
• the Customer Personal Data is personal data relating to data subjects who are in the EEA or the UK and the processing relates to the offering to them of goods or services in the EEA or the UK or the monitoring of their behavior in the EEA or the UK.

4.2 Application of Non-European Law. The parties acknowledge that Non-European Data Protection Law may also apply to the processing of Customer Personal Data.

4.3 Application of Terms. Except to the extent these Terms state otherwise, these Terms will apply irrespective of whether European Data Protection Law or Non-European Data Protection Law applies to the processing of Customer Personal Data.

5.1 Roles and Regulatory Compliance; Authorization.

5.1.1 Processor and Controller Responsibilities. If European Data Protection Law applies to the processing of Customer Personal Data:

• the subject matter and details of the processing are described in Appendix 1;
• Google is a processor of that Customer Personal Data under European Data Protection Law;
• Customer is a controller or processor, as applicable, of that Customer Personal Data under European Data Protection Law; and
• each party will comply with the obligations applicable to it under European Data Protection Law with respect to the processing of that Customer Personal Data.

5.1.2 Authorization by Third Party Controller. If European Data Protection Law applies to the processing of Customer Personal Data and Customer is a processor:

(a) Customer warrants on an ongoing basis that the relevant controller has authorized: (i) the Instructions, (ii) Customer’s appointment of Google as another processor, and (iii) Google’s engagement of Subprocessors as described in Section 11 (Subprocessors);

(b) Customer will immediately forward to the relevant controller any notice provided by Google under Sections 5.2.3 (Instruction Notifications), 7.2.1 (Incident Notification) or 11.4 (Opportunity to Object to Subprocessor Changes) or that refers to any SCCs (as defined in the CDPA); and

(c) Customer may make available to the relevant controller any information made available by Google under Section 11.2 (Information about Subprocessors).

5.1.3 Responsibilities under Non-European Law. If Non-European Data Protection Law applies to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.

5.2 Scope of Processing.

5.2.1 Customer’s Instructions. Customer instructs Google to process Customer Personal Data only: (a) when accessing such data in Customer’s Google Cloud Platform Account and, for clarity, Google may not process any Customer Personal Data outside such Account; (b) in accordance with applicable law; (c) to provide the Services; (d) as documented in the form of the Agreement, including an applicable Order Form, Statement of Work, and these Terms; and (e) as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of these Terms (collectively, the “Instructions”).

5.2.2 Google Compliance with Instructions. Google will comply with the Instructions unless prohibited by European Law.

5.2.3 Instruction Notifications. Google will immediately notify Customer if, in Google’s opinion: (a) European Law prohibits Google from complying with an Instruction; (b) an Instruction does not comply with European Data Protection Law; or (c) Google is otherwise unable to comply with an Instruction, in each case unless such notice is prohibited by European Law. This Section does not reduce either party’s rights and obligations elsewhere in the Agreement. 

Taking into account the nature of the processing of Customer Personal Data under these Terms, the parties’ respective rights and obligations with respect to deletion of Customer Personal Data are addressed in the CDPA.

7.1 Google Security Measures, Controls and Assistance.

7.1.1 Google Security Measures. Taking into account the nature of the processing of Customer Personal Data under these Terms, Google will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the "Security Measures").

7.1.2 Access and Compliance. Google will: (a) authorize its employees, contractors and Subprocessors to access Customer Personal Data only as strictly necessary to comply with the Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Subprocessors to the extent applicable to their scope of performance, and (c) ensure that all persons authorized to process Customer Personal Data are under an obligation of confidentiality.

7.1.3 Google Security Assistance. Taking into account the nature of the processing of Customer Personal Data under these Terms, Customer’s security obligations and Google’s assistance with such obligations under the GDPR are addressed separately in the CDPA.

7.2 Data Incidents.

7.2.1 Incident Notification. Google will notify Customer promptly and without undue delay after becoming aware of a Data Incident; and promptly take reasonable steps to minimize harm and secure Customer Personal Data.

7.2.2 Details of Data Incident. Google’s notification of a Data Incident will describe: the nature of the Data Incident including the Customer resources impacted; the measures Google has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Google recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Google’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address.

7.2.4 No Assessment of Customer Data by Google. Google has no obligation to assess Customer Data to identify information subject to any specific legal requirements.

7.2.5 No Acknowledgement of Fault by Google. Google’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Google of any fault or liability with respect to the Data Incident.

7.3 Customer’s Security Responsibilities and Assessment.

7.3.1 Customer’s Security Responsibilities. Without prejudice to Google’s obligations under Sections 7.1 (Google Security Measures, Controls and Assistance) and 7.2 (Data Incidents) and elsewhere in the Agreement, Customer is responsible for its use of the Services. Customer’s responsibilities under this Section 7.3.1 (Customer’s Security Responsibilities) include, without limitation:

a. using the Services to ensure a level of security appropriate to the risk to the Customer Personal Data;

b. administering, managing access to and securing the account authentication credentials, systems, software, networks and devices that Customer uses to receive, or authorizes to be accessed by Google Personnel to provide, the Services; 

c. backing up its Customer Data as appropriate; 

d. providing Google with appropriate notice before providing Google with access to Customer Personal Data; 

e. minimizing the amount of Customer Personal Data provided by or on behalf of Customer to Google; and

f. to the extent access to Customer Personal Data is within Customer’s control, terminating Google’s access to Customer Personal Data when Google has completed the Services.

7.3.2 Customer’s Security Assessment. Customer agrees that the Services, Security Measures implemented and maintained by Google and Google’s commitments under this Section 7 (Data Security), and Section 11 (Subprocessors) provide a level of security appropriate to the risk to the Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals).

7.4 Security Certifications and Reports. Taking into account the nature of the processing of Customer Personal Data under these Terms, Google’s security certifications with respect to the Google Cloud Platform environment are addressed separately in the CDPA.

7.5 Reviews and Audits of Compliance. Taking into account the nature of the processing of Customer Personal Data under the Agreement, Customer’s audit rights with respect to Customer Personal Data are addressed in the CDPA.

Google will (taking into account the nature of the processing and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Articles 35 and 36 of the GDPR, by:

a. providing the “Security Documentation” as defined and described in the CDPA with respect to Customer Personal Data; and

b. providing the information contained in the Agreement (including these Terms).

c. if subsections (a) and (b) above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.

9.1 Access; Rectification; Restricted Processing; Portability. Taking into account the nature of the processing of Customer Personal Data under these Terms, Customer’s ability to access, rectify and restrict processing of Customer Personal Data is addressed in the CDPA.

9.2 Data Subject Requests. Taking into account the nature of the processing of Customer Personal Data under the Agreement, Google will assist Customer in fulfilling its obligations under Chapter III of the GDPR to respond to requests for exercising the data subject’s rights as described in the CDPA.

10.1 Transfers of Data Out of the EEA. Section 10 (Data Transfers) of the CDPA, including any SCCs or Alternative Transfer Solution applied or adopted under Section 10.2 (Restricted European Transfers) of the CDPA and any obligations of Customer under Section 10.3 (Certification by Non-EMEA Customers) of the CDPA, will also apply in relation to the processing and transfer of Customer Personal Data under these Terms, except that Customer's termination right under Section 10.5 (Termination) of the CDPA will, for purposes of these Terms, entitle Customer to terminate the "Agreement" defined in these Terms.

11.1 Consent to Subprocessor Engagement. Customer specifically authorizes the engagement as Subprocessors of: (a) any third party entity listed as a subcontractor in an applicable Order Form, Statement of Work, or other confirmation provided to Customer before commencement of Services; and (b) all other Google Affiliates from time to time. In addition, without prejudice to Section 11.4 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement as Subprocessors of any other third parties (“New Subprocessor(s)”).  

11.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, will be made available to Customer at Customer’s request.  

11.3 Requirements for Subprocessor Engagement. Before engaging any Subprocessor, Google will ensure that the Subprocessor’s security and privacy practices are assessed to verify that the Subprocessor provides a level of security and privacy appropriate to the data it will access and the services it will provide. In addition, when engaging any Subprocessor, Google will:

a. ensure via a written contract that:

i. the Subprocessor only accesses and uses Customer Personal Data as required to perform the obligations subcontracted to it and in accordance with the Agreement (including these Terms); and

ii. if the GDPR applies to the processing of Customer Personal Data, data protection obligations equivalent to those referred to in Article 28(3) of the GDPR are imposed on the Subprocessor; and

b. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

11.4 Opportunity to Object to Subprocessor Changes.

a. When any New Google Subprocessor is engaged during the Term, Google will notify Customer of the engagement of the New Google Subprocessor before the New Google Subprocessor processes Customer Personal Data. 

b. Customer may object to the New Google Subprocessor and request a change of Personnel in accordance with the Agreement. The parties will work in good faith to determine a satisfactory alternative.

12.1 Google Cloud’s Data Protection Team. Google Cloud’s Data Protection Team will provide prompt and reasonable assistance with any Customer queries related to processing of Customer Personal Data under the Agreement and can be contacted at https://support.google.com/cloud/contact/dpo (and/or via such other means as Google may provide from time to time).

12.2 Google’s Processing Records. Google will keep appropriate documentation of its processing activities as required by the GDPR. To the extent the GDPR requires Google to collect and maintain records of certain information relating to Customer, Customer will supply such information to Google, and give Google timely notice of any changes to such information to ensure that Google’s records remain accurate and up-to-date. Google may make any such information available to the supervisory authorities if required by the GDPR.

12.3 Controller Requests. During the Term, if Google’s Cloud Data Protection Team receives a request or instruction from a third party purporting to be a controller of Customer Personal Data, Google will advise the third party to contact Customer.

13.1 Precedence. To the extent of any conflict or inconsistency between:

a. these Terms and the remainder of the Agreement, these Terms will prevail; and

b. any Customer SCCs (as defined in the CDPA) and the Agreement (including these Terms), the Customer SCCs will prevail.

13.2 No Modification of SCCs. Nothing in the Agreement (including these Terms) is intended to modify or contradict any SCCs or prejudice the fundamental rights or freedoms of data subjects under European Data Protection Law.

Subject Matter

Google’s provision of the Services to Customer as described in the Implementation Services Agreement.

Duration of the Processing

The Term plus the period from the expiry of the Term until deletion of all Customer Data by Google in accordance with the Terms.

Nature and Purpose of the Processing

Google will process Customer Personal Data for the purpose of providing the Services in accordance with these Terms.

Categories of Data

Data relating to individuals provided to Google by (or at the direction of) Customer to receive the Services.

Data Subjects

Data subjects include the individuals about whom data is provided to Google by (or at the direction of) Customer to receive the Services.

1. Google Cloud Platform. Google will only access and process Customer Personal Data provided by or on behalf of Customer to Google via a Customer controlled Google Cloud Platform environment. Customer’s use of the Google Cloud Platform is governed by Customer’s Google Cloud Platform Agreement, including any security measures applicable to the platform. 

2. Data Access Processes and Policies – Access Policy. Google’s data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Google (i) only allows persons to access data they are authorized to access; and (ii) ensures that personal data cannot be read, copied, altered or removed without authorization during processing and use. The granting or modification of access rights is based on Customer’s provision of end user access to its Account. Details regarding workflow tools that maintain audit records of changes and system access logs are addressed in the Google Cloud Platform Agreement.

3. Personnel Security. Google personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Google conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Google’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). Google’s personnel will not process Customer Personal Data without authorization.

4. Additional Security Measures. Google and Customer may agree to additional security measures in the applicable Order Form, including any attached SOW, for the Services.