LexisNexis Data Processing Addendum
1. SCOPE AND DEFINITIONS
1.1. This LexisNexis Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between the customer (“you,” “your”) and the LexisNexis entity (“LN,” “we,” “us,” “our”) under which we provide you and, if applicable, your affiliates certain services (“Services”) and in which this DPA is referenced.
1.2. “Data protection laws” means all applicable privacy and data protection laws, rules, regulations, decrees, orders and other government requirements. The terms “controller,” “data subject,” “personal data,” “personal data breach,” “processing,” and “processor” will have the meanings ascribed to them in the data protection laws, and where such laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they will be read herein as the same.
2. PROCESSING
2.1. We will implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the data protection laws, ensure the protection of the rights of the data subjects, and provide a standard of protection that is at least the same level of protection as is required under the data protection laws.
2.2. The subject matter of our processing is the personal data provided in respect of the Services. The duration of the processing is the duration of the provision of the Services until disposal of the personal data in accordance with the Agreement. The nature and purpose of the processing is in connection with the provision of the Services. The types of personal data processed are those submitted to the Services. The categories of data subjects are those whose personal data is submitted to the Services.
2.3. To the extent that we are processing personal data on your behalf, we will:
- process the personal data only on your documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law to which we are subject; in such a case, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all security measures required pursuant to the data protection laws;
- respect the conditions referred to in paragraphs 3.1 and 3.2 for engaging another processor;
- taking into account the nature of the processing, assist you by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in the data protection laws;
- assist you in ensuring compliance with the obligations pursuant to the data protection laws taking into account the nature of processing and the information available to us;
- at your choice, delete or return to you all the personal data after the end of the provision of services relating to processing and delete existing copies unless applicable law requires storage of the personal data;
- make available to you all information necessary to demonstrate compliance with the obligations laid down in the data protection laws and allow for and contribute to audits, including inspections, conducted by you or another auditor you mandate; and
- promptly inform you if, in our opinion, an instruction from you to us infringes the data protection laws.
2.4. The Agreement including this DPA, along with your use and configuration in the Services, are your complete and final documented instructions to us for the processing of personal data. Additional or alternate instructions must be agreed upon separately by the parties.
3. SUB-PROCESSORS
3.1. To the extent that we are processing personal data on your behalf, we have your general authorization to engage other processors for the processing of such personal data in accordance with this DPA from our list of such processors at https://www.lexisnexis.com/global/privacy/subprocessors.page, which we may update from time to time. We will inform you of any changes by updating the list on our website at least 14 days in advance. You may object to such changes by notifying us within 14 days after the list is updated and describing your reasons to object. Without prejudice to any applicable refund or termination rights you have under the Agreement, we will use reasonable endeavors to avoid processing any personal data by such new processor to which you reasonably object.
3.2. Where we engage another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in this DPA, in substance, will be imposed on that other processor by way of a contract or other legal act under applicable law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the data protection laws. Where that other processor fails to fulfil those data protection obligations, we will (subject to the terms of the Agreement) remain fully liable to you for the performance of that other processor's obligations.
4. DATA SUBJECT RIGHTS
4.1. To the extent that we are processing personal data on your behalf, we will, to the extent legally permitted, promptly notify you of any data subject rights requests we receive.
4.2. Each party will reasonably cooperate with the other to assist the other party in fulfilling its obligations under the data protection laws in relation to data subject rights requests.
5. TRANSFER
5.1. We will ensure that, to the extent that any personal data originating from your country is transferred to another country, such transfer will be subject to appropriate safeguards in accordance with the data protection laws.
6. SECURITY OF PROCESSING
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including among other things as appropriate:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6.2. In assessing the appropriate level of security, we will take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
6.3. The parties will take reasonable steps to ensure that any natural person acting under the authority of either party who has access to personal data does not process the data except on instructions from you, unless he or she is required to do so by applicable law.
7. PERSONAL DATA BREACH
7.1. To the extent that we are processing personal data on your behalf, we will notify you without undue delay after becoming aware of a personal data breach and will reasonably respond to your requests for further information to assist you in fulfilling your obligations under the data protection laws.
8. RECORDS OF PROCESSING ACTIVITIES
8.1. We will maintain all records required by the data protection laws and, to the extent applicable to the processing of personal data on your behalf, make them available to you as required.
9. AUDIT
9.1. Audits will be:
- subject to the execution of appropriate confidentiality or non-disclosure agreements;
- conducted no more than once per year (unless a reasonable belief of non-compliance with the Agreement has been demonstrated), upon 30 days’ prior written notice and after a plan for such review has been provided; and
- conducted at a mutually agreed upon time, place and manner.
10. CONFLICT
10.1. If there is any conflict between the terms of this DPA and the Agreement, the terms of this DPA will control to the extent required by law.
11. JURISDICTION-SPECIFIC TERMS
11.1. To the extent that we are processing any personal data originating from or otherwise subject to the data protection laws of any of the jurisdictions listed in the annex herein, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.
ANNEX
Jurisdiction-Specific Terms
1. European Economic Area, United Kingdom and Switzerland
1.1. To the extent that you transfer personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to LN located outside the EEA, UK or Switzerland, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:
- the footnotes and Clause 11(a) Option are omitted, and the applicable annexes are completed respectively with the information set out in the DPA and the Agreement;
- to the extent that each party acts as a controller, Module One applies and Modules Two, Three and Four and Clause 17 Option 2 are omitted;
- to the extent that you act as a controller and LN acts as a processor, Module Two applies, Modules One, Three and Four and Clause 17 Option 1 are omitted, Clause 9(a) Option 1 is omitted and the time period in Clause 9(a) Option 2 is 14 days;
- to the extent that each party acts as a processor, Module Three applies, Modules One, Two and Four and Clause 17 Option 1 are omitted, Clause 9(a) Option 1 is omitted and the time period in Clause 9(a) Option 2 is 14 days;
- the “competent supervisory authority” is that in the country where the data exporter is established;
- the Clauses are governed by the law of the country where the data exporter is established;
- any dispute arising from the Clauses shall be resolved by the courts of the country where the data exporter is established; and
- if there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.
1.2. In relation to transfers of personal data from the UK, the Clauses as implemented under section 1.1 above will apply subject to the following modifications:
- the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);
- tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA and the Agreement (as applicable); and
- table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.
1.3. In relation to transfers of personal data from Switzerland, the Clauses as implemented under section 1.1 above will apply subject to the following modifications:
- references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
- references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
- references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
- the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
- Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner;
- the Clauses are governed by the law of Switzerland; and
- any dispute arising from the Clauses will be resolved by the courts of Switzerland.
2. Brazil
2.1. Each party shall:
- comply with its obligations under the Brazilian General Data Protection Law, nº 13.709 of 2018 (Lei Geral de Proteção de Dados Pessoais) (LGPD);
- keep a record of the personal data processing operations that it performs;
- appoint a data protection officer; and
- adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or any form of improper or illegal treatment, including applicable minimum technical standards as laid down by the national authority.
2.2. To the extent that you transfer personal information from Brazil to LN located outside Brazil, LN will comply with the principles and the rights of the data subject and the regime of data protection provided under the LGPD, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws.
3. South Africa
3.1. To the extent that LN is processing as an operator any personal information in scope of the South African Protection of Personal Information Act, No. 4 of 2013 (POPIA) for you as responsible party, LN will further establish and maintain the security measures referred to in section 19 of POPIA and will notify you immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person.
4. United States
U.S. State Privacy Laws Addendum to LexisNexis Data Processing Addendum
Last updated: December 20th, 2022