This privacy notice describes how Willis Towers Watson collects and processes Personal Information when we provide Human Capital & Benefits and Investment, Risk & Reinsurance advisory services (such as consulting services) ("Services") to our clients.
Willis Towers Watson operates worldwide through subsidiary and affiliate companies (collectively, “Willis Towers Watson,” “we,” “us,” or “our”).
In providing the Services, we may be required to process Personal Information of individuals named in an insurance policy, or individuals that are beneficiaries of, or have made claims under, an insurance policy, or individuals who are involved in an incident giving rise to an insurance claim. We also process Personal Information of individuals who are employees, contractors and representatives of our clients. This privacy notice applies to any individual whose Personal Information we process in the course of providing the Services (each a "data subject" or "you").
Scope of this privacy notice
Personal information we collect
This privacy notice describes how Willis Towers Watson collects and processes Personal Information in the course of providing the Services, and it applies to all Personal Information we collect or process about you.
When we process your Personal Information we act as either controller together with our client, or as their data processor and we cooperate with our client in meeting our compliance obligations under the law.
Your Personal Information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for Personal Information under European Union law. We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details provided under the "Contact and Comments" section below.
“Personal Information” is information that identifies you as an individual or relates to an identifiable individual.
We may collect your Personal Information in the following ways:
- Our client may provide your Personal Information to us. If our client is your employer our client is the data controller in respect of your Personal Information and you should consult with them in the first instance if you have any questions about the processing of Personal Information.
- You may provide your Personal Information directly to us if you are a client.
- We may collect your Personal Information from public sources.
The Personal Information we may collect about you from our clients (or directly from you) will depend on the type of Service we are providing and the relationship between you and our client, but may include:
- name and contact information;
- demographic information (such as gender, age, date of birth, marital status, nationality, employment details, hobbies, family composition, and dependents);
- personal identification documentation and related information such as passport numbers and employee identification numbers;
- financial and payment data such as bank account numbers and transaction information;
- information related to the provision of the Services, such as policy information, claims information, and information relating to incidents giving rise to claims;
- information about your property and assets;
- statements made by or about you;
- records of communications and CCTV footage; and
- human resources data, such as job title and role; benefits and compensation information; dependent/beneficiary information; educational, academic and professional qualifications information; emergency contact information; and performance management information
Some of the categories of information that we collect are special categories of Personal Information ("Sensitive Personal Information"). These include your health records (such as your medical history and reports on medical diagnoses, injuries and treatment); information about your personal characteristics and circumstances of a sensitive nature such as your racial or ethnic origin, sex life, mental and physical health and genetic information.
Legal bases for processing personal information
We must have a legal basis to process your Personal Information. In most cases the legal basis will be one of the following:
- processing is necessary for the performance of a contract between us or in order to take steps at your request prior to entering into a contract;
- for our legitimate interests, for example to provide Services to our clients, to ensure that the Services we provide are appropriate to our clients' requirements, to improve our Services, manage our risks, maintain accurate transaction records, and manage our business in an efficient way;
- for the legitimate interests of our clients and other third parties (for example, to investigate and assess claims made against policies held or underwritten by them and to prevent and detect suspicions of fraud); or
- to comply with our legal obligations such as due diligence and reporting obligations.
We process Sensitive Personal Information on the following legal bases:
- your consent. The client may obtain your explicit consent to collect and use the data for the purposes described in this Policy Notice. You may withdraw your consent at any time by contacting us using the details at the end of this privacy notice; or
- to establish, exercise or defend legal claims.
- where legislation otherwise permits us to process Sensitive Personal Information.
How we may use your personal information
We use your Personal Information:
- to provide the Services and fulfill our contractual obligations to clients;
- to conduct data analysis;
- for fraud monitoring and prevention;
- to help develop new services and to enhance, improve or modify our Services;
- to operate and expand our business activities;
- to carry out background checks and conduct due diligence;
- to perform administrative activities in connection with our Services;
- to exercise, defend or protect our legal rights or the rights of our clients or third parties; and
- to comply with legal and professional obligations and to cooperate with regulatory bodies.
The way we analyse Personal Information for the purposes of risk assessment, fraud prevention and detection, and to report to our clients as part of the Services may involve profiling, which means that we may process your personal information using software that is able to evaluate your personal aspects and predict risks or outcomes.
We may also aggregate or anonymize information about you. Aggregated or anonymized data is not capable of being used to identify individuals and is not treated as Personal Information under this privacy notice.
Disclosure of your personal information
We may share your Personal Information with third parties under the following circumstances:
- to any Willis Towers Watson group company for the uses and purposes set out above;
- to our clients, intermediaries, advisers and business partners for the purposes of fulfilling our contractual obligations to clients, for example to deliver our Services and to arrange insurance products for clients;
- to third party service providers such as entities providing customer service, email delivery, auditing and other services;
- if we are obliged to disclose your Personal Information under applicable law or regulation, which may include laws outside your country of residence; and
- in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings)
Security and retention
Willis Towers Watson maintains appropriate technical and organizational security measures to protect the security of your data against loss, misuse, unauthorized access, disclosure or alteration. These measures are aimed at ensuring the ongoing integrity and confidentiality of Personal Information. We evaluate these measures on a regular basis to ensure the security of the processing.
We will retain your Personal Information for as long as is necessary for the provision of Services to our clients. When we no longer need your personal information in connection with the Services, we will then retain your Personal Information for a period of time that reasonably allows us to comply with out regulatory obligations and to commence or defend legal claims. We may retain aggregated or anonymised data (which is not treated as Personal Information under this privacy notice) for longer.
Choices and access
If you would like to review, correct, update, suppress, object to, or restrict the processing of your Personal Information or request a copy of Personal Information about you, you may contact us by sending us an email at email@example.com or sending your request by postal mail to the address provided in the “Contact & Comments” section below.
In your request, please make clear what Personal Information you would like to have changed, whether you would like to have your Personal Information suppressed from our database or otherwise let us know what limitations you would like to put on our use of your Personal Information. For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the local data protection authority. In Sweden the local data authority is called Datainspektionen and in Finland the local data authority is called Tietosuojavaltuutetun toimisto.
Changes to our privacy notice
You may request a copy of this privacy notice from us using the contact details set out below.
We may modify or update this privacy notice from time to time by notifying or providing a revised version to our clients. Where changes to this privacy notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will ask that our clients give you sufficient advance notice of these changes so that you have the opportunity to exercise your rights (e.g. to object to the processing).
Contact & comments
If you have any questions or comments regarding this privacy notice, please contact our Data Protection Officer for Sweden and Finland at Box 7273, 103 89 Stockholm, Sweden or at firstname.lastname@example.org.