This Data Processing Protocol (the “Protocol”) explains how Willis Towers Watson, acting as operator, handles personal information in accordance with the instructions of its clients, customers or licensees (each a “Client”) acting as responsible parties.
The Protocol forms part of any agreement in place between Willis Towers Watson and the Client which expressly refers to it (the “Agreement”). Where this Protocol uses terms which are defined in the Protection of Personal Information Act of 2013 (“POPIA”), then the definitions set out in POPIA shall apply.
With respect to personal information processed by Willis Towers Watson on the Client’s behalf (see Annex 1), Willis Towers Watson will comply with the following requirements:
Limitations on Use. Willis Towers Watson will process personal information only to deliver the relevant service, as instructed in writing by Client from time to time, or as otherwise required by law.
Confidentiality. Willis Towers Watson will hold personal information in confidence and not disclose it unless required by law or in the proper performance of our duties and will require Willis Towers Watson personnel who will process personal information to protect all personal information in accordance with the requirements of this Protocol.
Information Security Program. Willis Towers Watson will maintain a written information security program to secure the integrity and confidentiality of personal information that contains appropriate, reasonable technical and organizational safeguards to protect personal information against loss or damage, and unauthorised destruction, access or processing.
Assistance. Willis Towers Watson will:
- Taking into account the nature of the processing, and in so far as is possible, implement technical and organizational measures to assist the Client in fulfilling its obligation to respond to any requests from individuals exercising their rights under Section 23 of POPIA;
- Taking into account the nature of the processing and the information available to Willis Towers Watson, assist the Client in complying with the Client's obligations to implement appropriate security measures; and
- To the extent that it can be given without adversely affecting its security measures, make available to the Client all information which the Client reasonably requests to assist the Client in demonstrating to the information regulator that the obligations set out in section 21(1) of POPIA relating to the appointment of operators have been met.
Willis Towers Watson may charge a reasonable fee for all such assistance described above, save where assistance was required directly as a result of Willis Towers Watson's own acts or omissions, in which case such assistance will be at Willis Towers Watson's expense.
Security Incident. Willis Towers Watson will without undue delay notify Client whenever Willis Towers Watson reasonably believes that any personal information it processes on behalf of a Client has been accessed or acquired by any unauthorised person ("Security Incident"). After providing notice, Willis Towers Watson will investigate the Security Incident, take necessary steps to eliminate or contain the impact of the Security Incident and keep the Client advised of the status of the Security Incident and all related matters.
Return or Disposal. The Client may instruct Willis Towers Watson to delete or return personal information at the end of the period during which Willis Towers Watson will process such Client’s personal information for the provision of the services in accordance with the Client’s instruction. Where Willis Towers Watson is required by applicable law to retain personal information for longer than is needed to deliver the services, it will be permitted to do so subject to it continuing to comply with the terms of this Protocol.
The Client understands that Willis Towers Watson may use sub-operators to provide services under the Agreement which can include sub-operators in countries other than South Africa. The pre-agreed sub-operators in use as at the date of this Protocol are listed in Annex 1. Willis Towers Watson shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such sub-operators are at least as restrictive as this Protocol including in relation to any transfer of personal information to the sub-operator by Willis Towers Watson and in relation to any onward transfers by the sub-operator.
Changes to, or the addition of new, sub-operators will be notified to the affected Clients. Where a change to or addition of a new sub-operator is a sub-operator within the Willis Towers Watson group of companies, the Client acknowledges that on the basis that any transfer of personal information will be protected by the intercompany transfer agreement in place between all Willis Towers Watson group companies, such change or addition is hereby approved.
In relation to sub-operators that are not Willis Towers Watson group companies, such notification will be given to enable the Client to object, on reasonable grounds, to the proposed change or addition within 20 days of receiving such notification. If no objection is received from the Client within such period, Willis Towers Watson will be permitted to make the change or addition.
Description of processing of personal information
Subject Matter, Nature and Purpose
All processing activities (including the collection, organization and analysis of personal information) as are reasonably required to facilitate or support the provision of the services described under the Agreement.
Duration of processing of personal information
Willis Towers Watson will process the personal information for as long as it provides products and/or services to Client and will hold the personal information in archive after that date to the extent necessary for legitimate business purposes.
Categories of individuals:
Depending on the particular services provided under the Agreement, the data subjects may include:
- the trustees, directors or employees or other workers of the Client; and
- the individuals who are members of a Client’s retirement fund or medical scheme or other similar arrangement, plan or scheme under which benefits are provided to individual members, as well as their family members, beneficiaries or other individuals that are connected to those members.
Types of personal information:
The relevant services provided under the Agreement may involve the processing of the following types of personal information:
- names and contact information of individuals;
- juristic data of the companies and Funds to whom Willis Towers Watson delivers the relevant services. This will include entity name, its registered number and address as a minimum and could also include other information related to the entity such as investment portfolio information, valuations, financial statements and Trustee minutes, depending on the services being provided under the Agreement;
- demographic information (such as gender, age, date of birth, marital status, nationality, employment details, family composition, and dependants);
- personal identification documentation and related information such as national identity numbers, passport numbers, employee identification numbers and fund membership numbers;
- financial and payment data such as remuneration, scheme account balances, pension payments if any, scheme benefits paid, bank account numbers and transaction information;
- information related to the provision of the services, such as policy information and claims information;
- records of communications;
- human resources data, such as job title; benefits and compensation information; and
- dependant/beneficiary information.
Types of special categories of data:
The personal information processed by Willis Towers Watson may include the following special categories of personal information: mental and physical health, details of injuries and medication/treatment received.
Willis Towers Watson uses the following sub-operators for its Talent and Reward services only:
The Willis Towers Watson Global Resource Center (Towers Watson Global Business Services, Inc.), located in Manila, The Philippines. 16th Floor, Bonifacio One Technology Tower, Rizal Drive Corner 31st Street, Fort Bonifacio, Taguig City, Philippines 1634;
Provision of the following services:
- Software support services;
- Cloud technology operations; and
- Client support services
Willis Towers Watson US LLC 800 North Glebe Road, Arlington, VA 22203, USA
Provision of the following services:
- Data Services Participation Portal is hosted on WTW servers in the US;
- Validation of data services.
Towers Watson Limited Watson House, London Road, Reigate, Surrey, RH2 9PQ, England
Provision of the following services:
- Compensation Software is hosted on WTW servers in the UK.
Singular Systems (Pty) Ltd P O Box 785261, Sandton, 2146
- Maintenance and support of the PECSLINX platform
The Cloud Value Factory (Pty) Limited Killdrummy Office Park, Cnr Witkoppen and Umhlanga Avenue, Paulshof, 2191, Johannesburg
- CRM system data hosting