9 March 2018
Mr Terence Larkin
Thomson Reuters
5 Canada Square
Canary Wharf
London
E14
ATTENTION OF LEGAL DEPARTMENT OR GENERAL COUNSEL
Dear Valued Customer
New Contractual Commitments for the General Data Protection Regulation
As a provider of trusted answers to you, Thomson Reuters is strongly committed to maintaining the highest standards in privacy and compliance.
By now you will be well aware of the significance of the European Union’s General Data Protection Regulation (GDPR). We welcome the additional protections it provides to individuals and are committed to complying with its principles.
New Commitments
To make sure that you and your group companies can use Thomson Reuters products and services in compliance with the GDPR, we have enclosed new contractual commitments. These supplementary provisions are an addition to the existing contract(s) under which we provide you with products and services. These commitments include those required from data processors under Article 28 of the GDPR.
Through your continued use of our products and services, you confirm your agreement to these commitments being added to your contract(s). Please keep a copy of this letter safe for your records.
Processing Information
Between now and the date on which the GDPR takes effect (25 May 2018), we will be updating our product information at www.tr.com/privacy-information to provide more information about how personal data is processed within our products and services.
In the meantime, if you have any questions about this letter, please email us at GDPRenquiries@thomsonreuters.com. For matters not related to the contents of this letter please contact your account manager.
Yours sincerely
Thomson Reuters
GDPRenquiries@thomsonreuters.com
New Contractual Commitments for the General Data Protection Regulation
Either you and/or your affiliates, including subsidiaries and holding companies (collectively, “you” and “your”), receive services and products from one or more members of the Thomson Reuters group of companies (“Thomson Reuters”, “we” and “our”). From 25 May 2018, the terms set out below will come into force between you and Thomson Reuters to coincide with the taking effect of the General Data Protection Regulation (2016/679) (“GDPR”).
1. You and we will each comply with the GDPR and any other similar national privacy legislation (collectively the “Data Protection Legislation”) applicable to any personal data processed as part of the products and services you receive from us or otherwise in connection with those products and services (the “Personal Data”). We may process the Personal Data in connection with the provision and administration of the products or services and as permitted or in accordance with law.
2. Where we process personal data made available by you to us in relation to the products and services we provide (“Supplied Personal Data”) as your Processor (as defined in the Data Protection Legislation):
a) the subject matter, nature, purpose and duration of our Supplied Personal Data processing (as well as information on the types of Personal Data processed and categories of data subjects) is set out in product information provided to you from time to time in respect of our services and products at www.tr.com/privacy-information;
b) we will only process the Supplied Personal Data on your documented instructions unless we are required to process it for other purposes by EU law (in which case we will give prior notice of that requirement unless the relevant law prohibits the giving of notice);
c) we will comply with the express obligations of a Processor under Articles 28(3)(b) to 28(3)(h) of the GDPR. However, you may not instruct us to delete copies of data that we hold as Controller (as defined in the Data Protection Legislation);
d) you generally authorise us to engage further Processors to process Supplied Personal Data. A list of those further Processors is available at www.tr.com/privacy-information. We will update this list in advance of making any change. If you reasonably object to a change, at our option we will either: (i) give you an opportunity to pay for a version of the relevant product or service without use of the Processor to which you object; or (ii) terminate the provision of the affected product or service to you;
e) you will tell us if you require any assistance pursuant to Articles 28(3)(a) to 28(3)(h) of the GDPR inclusive. We and you will agree the scope, method, timing and reasonable fees chargeable by Thomson Reuters for such assistance; and
f) in fulfilment of our obligation to demonstrate compliance with this paragraph, we will make available to you information on our processing of your Supplied Personal Data (including, at our discretion, certificates, third party audit reports or other relevant information).
3. Where we process Personal Data as Controller:
a) you will bring to the attention of any individuals that you make our products and services available to (or that you ask us to deal with or carry out research on) any privacy notices we make available for those products and services;
b) you continue to act as Controller in respect of any Personal Data you choose to record or otherwise process as a result of your receipt and use of the services; and
c) only in very limited circumstances might you and we be considered to be joint Controllers, and where this is the case, our respective responsibilities will be clearly set out in product information.
4. We may transfer Supplied Personal Data outside of the EEA where we are permitted to do so for that transfer under Articles 44 to 49 of the GDPR.
5. You confirm that any Supplied Personal Data provided to us by you or on your behalf has been collected and disclosed in accordance with Data Protection Legislation. When using our products and services, you will take reasonable steps to ensure that you and your employees, agents and contractors do not input, upload or disclose to us any irrelevant or unnecessary information about individuals.
6. You and we will each maintain, and will require your and our Processors (respectively) to maintain, appropriate physical, technical and organisational measures to protect Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access (“Data Breach”). You will, without undue delay, tell us of any actual or suspected non-trivial Data Breach relating to Personal Data that may also impact us or the security of our systems, products or services. Where we act as your Processor, we will notify you, without undue delay, of any non-trivial Data Breach that may adversely affect the Supplied Personal Data.