Privacy Notice for Clients

Last Updated: October 2023

This privacy notice describes how Willis Towers Watson in South Africa collects and processes Personal Information when we provide transactional and advisory services to our clients.

Willis Towers Watson operates worldwide through subsidiary and affiliate companies. In South Africa this means:

• Willis South Africa (Pty) Ltd in respect of advice and arrangement of non-life insurance cover with an insurer (“CRB Services”) and broking of risk benefit insurance arrangements (“H&B Services”);
• Towers Watson (Pty) Ltd in respect of broking of risk benefit insurance arrangements (“TW Services”),
• Mutual Risk Advisory Services (Pty) Ltd in providing enterprise-wide supplier risk assessment programs of suppliers, contractors and service providers (“MRA Services”), and

in each case on behalf of our clients.

Where we say Services, we mean the CRB Services, H&B Services and MRA Services.

Where we say “we,” “us,” or “our” in this Privacy Notice we mean each of Willis South Africa (Pty) Ltd, Group Risk Management Services (Pty) Ltd and Towers Watson (Pty) Limited and those companies together.

Insurance involves the use and disclosure of Personal Information by various insurance market participants such as intermediaries, insurers and reinsurers. You should read this Privacy Notice for specific information regarding how we process Personal Information in relation to the Services.

In providing the Services, we may be required to process Personal Information of individuals named in an insurance policy, or individuals that are beneficiaries of, or have made claims under, an insurance policy, or individuals who are involved in an incident giving rise to an insurance claim. This can include children, their legal guardians or caregivers, as well as Personal Information relating to our client organisations themselves. We also process Personal Information of individuals who are employees, contractors and representatives of our clients. This privacy notice applies to any individual whose Personal Information we process in the course of providing the Services (each a "data subject" or "you").

1. Scope of this privacy notice

This privacy notice applies when we collect your Personal Information in the course of offering or administering our Services, and it applies to all Personal Information we collect or process about you in relation to this Service.

2. Cross-border transfer

Willis Towers Watson is a global organisation operating in more than 140 countries and our business activities are global in nature. As such we sometimes transfer personal information to countries located outside of the country of origin. The laws applicable to the country where the data is being received may not be equivalent to that in your location. However, we always take steps to ensure any transfer of information is carefully managed to protect your privacy rights. In particular:

• For transfers between Willis Towers Watson Group companies: We have put in place an intra group data transfer agreement to ensure that transfers of Personal Information within our Group receive a consistent and adequate level of protection, similar to that applicable under POPIA, wherever it is transferred.
• For transfers to third parties outside of the Willis Towers Watson Group of Companies: We will only transfer Personal Information to parties located outside South Africa, where the foreign jurisdiction to which the Personal information is transferred has implemented data protection legislation at least equivalent to the data protection standards and provisions required under POPIA, in accordance with applicable data protection law.

Please see the Contact & Comments section below for details on how you can contact us to get further information on the third countries to which Personal Information will be transferred and further information relating to the safeguards we have in place in relation to international transfers of Personal Information.

3. Personal information

In this section we describe the types of Personal Information we collect in providing the Services, what we use it for and what our lawful basis is for doing so under applicable data protection legislation.

(A) Personal information we collect

“Personal Information” is information that identifies you as an individual or relates to an identifiable individual.

We may collect your Personal Information in the following ways:

• Our client or third party service providers (such as insurers) may provide your Personal Information to us. When a client or third party service provider provides us with Personal Information about you, we ask that the client provides a copy of this privacy notice to you before doing so.
• You may provide your Personal Information directly to us if you are our client or if you are involved in a claim that we are handling for a client.
• We may collect your Personal Information from publicly available sources such as information available on social media platforms, information about your registered property or assets and information about claims and convictions on public records.

The Personal Information we may collect about you from our clients, third party service providers or directly from you, will depend on the type of Service we are providing and the relationship between us, or between you and our client. A failure to provide this Personal Information will mean we are unable to provide our Services, which could affect your ability to receive benefits to which you may be entitled.

Personal Information we collect may include:

• name and contact information including company name and company contact information;
• juristic data of our clients which can include the client’s name, names of directors and shareholders , its registered number and address;
• demographic information (such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, employment details, hobbies, family composition, and dependents);
• personal identification documentation and related information such as passport numbers and employee identification numbers;
• other personal information such as date of birth, gender and marital status
• financial and payment data such as bank account numbers and transaction information;
• information related to the provision of the Services, such as policy information, claims information, and information relating to incidents giving rise to claims and related losses;
• information about your property and assets;
• statements made by or about you;
• records of communications and CCTV footage; and
• human resources data, such as job title and role; service dates, benefits and compensation information; dependent/beneficiary information; educational, academic and professional qualifications information; emergency contact information; Services other than H&B Services, performance management information, criminal records and ITC checks.

Some of the categories of information that we collect are special categories of Personal Information ("Special Personal Information"). These include your health records (such as your medical history and reports on medical diagnoses, injuries and treatment); information about your personal characteristics and circumstances of a sensitive nature such as your racial or ethnic origin, sex life, mental and physical health and genetic information; and criminal records.

(B) How we may use your personal information

We use your Personal Information:

• to provide the Services and fulfill our contractual obligations to clients;
• to conduct data analysis;
• for fraud monitoring and prevention;
• to help develop new services and to enhance, improve or modify our Services;
• to operate and expand our business activities;
• to carry out background checks and conduct due diligence;
• to perform administrative activities in connection with our Services;
• to exercise, defend or protect our legal rights or the rights of our clients or third parties; and
• to comply with legal and professional obligations and to cooperate with regulatory bodies.

The way we analyse Personal Information for the purposes of risk assessment, fraud prevention and detection, and to report to our clients as part of the Services may involve profiling, which means that we may process your personal information using software that is able to evaluate your personal aspects and predict risks or outcomes.

We may also aggregate or anonymise information about you. Aggregated or anonymised data is not capable of being used to identify individuals and is not treated as Personal Information under this privacy notice.

(C) Legal basis for processing personal information

We must have a legal basis to process your Personal Information in accordance with applicable data protection legislation. This will be for at least one of the following purposes:

• where it is necessary to enter into a contract with us / in order to perform the Services to you;
• where it is necessary to comply with our legal obligations such as due diligence and reporting obligations, for example know-your-customer checks to prevent money laundering and fraudulent activities;
• where you have provided your consent, for example if you have agreed to receive marketing communications from us. You may withdraw your consent at any time by contacting us using the details at the end of this privacy notice;
• where it is necessary for our legitimate interests, or those of a third party, for example to ensure that the Services we provide are appropriate our clients' requirements, to improve our Services, manage our risks, maintain accurate transaction records, and manage our business in an efficient way. These circumstances shall only apply where such legitimate interests are not overridden by your interests or fundamental rights and freedoms.

We only process Sensitive Personal Information in limited circumstances:

• where applicable under national data protection laws (e.g. the United Kingdom) the processing is necessary for our insurance purposes (i.e. for advising, arranging, underwriting or administering an insurance contract or handling claims);
• where we have your explicit consent, (in which case our client will obtain your explicit consent to collect and use the data for the purposes described in this privacy notice). You may withdraw your consent at any time by contacting us using the details at the end of this privacy notice; or
• to establish, exercise or defend legal claims.

4. Disclosure of your personal information

We share your Personal Information with third parties under the following circumstances:

• to any Willis Towers Watson group company for the uses and purposes set out above;
• to our clients, intermediaries, advisers and business partners for the purposes of fulfilling our contractual obligations to clients, for example to deliver our Services and to arrange insurance products for clients;
• to third party service providers including entities providing customer service, email delivery, marketing service providers, IT service providers, auditing and other services;
• if we are obliged to disclose your Personal Information under applicable law or regulation, which may include laws outside your country of residence; and
• in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).

We request those external service providers to implement and apply security safeguards to ensure the privacy and security of your Personal Information.

5. Security and retention

Willis Towers Watson maintains appropriate technical and organizational security measures to protect the security of your data against loss, misuse, unauthorized access, disclosure or alteration. These measures are aimed at ensuring the ongoing integrity and confidentiality of Personal Information. We evaluate these measures on a regular basis to ensure the security of the processing.

We will retain your Personal Information for as long as is necessary for the provision of Services to our clients. When we no longer need your Personal Information in connection with the Services, we will then retain your Personal Information for a period of time that reasonably allows us to comply with our regulatory obligations and to commence or defend legal claims. We may retain aggregated or anonymised data (which is not treated as Personal Information under this privacy notice) for longer.

6. Choices and access

If you would like to access or request the deletion of your Personal Information or request a copy of Personal Information about you, please contact us using the details set out in the ‘Contact and Comments’ section below.

In addition to POPIA, the Promotion of Access to Information Act (“PAIA”) is an act that was passed to give effect to the constitutional right, held by everyone in South African, of access to information which is held by the State or by another person and which is required for the exercise or protection of any right. Where a request is made in terms of PAIA, Willis Towers Watson is obliged to give access to the requested information, except where the PAIA expressly provides that the information may or must not be released.

It is important to note that PAIA recognises certain limitations to the right of access to information, including, but not exclusively, limitations aimed at the reasonable protection of privacy, commercial confidentiality, and effective, efficient and good governance, and in a manner which balances that right with any other rights, including such rights contained in the Bill of Rights in the Constitution. You may access our PAIA manual via our website at http: https://www.willistowerswatson.com/en-ZA/, that sets our your rights and obligations under PAIA and the process to follow in order to request information that Willis Towers Watson may have in its possession.

You also have a right to lodge a complaint to the Information Regulator if you have any concerns about how we are processing your Personal Information. We ask that you please attempt to resolve any issue with us first, although you have a right to contact the regulator at any time in writing at either complaints.IR@justice.gov.za or JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001.

7. Changes to our privacy notice

You may request a copy of this privacy notice from us using the contact details set out below.

We may modify or update this privacy notice from time to time by notifying or providing a revised version to our clients. Where changes to this privacy notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will ask that our clients give you sufficient advance notice of these changes so that you have the opportunity to exercise your rights (e.g. to object to the processing).

8. Contact & comments

If you have any questions or comments regarding this privacy notice or would like to exercise your rights as a data subject, please contact our Global Privacy Office, at privacy@willistowerswatson.com or alternatively, our Information Officers using the contact details below: