Fitbit Controller-Controller Data Protection Terms
Last revised on May 18, 2022
Fitbit and the other party agreeing to these terms ("Partner") have entered into an agreement for the provision of the Controller Services (as amended from time to time, the "Agreement").
These Fitbit Controller-Controller Data Protection Terms (including its appendix(es), the "Controller Terms") are entered into by Fitbit and Partner and supplement the Agreement. These Controller Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.
If you are accepting these Controller Terms on behalf of Partner, you warrant that: (a) you have full legal authority to bind Partner to these Controller Terms; (b) you have read and understand these Controller Terms; and (c) you agree, on behalf of Partner, to these Controller Terms. If you do not have the legal authority to bind Partner, please do not accept these Controller Terms.
1. Introduction
These Controller Terms reflect the parties’ agreement on the processing of certain data in connection with the European Data Protection Legislation and Non-European Data Protection Legislation.
2. Definitions and Interpretation
2.1 In these Controller Terms:
"Additional Terms for Non-European Data Protection Legislation" means the additional terms referred to in Appendix 1, which reflect the parties’ agreement on the terms governing the processing of certain data in connection with certain Non-European Data Protection Legislation.
"Adequate Country" means:
a. for data processed subject to the EU GDPR: the EEA, or a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the EU GDPR;
b. for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018; and/or
c. for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPA.
"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
"Alternative Transfer Solution" means a solution, other than the Controller SCCs, that enables the lawful transfer of personal data to a third country in accordance with the European Data Protection Legislation.
"Controller Data Subject" means a data subject to whom Controller Personal Data relates.
"Controller Personal Data" means any personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Controller Services.
"Controller SCCs" means, as applicable: (a) the SCCs (EU Controller-to-Controller); and/or (b) the SCCs (UK Controller-to-Controller), which are standard contractual clauses for the transfer of personal data to controllers established in third countries that do not ensure an adequate level of data protection, as described in Article 46 of the EU GDPR and UK GDPR.
"Controller Services" means the Fitbit products or services that incorporate these Controller Terms by reference in their terms of service or other agreements, including the Fitbit APIs and Developer Tools.
"EEA" means the European Economic Area.
"End Controller" means, for each party, the ultimate controller of Controller Personal Data.
"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
"European Controller Personal Data" means Controller Personal Data of Controller Data Subjects located in the EEA or Switzerland.
"European Data Protection Legislation" means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.
"Fitbit" means the Fitbit Entity that is party to the Agreement.
"Fitbit End Controllers" means the End Controllers of Controller Personal Data processed by Fitbit.
"Fitbit Entity" means Fitbit LLC (formerly known as Fitbit Inc.), or Fitbit International Limited.
"GDPR" means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
"Non-European Data Protection Legislation" means data protection or privacy laws in force outside the EEA, Switzerland, and the UK.
"Permitted Transfers" means the processing of Controller Personal Data in, or the transfer of Controller Personal Data to, an Adequate Country.
"Restricted Transfer(s)" means transfer(s) of Controller Personal Data that are (a) subject to the European Data Protection Legislation; and (b) not Permitted Transfers.
"SCCs (EU Controller-to-Controller)" means the European Commission’s standard contractual clauses for data controllers.
"SCCs (UK Controller-to-Controller)" means the UK government’s standard contractual clauses for data controllers.
"Swiss FDPA" means the Federal Data Protection Act of 19 June 1992 (Switzerland).
"Terms Effective Date" means the date on which Partner clicked to accept or the parties otherwise agreed to these Controller Terms.
"UK Controller Personal Data" means Controller Personal Data of Controller Data Subjects located in the UK.
"UK GDPR" means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
2.2 The terms "controller", "data subject", "personal data", "processing" and "processor" as used in these Controller Terms have the meanings given in the GDPR, and the terms "data importer" and "data exporter" have the meanings given in the Controller SCCs.
2.3 The words "include" and "including" mean “including but not limited to”. Any examples in these Controller Terms are illustrative and not the sole examples of a particular concept.
2.4 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
2.5 To the extent any translated version of these Controller Terms is inconsistent with the English version, the English version will govern.
3. Application of these Controller Terms
3.1 Application of European Data Protection Legislation. Sections 4 (Roles and Restrictions on Processing) to 6 (Controller SCCs) (inclusive) will only apply to the extent that the European Data Protection Legislation applies to the processing of Controller Personal Data.
3.2 Application to Controller Services. These Controller Terms will only apply to the Controller Services for which the parties agreed to these Controller Terms (for example: (a) the Controller Services for which Partner clicked to accept these Controller Terms; or (b) if the Agreement incorporates these Controller Terms by reference, the Controller Services that are the subject of the Agreement).
3.3 Incorporation of Additional Terms for Non-European Data Protection Legislation. The Additional Terms for Non-European Data Protection Legislation supplement these Controller Terms.
4. Roles and Restrictions on Processing
4.1 Independent Controllers. Subject to Section 4.3 (End Controllers), each party:
a. is an independent controller of Controller Personal Data under the European Data Protection Legislation;
b. will individually determine the purposes and means of its processing of Controller Personal Data; and
c. will comply with the obligations applicable to it under the European Data Protection Legislation regarding the processing of Controller Personal Data.
4.2 Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Agreement.
4.3 End Controllers. Without reducing either party’s obligations under these Controller Terms, each party acknowledges that: (a) the other party’s Affiliates or clients may be End Controllers; and (b) the other party may act as a processor on behalf of its End Controllers. The Fitbit End Controller is Fitbit International Limited for European Controller and UK Controller Personal Data processed by Fitbit (the "European End Controller"). Each party will ensure that its End Controllers comply with the Controller Terms, including (where applicable) the Controller SCCs.
5. Data Transfers
5.1 Restricted Transfers. Either party may make Restricted Transfers if it complies with the provisions on Restricted Transfers in the European Data Protection Legislation.
5.2 Alternative Transfer Solution. If Fitbit announces its adoption of an Alternative Transfer Solution for any Restricted Transfers, then: (a) Fitbit will ensure that such Restricted Transfers are made in accordance with that Alternative Transfer Solution; and (b) Section 6 (Controller SCCs) will not apply to such Restricted Transfers.
6. Controller SCCs
6.1 Transfers of European and UK Controller Personal Data to Partner. To the extent that:
a. Fitbit transfers European and UK Controller Personal Data to Partner, and
b. the transfer is a Restricted Transfer,
the parties will be deemed to have entered into the SCCs (EU or UK Controller-to-Controller as applicable) for such transfers, with Partner as data importer and Fitbit International Limited (the applicable Fitbit End Controller) as data exporter, unless otherwise specified in the Agreement.
6.2 Transfers of European and UK Controller Personal Data to Fitbit. The parties acknowledge that to the extent that Partner transfers European and UK Controller Personal Data to Fitbit, the Controller SCCs are not required if the address of the Fitbit End Controller is in an Adequate Country (for example, if the Fitbit End Controller is Fitbit International Limited). This does not affect Fitbit’s obligations under Section 5.1 (Restricted Transfers).
6.3 Contacting Fitbit; Partner Information.
a. Partner may contact Fitbit International Limited and/or Fitbit Inc. in connection with the Controller SCCs at data-protection-office@fitbit.com or through such other means as may be provided by Fitbit from time to time, including for the purposes of requesting an Audit under Section 6.5(a) below, to the extent applicable under the relevant Controller SCCs.
b. Partner acknowledges that Fitbit is required under the SCCs (EU Controller-to-Controller) to record certain information, including (i) the identity and contact details of the data importer (including any contact person with responsibility for data protection); and (ii) the technical and organisational measures implemented by the data importer. Accordingly, Partner will provide such information as requested by Fitbit, and will ensure that such information is kept accurate and up-to-date.
6.4 Responding to Data Subject Enquiries. The applicable data importer will be responsible for responding to enquiries from data subjects and the supervisory authority concerning the processing of applicable Controller Personal Data by the data importer.
6.5 Reviews, Audits and Certifications of Compliance.
a. If the Controller SCCs apply under Section 6 (Controller SCCs), the applicable data importer will allow the applicable data exporter (or a third-party inspection agent or auditor appointed by the data exporter) to request reasonable certification, or conduct a reasonable review or audit, as described in the Controller SCCs ("Audit"), in accordance with this Section 6.5 (Reviews, Audits and Certifications of Compliance).
b. Following receipt by the data importer of a request for an Audit, the data importer and the data exporter will discuss and agree in advance on the scope and rules of the Audit, including reasonable: start date, scope and duration, use of security certifications, cost allocation and reimbursement schedule, and security and confidentiality controls applicable to the Audit. The Audit will be conducted by mutually agreed Audit members with a strict need to know and who have no conflicts of interest. The Audit will not require any party to disclose trade secrets, internal financial information, customer or partner data, data protected from disclosure by applicable laws, or out-of-scope information.
7. Liability
7.1 Liability Cap. If the Agreement is governed by the laws of:
a. a state of the United States of America, then, regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Controller Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the European Data Protection Legislation or the Non-European Data Protection Legislation); or
b. a jurisdiction that is not a state of the United States of America, then the liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the Agreement.
7.2 Liability if the Controller SCCs Apply. If the Controller SCCs apply under Section 6 (Controller SCCs), then the total combined liability of each party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement and the Controller SCCs combined will be subject to Section 7.1 (Liability Cap). Clause 12 of the SCCs (EU Controller-to-Controller) and Clause III(a) of the SCCs (UK Controller-to-Controller) will not affect the previous sentence.
8. Third-Party Beneficiaries
If a party’s Affiliate is a party to the Controller SCCs that apply under Section 6 (Controller SCCs), then that Affiliate will be a third-party beneficiary of Sections 4.3 (End Controllers), 6 (Controller SCCs), and 7.2 (Liability if the Controller SCCs Apply). To the extent this Section 8 (Third-Party Beneficiaries) conflicts or is inconsistent with any other clause in the Agreement, this Section 8 (Third-Party Beneficiaries) will apply.
9. Effect of Controller Terms
9.1 Order of Precedence. If there is any conflict or inconsistency between the Controller SCCs, the Additional Terms for Non-European Data Protection Legislation, and the remainder of these Controller Terms and/or the remainder of the Agreement then, subject to Sections 4.2 (Restrictions on Processing) and 9.4 (No Effect on Processor Terms), the following order of precedence will apply:
a. the Controller SCCs (if applicable);
b. the Additional Terms for Non-European Data Protection Legislation (if applicable);
c. the remainder of these Controller Terms; and
d. the remainder of the Agreement.
9.2 Additional Commercial Clauses. Subject to the amendments in these Controller Terms, the Agreement remains in full force and effect. Sections 6.3 (Contacting Fitbit; Partner Information) to 6.5 (Reviews, Audits and Certifications of Compliance), and Section 7.2 (Liability if Controller SCCs Apply) are additional commercial clauses relating to the Controller SCCs as permitted by Clause 2(a) (Effect and invariability of the Clauses) of the SCCs (EU Controller-to-Controller), and Clause VII (Variation of these Clauses) of the SCCs (UK Controller-to-Controller), as applicable.
9.3 No Modification of Controller SCCs. Nothing in the Agreement (including these Controller Terms) is intended to modify or contradict any Controller SCCs or prejudice the fundamental rights or freedoms of data subjects under the European Data Protection Legislation.
9.4 No Effect on Processor Terms. These Controller Terms will not affect any separate terms between Fitbit and Partner reflecting a controller-processor, processor-processor, or processor-controller relationship for a service other than the Controller Services.
10. Changes to these Controller Terms
10.1 Changes to Controller Terms. Fitbit may change these Controller Terms if the change:
a. is required to comply with applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency, or reflects Fitbit’s adoption of an Alternative Transfer Solution; or
b. does not: (i) seek to alter the categorisation of the parties as independent controllers of Controller Personal Data under the European Data Protection Legislation; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process (x) in the case of the Additional Terms for Non-European Data Protection Legislation, the data in scope of the Additional Terms for Non-European Data Protection Legislation or (y) in the case of the remainder of these Controller Terms, Controller Personal Data; or (iii) have a material adverse impact on Partner, as reasonably determined by Fitbit.
10.3 Notification of Changes. If Fitbit intends to change these Controller Terms under Section 10.2(b) and such change will have a material adverse impact on Partner, as reasonably determined by Fitbit, then Fitbit will use commercially reasonable efforts to inform Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency) before the change will take effect. If Partner objects to any such change, Partner may terminate the Agreement by giving written notice to Fitbit within 90 days of being informed by Fitbit of the change.
Appendix 1: Additional Terms for Non-European Data Protection Legislation
CCPA Addendum to Fitbit Controller-Controller Data Protection Terms
Fitbit and the Partner have entered into the Fitbit Controller-Controller Data Protection Terms ("Controller Terms"), which supplement the Agreement. This CCPA Addendum to the Controller Terms (the "CCPA Addendum") is entered into by Fitbit and the Partner and also supplements the Agreement.
1. Introduction
This CCPA Addendum reflects the parties’ agreement on the processing of personal information in connection with the California Consumer Privacy Act of 2018 ("CCPA"). This CCPA Addendum is effective solely to the extent the CCPA applies.
2. Definitions and Interpretation
2.1 The terms "personal information", "sale(s)", and "sell" as used in this CCPA Addendum have the meanings given in the CCPA.
2.2 Capitalised terms used but not defined in this CCPA Addendum will have the meanings given in the Controller Terms.
2.3 If this CCPA Addendum conflicts or is inconsistent with the remainder of the Agreement (including the Controller Terms), this CCPA Addendum will govern.
3. CCPA Terms
3.1 Neither party will sell any personal information that it obtains from the other party in connection with the Agreement.
3.2 Each party is solely liable for its compliance with the CCPA if it uses the other party’s services under the Agreement.
4. Changes to this CCPA Addendum
In addition to Section 10 of the Controller Terms (Changes to these Controller Terms), Fitbit may change this CCPA Addendum without notice if the change (a) is based on applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency; and (b) does not have a material adverse impact on Partner with respect to exemptions from "sales" under the CCPA, as reasonably determined by Partner.
LGPD Controller Addendum to the Fitbit Controller-Controller Data Protection Terms
Fitbit and the Partner have entered into the Fitbit Controller-Controller Data Protection Terms ("Controller Terms"), which supplement the Agreement. This LGPD Controller Addendum to the Fitbit Controller-Controller Data Protection Terms (the "LGPD Controller Addendum") is entered into by Fitbit and the Partner and also supplements the Agreement.
1. Introduction
This LGPD Controller Addendum reflects the parties’ agreement on the terms governing the processing of certain data in connection with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) ("LGPD"). This LGPD Controller Addendum is effective solely to the extent the LGPD applies.
2. Definitions and Interpretation
2.1 In this LGPD Controller Addendum:
"Brazilian Controller Personal Data" means any personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Controller Services.
"Controller Data Subject" means a data subject to whom Brazilian Controller Personal Data relates.
"Fitbit Entity" means Fitbit LLC (formerly known as Fitbit Inc.), or any other Affiliate of Fitbit LLC.
2.2 The terms "controller", "data subject", "personal data", "processing", "processing agent", and "processor" as used in this LGPD Controller Addendum have the meanings given in the LGPD.
2.3 Capitalised terms used but not defined in this LGPD Controller Addendum will have the meanings given in the Controller Terms.
2.4 If this LGPD Controller Addendum conflicts or is inconsistent with the remainder of the Agreement (including the Controller Terms), this LGPD Controller Addendum will govern.
3. Roles and Restrictions on Processing
3.1 Independent Controllers. Each party:
a. is an independent controller of Brazilian Controller Personal Data under the LGPD;
b. is individually responsible for its decisions regarding the processing of Brazilian Controller Personal Data, including determining the purposes and means of such processing; and
c. will comply with the obligations applicable to it under the LGPD with respect to the processing of Brazilian Controller Personal Data.
3.2 Restrictions on Processing. Section 3.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Brazilian Controller Personal Data under the Agreement.
4. Transparency
4.1 Partner Properties. Where Partner uses the Controller Services on any site, app, or other property under its control, or the control of a Partner Affiliate or client, Partner will ensure that the site, app, or other property provides data subjects with clear, precise and easily accessible information about:
a. the processing of Brazilian Controller Personal Data; and
b. the processing agents (including Fitbit, and the identity of any other controller(s)) that may collect, receive, or use Brazilian Controller Personal Data.
4.2 Third-Party Properties. If Brazilian Controller Personal Data of data subjects using a third-party property is shared with Fitbit due to Partner’s use of, or integration with, the Controller Services, then Partner will use commercially reasonable efforts to ensure the operator of the third-party property complies with Partner’s obligations in Section 4.1. In this Section 4.2, a "third-party property" means a site, app, or other property that is not under Partner’s, a Partner Affiliate's, or a Partner client's control, and whose operator is not already using a Controller Service that incorporates this LGPD Controller Addendum.
5. Changes to this LGPD Controller Addendum
In addition to Section 10 of the Controller Terms (Changes to these Controller Terms), Fitbit may change this LGPD Controller Addendum without notice if the change is required to comply with applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency.