IHS Markit Policy for the Processing of Data Governed by the GDPR
In connection with the services offered by IHS Markit Group Holdings Limited and its affiliates (“IHS Markit”), IHS Markit may collect, process or handle Personal Data relating to individuals in the European Economic Area (the “Personal Data”) on behalf of its customers and its affiliates, where applicable (“customer”).
Although IHS Markit’s relationship with its customers is typically governed by general terms and conditions and/or a master agreement, which includes order forms, schedules and addenda (the “Agreement”), IHS Markit is also legally bound under the EU General Data Protection Regulation 2016/679 (the “GDPR”) concerning the manner in which it collects, uses, and processes Personal Data. This Policy describes IHS Markit’s commitment to the processing of Personal Data under the GDPR.
If the European Economic Area (“EEA”) member state law applicable to a specific IHS Markit customer requires that this Policy be appended to the Agreement, then, IHS Markit will execute a version of this Policy upon written request. Please contact your usual account representative or IHS Markit at firstname.lastname@example.org if you would like an executed version of this Policy.
1. Appropriate Technical and Organizational Measures. When IHS Markit processes Personal Data on behalf of a customer, IHS Markit implements appropriate technical and organizational measures to satisfy the requirements of the GDPR, to ensure the level of security of Personal Data is appropriate to the level of risk, and to help ensure the protection of the rights of the data subject.
2. Subprocessing. Customers may provide IHS Markit specific or general written authorisation to utilize subprocessors. IHS Markit requires that each of its subprocessors that may have access to Personal Data through IHS Markit agrees to provide at least the same level of protection as is described in this Policy. To the extent required by law, IHS Markit remains liable to its customers for any actions by its subprocessors that impact any rights guaranteed under the GDPR. If you would like further information about the service providers that we use from time to time to subprocess Personal Data, please contact IHS Markit at email@example.com.
4. Transfers to non-EEA Countries. In connection with certain of its products and services, IHS Markit confirms that Personal Data may be transmitted outside of the EEA. However, IHS Markit will only transfer Personal Data provided it has a legal basis to do so under the GDPR, such as by offering to customers the Controller-Processor Standard Contractual Clauses or where it abides by the EU-U.S. Privacy Shield framework. IHS Markit can provide customers a list of the countries to which Personal Data related to IHS Markit’s relevant products or services may be transmitted, as well as the Controller-Processor Standard. Contractual Clauses that govern such products or services, upon request to IHS Markit at firstname.lastname@example.org. For Controller-Processor Standard Contractual Clauses that will be applicable if the United Kingdom should exit the European Union in a “no deal” scenario and that are available online for signing and returning to IHS Markit at email@example.com in order to be effective, please click here.
5. Confidentiality. IHS Markit requires that the people it authorizes to process Personal Data are under appropriate obligations of confidentiality.
6. Cooperation Concerning Data Subjects. IHS Markit cooperates with the reasonable requests of its customers (at the customer’s reasonable expense) to help them fulfill their obligations under the GDPR to respond to requests by data subjects to access, modify, rectify, or remove their Personal Data.
7. Cooperation Concerning Customer Documentation. IHS Markit cooperates with the reasonable requests of its customers to provide information necessary to demonstrate compliance with this Policy and the GDPR or to conduct audits of the Personal Data held by IHS Markit that was received from the customer. IHS Markit will typically agree to such audits on the following basis: (a) audits may only occur once per calendar year and during normal business hours, and only after reasonable notice to IHS Markit (not less than 30 business days); (b) audits will be conducted by customer or an appropriate independent auditor appointed by customer (not being a competitor of IHS Markit) to conduct audits, in a manner that does not have any adverse impact on IHS Markit’s normal business operations; (c) customer and/or its representatives will comply with IHS Markit’s standard safety, confidentiality and security procedures in conducting any such audits and shall not have access to any proprietary or third party information or data; and (d) any records, data or information accessed by the Company and/or its representatives in the performance of any such audit will be deemed to be the confidential information of IHS Markit, as applicable, and may be used for no other reason than to assess IHS Markit’s compliance with the terms of this Policy (in connection with the foregoing, IHS Markit may require Customer and and/or its representatives to enter into a customary confidentiality agreement prior to any such audit); (e) to the extent any such audit incurs or is reasonably likely to incur in excess of 10 hours of IHS Markit personnel time, IHS Markit shall be entitled to charge Customer USD500 per hour for any such excess hours.
8. Personal Data Breach. In the event of a Personal Data breach under the GDPR, IHS Markit will notify its applicable customers without undue delay after becoming aware of the breach. Such notification(s) may be delivered to an email address provided by Customer or, at IHS Markit’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is responsible for ensuring that any email address provided by Customer is current and valid. IHS Markit will take reasonable steps to provide its customers with information that they may reasonably require to comply with their obligations to notify impacted data subjects or supervisory authorities.
9. Deletion of Data; Termination and Variation. At the termination of a customer’s relationship with IHS Markit, IHS Markit will delete or return all Personal Data to our customer, unless IHS Markit is permitted to retain it or is otherwise required to retain it by applicable laws, regulations or bona fide audit and compliance policies. IHS Markit reserves the right to charge a reasonable fee to comply with any customer’s request to return Personal Data. This Policy shall not be effective until May 25, 2018 and will remain in effect until, and automatically expire upon, deletion of all Personal Data by IHS Markit. IHS Markit reserves the right to reasonably amend and update this Policy from time to time. IHS Markit will give no less than 30 days’ notice of any such changes, which shall be included on the IHS Markit website.
10. Governing Law. This Policy shall be governed by the governing law (and subject to the jurisdiction(s)) of the relevant Agreement and otherwise subject to the limitations and remedies expressly set out in the Agreement.
If you have any queries about this Policy please contact your usual account representative or IHS Markit at firstname.lastname@example.org.