This Data Processing Protocol (the “Protocol”) explains how Willis Towers Watson handles personal data on behalf of its clients, customers or licensees (“Client”).
The Protocol forms part of any agreement in place between Willis Towers Watson and Client which expressly refers to it (the “Agreement”). Where this Protocol uses terms which are defined in the General Data Protection Regulation (Regulation (EU) 2016/679) (the “Regulation”), then the definitions set out in that Regulation shall apply.
With respect to personal data processed by Willis Towers Watson on Client’s behalf (see Annex 1), Willis Towers Watson will comply with the following requirements:
Limitations on Use. Willis Towers Watson will process personal data only to deliver the relevant service, as instructed in writing by Client from time to time, or as otherwise required by law.
Confidentiality. Willis Towers Watson will hold personal data in confidence and require Willis Towers Watson personnel who will process personal data to protect all personal data in accordance with the requirements of this Protocol.
Information Security Program. Willis Towers Watson will maintain a written information security program that contains appropriate administrative, technical and physical safeguards to protect personal data against anticipated threats or hazards to its security, confidentiality or integrity.
Assistance. Willis Towers Watson will:
i. Taking into account the nature of the processing and in so far as is possible, implement technical and organizational measures to assist Client in fulfilling its obligation to respond to any requests from individuals exercising their rights under Chapter III of the Regulation;
ii. Taking into account the nature of the processing and the information available to Willis Towers Watson, assist Client in complying with Client's obligations to implement appropriate security measures, to notify personal data breaches to supervisory authorities and to individuals and to conduct data protection impact assessments and consult with supervisory authorities in relation to data protection impact assessments where required; and
iii. Make available to Client all information which Client reasonably requests to assist Client in demonstrating that the obligations set out in Article 28 of the Regulation relating to the appointment of processors have been met, and allow for and contribute to audits conducted by Client or another auditor nominated by Client.
Willis Towers Watson may charge a reasonable fee for all such assistance described above, save where assistance was required directly as a result of Willis Towers Watson's own acts or omissions, in which case such assistance will be at Willis Towers Watson's expense. Client shall provide Willis Towers Watson with thirty (30) days' advance notice of any audit request; may not engage in an audit which would compromise confidentiality obligations to any other clients and customers of Willis Towers Watson; and, if it wishes to nominate another auditor to undertake the audit, shall ensure that the auditor enters into a confidentiality agreement with Willis Towers Watson in such form as Willis Towers Watson shall reasonably require.
Security Incident. Willis Towers Watson will without undue delay notify Client whenever Willis Towers Watson reasonably believes that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Willis Towers Watson in the context of this Protocol ("Security Incident"). After providing notice, Willis Towers Watson will investigate the Security Incident, take necessary steps to eliminate or contain the impact of the Security Incident and keep Client advised of the status of the Security Incident and all related matters.
Return or Disposal. Client may instruct Willis Towers Watson to delete or return personal data at the end of the period during which Willis Towers Watson will process such Client personal data, as specified in Annex 1.
Client understands that Willis Towers Watson may use sub processors to provide the services under the Agreement. These will be listed and agreed in the specific Agreement Client has entered into with Willis Towers Watson if applicable. Willis Towers Watson shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such sub processors are at least as restrictive as this Protocol. Willis Towers Watson may change or add sub processors from time to time upon giving reasonable notice in writing to Client so that Client may express an objection, on reasonable grounds, to the proposed change.
Anonymized and Pseudonymised Data
Client acknowledges that the services include pseudonymisation and anonymization for the purpose of aggregate reporting and (trends) research, and agrees that Willis Towers Watson may use pseudonymised and anonymized data for its own business purposes, and Willis Towers Watson will comply with all applicable data protection laws in respect of such processing.
Client confirms that Willis Towers Watson may transfer personal data to its affiliates and sub processors inside and outside the European Economic Area (EEA) for purposes of support and back-up. Willis Towers Watson has established safeguards to protect personal data transferred to countries outside the EEA, including appropriate contractual protections.
Annex 1 - Description of processing of personal data
1. Subject Matter, Nature and Purpose
All processing activities (including the collection, organization and analysis of personal data) as are reasonably required to facilitate or support the provision of the services described under the Agreement.
2. Duration of processing of personal data
Willis Towers Watson will process the personal data for as long as it provides services to Client and will hold the personal data in archive after that date to the extent necessary for legitimate business purposes.
3. Categories of individuals:
The data subjects may include individuals named in any policy or scheme in respect of which Willis Towers Watson is engaged to provide its services and/or individuals that are beneficiaries of, or have made claims under, or are otherwise involved in, any such policy or scheme. Most commonly the data subjects will include: (1) employees, contractors or other workers of the Client ("Workers") and/or their family members, representatives or others connected with Workers; (2) past, existing or prospective clients of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them; and/or (3) past, existing or prospective complainants or claimants in connection with any insurance policy, and/or their family members, representatives or others connected with them.
4. Types of personal data:
The services under the Agreement may involve the processing of the following types of personal data:
- names and contact information;
- demographic information (such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, employment details, hobbies, family composition, and dependents);
- personal identification documentation and related information such as passport numbers and employee identification numbers;
- financial and payment data such as bank account numbers and transaction information;
- information related to the provision of the services, such as policy information and claims information, including information relating to incidents giving rise to claims and related losses;
- records of communications and CCTV footage; and
- human resources data, such as job title and role; benefits and compensation information; dependent/beneficiary information; educational, academic and professional qualifications information; emergency contact information; and performance management information.
5. Types of special categories of data referred to in Article 9 of the Regulation:
The personal data processed by Willis Towers Watson may include the following special categories of personal data: personal characteristics and circumstances of sensitive nature such as racial or ethnic origin, sex life, mental and physical health, genetic information, details of injuries, medication/treatment received, political or religious beliefs, labour union affiliation, and criminal records, fines and other like judicial records.