Middle East and Africa Addendum

Last updated: 7 January 2025

Saudi Arabia

To the extent that either party transfers personal data from the Kingdom of Saudi Arabia (“KSA”) to the other party located outside the KSA, unless the parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the parties will be deemed to have entered into the Standard Contractual Clauses for Personal Data Transfer approved by the Saudi Data & Artificial Intelligence Authority available at https://sdaia.gov.sa/Documents/StandardContractualClausesForPersonalDataTransferEN.pdf 打開新的分頁／視窗 (“KSA SCC”) in respect of such transfer, whereby:

the receiving party is the “Personal Data Importer” and the other party is the “Personal Data Exporter”;

to the extent that each party acts as a Controller, the First Template applies and the Second, Third and Fourth Templates are omitted;

to the extent that Subscriber acts as a Controller and Elsevier acts as a Processor, the Second Template applies and the First, Third and Fourth Templates are omitted;

to the extent that each party acts as a Processor, the Third Template applies and the First, Second and Fourth Templates are omitted; and

if there is any conflict between the terms of the Agreement and the KSA SCC, the KSA SCC will prevail.

South Africa

To the extent that Elsevier is processing as an operator any personal information in scope of the South African Protection of Personal Information Act, No. 4 of 2013 (POPIA) for Subscriber as responsible party, Elsevier will further establish and maintain the security measures referred to in section 19 of POPIA and will notify Subscriber immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person.