Last Updated: 25 October 2023
This Data Protection Addendum ("DPA") forms part of the agreement (“Agreement”) between the LexisNexis Risk Solutions entity or entities (“LNRS”) under which LNRS provides Customer or Licensee (as defined in the Agreement and hereinafter “Customer”) and, if applicable, its Affiliates certain products or services ("Services") and in which this DPA is referenced.
I. | Definitions |
|||
1. | “Data Protection Laws” means all applicable privacy and data protection laws, rules, regulations, decrees, orders and other government requirements. | |||
2. | The terms “controller”, “personal data”, “processing” and “data subject” will have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they will be read herein as the same. |
II. | Scope |
|||||
This DPA applies to the processing of personal data each Party receives from the other and, if applicable, its Affiliates under the Agreement, excluding any personal data that either Party is processing on behalf of the other. |
III. |
Party Roles and Restrictions | |||
1. | The Parties acknowledge that each separately and independently determines the purposes and means of processing and, therefore, each is an independent controller of the personal data. The Parties do not and will not process the personal data as joint controllers. | |||
2. | Each Party will comply with its obligations under the Data Protection Laws, and each Party will be individually and separately responsible for its own compliance. Nothing in this DPA will modify any restrictions applicable to either Party’s rights to use or otherwise process the personal data under the Agreement. | |||
3. | Customer agrees that the personal data received by LNRS has been collected, transferred, and otherwise processed in accordance with the Data Protection Laws, including by providing information set out in the applicable LexisNexis Risk Solutions Processing Notice at https://risk.lexisnexis.com/corporate/processing-notices. | |||
4. | Customer agrees that LNRS is processing any authentication details, account data, usage data, service logs, and other personal data processed as necessary to provide, manage or secure the Services subject to the LexisNexis Risk Solutions Privacy Policy at https://risk.lexisnexis.com/corporate/privacy-policy. | |||
5. | Customer agrees that personnel that are processing any personal data will receive appropriate privacy training (including as may be required by the Data Protection Laws). |
IV. | Data Subject Rights |
|||||
Each Party will be responsible for responding to inquiries from data subjects. Neither Party has any obligation to notify the other of a request from a data subject or to respond on the other Party’s behalf. |
V. | Assistance |
||||||
Each Party will cooperate with and assist the other as reasonably required to enable the other Party to comply with its obligation under the Data Protection Laws, taking into account the nature of processing and the information available to the Party. |
VI. | Cross-border Transfer |
||||||
Each Party will ensure that, to the extent that any personal data is transferred by the Party to another country, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws. |
VII. | Jurisdiction-Specific Terms |
|||||
To the extent that either Party is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms | ||||||
European Economic Area, United Kingdom and Switzerland | ||||||
1. |
To the extent that either Party transfers personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to the other Party located outside the EEA, UK or Switzerland, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:
|
|||||
2. |
In relation to transfers of personal data from the UK, the Clauses as implemented under section 1 above will apply subject to the following modifications:
|
|||||
3. |
In relation to transfers of personal data from Switzerland, the Clauses as implemented under section 1 above will apply subject to the following modifications:
|
|||||
United States | ||||||
Brazil | ||||||
1. | Each Party shall:
|
|||||
2. | To the extent that either Party transfers personal information from Brazil to the other Party located outside Brazil, the receiving Party will comply with the principles and the rights of the data subject and the regime of data protection provided under the LGPD. |