Data Protection Addendum

Last Updated: 14 December 2022

This Data Protection Addendum ("DPA") forms part of the agreement (“Agreement”) between the LexisNexis Risk Solutions Group entity or entities (“RSG”) under which RSG provides Customer or Licensee (as defined in the Agreement and hereinafter “Customer”) and, if applicable, its Affiliates certain products or services ("Services") and in which this DPA is referenced.

I.          Definitions
    
 
 
   1.          “Data Protection Laws” means all applicable privacy and data protection laws, rules, regulations, decrees, orders and other government requirements.
 
   2.      The terms “controller”, “personal data”, “processing” and “data subject” will have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they will be read herein as the same.

II.                    Scope
    
 


 
             This DPA applies to the processing of personal data each Party receives from the other and, if applicable, its Affiliates under the Agreement, excluding any personal data that either Party is processing on behalf of the other.

III.  

         Party Roles and Restrictions
 
1.          The Parties acknowledge that each separately and independently determines the purposes and means of processing and, therefore, each is an independent controller of the personal data. The Parties do not and will not process the personal data as joint controllers.
         
 
2.    Each Party will comply with its obligations under the Data Protection Laws, and each Party will be individually and separately responsible for its own compliance. Nothing in this DPA will modify any restrictions applicable to either Party’s rights to use or otherwise process the personal data under the Agreement.  
         
    3.    Customer agrees that the personal data received by RSG has been collected, transferred, and otherwise processed in accordance with the Data Protection Laws, including by providing information set out in the applicable LexisNexis Risk Solutions Group Processing Notice at https://risk.lexisnexis.com/group/processing-notices.  
         
    4.    Customer agrees that RSG is processing any authentication details, account data, usage data, service logs, and other personal data processed as necessary to provide, manage or secure the Services subject to the LexisNexis Risk Solutions Group Privacy Policy at https://risk.lexisnexis.com/group/privacy-policy
         
    5.    Customer agrees that personnel that are processing any personal data will receive appropriate privacy training (including as may be required by the Data Protection Laws).
IV.                   Data Subject Rights
    
 


 
             Each Party will be responsible for responding to inquiries from data subjects. Neither Party has any obligation to notify the other of a request from a data subject or to respond on the other Party’s behalf.
V.                      Assistance
 
               Each Party will cooperate with and assist the other as reasonably required to enable the other Party to comply with its obligation under the Data Protection Laws, taking into account the nature of processing and the information available to the Party.
VI.                      Cross-border Transfer
 
               Each Party will ensure that, to the extent that any personal data is transferred by the Party to another country, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws.
VII.            Jurisdiction-Specific Terms
           
            To the extent that either Party is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms
             
            European Economic Area, United Kingdom and Switzerland
             
     
1.   To the extent that either Party transfers personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to the other Party located outside the EEA, UK or Switzerland, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:
  1.  the receiving Party is the “data importer” and the other Party is the “data exporter”;
  2.  Module One applies, Modules Two, Three and Four, the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted, and the applicable annexes are completed   respectively with the information set out in the DPA and the Agreement (as applicable);
  3.  the “competent supervisory authority” is the supervisory authority in Ireland;
  4.  the Clauses are governed by the law of Ireland;
  5.  any dispute arising from the Clauses will be resolved by the courts of Ireland; and
  6.  if there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.
     
2.   In relation to transfers of personal data from the UK, the Clauses as implemented under section 1 above will apply subject to the following modifications:
  1.  the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under   Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);
  2.  tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA and the Agreement (as applicable); and
  3.  table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.
     
3.    In relation to transfers of personal data from Switzerland, the Clauses as implemented under section 1 above will apply subject to the following modifications:
  1.  references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
  2.  references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
  3.  references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
  4.  the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
  5.  Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
  6.  the Clauses are governed by the law of Switzerland; and
  7.  any dispute arising from the Clauses will be resolved by the courts of Switzerland.
             
            United States
             
          California
           
           

To the extent that Customer sells to RSG or shares with RSG any personal information in scope of the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, the “CPRA”), effective as of January 1, 2023: 
        1.    The purposes for which the personal information is made available to RSG is to provide, manage and secure the Services subject to the LexisNexis Risk Solutions Group Privacy Policy at https://risk.lexisnexis.com/group/privacy-policy
        2.    Customer is making the personal information available to RSG only for the limited and specified purposes set forth in the Agreement, and RSG is required to use the personal information only for those limited and specified purposes; 
        3.    RSG is required to comply with applicable sections of the CPRA, including – with respect to the personal information that Customer makes available to RSG – providing the same level of privacy protection as required of businesses by the CPRA; 
        4.    RSG grants Customer the right – with respect to the personal information that Customer makes available to RSG – to take reasonable and appropriate steps to ensure that RSG uses the personal information in a manner consistent with Customer’s obligations under the CPRA; 
        5.    RSG grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to RSG; and 
        6.    RSG is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CPRA. 
           
            Brazil
             
         1.            Each Party shall:
  1. comply with its obligations under the Brazilian General Data Protection Law, nº 13.709 of 2018 (Lei Geral de Proteção de Dados Pessoais) (LGPD); 
  2. shall keep a record of the personal data processing operations that it performs;
  3. appoint a data protection officer; and
  4. adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any form of improper or illegal treatment, including applicable minimum technical standards as laid down by the national authority.
         2.            To the extent that either Party transfers personal information from Brazil to the other Party located outside Brazil, the receiving Party will comply with the principles and the rights of the data subject and the regime of data protection provided under the LGPD.