Skip to main content

Unfortunately we don't fully support your browser. If you have the option to, please upgrade to a newer version or use Mozilla Firefox, Microsoft Edge, Google Chrome, or Safari 14 or newer. If you are unable to, and need support, please send us your feedback.

Elsevier
Publish with us

U.S. Privacy Laws Addendum to Elsevier Data Processing Addendum

Last updated: October 1, 2024

California

A.   To the extent that Elsevier is processing on behalf of the Subscriber any personal information in scope of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (“CCPA”):

  1. Elsevier is prohibited from selling or sharing such personal information it collects pursuant to the Agreement;

  2. The specific business purpose for which Elsevier is processing personal information pursuant to the Agreement is to provide, manage, operate and secure the services under the Agreement, and the Subscriber is disclosing the personal information to Elsevier only for the limited and specified business purpose set forth in the Agreement;

  3. Elsevier is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by the CCPA;

  4. Elsevier is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any commercial purpose other than the business purposes specified in the Agreement, unless expressly permitted by the CCPA;

  5. Elsevier is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement outside the direct business relationship between Elsevier and the Subscriber, unless expressly permitted by the CCPA;

  6. Elsevier is required to comply with all applicable sections of the CCPA, including – with respect to the personal information that Elsevier collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the CCPA;

  7. Elsevier grants the Subscriber the right to take reasonable and appropriate steps to ensure that Elsevier uses the personal information that it collected pursuant to the Agreement in a manner consistent with the Subscriber’s obligations under the CCPA;

  8. Elsevier is required to notify the Subscriber after it makes a determination that it can no longer meet its obligations under the CCPA;

  9. Elsevier grants the Subscriber the right, upon notice, to take reasonable and appropriate steps to stop and remediate Elsevier’s unauthorized use of personal information; and

  10. Elsevier is required to enable the Subscriber to comply with consumer requests made pursuant to the CCPA or the Subscriber is required to inform Elsevier of any consumer request made pursuant to the CCPA that they must comply with and provide the necessary information to Elsevier to comply with the request.

B.   To the extent that the Subscriber sells to or shares with Elsevier any personal information in scope of the CCPA:

  1. The purposes for which such personal information is made available to Elsevier is to provide, manage, operate and secure the services under the Agreement subject to the Elsevier Privacy Policy;

  2. The Subscriber is making the personal information available to Elsevier only for the limited and specified purposes set forth in the Agreement, and Elsevier is required to use the personal information only for those limited and specified purposes;

  3. Elsevier is required to comply with applicable sections of the CCPA, including – with respect to the personal information that the Subscriber makes available to Elsevier – providing the same level of privacy protection as required of businesses by the CCPA;

  4. Elsevier grants the Subscriber the right – with respect to the personal information that the Subscriber makes available to Elsevier – to take reasonable and appropriate steps to ensure that Elsevier uses the personal information in a manner consistent with the Subscriber’s obligations under the CCPA;

  5. Elsevier grants the Subscriber the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to Elsevier; and

  6. Elsevier is required to notify the Subscriber after it makes a determination that it can no longer meet its obligations under the CCPA.

Colorado, Connecticut, Montana, Oregon, Texas, Utah and Virginia

A.   To the extent that Elsevier is processing on behalf of the Subscriber any personal data in scope of the Colorado Privacy Act, Connecticut Data Privacy Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act and/or Virginia Consumer Data Protection Act, Elsevier shall:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

  2. At the direction of the Subscriber, delete or return all personal data to the Subscriber as requested at the end of the provision of the services under the Agreement, unless retention of the personal data is required by law;

  3. Upon reasonable request of the Subscriber, make available to the Subscriber all information in its possession necessary to demonstrate its compliance with the obligations under the foregoing laws;

  4. Allow, and cooperate with, reasonable assessments by the Subscriber or its designated assessor; alternatively, Elsevier may arrange for a qualified and independent assessor to conduct an assessment of Elsevier’s policies and technical and organizational measures in support of the obligations under the foregoing laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Elsevier shall provide a report of such assessment to the Subscriber upon request; and

  5. Engage any subcontractor pursuant to a written contract in accordance with the foregoing laws that requires the subcontractor to meet the obligations of Elsevier with respect to the personal data;

and the parties shall, taking into account the context of the processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.