Fitbit Health Solutions
Controller-Controller Data Protection Terms

Fitbit and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of the Controller Services (as amended from time to time, the “Agreement”).

These Fitbit Health Solutions Controller-Controller Data Protection Terms (“Controller Terms”) are entered into by Fitbit and Customer and supplement the Agreement.  These Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.  

If you are accepting these Controller Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Customer, to these Controller Terms.  If you do not have the legal authority to bind Customer, please do not accept these Controller Terms. 

1. Introduction

These Controller Terms reflect the parties’ agreement on the processing of Controller Personal Data in connection with the European Data Protection Legislation and Non-European Data Protection Legislation, as applicable.

2. Definitions and Interpretation

2.1 In these Controller Terms:

“Additional Terms for Non-European Data Protection Legislation” means the additional terms referred to in Appendix 1, which reflect the parties’ agreement on the terms governing the processing of certain data in connection with Non-European Data Protection Legislation, as applicable.

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

“Controller Data Subject” means a data subject to whom Controller Personal Data relates.

“Controller Personal Data” means any personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Controller Services.

“Controller Services” means the Fitbit Health Solutions described in the applicable Fitbit Health Solutions Client Terms.

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“European Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the EEA or Switzerland.

“End Controller” means, for each party, the ultimate controller of Controller Personal Data.

“European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

“GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.

“Fitbit” means the Fitbit Entity that is party to the Agreement.

“Fitbit End Controllers” means the End Controllers of Controller Personal Data processed by Fitbit.

“Fitbit Entity” means Fitbit LLC (formerly known as Fitbit, Inc.), Fitbit International Limited, or any other Affiliate of Google LLC.

“Non-European Data Protection Legislation” means data protection or privacy laws in force outside the EEA, Switzerland, and the UK.

“Standard Contractual Clauses” means either the EU Controller-Controller SCCs or the UK Controller-Controller SCCs (as applicable) as shown at privacy.google.com/businesses/gdprcontrollerterms/sccs (subject to the amendments reflected in Appendix 2 to these Controller Terms), which are standard data protection terms for the transfer of personal data to controllers established in third countries that do not ensure an adequate level of data protection, as described in Article 46 of the EU GDPR.  All references to ‘Google’ in the link contained in this definition and in the Standard Contractual Clauses are replaced with ‘Fitbit’.

“Terms Effective Date” means the date on which Customer clicked to accept or the parties otherwise agreed to these Controller Terms.

“UK Controller Personal Data” means Controller Personal Data of Controller Data Subjects located in the UK.

“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force.

2.2 The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in these Controller Terms have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.

2.3 Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.

2.4 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3. Application of these Controller Terms

3.1 Application of European Data Protection Legislation.  Sections 4 (Roles and Restrictions on Processing) through 6 (Standard Contractual Clauses) (inclusive) will only apply to the extent that the European Data Protection Legislation applies to the processing of Controller Personal Data.

3.2 Application to Controller Services.  These Controller Terms will only apply to the Controller Services for which the parties agreed to these Controller Terms (for example: (a) the Controller Services for which Customer clicked to accept these Controller Terms; or (b) if the Agreement incorporates these Controller Terms by reference, the Controller Services that are the subject of the Agreement). 

3.3 Incorporation of Additional Terms for Non-European Data Protection Legislation. The Additional Terms for Non-European Data Protection Legislation supplement these Controller Terms.

4. Roles and Restrictions on Processing

4.1 Independent Controllers.  Subject to Section 4.3 (End Controllers), each party:

(a) is an independent controller of Controller Personal Data under the European Data Protection Legislation;

(b) will individually determine the purposes and means of its processing of Controller Personal Data; and 

(c) will comply with the obligations applicable to it under the European Data Protection Legislation regarding the processing of Controller Personal Data.  

4.2 Restrictions on Processing.  Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.

4.3 End Controllers.  Without reducing either party’s obligations under these Controller Terms, each party acknowledges that: (a) the other party’s Affiliates or clients may be End Controllers; and (b) the other party may act as a processor on behalf of its End Controllers.  Fitbit International Limited, an Irish company, is the Fitbit End Controller for data subjects living in the EEA, UK, or Switzerland.  Each party will ensure that its End Controllers comply with the Controller Terms, including (where applicable) the Standard Contractual Clauses.

5. Data Transfers

Either party may transfer Controller Personal Data to third countries if it complies with the provisions on the transfer of personal data to third countries in the European Data Protection Legislation.

6. Standard Contractual Clauses

6.1 Transfers of European Controller Personal Data to Customer.  To the extent that:

(a) Fitbit transfers European Controller Personal Data to Customer; and

(b) Customer is established in a third country that is not subject to an adequacy decision under the European Data Protection Legislation,

Customer as data importer will be deemed to have entered into the Standard Contractual Clauses with Fitbit International Limited (the applicable Fitbit End Controller) as data exporter and the transfers will be subject to the Standard Contractual Clauses.

6.2 Transfers of UK Controller Personal Data to Customer.  To the extent that:

(a) Fitbit transfers UK Controller Personal Data to Customer; and

(b) Customer is established in a third country that is not subject to an adequacy decision under the UK GDPR,

Customer as data importer will be deemed to have entered into the Standard Contractual Clauses with Fitbit International Limited (the applicable Fitbit End Controller) as data exporter and the transfers will be subject to the Standard Contractual Clauses.

6.3 Transfers of European or UK Controller Personal Data to Fitbit.  The parties acknowledge that to the extent Customer transfers European Controller Personal Data to Fitbit, the Standard Contractual Clauses are not required because Fitbit International Limited (the applicable Fitbit End Controller) is established in Ireland and such transfers are therefore permitted under the European Data Protection Legislation.  This does not affect Fitbit’s obligations under Section 5 (Data Transfers).

6.4 Additional Commercial Clauses for the Standard Contractual Clauses.  Sections 6.5 (Contacting Fitbit) to 6.7 (Reviews, Audits and Certifications of Compliance) are additional commercial clauses relating to the Standard Contractual Clauses as permitted by Clause VII (Variation of these clauses) of the Standard Contractual Clauses.  Nothing in Sections 6.5 (Contacting Fitbit) to 6.7 (Reviews, Audits and Certifications of Compliance) varies or modifies any rights or obligations of the parties to the Standard Contractual Clauses.

6.5 Contacting Fitbit.  Customer may contact Fitbit International Limited in connection with the Standard Contractual Clauses at legal-notices@google.com or through such other means as may be provided by Fitbit from time to time, including for the purposes of requesting an Audit under Section 6.7(a) below.

6.6 Responding to Data Subject Enquiries.  For the purpose of Clause I(d) of the Standard Contractual Clauses, the applicable data importer will be responsible for responding to enquiries from data subjects and the authority concerning the processing of applicable Controller Personal Data by the data importer.

6.7 Reviews, Audits and Certifications of Compliance.

(a) If the Standard Contractual Clauses apply under this Section 6 (Standard Contractual Clauses), the applicable data importer will allow the applicable data exporter or a third-party inspection agent or auditor appointed by the data exporter to request reasonable certification or conduct a reasonable review or audit as described in Clause II(g) of the Standard Contractual Clauses (“Audit”), in accordance with this Section 6.7 (Reviews, Audits and Certifications of Compliance).

(b) Following receipt by the data importer of a request for an Audit, the data importer and the data exporter will discuss and agree in advance on the scope and rules of the Audit, including reasonable: start date, scope and duration, use of security certifications, cost allocation and reimbursement schedule, and security and confidentiality controls. The Audit will be conducted by mutually-agreed Audit members with a strict need-to-know and who have no conflicts-of-interest. The Audit will not require any party to disclose trade secrets, internal financial information, customer data, data protected from disclosure by applicable law (including the GDPR), or out-of-scope information.

7. Liability

7.1 Liability Cap. If the Agreement is governed by the laws of:

(a) a state of the United States of America, then, regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the European Data Protection Legislation); or

(b) a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement.  

7.2 Liability if the Standard Contractual Clauses Apply.  If the Standard Contractual Clauses apply under Section 6 (Standard Contractual Clauses), then the total combined liability of each party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement and the Standard Contractual Clauses combined will be subject to Section 7.1 (Liability Cap).  Clause III(a) of the Standard Contractual Clauses will not affect the previous sentence.

8. Third-Party Beneficiaries

If a party’s Affiliate is a party to the Standard Contractual Clauses that apply under Section 6 (Standard Contractual Clauses), then that Affiliate will be a third-party beneficiary of Sections 4.3 (End Controllers), 6 (Standard Contractual Clauses), and 7.2 (Liability if the Standard Contractual Clauses Apply). To the extent this Section 8 (Third-Party Beneficiaries) conflicts or is inconsistent with any other clause in the Agreement, this Section 8 (Third-Party Beneficiaries) will apply.

9. Priority

9.1 Effect of these Controller Terms.  If there is any conflict or inconsistency between the Standard Contractual Clauses, the Additional Terms for Non-European Data Protection Legislation, and these Controller Terms and/or the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 9.2 (Processor Terms), the following order of precedence will apply:

(a) the Standard Contractual Clauses;

(b) the Additional Terms for Non-European Data Protection Legislation;

(c) the remainder of these Controller Terms; and

(d) the remainder of the Agreement. 

If this Agreement (including any Addendum) is translated into any other language, and the translated text conflicts or is inconsistent with the English text, the English text will govern.

Subject to the amendments in these Controller Terms, the Agreement remains in full force and effect.

9.2 Processor Terms.  These Controller Terms will not affect any separate terms between Fitbit and Customer reflecting a controller-processor relationship for a service other than the Controller Services.

10. Changes to these Controller Terms

10.1 Changes to Controller Services in Scope.  Fitbit may only change the list of potential Controller Services at https://enterprise.fitbit.com/client-terms/:

(a) to reflect a change to the name of a service; 

(b) to add a new service; or 

(c) to remove a service where either: (i) all contracts for the provision of that service are terminated; or (ii) Fitbit has Customer’s consent.

10.2 Changes to Controller Terms.  Fitbit may change these Controller Terms if the change: 

(a) is as described in Section 10.1 (Changes to Controller Services in Scope);

(b) is required to comply with applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency; or

(c) does not: (i) seek to alter the categorisation of the parties as independent controllers of Controller Personal Data under the European Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Controller Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Fitbit.

10.3 Notification of Changes.  If Fitbit intends to change these Controller Terms under Section 10.2(b) and such change will have a material adverse impact on Customer, as reasonably determined by Fitbit, then Fitbit will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.  If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Fitbit within 90 days of being informed by Fitbit of the change.

Appendix 1: Additional Terms for Non-European Data Protection Legislation

The following Additional Terms for Non-European Data Protection Legislation supplement these Controller Terms.  All references to ‘Google’ in the links below are replaced with ‘Fitbit’:

Appendix 2: Amendments to the Standard Contractual Clauses

For the purpose of these Controller Terms, the Standard Contractual Clauses incorporate the following amendments:

UK Controller-Controller SCCs

  • The section entitled “Categories of data” is deleted and replaced with the following language: “Categories of data.  The personal data transferred concern the following categories of data: the categories of personal data described in the Agreement.”

Fitbit Health Solutions Controller-Controller Data Protection Terms

27 October 2021