Last Updated: July 2022
Willis Towers Watson operates worldwide through subsidiary and affiliate companies. We are committed to privacy and to transparency in our information practices. In this privacy notice, we describe our collection, use, disclosure and processing of personal information that we collect online via our websites, as well as related to our products and services.
Overview of Our Collection and Use of Personal Information
|Categories of personal information we collect|
|Name, contact information and other identifiers: identifiers such as a real name, alias, address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.|
|Customer records: paper and electronic customer records containing personal information, such as name, signature, physical characteristics or description, address, telephone number, education, current employment, employment history, social security number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial or payment information, medical information, or health insurance information.|
|Protected classifications: characteristics of protected classifications under California or federal law such as race, color, sex, age, religion, national origin, disability, citizenship status, and genetic information.|
|Commercial Information: including records of real property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.|
|Usage data: internet or other electronic network activity Information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.|
|Geolocation data: precise geographic location information about a particular individual or device.|
|Biometric information: physiological, biological or behavioral characteristics that can be used alone or in combination with each other to establish individual identity, including DNA, imagery of the iris, retina, fingerprint, faceprint, hand, palm, vein patterns, and voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. (to the extent permitted and subject to applicable laws)|
|Audio, video and other electronic data: audio, electronic, visual, thermal, olfactory, or similar information such as, CCTV footage, photographs, and call recordings.|
|Employment history: professional or employment-related information.|
|Education information: education information and records.|
|Profiles and inferences: Inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.|
|How we use personal information|
|Providing support and services and operating our websites|
|Analyzing and improving our business|
|Personalizing content and experiences|
|Advertising, marketing and promotional purposes|
|Securing and protecting our business|
|Defending our legal rights|
|Auditing, reporting, corporate governance, and internal operations|
|Complying with legal obligations|
Individual rights. Please see the Individual Rights and Choices section below for a description of the choices we provide and the rights you have regarding your personal information. If you are a California resident, please be sure to review the section Additional information for California Residents below for important information about the categories of personal information we collect and disclose and your rights under California privacy laws.
This privacy notice describes, generally, how Willis Towers Watson, in our capacity as a “controller” or a “business” or a “responsible party” under applicable laws, handles and processes personal information related to:
- your engagement with our websites, marketing communications and associated services that link to this privacy notice, including www.wtwco.com (the “Homepage”) and other websites controlled by Willis Towers Watson (collectively, the “Websites”)
- our former, current and prospective clients
- individuals who communicate with us
- individuals who use our products and services (“Services”) and individuals whose personal information we receive in providing the Services
Our collection, use and disclosure and processing of personal information about individuals will vary depending upon the circumstances. This privacy notice is intended to describe our overall privacy and data protection practices. In some cases, different or additional notices about our data collection and processing practices may be provided and apply to our processing of certain personal information.
Personal information. In this privacy notice, our use of the term “personal information” includes other similar terms under applicable privacy laws—such as “personal data” and “personally identifiable information.” In general, personal information includes any information that identifies, relates to, describes, or is reasonably capable of being associated, linked, or linkable with a particular individual.
In South Africa only, “personal information” also includes information of juristic persons, the most common example being a company.
Not covered by this notice. This privacy notice does not apply to job applicants and candidates who apply for employment with us through our job application portal or to our employees and non-employee workers whose personal information is subject to different privacy notices which are provided to such individuals in the context of their employment or working relationship with a Willis Towers Watson group entity.
2. Controller and Responsible Willis Towers Watson Group Entities
When providing Services to clients, Willis Towers Watson may act as a “service provider” or “processor” or “operator” under applicable privacy and data protection laws. This means that we may receive or collect your personal information from or on behalf of our client. In this scenario, we will only process personal information on behalf of and subject to the instructions of our clients (who, from a privacy law perspective, are “controllers” or “businesses” or “responsible parties” with respect to the personal information we process on their behalf). In some cases, where we are acting as a “service provider” or “processor” or “operator,” our clients’ privacy notices (and not this one) will apply to and control the processing of personal information. If you have any questions which privacy notice may apply, please contact us as at email@example.com.
Where we act in our capacity as a controller or business or responsible party with respect to personal information, for the purposes of the GDPR and other relevant applicable laws, including but not limited to the Cayman Islands Data Protection Law (“DPL”), this privacy notice will apply, as explained below. Furthermore, Willis Towers Watson plc is the controller unless the processing is controlled by another Willis Towers Watson entity.
Services and other activities. With respect to our Services and other business activities, in general, the Willis Towers Watson group company with whom you engage is the controller for your personal information, together with Willis Towers Watson plc, the parent company for the Willis Towers Watson group.
3. Cross-border Transfer
Willis Towers Watson is a global company and the data that we collect from you may be transferred to, accessed, processed or stored in, and subject to requests from law enforcement in, jurisdictions outside of your home jurisdiction, including the United States, India, Bermuda, the European Union and other jurisdictions, in which we or our service providers operate. Some of these jurisdictions, including the United States, may not provide equivalent levels of data protection as your home jurisdiction. We have established safeguards to protect personal information that is transferred to other countries, including appropriate contractual protections. For more information on the appropriate safeguards in place, please contact us using the details below.
4. Personal Information Collected
We collect personal information directly from individuals, automatically related to the use of the Services and engagement with our marketing and Websites, and in some cases, from third parties (such as social networks, platform providers, payment processors, and operators of certain third-party services that we use). Generally, we collect your personal information on a voluntary basis. However, if you decline to provide certain personal information that is marked mandatory, you may not be able to access certain services or we may be unable to fully respond to your inquiry.
The personal information that we collect and process will vary depending upon the circumstances. For example, the personal information we may collect through our Websites includes:
- your name, postal address, email address, phone number, occupation and other contact information
- information regarding your interactions with us and related to your use of our Websites and Services
- interests you have in relation to our Services or our practice areas
- information you may voluntarily submit to us by completing any form on our Websites
- information about your usage of our Websites and Services
We may also collect additional personal information in providing our Services, operating our business, and interacting with individuals in the course of our business, which may at times include “sensitive" information (otherwise known as “special categories of personal information” under the GDPR, such as health records or criminal conviction data, and known as “sensitive personal data” under the DPL such as physical or mental health or condition, medical data, commission, or alleged commission of an offense; any proceedings for an offense committed, or alleged to have been committed. Where required by law, we will provide specific data processing information to you regarding how we may process that data and what rights you may have regarding such processing.
For South Africa only:
- when you interact with us because you are receiving our Services, we will collect your name, postal address, email address, phone number, occupation and other contact information and the company name and address and phone number of the company you work for so that we can do business with you.
In respect of our corporate risk and broking services and our actuarial valuation services, where we are a responsible party, we refer you to our separate privacy notices governing the provision of these Services available on our website: Privacy Notice for Clients (insurance and reinsurance services) and Valuation Services Privacy Notice (Valuator and actuarial valuation services).
- when you interact with us through our Websites, we collect personal information you may voluntarily submit to us by completing any form on our Websites and information about your usage of our Websites.
Categories of sources of personal information. We may collect personal information directly from you, as well as automatically related to your use of Services and engagement with our marketing and our Websites and other services, as well as from third parties. For example, we collect personal information:
- from you, either directly (i.e., through information you submit to us, including via forms that you may complete and submit through our Websites) or indirectly (i.e., by observing your actions on our Websites or whether you engage with email communications);
- from the content of surveys that you may complete;
- from 'cookies' and other similar tools deployed on parts of our Websites (for further information regarding cookies used on our Websites, please see Section 7 below) or within our emails and newsletters
- from our clients in connection with us providing professional services to them
- from data analytics providers
- from government entities
- from service providers (i.e., companies who are assisting us in fulfilling our contracts and carrying out our business, such as to perform mailings or to provide customer service)
- from other sources, such as public databases, joint marketing partners, social media platforms (including from people with whom you are friends or otherwise connected) and from other third parties.
Categories of personal information we collect. While the personal information we collect varies—as explained above—depending upon the nature of the services provided or used and our interactions with individuals, we may collect the following categories of personal information (subject to applicable legal requirements and restrictions):
- Name, contact information and other identifiers: identifiers such as a real name, alias, address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers including company names and addresses where this is personal information in your country.
- Customer records: paper and electronic customer records containing personal information, such as name, signature, physical characteristics or description, address, telephone number, education, current employment, employment history, social security number, tax ID, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial or payment information, medical information, or health insurance information.
- Protected classifications: characteristics of protected classifications under California or federal law such as race, color, sex, age, religion, national origin, disability, citizenship status, and genetic information.
- Commercial Information: including records of real property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.
- Usage data: internet or other electronic network activity Information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
- Geolocation data: precise geographic location information about a particular individual or device.
- Biometric information: physiological, biological or behavioral characteristics that can be used alone or in combination with each other to establish individual identity, including DNA, imagery of the iris, retina, fingerprint, faceprint, hand, palm, vein patterns, and voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information (to the extent permitted and subject to applicable laws).
- Audio, video and other electronic data: audio, electronic, visual, thermal, olfactory, or similar information such as, CCTV footage, photographs, and call recordings.
- Employment history: professional or employment-related information.
- Education information: education information and records.
- Profiles and inferences: Inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.
5. Purposes and Legal Bases for Processing Personal Information
Certain laws, including the GDPR, require that we inform you of the legal bases for our processing of your personal information. Pursuant to the GDPR (and other relevant laws), we process personal information for the following legal bases:
- Performance of contract: to perform contracts that you may have with us (for example if you use our Services)
- Compliance with laws: to comply with our legal obligations
- Our legitimate business interests: in furtherance of our legitimate business interests including:
- to facilitate your participation in interactive features you may choose to use on our Websites and personalize your experience on the Websites by presenting content tailored to you
- to correspond with you, notify you of events or changes to our services, or otherwise respond to your queries and requests for information, which may include marketing to you
- for the purposes of providing professional services to you via Willis Towers Watson applications; such services will be subject to additional terms and conditions of use including privacy
- for data analysis, audits, fraud monitoring and prevention, and developing new products, enhancing, improving or modifying our Websites, identifying usage trends, determining the effectiveness of our promotional campaigns and operating and expanding our business activities
- to protect and defend our legal rights and interests and those of third parties
- With your consent: Where applicable laws require that we obtain your consent to collect and process your personal information, we will obtain your consent accordingly. When we obtain your consent, the GDPR (where it applies) and other applicable laws give you the right to withdraw your consent. You can do this at any time by contacting us using the details at the end of this privacy notice. In some jurisdictions, your use of the Websites may be taken as implied consent to the collection and processing of personal information as outlined in this privacy notice.
- Medical purposes: The processing is necessary for medical purposes (applicable to Cayman Islands DPL).
Purposes for using personal information. While the purposes for which we may process personal information will vary depending upon the circumstances, in general we use personal information for the purposes set forth below. Where GDPR or other relevant laws apply, we have set forth the legal bases for such processing (see above for further explanation of our legal bases) in parenthesis.
- Providing support and services: including to provide our Services, operate our Websites, applications and online services; to communicate with you about your access to and use of our Services; to respond to your inquiries; to provide troubleshooting, fulfill your orders and requests, process your payments and provide technical support; and for other customer service and support purposes. (Legal basis: performance of our contract with you; and our legitimate interests)
- Analyzing and improving our business: including to better understand how users access and use our Services and Websites, to evaluate and improve our Websites, Services and business operations, and to develop new features, offerings and services; to conduct surveys and other evaluations (such as customer satisfaction surveys); and for other research and analytical purposes. (Legal basis: our legitimate business interests)
- Personalizing content and experiences: including to tailor content we send or display on our websites and other Services; to offer location customization and personalized help and instructions; and to otherwise personalize your experiences. (Legal basis: our legitimate business interests and/or with your consent)
- Advertising, marketing and promotional purposes: including to reach you with more relevant ads and to evaluate, measure and improve the effectiveness of our ad campaigns; to send you newsletters, offers or other information we think may interest you; to contact you about our Services or information we think may interest you; and to administer promotions and contests. (Legal basis: our legitimate business interests and/or with your consent)
- Securing and protecting our business: including to protect and secure our business operations, assets, Services, network and information and technology resources; to investigate, prevent, detect and take action regarding fraud, unauthorized access, situations involving potential threats to the rights or safety of any person or third party, or other unauthorized activities or misconduct (Legal basis: our legitimate business interests and/or compliance with laws)
- Defending our legal rights: including to manage and respond to actual and potential legal disputes and claims, and to otherwise establish, defend or protect our rights or interests, including in the context of anticipated or actual litigation with third parties. (Legal basis: our legitimate business interests and/or compliance with laws)
- Auditing, reporting, corporate governance, and internal operations: including relating to financial, tax and accounting audits; audits and assessments of our operations, privacy, security and financial controls, risk, and compliance with legal obligations; our general business, accounting, record keeping and legal functions; and related to any actual or contemplated merger, acquisition, asset sale or transfer, financing, bankruptcy or restructuring of all or part of our business. (Legal basis: our legitimate business interests and/or compliance with laws)
- Complying with legal obligations: including to comply with the law, our legal obligations and legal process, such warrants, subpoenas, court orders, and regulatory or law enforcement requests. (Legal basis: our legitimate business interests and/or compliance with laws)
Aggregate and de-identified information. We may de-identify personal information and create anonymous and aggregated data sets and reports in order to assess, improve and develop our business, products and services, prepare benchmarking reports on our industry and for other research, marketing and analytics purposes.
6. Disclosure of Personal Information
We disclose the personal information we collect as set forth in this section.
A. Purposes for Which We Disclose Personal Information
Willis Towers Watson may disclose your personal information to any Willis Towers Watson group company for the uses and purposes set out above, including for marketing the products and services offered by other businesses across the Willis Towers Watson group (subject to applicable laws). We may also disclose your personal information for the following reasons:
- to third party service providers such as entities providing customer service, email delivery, auditing, hosting our Websites and other services
- to third parties involved with events that you register for, to facilitate your participation in those events, support feedback collection and evaluation and for some events, to third parties who provide a central record keeping system for continuing professional development event attendance
- if we are obliged to disclose your personal information under applicable law or regulation, which may include laws outside your country of residence
- subject to applicable laws, to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence
- in connection with the planning, due diligence and implementation of commercial transactions, including a reorganization, merger, sale of all or a portion of our assets, a joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings)—in such cases, your personal information will be transferred to the acquiring entity
- in accordance with the separate terms and conditions of use that may apply to you or with your explicit consent.
We request those external service providers to implement and apply security safeguards to ensure the privacy and security of your personal information. These third parties have agreed to confidentiality restrictions and to use of any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us.
Aggregate and de-identified information. We may share aggregate or de-identified information, which does not identify and is not linked or linkable to a particular individual, with third parties for research, marketing, analytics and other purposes.
B. Categories of Personal Information Disclosed
Certain privacy laws (such as the California Consumer Privacy Act (“CCPA”)) require that we disclose the categories of Personal Information that we have disclosed for a business purpose as well as the categories that we have “sold” (as that term is defined under the CCPA or other applicable laws). Please review the descriptions of the categories of personal information under the Personal Information Collected section above, for further descriptions of each category of personal information.
Categories of personal information disclosed for a business purpose. In general, we may disclose the following categories of personal information in support of our business purposes identified above:
- Name, company name, contact information and other identifiers
- Customer records
- Protected classifications
- Commercial Information
- Usage data
- Geolocation data
- Biometric information
- Audio, video and other electronic data
- Employment history
- Education information
- Profiles and inferences
We have disclosed the categories of personal information listed above to the following categories of third parties in the preceding twelve months: our clients, advertising networks, data analytics providers, other service providers, other insurance companies, and government entities.
Categories of personal information sold. While we do not disclose personal information to third parties in exchange for monetary compensation from such third parties, we do disclose or make available personal information to third parties, in order to receive certain services or benefits from them, such as when we allow third party tags to collect information such as browsing history on our Websites, in order to improve and measure our ad campaigns. The CCPA defines a “sale” as disclosing or making available to a third party Personal Information in exchange for monetary or other valuable consideration. Pursuant to the CCPA, the categories of Personal Information that we may “sell” as defined under the CCPA includes:
- Usage data
- Geolocation data
We have “sold” the categories of personal information listed above to data analytics providers in the preceding twelve months.
7. Cookies and Tracking
Our Websites may use first party and third-party cookies, pixel tags, plugins and other tools to gather device, usage and browsing information when users visit our Websites or use our online services. For instance, when you visit our Websites, our server may record your IP address (and associated location information) and other information such as the type of your internet browser, your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, language, and the pages you view and links you click on our Websites, as well as date and time stamps associated with your activities on our Websites.
Pixel tags and other similar technologies. Pixel tags (also known as web beacons and clear GIFs) may be used in connection with some Websites to, among other things, track the actions of users of the Websites (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Websites and response rates. We and our service providers also use pixel tags in HTML emails to our customers, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.
Log files. Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version and internet browser type and version. This information is gathered automatically and stored in log files.
Do-Not-Track signals. Please note that our Websites do not recognize or respond to any signal which your browser might transmit through the so-called 'Do Not Track' feature your browser might have. If you wish to disable cookies on our Websites, you should not rely on any 'Do Not Track' feature your browser might have. For more information about do-not-track signals, please click here.
8. Interest-based Advertising
You can manage how your preferences regarding third party ad company cookies set by this Website, using our cookie preference manager. If you have reached this Privacy Notice from a Website other than the Homepage, please go back and use the cookie preference manager on that Website to set your cookie preferences.
Please see our Cookie Notice for information about the third parties we may work with to display targeted ads on third-party sites and to measure the success of our marketing and campaigns. If you have reached this Privacy Notice from a Website other than the Homepage, please go back and review the Cookie Notice on that Website to understand how cookies are used there. You may also obtain more information about targeted or “interest-based advertising” and opt-out of many ad networks at the industry websites below:
Willis Towers Watson has implemented technical and organizational security measures to protect the personal information we collect. Despite this, the security of the transmission of information via the Internet cannot always be guaranteed and you acknowledge this in your access and use of our Websites and Services. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the "Contact and Comments" section below.
10. Individual Rights and Choices
Marketing. You may opt out from receiving marketing-related communications from us on a going-forward basis by contacting us or by using the unsubscribe mechanism contained in each email. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages, from which you cannot opt out.
Access, amendment and deletion. You may request to review, make amendments, have deleted or otherwise exercise your rights under applicable privacy laws over your personal information that we hold, subject to certain limitations under applicable law. You may submit a request to us related to your personal information:
- By submitting a request to us at contact us
- By contacting us at 1-800-889-9288 (toll free)
- By emailing us at firstname.lastname@example.org
We take steps in accordance with applicable legislation to keep your personal information accurate, complete and up-to-date. If you would like to review, correct, update, suppress, or restrict the processing of your personal information or request a copy of personal information about you, you may contact us by sending us an email at email@example.com or sending your request by postal mail to the address provided in the "Contact & Comments" section below.
In your request, please make clear what personal information you would like to have changed, whether you would like to have your personal information suppressed from our database or otherwise let us know what limitations you would like to put on our use of your personal information. For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed.
To exercise your rights please contact us using the contact information below. Subject to legal and other permissible considerations, we will make reasonable efforts to honour your request promptly or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Additional information for certain jurisdictions. Willis Towers Watson is committed to respecting the privacy rights of individuals under all privacy laws applicable to us. Some privacy laws require that we provide specific information about individual rights to applicable consumers, which we have set forth at the end of this Notice:
- California: if you are a California resident, you have certain rights under California privacy laws regarding your personal information as set forth below in the Additional Information for Certain Jurisdictions section.
- EU/EEA/UK: if you are in the European Union / European Economic Area/United Kingdom, please go to the Additional Information for Certain Jurisdictions below for details about your rights under the GDPR.
- Brazil/LGPD: if you are in the Brazil and subject to the Brazilian General Data Protection Law (LGPD), please go to the Additional Information for Certain Jurisdictions below for details about your rights under the LGPD.
- Cayman Islands: if you are in the Cayman Islands and subject to the Cayman Islands Data Protection Law, please go to the Additional Information for Certain Jurisdictions below for details about your rights under that law.
11. Retention Period
We will retain your personal information for the period necessary to fulfill the purposes outlined in this privacy notice unless a longer retention period is required or permitted by law or defined in an agreement. We may retain personal information for longer where required by our regulatory obligations or professional indemnity obligations, or where we believe it is necessary to establish, defend or protect our legal rights and interests or those of others. With respect to the data and files we handle as a processor, we retain this personal information in accordance with our clients’ instructions and as required by law.
12. Children and Minors
The Websites and Services are not directed to individuals under the age of sixteen (16), and we do not knowingly collect personal information from minors under the age of 16.
13. Changes to our Privacy Notice
From time to time, we may change our Privacy Notice. The effective date set forth at the top indicates the last time this Privacy Notice was revised. Checking this effective date allows you to determine whether there have been changes since the last time you reviewed the notice. We will notify you of changes to this privacy notice by posting the revised Privacy Notice on our Websites.
14. Contact and Comments
If you have any questions or comments regarding this Privacy Notice, please contact our Privacy Team, at 800 North Glebe Road, Arlington, VA 22203 or at firstname.lastname@example.org.
In some countries, there is a legal requirement to provide a named individual and their contact details. These are:
Willis Towers Watson Nigeria Limited
6th Floor, Africa RE Building. Plot 1679 Karimu Kotun Street, Victoria Island Lagos, Nigeria.
|South Africa||André Wild||Andre.Wild@wtwco.com
Towers Watson (Pty) Ltd
Level 4, MontClare Place, 23 Main Road, Claremont, Cape Town, 7708
Private Bag X30, Rondebosch, 7701
Willis South Africa (Pty) Ltd
Illovo Edge, 1 Harries Road, Illovo, Johannesburg 2196
15. Additional Information for Residents in Certain Jurisdictions
In this section, we set forth additional information as required under applicable privacy laws in certain jurisdictions.
A. California Residents
In this section, we provide information for California residents as required under California privacy laws, including the CCPA, which requires that we provide California residents certain specific information about how handle their personal information, whether collected online or offline. This section does not address or apply to our handling of:
- publicly available information made lawfully available by state or federal governments
- personal information that is subject to an exemption under Section 1798.145(c) – (f) of the CCPA (such as protected health information that is subject to HIPAA or the California Medical Information Act, and non-public information subject to the Gramm-Leach Bliley Act or the California Financial Information Privacy Act)
- personal information we collect about job applicants, independent contractors, or current or former full-time, part-time and temporary employees and staff, officers, directors or owners of Willis Towers Watson
- personal information about individuals acting for or on behalf of another company, to the extent the information relates to our transactions with such company, products or services that we receive from or provide to such company, or associated communications or transactions (except that such individuals have the right to opt-out of any sale of their personal information and to not be subject to any discrimination for exercising such right)
Categories of personal information that we collect and disclose. Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. The table above sets out generally the categories of personal information (as defined by the CCPA) about California residents that we collect, sell, and disclose to others for a business purpose. We collect these categories of personal information from the sources described in the Personal information we may collect section above, and for the purposes described in the Purposes for which we use personal information section above.
Rights of California residents. California law grants California residents certain rights and imposes restrictions on particular business practices as set forth below.
- Do-Not-Sell: California residents have the right to opt-out of our sale of their personal information. Opt-out rights can be exercised by clicking the Do Not Sell My Information link in the footer of our Website Homepage. If you have reached this Privacy Notice from a website other than our Homepage, please go back and use the cookie preference manager on that website to exercise your opt-out rights to the extent they may apply on that website. We do not sell personal information about residents who we know are younger than 16 years old without opt-in consent.
- Initial Notice: We are required to notify California residents, at or before the point of collection of their personal information, the categories of personal information collected and the purposes for which such information is used.
- Request to Delete: California residents have the right to request deletion of their personal information that we have collected about them and to have such personal information deleted, except where an exemption applies. We will respond to verifiable requests received from California residents as required by law. The instructions for submitting a verifiable Request to Delete are described in the “Submitting Requests” section below.
- Request to Know: California residents have the right to request and, subject to certain exemptions, receive a copy of the specific pieces of personal information that we have collected, used, disclosed and sold about them in the prior 12 months and to have this delivered, free of charge, either (a) by mail or (b) electronically in a portable and, to the extent technically feasible, readily useable format that allows the individual to transmit this information to another entity without hindrance. California residents also have the right to request that we provide them certain information about how we have handled their personal information in the prior 12 months, including the:
- categories of personal information collected;
- categories of sources of personal information;
- business and/or commercial purposes for collecting and selling their personal information;
- categories of third parties with whom we have shared their personal information;
- categories of personal information that we have sold in the preceding 12 months, and for each category identified, the categories of third parties to which we sold that particular category of information; and
- categories of personal information disclosed for a business purpose in the preceding 12 months, and for each category identified, the categories of third parties to which we disclosed that particular category of personal information.
California residents may make a Request to Know up to twice every 12 months. We will respond to verifiable requests received from California residents as required by law. The instructions for submitting a verifiable Request to Know are described in the “Submitting Requests” section below.
- Right to non- discrimination: The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA. Discrimination may exist where a business denies or provides a different level or quality of goods or services, or charges (or suggests that it will charge) different prices, rates, or penalties on residents who exercise their CCPA rights, unless doing so is reasonably related to the value provided to the business by the residents’ data.
- Financial incentives: A business may offer financial incentives for the collection, sale or deletion of California residents’ personal information, where the incentive is not unjust, unreasonable, coercive or usurious, and is made available in compliance with applicable transparency, informed consent, and opt-out requirements. California residents have the right to be notified of any financial incentives offers and their material terms, the right to opt-out of such incentives at any time, and may not be included in such incentives without their prior informed opt-in consent. We do not offer any such incentives at this time.
Submitting Requests. Do-Not-Sell (Opt-out) Requests, Requests to Know, and Requests to Delete may be submitted:
- By contacting us at 1-800-889-9288 (toll free).
- By submitting a Consumer Request through this link.
We will use the following process to verify Requests to Know and Requests to Delete: We will acknowledge receipt of you Consumer Request, verify it using processes required by law, then process and respond to your request as required by law. To verify such requests, we may ask you to provide the following information:
- For a request to know categories of personal information which we collect, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you against information in our systems which are considered reasonably reliable for the purposes of verifying a consumer’s identity.
- For a request to know specific pieces of personal information or for requests to delete, we will verify your identity to a high degree of certainty by matching at least three pieces of personal information provided by you to personal information maintained in our systems and also by obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.
An authorized agent can make a request on a California residents’ behalf by providing a power of attorney valid under California law, or providing: (1) proof that the consumer authorized the agent to do so; (2) verification of their own identity with respect to a right to know categories, right to know specific pieces of personal information, or requests to delete which are outlined above; and (3) direct confirmation that the consumer provided the authorized agent permission to submit the request.
We will respond to verifiable requests received from California residents as required by law. For more information about our privacy practices, you may contact us as set forth in the Contact and Comments section above.
Consumer Requests Received in 2021. In calendar year 2021, we received and responded to consumer requests under the CCPA as set forth in the table below:
|Request Type||Number of Requests Received||Number of Requests With Which We Complied (in whole or in part)||Number of Requests Denied*||Average Response Time (Number of Days)|
|Requests to Know||1||1||0||33|
|Requests to Delete||3||1||2||64|
|Requests to Opt-Out of the Sale of Personal Information||790||782**||0||0|
*This includes requests that were denied because we were unable to verify the identity of the requestor.
**We receive opt-out requests through multiple channels including a cookie preference manager and by email. The difference between the number of requests received and the number of requests we responded to is due to the channel by which we received the request to opt-out. We received 8 requests to opt-out through email. We followed up with the requestors for more information, but the requestor never clarified to which WTW group or information their request applied to.
B. European Union / European Economic Area / United Kingdom
Residents of the European Union (EU) and the European Economic Area (EEA) have the following rights, under the GDPR, regarding their personal information:
- Right of access: You have the right to obtain from us confirmation as to whether or not personal information concerning you is being processed, and where that is the case, to request access to the personal information. The accessed information includes – among others - the purposes of the processing, the categories of personal information concerned, and the recipients or categories of recipient to whom the personal information have been or will be disclosed. You have the right to obtain a copy of the personal information undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
- Right to rectify and complete personal information: you can request the rectification of inaccurate data and the completion of incomplete data. We will inform relevant third parties to whom we have transferred your data about the rectification and completion if we are legally obliged to do so.
- Right to erasure (right to be forgotten): You have the right to obtain from us the erasure of personal information concerning you in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- following a successful right to object; or
- it has been processed unlawfully; or
- the data has to be erased in order to comply with a legal obligation to which Willis Towers Watson is subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for:
- compliance with a legal obligation; or
- the establishment, exercise or defense of legal claims.
- Right to restriction of processing: You have the right to obtain from us restriction of processing your personal information. In this case, the respective data will be marked and only be processed by us for certain purposes. This right can only be exercised where:
- the accuracy of your personal information is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want the personal information erased; or
- it is no longer needed for the purposes for which it was collected, but you still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal information following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
- Right to data portability: You have the right to receive the personal information concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another entity without hindrance from us, but in each case only where the processing is (a) based on your consent or on the performance of a contract with you, and (b) also carried out by automated means.
Right to object: You have the right to object at any time to any processing of your personal information which has our legitimate interests as its legal basis. You may exercise this right without incurring any costs. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. The right to object does not exist, in particular, if the processing of your personal information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
Right to object to our use of your personal information for direct marketing purposes: You can request that we change the manner in which we contact you for marketing purposes. You can request that we do not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
- Right to withdraw consent: if you have given us your consent for the processing of your personal information, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to obtain a copy of safeguards and EU Standard Contractual Clauses: you can ask to obtain a copy of, or reference to, the safeguards and any relevant EU Standard Contractual Clauses (“SCCs”) under which your personal information is transferred outside the EU/EEA. We may redact data transfer agreements/SCCs to protect commercial terms.
- Right to lodge a complaint with your local supervisory authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. We ask that you please attempt to resolve any issue with us first by contacting us at email@example.com, although you have a right to contact your supervisory authority at any time.
The following information applies to personal data which we process from any individuals that is related to Brazil’s territory under the National Data Protection Law (LGPD):
- Scope: In addition to the circumstances set forth in the section above regarding Scope, the LGPD applies when we process personal data subject to protect fundamental rights of freedom, privacy and the free development of the personality of individuals.
- Sensitive Personal Data under the LGPD: Sensitive personal data under the LGPD includes personal data (as defined above in Scope section of this Notice) about racial or ethnic origin, religious belief, political opinion, union membership or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person. Please see the section above regarding Personal Information Collected for more information on how we treat sensitive personal data.
- Individual rights: Under the LGPD, individuals have certain rights related to their personal data, subject to other limitations in this law, as follows:
- Confirmation of the existence of data processing;
- Access to your personal data;
- Correction of incomplete, inaccurate, or out-of-date data;
- Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with LGPD;
- Portability of data to another service or product provider, subject to the LGPD;
- Deletion of personal data, to the extent permitted by the LGPD;
- Information about the entities with whom we have shared personal data;
- Information about the possibility of denying consent and consequences of such denial;
- Revocation of consent.
- Processing of Children’s Personal Data: We process personal data belonging to children and adolescents, defined as individuals 16 years or younger. In this case, in accordance with the LGPD, we process children´s personal data when in their own best interests and with the specific consent of at least one of their parents or legal representatives.
- Contacting Us in Brazil: If you have any questions or comments about this Privacy Notice as it relates to the LGPD or our processing activities in Brazil, please contact our Brazil Data Protection Officer (DPO) at firstname.lastname@example.org.
D. Cayman Islands Data Protection Law (“DPL”)
Individuals whose Personal Data is collected and/or used in the Cayman Islands have the following rights over their Personal Data:
- Right of Access: You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and where that is the case, to request access to the personal data. The information which may be accessed includes – among others - the purposes of the processing, the categories of personal information concerned, and the recipients or categories of recipient to whom the personal information have been or will be disclosed, any countries or territories outside Caymans that your personal data is sent and general security measures taken over your personal data. You have the right to obtain a copy of the personal information undergoing processing. If the requests are deemed excessive, we may charge a reasonable fee based on administrative costs.
- Right to stop or restrict processing Personal Data: You have the right to obtain from us restriction of processing your personal data. We shall comply with this request unless the processing is necessary for certain purposes. These purposes include: (a) the processing is necessary for the performance of a contract to which the data subject is a party or the taking of steps at the request of the data subject with a view to entering into a contract; (b) the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; (c) the processing is necessary in order to protect the vital interests of the data subject; or (d) the processing is necessary in such other circumstances as may be prescribed by regulations.
- Right to be informed about the collection and use if their Personal Data: You have the right to be informed about the collection and use of your personal data, which includes information such as who we are, and the purposes for our processing your personal data.
- Right to stop processing for direct marketing: You have the right to obtain from us restriction of processing of your personal data for direct marketing purposes. We shall honor this request without undue delay within a reasonable period of time. You may complain to the Ombudsman if we do not comply with this request.
- Rights in relation to automated decision making: You have the right to obtain from us restriction from us making a decision that significantly affects you based on the processing of automatic means of your personal data for the purpose of evaluating your performance at work, creditworthiness, reliability, conduct or other matters.
- Right to complain/seek compensation: You have a right to complain to the Ombudsman regarding any perceived violation of the DPL. If you suffer damage due to a violation of the DPL by us, you may be able to seek compensation via the court system.
- Right to rectification, blocking, erasure, or destruction: You have a right to have inaccurate personal data rectified or completed if incomplete, without undue delay. You may complain to the Ombudsman, who may issue an order for rectification, blocking, erasure or destruction of the data.
Submitting Requests. Requests may be submitted: