Elsevier Data Processing Addendum

  1. Definitions
    1. The terms “data subject”, “personal data”, “personal data breach”, “processing”, and “processor” will have the meanings ascribed to them in the Data Protection Laws, and where the relevant Data Protection Laws use the term ‘personal information’, it shall be read as personal data.
    2. “Data Protection Laws” means all privacy and data protection laws and regulations, including the GDPR and those of the European Union (“Union”), the United Kingdom (“UK”) and Switzerland, applicable to the processing of personal data under the applicable Elsevier services agreement (“Agreement”).
    3. “DPA” means this Elsevier Data Processing Addendum.
    4. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. Scope

    This DPA applies to the processing of personal data within the scope of the Data Protection Laws by Elsevier on behalf of the Subscriber under the Agreement.

  3. Processing
    1. Elsevier will implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject and the standard of protection will be at least comparable to the protection required under the relevant Data Protection Laws.
    2. Elsevier shall not engage another processor without prior specific or general written authorization of the Subscriber. In the case of general written authorization, Elsevier shall inform the Subscriber of any intended changes concerning the addition or replacement of other processors, thereby giving the Subscriber the opportunity to object to such changes.
    3. Processing by Elsevier shall be governed by this DPA. In particular, Elsevier shall:

      (a) process the personal data only on documented instructions from the Subscriber, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by UK, Union or Member State law to which Elsevier is subject; in such a case, Elsevier shall inform the Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

      (b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

      (c) take all measures required pursuant to Article 32 of the GDPR;

      (d) respect the conditions referred to in paragraphs 2 and 4 in this clause C for engaging another processor;

      (e) taking into account the nature of the processing, assist the Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;

      (f) assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Elsevier;

      (g) at the choice of the Subscriber, delete or return all the personal data to the Subscriber after the end of the provision of services relating to processing and delete existing copies unless UK, Union or Member State law requires storage of the personal data;

      (h) make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber.

      Elsevier shall immediately inform the Subscriber if, in its opinion, an instruction from the Subscriber to Elsevier infringes the GDPR or other UK, Union or Member State data protection provisions.

    4. Where Elsevier engages another processor for carrying out specific processing activities on behalf of the Subscriber, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract or other legal act under UK, Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil those data protection obligations, Elsevier shall (subject to the terms of the Agreement) remain fully liable to the Subscriber for the performance of that other processor's obligations.
    5. The subject-matter of processing is the personal data provided by the Subscriber to Elsevier under the Agreement. The duration of the processing is the duration of Elsevier’s provision of the services to the Subscriber under the Agreement. The nature and purpose of the processing is in connection with Elsevier’s provision of the services to the Subscriber under the Agreement. Elsevier is prohibited from retaining, using or disclosing the personal data for any purpose other than for the specific purpose of performing the services under the Agreement, or as otherwise permitted by applicable law, including retaining, using or disclosing the personal data for a commercial purpose other than providing such services. The types of personal data processed and categories of data subjects are described in the Agreement.
    6. The Agreement including this DPA are the Subscriber’s complete and final documented instructions to Elsevier for the processing of personal data. Additional or alternate instructions must be agreed upon separately by the parties in writing. Elsevier will ensure that its personnel engaged in the processing of personal data will process personal data only on documented instructions from the Subscriber, unless required to do so by UK, Union, Member State or other applicable law.
    7. On expiration or termination of the Agreement and conclusion of the services provided by Elsevier to the Subscriber, Elsevier shall delete or return personal data in accordance with the terms and timelines set forth in the Agreement, unless UK, Union, Member State or other applicable law requires storage of the personal data.
  4. Subprocessors

    Elsevier may engage other processors for the processing of personal data in accordance with this DPA. Elsevier shall maintain a list of such processors at https://www.elsevier.com/legal/subprocessors which Elsevier may update from time to time. At least fourteen (14) days before authorizing any new such processor to process personal data, Elsevier shall update the list on its website. The Subscriber may object to the change without penalty by notifying Elsevier within fourteen (14) days after the website is updated and describing its reasons to object. Elsevier shall use reasonable endeavors to avoid processing of personal data by such new processor to which the Subscriber reasonably objects.

  5. Data Subject Rights

    Elsevier shall, to the extent legally permitted, promptly notify the Subscriber of any data subject requests Elsevier receives and reasonably cooperate with the Subscriber to fulfil its obligations under the Data Protection Laws in relation to such requests. The Subscriber shall be responsible for any reasonable costs arising from Elsevier providing assistance to the Subscriber to fulfil such obligations.

  6. Transfer

    Elsevier shall ensure that, to the extent that any personal data originating from the European Economic Area (“EEA”), UK or Switzerland is transferred by Elsevier to another processor in a country or territory outside the EEA or Switzerland that has not received a binding adequacy decision by the European Commission or competent national data protection authority, such transfer shall be subject to appropriate safeguards in accordance with the Data Protection Laws (including Article 46 of the GDPR).

  7. Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

      (a) the pseudonymization and encryption of personal data;

      (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

      (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

      (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

    2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
    3. The parties shall take steps to ensure that any natural person acting under the authority of either party who has access to personal data does not process them except on instructions from the Subscriber, unless he or she is required to do so by UK, Union or Member State law.
  8. Personal Data Breach

    Elsevier shall notify the Subscriber without undue delay after becoming aware of a personal data breach and shall reasonably respond to the Subscriber’s requests for further information to assist the Subscriber in fulfilling its obligations under the Data Protection Laws (including Articles 33 and 34 of the GDPR as applicable).

  9. Records of Processing Activities

    To the extent applicable to the processing of personal data on behalf of the Subscriber, Elsevier shall maintain all records required by Article 30(2) of the GDPR and make them available to the Subscriber as required.

  10. Audit

    Audits shall be (i) subject to the execution of appropriate confidentiality undertakings; (ii) conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon thirty (30) days written notice and having provided a plan for such review; and (iii) conducted at a mutually agreed upon time and in an agreed upon manner.

  11. Conflict

    If there is any conflict or inconsistency between the terms of this DPA and the rest of the Agreement, the terms of this DPA shall control to the extent required by law. Otherwise, the Agreement shall control in the case of such conflict or inconsistency.