Data Processing Addendum


Last Updated: 8 July 2021
This Data Processing Addendum ("DPA") forms part of the agreement (“Agreement”) between the LexisNexis Risk Solutions Group entity or entities (“RSG”) under which RSG provides Customer or Licensee (as defined in the Agreement and hereinafter “Customer”) and, if applicable, its Affiliates certain services ("Services") and in which this DPA is referenced.
A. Definitions
“Data protection laws” means all applicable privacy and data protection laws, regulations, orders and other government requirements, including those of the European Union (“Union”), the United Kingdom (“UK”) and the United States. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
       
The terms “personal data”, “personal data breach”, “processing”, “processor,” and “data subject”, will have the same meanings ascribed to them in Data Protection Laws, and where such laws use the term ‘personal information’, it shall be read as personal data.
B. Scope
This DPA applies to the processing of personal data by RSG on behalf of Customer and, if applicable, Customer Affiliates under the Agreement.
C. Processing
  1. RSG shall implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Data Protection Laws and ensure the protection of the rights of the data subject and the standard of protection will be at least comparable to the protection required under the relevant data protection laws.

  2. RSG shall not engage another processor without prior specific or general written authorisation of Customer. In the case of general written authorisation, RSG shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes in the manner more specifically set forth herein. 

  3. Processing by RSG shall be governed by this DPA, in particular, RSG will:
    1. process the personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by the Union, UK or Member State law to which RSG is subject; in such a case, RSG shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

    2. ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

    3. take all measures required pursuant to Article 32 of the GDPR;

    4. respect the conditions referred to in paragraphs 2 and 5 in this section C for engaging another processor;

    5. considering the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject's rights as required under the relevant data protection laws.

    6. assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR considering the nature of processing and the information available to RSG;

    7. at the choice of Customer, delete or return all the personal data to Customer after the end of the provision of services relating to processing and delete existing copies unless Union, UK or Member State law requires storage of the personal data;

    8. make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. RSG shall immediately inform Customer if, in its opinion, an instruction from Customer to RSG infringes the GDPR or other Union, UK or Member State data protection provisions.

  4. Where RSG engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract or other legal act under Union, UK or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil those data protection obligations, RSG shall (subject to the terms of the Agreement) remain fully liable to Customer for the performance of that other processor's obligations.

  5. The subject matter of the processing is the personal data provided in respect of the Services under this Agreement. The duration of the processing is the duration of the provision of the Services under the Agreement. The nature and purpose of the processing is in connection with the provision of the Services under the Agreement. RSG is prohibited from retaining, using or disclosing the personal data for any purpose other than for the specific purpose of performing the Services under the Agreement, or as otherwise permitted by the Data protection laws, including retaining, using or disclosing the personal data for a commercial purpose other than providing the Services. The types of personal data processed under the Agreement may include contact information, professional information, unique identifiers, and other types of personal data submitted by or at the direction of Customer as part of the Services. The categories of data subjects are Customer representatives, users of the Services, and/or clients, prospects, suppliers, business partners and others whose personal data may be submitted by or at the direction of Customer as part of the Services.

  6. The Agreement including this DPA, along with Customer use and configuration in the Services, are the complete and final documented instructions to RSG for the processing of the personal data. Additional or alternate instructions must be agreed upon separately by the parties. RSG will ensure that its personnel engaged in the processing of the personal data will process such data only on documented instructions provided by Customer, unless required to do so by Union, UK, Member State or other applicable law.

  7. Upon the expiration or termination of Customer’s use of the products and services, unless applicable law requires storage of the personal data, Customer will instruct RSG to delete or return the personal data in accordance with the terms and timelines, if any, for the products and services set forth in the Agreement. Where the Agreement provides Customer the choice to delete or return the personal data and Customer does not make that choice within 30 days following the termination of the Agreement, Customer will instruct RSG to delete the personal data, unless applicable law requires storage of the personal data.
D. Sub-processing
Customer hereby provides RSG with general authorisation to engage other processors for the processing of Customer personal data in accordance with this DPA. RSG shall maintain a list of such processors at https://risk.lexisnexis.com/group/dpa, which RSG may update from time to time. At least 14 days before authorising any new such processor to process the personal data, RSG shall update such list on its website. Customer may object to the change without penalty, by initiating the Agreement’s dispute resolution process, or any applicable refund or termination rights Customer has under the Agreement.
E. Data Subject Rights
  1. Taking into account the nature of the processing, RSG will assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject's rights.

  2. RSG shall, to the extent legally permitted, promptly notify Customer of any data subject requests received by RSG and reasonably cooperate with Customer to fulfil its obligations under the Data Protection Laws in relation to such requests. Customer shall be responsible for any reasonable costs arising from RSG providing assistance to Customer to fulfil such obligations.
F. Assisting the Customer
RSG will assist Customer in ensuring compliance with the obligations as required under the Data Protection Laws, including Articles 32 to 36 of the GDPR, considering the nature of processing and the information available to RSG.
G. Termination of Processing
Upon the expiration or termination of Customer’s use of the products and services, unless applicable law requires storage of the personal data, Customer instructs RSG to delete or return the personal data in accordance with the terms and timelines, if any, for the products and services set forth in the Agreement. Where the Agreement provides Customer the choice to delete or return the personal data and Customer does not make that choice within 30 days following the termination of the Agreement, Customer hereby instructs RSG to delete the personal data, unless applicable law requires storage of the personal data. In such cases, RSG will delete the personal data as soon as practicable.
H. Audits
The rights for conducting audits are set forth in the Agreement. In the absence of such requirements in the Agreement, where the Data Protection Laws so require, audits shall be:
  1. subject to the execution of appropriate confidentiality or non-disclosure agreements;

  2. conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon 30 days written notice and having provided a plan for such review; and

  3. conducted at a mutually agreed upon time, place, and manner.

IV. Cross-border Transfer
  A. RSG will ensure that, to the extent that any personal data originating from Customer’s country is transferred by RSG to another country such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws.

  B. To the extent that Customer transfers personal data from the UK, Switzerland or EEA to RSG in a country or territory outside the EEA that has not received a binding adequacy decision by the European Commission or a competent national data protection authority, the parties will be deemed to have entered into the EU Standard Contractual Clauses in respect of such transfer, whereby Customer is the “data exporter”, RSG is the “data importer”, the provisions under Module Two are incorporated; the provisions under Modules One, Three, and Four are disregarded; the competent supervisory authority is the Data Protection Commission of Ireland; and the content of the applicable annexes corresponds to the respective content of this DPA and the Agreement, unless the parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws (including Article 46 of the GDPR).
V. Personal Data Breach
RSG will notify Customer without undue delay after becoming aware of a personal data breach involving personal data processed under this DPA and shall reasonably respond to Customer’s request for further information so that Customer may fulfil its obligations under the Data Protection Laws (including Articles 33 and 34 of the GDPR).
VI. Records of Processing Activities
RSG will maintain all records required by the Data Protection Laws (including Article 30(2) of the GDPR as applicable) and, to the extent applicable to the processing of the personal data on behalf of Customer, make them available as required.

LexisNexis Risk Solutions Group (RSG) engages other entities to provide services on its behalf. The following sub‐processors undertake processing activities to assist RSG entities and brands in providing services:


RSG Business Services

Affiliates

  Entity Name    Entity Location
  LexisNexis Risk Solutions UK Limited   UK
  Tracesmart Ltd, trading as LexisNexis   UK
  Crediva Limited   UK
  LexisNexis Israel Ltd   Israel
  LexisNexis Risk Solutions FL Inc   US
  ThreatMetrix, Inc.   EU & US
  World Compliance Inc.   US
  Emailage   EU & US
  LexisNexis Serviços de Análise de Risco Ltda.   Brazil
Infrastructure/Cloud Service Providers/Data Centres

  Entity Name    Entity Location
  Amazon Web Services Inc. and its affiliates   UK/Ireland/US
  NTT Europe Limited   UK
  Vantage Data Centers (Previously 'New Generation Data Limited')   UK
Data Service Providers

  Entity Name    Entity Location
  Experian Limited   UK
  Equifax Limited   UK
  Liquid11 Limited, trading as Data Soap   UK
  Data8 Limited   UK
  Creditsafe Business Solutions Ltd   UK
  HM Land Registry   UK
  Kompli Global   UK
  Tracers   US
  Integrity   UK
  GRO   UK
  Ancestry   UK
  Scotlands People   UK
  Full Contact Inc.   US
  BulkSMS   UK
  Acuant Inc.   US
  Infobip   UK
  3Cinteractive Corp.   US
  Syniverse Technologies LLC   US
  Global Data Consortium Inc.   US
  Synectics Solutions Limited   UK


RSG Insurance

Affiliates

  Entity Name    Entity Location
  LexisNexis Risk Solutions UK Limited   UK
  LexisNexis Risk Solutions (Ireland) Limited   Ireland
  LexisNexis Risk Solutions (Europe) Limited   Ireland
  Wunelli Limited   UK
  Insurance Initiatives Limited   UK
  LexisNexis Risk Solutions Inc.   US
  Emailage   US
  LexisNexis Serviços de Análise de Risco Ltda.   Brazil
Infrastructure/Cloud Service Providers/Data Centres

  Entity Name    Entity Location
  Amazon Web Services Inc. and its affiliates   Ireland
  NTT Europe Limited   UK
  Rackspace Limited   UK
  Vantage Data Centers (Previously 'New Generation Data Limited')   UK
Data Service Providers – Insurance

  Entity Name    Entity Location
  Callcredit Limited   UK
  Experian Limited   UK
  Carweb Limited   UK
  Equifax Limited   UK
Data Service Providers – MapView

  Entity Name    Entity Location
  Google Ireland Limited   Ireland
  Harte Hanks Trillium UK Limited   UK
  Pitney Bowes Software Limited   UK
  JBA Risk Management Limited   UK
  Ordnance Survey   UK
  Ambiential Technical Solutions Limited   UK
Telematics Support Service Providers and Consultancies

  Entity Name    Entity Location
  Quartix Limited   UK
  CDL Vehicle Information Services Limited   UK
  Vodafone Automotive UK Ltd   UK
  Ratebox Limited   UK
  Something Interesting Limited   UK
  Hyde Park Corner Installation Limited   UK
  Luby Techologia Ltda   Brazil


Emailage Corp.

Affiliates

  Entity Name    Entity Location
  LexisNexis Risk Solutions FL Inc.   US
  ThreatMetrix, Inc.   US
Infrastructure/Cloud Service Providers

  Entity Name    Entity Location
  Amazon Web Services Inc. and its affiliates   Ireland/Germany/US/Australia
Data Service Providers

  Entity Name    Entity Location
  Telesign Corporation   US/Netherlands
  Validity, Inc.   US
  TowerData, Inc.   US


ThreatMetrix, Inc.

Affiliates

  Entity Name    Entity Location
  LexisNexis Risk Solutions UK Limited   UK
  Tracesmart Ltd, trading as LexisNexis   UK
  Crediva Limited   UK
  LexisNexis Israel Ltd   Israel
  LexisNexis Risk Solutions FL Inc.   US
  World Compliance Inc.   US
Infrastructure/Data Centres

  Entity Name    Entity Location
  RagingWire Data Centers, Inc.   US
  Equinix (Netherlands) B.V.   Netherlands
  Verne Global hf / Verne Real Estate II hf   Iceland
Data Service Providers

  Entity Name    Entity Location
  Telesign Corporation   US
  Vocalink Limited   UK
  Neustar Inc   US


RSG Data Services

Available for use by all LNRS Data Services Business Units: Accuity, XpertHR, Proagrica, Estates Gazette, Cirium, Nextens, ICIS
Cloud Services

  Entity Name    Entity Location
  Amazon Web Services Inc. and its affiliates   UK/Ireland/US/Australia
Software Solutions

  Entity Name    Entity Location
  Microsoft Ltd   UK/Ireland/US
  Salesforce   UK/US
Data Provider; Data Entry Services

  Entity Name    Entity Location
  WNS Global Services (UK) LTD   UK/India
Events Services

  Entity Name    Entity Location
  ETouches /Aventri   US


Accuity

Cloud Services

  Entity Name    Entity Location
  Rackspace   US


Fircosoft SAS

Cloud Services

  Entity Name    Entity Location
  OVH SAS   France
  Accuity Inc   US
  LNRS Data Services Ltd   UK/US


Estates Gazette

Cloud Services

  Entity Name    Entity Location
  Artrix Ltd   UK
Events Services

  Entity Name    Entity Location
  Lucky Thirteen Ltd   UK
  LKk Sutton Ltd T/A Sm1 Print Studio   UK


Cirium

Cloud Services

  Entity Name    Entity Location
  PeaSoup Cloud   UK
  Google Inc.   US
Data Provider

  Entity Name    Entity Location
  Travelport Worldwide Ltd.   UK
  Sabre Corporation   US
  Amadeus IT Group, S.A.   Spain
Project Management Services

  Entity Name    Entity Location
  Atlassian Corporation Plc.   Australia
Software Services

  Entity Name    Entity Location
  Oracle Corporation   US
  GitLab Inc.   US
  Atlassian Corporation Plc.   Australia
  3 Scale by Redhat   US
Travel Risk Management

  Entity Name    Entity Location
  WorldAware   US


Nextens

Software Solutions

  Entity Name    Entity Location
  Sendgrid   US
  Postmark   US
  New Relic   US
Webinar Services

  Entity Name    Entity Location
  ON24   US


Proagrica

Cloud Services

  Entity Name    Entity Location
  Sendgrid   US
  Tierpoint   US
  Six Degrees Technology Group Ltd   UK
Data Processing

  Entity Name    Entity Location
  Merit Group   India
IT Infrastructure Services

  Entity Name    Entity Location
  Silicon Sky   South Africa
Software Solutions

  Entity Name    Entity Location
  Sendgrid   US
  CloudConvert   Germany
  Esker   France
  Cloudtrade   UK
SMS Services

  Entity Name    Entity Location
  Esendex   Ireland
  Messagebird   The Netherlands


XpertHR

Database Program

  Entity Name    Entity Location
  MongoDB   US
Employment Law Solutions

  Entity Name    Entity Location
  Littler   US
Legal Insurance

  Entity Name    Entity Location
  Markel   UK
Webinar Service

  Entity Name    Entity Location
  ON24   US