Elsevier Data Processing Addendum
Last updated: 1 January 2023
This Elsevier Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between the Elsevier entity (“Elsevier”) and subscriber, customer or other partner and any applicable affiliate (“Subscriber”) under which Elsevier provides certain services and in which this DPA is referenced.
1.1. “Data Protection Laws” means all privacy and data protection laws, rules, regulations, decrees, orders and other government requirements applicable to the processing of personal data under the Agreement.
1.2. The terms “controller,” “data subject”, “personal data”, “personal data breach”, “processing”, and “processor” will have the meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as ‘personal information’ instead of ‘personal data,’ they shall be read herein as the same.
2.1. The subject matter of processing is the personal data provided in respect of the services under the Agreement. The duration of the processing is the duration of the provision of the services under the Agreement until disposal of the personal data in accordance with the Agreement. The nature and purpose of the processing is in connection with the provision of the services under the Agreement. The types of personal data processed are those submitted by or at the direction of Subscriber as part of the services under the Agreement. The categories of data subjects are those whose personal data is submitted by or at the direction of Subscriber as part of the services under the Agreement.
2.2. The Agreement, including this DPA, along with Subscriber’s use and/or configuration of the services, are the Subscriber’s complete and final documented instructions to Elsevier for the processing of personal data. Additional or alternate instructions must be agreed upon separately by the parties.
3.1. Elsevier will implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Data Protection Laws, ensure the protection of the rights of the data subjects, and provide a standard of protection that is at least the same level of protection as is required under the Data Protection Laws.
3.2. To the extent that Elsevier is processing personal data on behalf of the Subscriber, Elsevier shall: 3.2.1. process the personal data only on documented instructions from the Subscriber, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law to which Elsevier is subject; in such a case, Elsevier shall inform the Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; 3.2.2. ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 3.2.3. take all security measures required pursuant to the Data Protection Laws; 3.2.4. respect the conditions referred to in paragraph 4 for engaging another processor; 3.2.5. taking into account the nature of the processing, assist the Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the data subject’s rights laid down in the Data Protection Laws; 3.2.6. assist the Subscriber in ensuring compliance with the obligations pursuant to the Data Protection Laws taking into account the nature of processing and the information available to Elsevier; 3.2.7. at the choice of the Subscriber, delete or return all the personal data to the Subscriber after the end of the provision of services relating to processing and delete existing copies unless applicable law requires storage of the personal data; 3.2.8. make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber; and immediately inform the Subscriber if, in its opinion, an instruction from the Subscriber to Elsevier infringes the Data Protection Laws.
4.1. To the extent that Elsevier is processing personal data on behalf of the Subscriber, Elsevier has the Subscriber’s general authorization to engage other processors for the processing of personal data in accordance with this DPA from Elsevier’s list of such processors at https://www.elsevier.com/legal/subprocessors which Elsevier may update from time to time. Elsevier shall inform the Subscriber of any intended changes by updating the list on its website at least fourteen (14) days in advance. The Subscriber may object to the change without penalty by notifying Elsevier within fourteen (14) days after the list is updated and describing its reasons to object. Elsevier shall use reasonable endeavors to avoid processing of personal data by such new processor to which the Subscriber reasonably objects.
4.2. Where Elsevier engages another processor for carrying out specific processing activities on behalf of the Subscriber, the same data protection obligations as set out in this DPA, in substance, shall be imposed on that other processor by way of a contract or other legal act under applicable law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Laws. Where that other processor fails to fulfil those data protection obligations, Elsevier shall (subject to the terms of the Agreement) remain fully liable to the Subscriber for the performance of that other processor's obligations.
5. Data Subject Rights
5.1. To the extent that Elsevier is processing personal data on behalf of the Subscriber, Elsevier shall, to the extent legally permitted, promptly notify the Subscriber of any data subject requests Elsevier receives, and the Subscriber authorizes Elsevier to redirect such requests to the Subscriber to respond directly.
5.2. To the extent legally permitted, the Subscriber shall be responsible for any reasonable costs arising from Elsevier providing assistance to the Subscriber in responding to such requests.
Elsevier shall ensure that, to the extent that any personal data originating from the Subscriber’s country is transferred by Elsevier to another country, such transfer shall be subject to appropriate safeguards in accordance with the Data Protection Laws.
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: 7.1.1. the pseudonymization and encryption of personal data; 7.1.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 7.1.3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and 7.1.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
7.2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
7.3. To the extent that Elsevier is processing personal data on behalf of the Subscriber, Elsevier shall take steps to ensure that any natural person acting under the authority of Elsevier who has access to such personal data does not process it except on instructions from the Subscriber, unless he or she is required to do so by applicable law.
8. Personal Data Breach
To the extent that Elsevier is processing personal data on behalf of the Subscriber, Elsevier shall notify the Subscriber without undue delay after becoming aware of a personal data breach and shall reasonably respond to the Subscriber’s requests for further information to assist the Subscriber in fulfilling its obligations under the Data Protection Laws.
9. Records of Processing Activities
Elsevier shall maintain all records required by the Data Protection Laws and, to the extent applicable to the processing of personal data on behalf of the Subscriber, make them available to the Subscriber as required.
Audits under paragraph 3.2.8 shall be (i) subject to the execution of appropriate confidentiality undertakings; (ii) conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon thirty (30) days written notice and having provided a plan for such review; and (iii) conducted at a mutually agreed upon time and in an agreed upon manner.
If there is any conflict or inconsistency between the terms of this DPA and the rest of the Agreement, the terms of this DPA shall control to the extent required by law. Otherwise, the Agreement shall control in the case of such conflict or inconsistency.
12. Jurisdiction-Specific Terms
To the extent that Elsevier is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed in the annex herein, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.
European Economic Area, United Kingdom and Switzerland
1. To the extent that the Subscriber transfers personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to Elsevier located outside the EEA, the UK or Switzerland, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at https://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby: 1.1. the Subscriber is the “data exporter” and Elsevier is the “data importer”; 1.2. the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted, and the applicable annexes are completed with the respective content of the Agreement, including the DPA; 1.3. to the extent that each party acts as a controller, Module One applies and Modules Two, Three and Four are omitted; 1.4. to the extent that the Subscriber acts as a controller and Elsevier acts as a processor, Module Two applies and Modules One, Three and Four are omitted, Clause 9(a) Option 1 is omitted and the time period in Option 2 is 14 days; 1.5. to the extent that each party acts as a processor, Module Three applies and Modules One, Two and Four are omitted, Clause 9(a) Option 1 is omitted and the time period in Option 2 is 14 days; 1.6. the “competent supervisory authority” is the supervisory authority in the Netherlands; 1.7. the Clauses are governed by the law of the Netherlands; 1.8. any dispute arising from the Clauses shall be resolved by the courts of the Netherlands; and 1.9. if there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.
2. In relation to transfers of personal data from the UK, the Clauses as implemented under section 1 above will apply subject to the following modifications: 2.1. the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”); 2.2. tables 1 to 3 in Part 1 of the UK Addendum are completed with the respective content of the Agreement, including the DPA; and 2.3. table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.
3. In relation to transfers of personal data from Switzerland, the Clauses as implemented under section 1 above will apply subject to the following modifications: 3.1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”); 3.2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP; 3.3. references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable; 3.4. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights; 3.5. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; 3.6. the Clauses are governed by the law of Switzerland; and 3.7. any dispute arising from the Clauses will be resolved by the courts of Switzerland.
To the extent that Elsevier is processing as an operator any personal information in scope of the South African Protection of Personal Information Act, No. 4 of 2013 (POPIA) for the Subscriber as responsible party, Elsevier will further establish and maintain the security measures referred to in section 19 of POPIA and will notify the Subscriber immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person.