| I. | Definitions |
|||
| 1. | “Data Protection Laws” means all applicable privacy and data protection laws, rules, regulations, decrees, orders and other government requirements. |
|||
| 2. | The terms “personal data”, “personal data breach”, “processing”, “processor,” and “data subject”, will have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they will be read herein as the same. |
| II. | Scope |
|||
| This DPA applies to the processing of personal data by RSG on behalf of Customer and, if applicable, Customer Affiliates under the Agreement. |
| III. | Scope of Processing |
|||
| 1. | Processing by RSG will be governed by this DPA, in particular, RSG will process the personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law to which RSG is subject; in such a case, RSG will inform Customer of that legal requirement before processing, unless that law prohibits RSG from doing so on important grounds of public interest. |
|||
| 2. | The subject matter of the processing is the personal data provided in respect of the Services under this Agreement. The duration of the processing is the duration of the provision of the Services under the Agreement until disposal of the personal data in accordance with the Agreement. The nature and purpose of the processing is in connection with the provision of the Services under the Agreement. The types of personal data processed are those submitted to RSG by or at the direction of Customer as part of the Services. The categories of data subjects are those whose personal data is submitted to RSG by or at the direction of Customer as part of the Services. |
|||
| 3. | The Agreement, including this DPA, along with Customer use and configuration of the Services, are the complete and final documented instructions to RSG for the processing of the personal data. Additional or alternate instructions must be agreed upon separately by the parties. RSG will ensure that its personnel engaged in the processing of the personal data will process such data only on documented instructions provided by Customer, unless required to do so by applicable law. |
|||
| IV. | Confidentiality | |||
| RSG will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. | ||||
| V. | Security of Processing | |||
| 1. | Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and RSG will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in the Agreement and including inter alia as appropriate: | |||
| (a) the pseudonymisation and encryption of personal data; | ||||
| (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; | ||||
| (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and | ||||
| (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. | ||||
| 2. | In assessing the appropriate level of security, account will be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. | |||
| 3. | Customer and RSG will take steps to ensure that any natural person acting under the authority of Customer or RSG who has access to personal data does not process data except on instructions from Customer unless he or she is required to do so by applicable law. | |||
| 4. | Notwithstanding any provision to the contrary, RSG may modify or update its security measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Agreement. |
|
VI. |
Sub-processing | |||
| 1. | Customer hereby provides RSG with general authorisation to engage other processors for the processing of personal data in accordance with this DPA. RSG will maintain a list of such processors at https://risk.lexisnexis.com/group/dpa#sub-processors, which RSG may update from time to time. At least 14 days before authorising any new such processor to process the personal data, RSG will update such list on its website. Customer may object to the change without penalty, subject to the Agreement’s dispute resolution process or any applicable refund or termination rights Customer may have under the Agreement. | |||
| 2. | Where RSG engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this DPA will be imposed on that other processor by way of a contract or under the Data Protection Laws. Where that other processor fails to fulfil those data protection obligations, RSG will (subject to the terms of the Agreement) remain fully liable to Customer for the performance of that other processor's obligations. |
| VII. | Data Subject Rights | |||
| 1. | Taking into account the nature of the processing, RSG will assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject's rights. | |||
| 2. | RSG will, to the extent legally permitted, promptly notify Customer of any data subject requests received by RSG and reasonably cooperate with Customer to fulfil its obligations under the Data Protection Laws in relation to such requests. Customer will be responsible for any reasonable costs arising from RSG providing assistance to Customer to fulfil such obligations. |
| VIII. | Assisting the Customer |
|||
| RSG will assist Customer in ensuring compliance with data security, personal breach notification and other obligations as required under the Data Protection Laws, taking into account the nature of processing and the information available to RSG. |
| IX. | Termination of Processing | |||
| Upon the expiration or termination of Customer’s use of the Services, unless applicable law requires storage of the personal data, Customer instructs RSG to delete or return the personal data in accordance with the terms and timelines, if any, for the Services set forth in the Agreement. Where the Agreement provides Customer the choice to delete or return the personal data and Customer does not make that choice within 30 days following the termination of the Agreement, Customer hereby instructs RSG to delete the personal data, unless applicable law requires storage of the personal data. In such cases, RSG will delete the personal data as soon as practicable. |
| X. | Audits | ||||||||
| The rights for conducting audits are set forth in the Agreement. In the absence of such requirements in the Agreement, where the Data Protection Laws so require, audits will be: (i) subject to the execution of appropriate confidentiality or non-disclosure agreements; (ii) conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon 30 days written notice and having provided a plan for such review; and (iii) be conducted at a mutually agreed upon time, place, and manner. |
| XI. | Cross-border Transfer |
|||
| RSG will ensure that, to the extent that any personal data originating from Customer’s country is transferred by RSG to another country such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws |
| XII. | Personal Data Breach |
|||
| RSG will notify Customer without undue delay after becoming aware of a personal data breach involving personal data processed under this DPA and will reasonably respond to Customer’s request for further information so that Customer may fulfil its obligations under the Data Protection Laws. |
| XIII. | Records of Processing Activities |
||
| RSG will maintain all records required by the Data Protection Laws and, to the extent applicable to the processing of the personal data on behalf of Customer, make them available as required. |
| XIV. | Lawful Basis for Processing |
|||
| Customer warrants that, where required by the Data Protection Laws, it has provided notice to any and all data subjects and has received requisite consent from the data subject or its legally authorised representative or guardian. |
| XV. | Jurisdiction-Specific Terms |
||||||
| To the extent that RSG is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms. | |||||||
| European Economic Area and Switzerland | |||||||
| 1. | To the extent that Customer transfers personal data from the European Economic Area (“EEA”) or Switzerland to RSG located outside the EEA or Switzerland, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“2021 EU SCCs”) in respect of such transfer, whereby Customer is the “data exporter,” RSG is the “data importer,” the “competent supervisory authority” is the supervisory authority in Ireland, the footnotes, Clause 9(a) Option 1, Clause 11(a) Option and Clause 17 Option 1 are omitted, the time period in Clause 9(a) Option 2 is 14 days, the content of the applicable annexes corresponds to the respective content of the DPA and the Agreement, and (i) to the extent that Customer acts as a controller and RSG acts as a processor, Module Two applies and Modules One, Three and Four are omitted and (ii) to the extent that each party acts as a processor, Module Three applies and Modules One, Two and Four are omitted. |
||||||
| 2. | The 2021 EU SCCs are governed by the law of Ireland. Any dispute arising from the 2021 EU SCCs will be resolved by the courts of Ireland. |
||||||
| 3. | If there is any conflict between the terms of the Agreement and the 2021 EU SCCs, the 2021 EU SCCs will prevail. |
||||||
| United Kingdom | |||||||
| 1. | To the extent that Customer transfers personal data from the United Kingdom (“UK”) to RSG located outside the UK, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Decision 2010/87/EC of 5 February 2010 available at http://data.europa.eu/eli/dec/2010/87/oj (“Clauses”) in respect of such transfer, whereby Customer is the “data exporter,” RSG is the “data importer,” any optional clauses are omitted, and the content of the appendices corresponds to the respective content of the Agreement. | ||||||
| 2. | The Clauses are governed by the laws of England and Wales. All references in the Clauses to “Union,” “EU,” “Member State” and their laws are replaced with “UK” and the equivalent laws of England and Wales. Any dispute arising from the Clauses will be resolved by the courts of England and Wales. | ||||||
| 3. | If there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail. | ||||||
| California, USA | |||||||
| To the extent that RSG is processing on behalf of Customer any personal information in scope of the California Consumer Privacy Act of 2018 (CCPA), RSG is prohibited from retaining, using or disclosing the personal information for any purpose other than for the specific purpose of performing the Services, or as otherwise permitted by the CCPA, including retaining, using or disclosing the personal information for a commercial purpose (as that term is defined in the CCPA) other than providing the Services. | |||||||
| South Africa | |||||||
| 1. | To the extent that RSG is processing any personal information in scope of the South African Protection of Personal Information Act, No. 4 of 2013 (POPIA) for Customer, RSG will further establish and maintain the security measures referred to in section 19 of POPIA. | ||||||
| 2. | RSG will notify Customer immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. |
| I. | Definitions |
|||
| 1. | “Data Protection Laws” means all applicable privacy and data protection laws, rules, regulations, decrees, orders and other government requirements. |
|||
| 2. | The terms “controller”, “personal data”, “processing” and “data subject” will have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they will be read herein as the same. |
| II. | Scope |
|||||
| This DPA applies to the processing of personal data each Party receives from the other and, if applicable, its Affiliates
under the Agreement, excluding any personal data that either Party is processing on behalf of the other. |
|
III. |
Party Roles and Restrictions | |||
| 1. | The Parties acknowledge that each separately and independently determines the purposes and means of processing and, therefore, each is an independent controller of the personal data. The Parties do not and will not process the personal data as joint controllers. | |||
| 2. | Each Party will comply with its obligations as a controller under the Data Protection Laws, and each Party will be individually and separately responsible for its own compliance. Nothing in this DPA will modify any restrictions applicable to either Party’s rights to use or otherwise process the personal data under the Agreement. | |||
| 3. | Customer agrees that the personal data has been collected, transferred, and otherwise processed in accordance with the Data Protection Laws. | |||
| 4. | Customer agrees that RSG is processing any authentication details, account data, usage data, service logs, and other personal data processed as necessary to provide, manage or secure the Services as a controller subject to the LexisNexis Risk Solutions Group Privacy Policy at https://risk.lexisnexis.com/group/privacy-policy. |
| IV. | Data Subject Rights |
|||||
| Each Party will be responsible for responding to inquiries from data subjects. Neither Party has any obligation to notify the other of a request from a data subject or to respond on the other Party’s behalf. |
| V. | Assistance |
||||||
| Each Party will cooperate with and assist the other as reasonably required to enable the other Party to comply with its obligation under the Data Protection Laws, taking into account the nature of processing and the information available to the Party. |
| VI. | Cross-border Transfer |
|||||
| Each Party will ensure that, to the extent that any personal data is transferred by the Party to another country, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws. |
| VII. | Jurisdiction-Specific Terms |
|||||
| To the extent that either Party is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms | ||||||
| European Economic Area and Switzerland | ||||||
| 1. | To the extent that either Party transfers personal data from the European Economic Area (“EEA”) or Switzerland to the other Party located outside the EEA or Switzerland, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“2021 EU SCCs”) in respect of such transfer, whereby the receiving Party is the “data importer”; the other Party is the “data exporter”; the “competent supervisory authority” is the supervisory authority in Ireland; Module One applies, Modules Two, Three and Four, the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted; and the content of the applicable annexes corresponds to the respective content of the DPA and the Agreement. |
|||||
| 2. | The 2021 EU SCCs are governed by the law of Ireland. Any dispute arising from the 2021 EU SCCs will be resolved by the courts of Ireland. |
|||||
| 3. | If there is any conflict between the terms of the Agreement and the 2021 EU SCCs, the 2021 EU SCCs will prevail. |
|||||
| United Kingdom | ||||||
| 1. | To the extent that either Party transfers personal data from the United Kingdom (“UK”) to the other Party located outside the UK, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Decision 2004/915/EC of 27 December 2004 available at http://data.europa.eu/eli/dec/2004/915/oj (“Clauses”) in respect of such transfer, whereby the receiving Party is the “data importer,” the other Party is the “data exporter,” any optional clauses are omitted, and the content of the appendices corresponds to the respective content of the Agreement. | |||||
| 2. | The Clauses are governed by the laws of England and Wales. All references in the Clauses to “Union,” “EU,” “Member State” and their laws are replaced with “UK” and the equivalent UK laws. Any dispute arising from the Clauses will be resolved by the courts of England and Wales. | |||||
| 3. | If there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail. | |||||
| Brazil | ||||||
| To the extent that either Party transfers personal information from Brazil to the other Party located outside Brazil, the receiving Party will comply with the principles and the rights of the data subject and the regime of data protection provided under the Brazilian General Data Protection Law, nº 13.709 of 2018 (Lei Geral de Proteção de Dados Pessoais) (LGPD). |
LexisNexis Risk Solutions Group (RSG) engages other entities to provide services on its behalf. The following sub‐processors undertake processing activities to assist RSG entities and brands in providing services:
RSG Business Services
| Entity Name | Entity Location |
| LexisNexis Risk Solutions UK Limited | UK |
| Tracesmart Ltd, trading as LexisNexis | UK |
| Crediva Limited | UK |
| LexisNexis Israel Ltd | Israel |
| LexisNexis Risk Solutions FL Inc | US |
| ThreatMetrix, Inc. | EU & US |
| World Compliance Inc. | US |
| Emailage | EU & US |
| LexisNexis Serviços de Análise de Risco Ltda. | Brazil |
| Entity Name | Entity Location |
| Amazon Web Services Inc. and its affiliates | UK/Ireland/US |
| NTT Europe Limited | UK |
| Vantage Data Centers (Previously 'New Generation Data Limited') | UK |
| Entity Name | Entity Location |
| Experian Limited | UK |
| Equifax Limited | UK |
| Liquid11 Limited, trading as Data Soap | UK |
| Data8 Limited | UK |
| Creditsafe Business Solutions Ltd | UK |
| HM Land Registry | UK |
| Kompli Global | UK |
| Tracers | US |
| Integrity | UK |
| GRO | UK |
| Ancestry | UK |
| Scotlands People | UK |
| Full Contact Inc. | US |
| BulkSMS | UK |
| Acuant Inc. | US |
| Infobip | UK |
| 3Cinteractive Corp. | US |
| Syniverse Technologies LLC | US |
| Global Data Consortium Inc. | US |
| Synectics Solutions Limited | UK |
RSG Insurance
| Entity Name | Entity Location |
| LexisNexis Risk Solutions UK Limited | UK |
| LexisNexis Risk Solutions (Ireland) Limited | Ireland |
| LexisNexis Risk Solutions (Europe) Limited | Ireland |
| Wunelli Limited | UK |
| Insurance Initiatives Limited | UK |
| LexisNexis Risk Solutions Inc. | US |
| Emailage | US |
| LexisNexis Serviços de Análise de Risco Ltda. | Brazil |
| Entity Name | Entity Location |
| Amazon Web Services Inc. and its affiliates | Ireland |
| NTT Europe Limited | UK |
| Rackspace Limited | UK |
| Vantage Data Centers (Previously 'New Generation Data Limited') | UK |
| Entity Name | Entity Location |
| Callcredit Limited | UK |
| Experian Limited | UK |
| Carweb Limited | UK |
| Equifax Limited | UK |
| Entity Name | Entity Location |
| Google Ireland Limited | Ireland |
| Harte Hanks Trillium UK Limited | UK |
| Pitney Bowes Software Limited | UK |
| JBA Risk Management Limited | UK |
| Ordnance Survey | UK |
| Ambiential Technical Solutions Limited | UK |
| Entity Name | Entity Location |
| Quartix Limited | UK |
| CDL Vehicle Information Services Limited | UK |
| Vodafone Automotive UK Ltd | UK |
| Ratebox Limited | UK |
| Something Interesting Limited | UK |
| Hyde Park Corner Installation Limited | UK |
| Luby Techologia Ltda | Brazil |
Emailage Corp.
| Entity Name | Entity Location |
| LexisNexis Risk Solutions FL Inc. | US |
| ThreatMetrix, Inc. | US |
| Entity Name | Entity Location |
| Amazon Web Services Inc. and its affiliates | Ireland/Germany/US/Australia |
| Entity Name | Entity Location |
| Telesign Corporation | US/Netherlands |
| Validity, Inc. | US |
| TowerData, Inc. | US |
ThreatMetrix, Inc.
| Entity Name | Entity Location |
| LexisNexis Risk Solutions UK Limited | UK |
| Tracesmart Ltd, trading as LexisNexis | UK |
| Crediva Limited | UK |
| LexisNexis Israel Ltd | Israel |
| LexisNexis Risk Solutions FL Inc. | US |
| World Compliance Inc. | US |
| Entity Name | Entity Location |
| Telesign Corporation | US |
| Vocalink Limited | UK |
RSG Data Services
| Entity Name | Entity Location |
| Amazon Web Services Inc. and its affiliates | UK/Ireland/US/Australia |
| Entity Name | Entity Location |
| Microsoft Ltd | UK/Ireland/US |
| Salesforce | UK/US |
| Entity Name | Entity Location |
| WNS Global Services (UK) LTD | UK/India |
| Entity Name | Entity Location |
| ETouches /Aventri | US |
Accuity
| Entity Name | Entity Location |
| Rackspace | US |
Fircosoft SAS
| Entity Name | Entity Location |
| OVH SAS | France |
| Accuity Inc | US |
| LNRS Data Services Ltd | UK/US |
Estates Gazette
| Entity Name | Entity Location |
| Artrix Ltd | UK |
| Entity Name | Entity Location |
| Lucky Thirteen Ltd | UK |
| LKk Sutton Ltd T/A Sm1 Print Studio | UK |
Cirium
| Entity Name | Entity Location |
| PeaSoup Cloud | UK |
| Google Inc. | US |
| Entity Name | Entity Location |
| Travelport Worldwide Ltd. | UK |
| Sabre Corporation | US |
| Amadeus IT Group, S.A. | Spain |
| Entity Name | Entity Location |
| Atlassian Corporation Plc. | Australia |
| Entity Name | Entity Location |
| Oracle Corporation | US |
| GitLab Inc. | US |
| Atlassian Corporation Plc. | Australia |
| 3 Scale by Redhat | US |
| Entity Name | Entity Location |
| WorldAware | US |
Nextens
| Entity Name | Entity Location |
| Sendgrid | US |
| Postmark | US |
| New Relic | US |
| Entity Name | Entity Location |
| ON24 | US |
Proagrica
| Entity Name | Entity Location |
| Sendgrid | US |
| Tierpoint | US |
| Six Degrees Technology Group Ltd | UK |
| Entity Name | Entity Location |
| Merit Group | India |
| Entity Name | Entity Location |
| Silicon Sky | South Africa |
| Entity Name | Entity Location |
| Sendgrid | US |
| CloudConvert | Germany |
| Esker | France |
| Cloudtrade | UK |
| Entity Name | Entity Location |
| Esendex | Ireland |
| Messagebird | The Netherlands |
XpertHR
| Entity Name | Entity Location |
| MongoDB | US |
| Entity Name | Entity Location |
| Littler | US |
| Entity Name | Entity Location |
| Markel | UK |
| Entity Name | Entity Location |
| ON24 | US |