VII. |
|
|
|
|
|
Jurisdiction-Specific Terms
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To the extent that either Party is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms |
|
|
|
|
|
|
|
|
|
|
|
|
|
European Economic Area, United Kingdom and Switzerland |
|
|
|
|
|
|
|
|
|
|
|
1. |
|
To the extent that either Party transfers personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to the other Party located outside the EEA, UK or Switzerland, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:
- the receiving Party is the “data importer” and the other Party is the “data exporter”;
- Module One applies, Modules Two, Three and Four, the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted, and the applicable annexes are completed respectively with the information set out in the DPA and the Agreement (as applicable);
- the “competent supervisory authority” is the supervisory authority in Ireland;
- the Clauses are governed by the law of Ireland;
- any dispute arising from the Clauses will be resolved by the courts of Ireland; and
- if there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.
|
|
|
|
|
2. |
|
In relation to transfers of personal data from the UK, the Clauses as implemented under section 1 above will apply subject to the following modifications:
- the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);
- tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA and the Agreement (as applicable); and
- table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.
|
|
|
|
|
3. |
|
In relation to transfers of personal data from Switzerland, the Clauses as implemented under section 1 above will apply subject to the following modifications:
- references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
- references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
- references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
- the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
- Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
- the Clauses are governed by the law of Switzerland; and
- any dispute arising from the Clauses will be resolved by the courts of Switzerland.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
United States |
|
|
|
|
|
|
|
|
|
|
|
|
|
California
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To the extent that Customer sells to RSG or shares with RSG any personal information in scope of the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, the “CPRA”), effective as of January 1, 2023:
|
|
|
|
|
1. |
|
The purposes for which the personal information is made available to RSG is to provide, manage and secure the Services subject to the LexisNexis Risk Solutions Group Privacy Policy at https://risk.lexisnexis.com/group/privacy-policy; |
|
|
|
|
2. |
|
Customer is making the personal information available to RSG only for the limited and specified purposes set forth in the Agreement, and RSG is required to use the personal information only for those limited and specified purposes; |
|
|
|
|
3. |
|
RSG is required to comply with applicable sections of the CPRA, including – with respect to the personal information that Customer makes available to RSG – providing the same level of privacy protection as required of businesses by the CPRA; |
|
|
|
|
4. |
|
RSG grants Customer the right – with respect to the personal information that Customer makes available to RSG – to take reasonable and appropriate steps to ensure that RSG uses the personal information in a manner consistent with Customer’s obligations under the CPRA; |
|
|
|
|
5. |
|
RSG grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to RSG; and |
|
|
|
|
6. |
|
RSG is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CPRA. |
|
|
|
|
|
|
|
|
|
|
|
|
|
Brazil |
|
|
|
|
|
|
|
|
|
|
|
1. |
|
Each Party shall:
- comply with its obligations under the Brazilian General Data Protection Law, nº 13.709 of 2018 (Lei Geral de Proteção de Dados Pessoais) (LGPD);
- shall keep a record of the personal data processing operations that it performs;
- appoint a data protection officer; and
- adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any form of improper or illegal treatment, including applicable minimum technical standards as laid down by the national authority.
|
|
|
|
|
2. |
|
To the extent that either Party transfers personal information from Brazil to the other Party located outside Brazil, the receiving Party will comply with the principles and the rights of the data subject and the regime of data protection provided under the LGPD. |