LexisNexis Data Processing Addendum

1. SCOPE

1.1. This Data Processing Agreement ("DPA") applies to the processing of personal data by LexisNexis, a division of RELX Inc., (“LexisNexis”, “LN”, "we", "us", "our") on behalf of the customer ("you", "Customer") pursuant to an agreement between you and LN ("Agreement") under which we provide you certain services ("Services") and in which this DPA is referenced. This DPA is subject to the terms of the Agreement, and all capitalized terms used, but not defined herein shall have the meanings given them in the Agreement. This DPA does not apply where we are a controller of personal data.

2. PROCESSING

2.1. We will implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the relevant data protection laws and ensure the protection of the rights of the data subject and the standard of protection will be at least comparable to the protection required under the relevant data protection laws.

2.2. We will not engage another processor without your prior specific or general written authorization. In the case of general written authorization, we will inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes in the manner more specifically set forth herein.

2.3. Our processing will be governed by this DPA. In particular, we will:

  1. process the personal data only on your documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union, UK or Member State law to which we are subject; in such a case, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  2. ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. take all measures required pursuant to Article 32 of the General Data Protection Regulations (“GDPR”);
  4. respect the conditions referred to in paragraphs 2.2 and 2.4 for engaging another processor;
  5. taking into account the nature of the processing, assist you by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights listed in Chapter III of the GDPR;
  6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to us;
  7. at your choice, delete or return to you all the personal data after the end of the provision of services relating to processing and delete existing copies unless Union, UK or Member State law requires storage of the personal data;
  8. make available to you all information necessary to demonstrate compliance with the obligations listed in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor you mandate.

We will promptly inform you if, in our opinion, an instruction from you to us infringes the GDPR or other Union, UK or Member State data protection provisions.

2.4. Where we engage another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in this DPA will be imposed on that other processor by way of a contract or other legal act under Union, UK or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil those data protection obligations, we will (subject to the terms of this Agreement) remain fully liable to you for the performance of that other processor's obligations.

2.5. The subject matter of our processing is the personal data provided in respect of the Services under this Agreement. The duration of the processing is the duration of the provision of the Services under the Agreement. The nature and purpose of the processing is in connection with the provision of the Services under the Agreement. The types of personal data processed are names; contact details; government-issued identification; date of birth; place of birth; and other types of personal data submitted to the Services. The categories of data subjects are your representatives, users of the Services, and clients, prospects, suppliers, business partners and others whose personal data may be submitted to the Services.

2.6. The Agreement including this DPA, along with your use and configuration in the Services, are your complete and final documented instructions to us for the processing of personal data. Additional or alternate instructions must be agreed upon separately by the parties. We will ensure that our personnel engaged in the processing of personal data will process such data only on your documented instructions, unless required to do so by Union, UK, Member State or other applicable law.

2.7. Upon the expiration or termination of your use of the Services, we will delete or return personal data in accordance with the terms and timelines set forth in the Agreement, unless Union, UK, Member State or other applicable law requires continued storage of the personal data.

3. SUBPROCESSING

3.1. You hereby provide us general authorization to engage other processors for the processing of personal data in accordance with this DPA. We will maintain a list of such processors at http://www.lexisnexis.com/global/privacy/en/subprocessor-us.page, which we may update from time to time. At least 14 days before authorizing any new such processor to process personal data, we shall update the list on our website. You may object to the change without penalty by notifying us within 14 days after the website is updated and describing your reasons to object. Without prejudice to any applicable refund or termination rights you have under the Agreement, we shall use reasonable endeavors to avoid processing any personal data by such new processor to which you reasonably object.

4. DATA SUBJECT RIGHTS

4.1. We will, to the extent legally permitted, promptly notify you of any data subject requests we receive and reasonably cooperate with you to fulfil your obligations under the data protection laws in relation to such requests. You will be responsible for any reasonable costs arising from our providing assistance to you to fulfil such obligations.

5. TRANSFER

5.1. We will ensure that, to the extent that any personal data originating from the UK, Switzerland or European Economic Area ("EEA") is transferred to a country or territory outside the UK, Switzerland or EEA that has not received a binding adequacy decision by the European Commission or a competent national data protection authority, such transfer will be subject to appropriate safeguards in accordance with the data protection laws (including Article 46 of the GDPR).

6. SECURITY OF PROCESSING

6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymization and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

6.2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

6.3. The parties will take reasonable steps to ensure that any natural person acting under the authority of either party who has access to personal data does not process the data except on instructions from you, unless he or she is required to do so by Union, UK or Member State law.

7. PERSONAL DATA BREACH

7.1. We will notify you without undue delay after becoming aware of a personal data breach and will reasonably respond to your requests for further information to assist you in fulfilling your obligations under the data protection laws (including Articles 33 and 34 of the GDPR as applicable).

8. RECORDS OF PROCESSING ACTIVITIES

8.1. We will maintain all records required by the data protection laws (including Article 30(2) of the GDPR as applicable) and, to the extent applicable to the processing of personal data on your behalf, make them available to you as required.

9. AUDIT

9.1. Audits shall be:

  1. subject to the execution of appropriate confidentiality or non-disclosure agreements;
  2. conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon thirty (30) days’ prior written notice and having provided a plan for such review; and c) conducted at a mutually agreed upon time, place and manner.

10. CONFLICT

10.1. If there is any conflict or inconsistency between the terms of this DPA and the Agreement, the terms of this DPA shall control to the extent required by law.