Version 1
This Data Processing Protocol (“Protocol”) explains how WTW (“Company” or “WTW”) processes Personal Information that is subject to Canadian Data Protection Laws (as defined below) on behalf of its clients, customers, or licensees (“Clients”).
This Protocol forms part of any agreement in place between WTW and the Client which expressly refers or links to this Protocol or the WTW Data Processing Protocol Landing Page and involves the processing of Personal Information subject to Canadian Data Protection Laws (“Agreement”).
1. Definitions. In this Protocol, capitalized terms not defined herein have the same meaning as given in the Agreement. In addition, the following definitions apply:
1.1. “Canadian Data Protection Laws” means the Personal Information Protection and Electronic Documents Act, SC 2000, c 5, the Personal Information Protection Act, SBC 2003, c 63, the Personal Information Protection Act, SA 2003, c P-6.5 and the Act respecting the protection of personal information in the private sector, CQLR c P-39.1, each as amended from time to time and the regulations made pursuant thereto and other similar provincial or territorial acts, each as amended from time to time and the regulations made pursuant thereto.
1.2. “Data Subject” means the individual about whom the Personal Information relates.
1.3. “Personal Information” has the same meaning as “Personal Data” and refers to any information relating to an identified or identifiable natural person, whether identified directly or indirectly.
1.4. “Personal Information Breach” means any unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Information. A “Personal Information Breach” does not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.5. “Privacy Commissioner” means the applicable governmental authority with jurisdiction to enforce Canadian Data Protection Laws.
1.6. “Process” or “Processing” or “Processed” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7. “Client Personal Information” means any Personal Information subject to Canadian Data Protection Laws and which WTW processes on behalf of a Client as part of the Services, as more particularly described below in Annex 1.
1.8. “Services” means the services provided by WTW to Client as specified in the Agreement.
1.9. “Sub-processor” means any third party engaged by WTW to Process Personal Information for the purposes of providing the Services in accordance with the Agreement and clause 2.3 below. A “Sub-processor” may include a WTW affiliate or subsidiary, but does not include WTW employees, contractors, or consultants.
2. Role and Scope of Processing
2.1. Scope. This Protocol applies to the processing of Client Personal Information as part of the Services. This Protocol does not apply to Personal Information that WTW collects and uses for its own purposes or to Personal Information that may be processed via third-party websites or services.
2.2. Details of Processing. The subject matter, nature, purpose, and duration of the Processing, along with the types of Personal Information processed and categories of data subjects are described in Annex 1 to this Protocol.
2.3. Limitations on Use. WTW will Process Client Personal Information only for the purposes described in the Agreement, in clause 3.6 below, and in the Description of Processing set out in Annex 1, and only as further agreed mutually in writing from time to time between the Client and WTW, unless WTW is required to do otherwise because of applicable laws, in which event WTW will inform the Client unless applicable law prohibits such notification.
2.4. Client Responsibilities. Client will, in its use of the Services:
- be responsible for determining whether the Services are appropriate for the Processing of the Client Personal Information under Canadian Data Protection Laws;
- comply with its obligations under the applicable Canadian Data Protection Laws and ensure that its instructions to WTW are lawful and comply with Canadian Data Protection Laws;
- have sole responsibility for the accuracy, quality, and legality of the Client Personal Information and represent and warrant that the Client Personal Information has been collected in accordance with the applicable Canadian Data Protection Laws and that it has the full authority and obtained consent as and where required under applicable Canadian Data Protection Laws to provide such Client Personal Information to WTW for the purposes of the Agreement and the provision of the Services, including as set out in the Description of Processing;
- has obtained all necessary consents, permissions, and rights necessary for WTW, and its affiliates and sub-processors, to lawfully Process the Client Personal Information for the purposes contemplated by the Agreement, including as necessary on behalf of dependents and beneficiaries, some of whom may be minors.
3. Processing of Personal Information
3.1. Processing Instructions. WTW will Process Client Personal Information in accordance with Client’s lawful documented instructions, applicable Canadian Data Protection Laws, the Agreement, and this Protocol. WTW shall promptly notify Client if it determines that it cannot comply with any such instructions as a result of applicable Data Protection Laws or otherwise.
3.2. Confidentiality. WTW will:
- hold Client Personal Information in confidence and require its personnel or any other person acting under its authority who Process Client Personal Information to be bound by duties of confidentiality, whether under a written agreement or an appropriate statutory obligation of confidentiality or otherwise, and protect all Client Personal Information in accordance with the requirements of this Protocol and applicable Canadian Data Protection Laws; and
- only allow access to Client Personal Information by WTW personnel or any other person acting under WTW’s authority for the purposes of providing the Services in accordance with the Agreement and this Protocol.
3.3. Assistance. WTW will, to the extent required by applicable Canadian Data Protection Laws:
- taking into account the nature of the Processing and to the extent commercially reasonable, assist the Client in fulfilling its obligation to respond to: (a) requests from Data Subjects exercising their rights under applicable Canadian Data Protection Laws in connection with Client Personal Information held by WTW; and (b) any request or communication from a Privacy Commissioner in relation to Client Personal Information held by WTW;
- taking into account the nature of the Processing and the information available to WTW, assist the Client in complying with the Client's obligations to implement appropriate technical and organizational security measures, to provide notification of Personal Information Breaches to the applicable Privacy Commissioner(s) and to Data Subjects, to conduct data protection impact assessments, and to consult with Privacy Commissioners in relation to data protection impact assessments where required; and
- taking into account the nature of the Processing, permit the Client’s privacy officer to conduct the confidentiality verifications that may be strictly required by law, on at least 30 days’ notice.
3.4. Investigations. Upon notice to WTW, WTW will provide reasonable assistance and support to Client in the event of an investigation by a Privacy Commissioner if and to the extent that such investigation relates to the Client Personal Information processed by WTW under the terms of an Agreement. WTW reserves the right to charge for assistance depending on the circumstances.
3.5. Data Protection Impact Assessments. To the extent required under applicable Canadian Data Protection Laws, WTW will provide Client with reasonable assistance in conducting data protection impact assessments related to the processing of Client Personal Information by WTW in accordance with Canadian Data Protection Laws, this Protocol, and the Agreement. WTW reserves the right to charge for assistance depending on the circumstances.
3.6. Further Processing of Personal Information. WTW will only Process Client Personal Information: (i) on behalf of the Client in compliance with the Agreement; (ii) to appoint a sub-processor where such sub-processor is required to provide the Services which are the subject of the Agreement; (iii) as required to ensure delivery, management and improvement of the Services; (iv) for internal use to develop and improve WTW services; (v) to detect data security incidents, or protect against fraudulent or illegal activity; (vi) as necessary to comply with applicable laws; (vii) subject to the provisions of clause 3.9 below, to comply with a civil, criminal, or regulatory inquiry; and (viii) for the purpose of legal proceedings as required or authorized by applicable law. Client acknowledges that WTW may anonymize Client Personal Information for the purpose of aggregated reporting and improving the quality of the Services provided to the Client.
3.7. Security. WTW will maintain a written information security program that contains appropriate administrative, technical and physical safeguards to protect Personal Information against anticipated threats or hazards to its security, confidentiality or integrity and, having regard to the state of technological development, the cost of implementation and the nature, scope, context and purposes of processing, WTW will implement appropriate technical and organizational security and confidentiality measures (that may include the pseudonymization and/or anonymization of Personal Information where appropriate and where permitted by applicable law, taking into account the nature of the processing) necessary to protect against unauthorized or unlawful access, use, disclosure of Client Personal Information and against accidental loss or destruction of, or damage to, Personal Information, appropriate to the harm that might result from the unauthorized or unlawful access, use or disclosure of Client Personal Information or accidental loss, destruction or damage. Such written information security program shall not be amended where such amendments would reduce such protection of Client Personal Information.
3.8. Security Incidents. WTW will, without undue delay, notify the Client whenever WTW becomes aware that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Information Processed by WTW under this Protocol ("Security Incident"). WTW will comply with notification obligations as required by applicable law. After providing notice, WTW will investigate the Security Incident, take necessary steps to eliminate or contain the impact of the Security Incident and keep the Client advised of the status of the Security Incident and all related matters.
3.9. Notification of Access Requests or Complaints. WTW will, to the extent legally permitted, promptly notify Client of (i) any request by an individual to access their Personal Information or otherwise exercise their Data Subject Rights, at which time WTW will transfer the request to the Client; and (ii) any request or communication from any law enforcement authority or Privacy Commissioner relating to Client Personal Information processed pursuant to this Agreement. WTW will not comply substantively with any request for disclosure of Personal Information prior to receiving written authorization from Client, unless it is compelled to do so by law, court order or other legally enforceable mechanism.
3.10. Return or Disposal. Client may instruct WTW to delete or return the Personal Information after the termination or expiry of the Agreement and WTW will comply with such instruction and confirm to the Client that deletion has taken place (if applicable) unless otherwise required or authorized by applicable law, such as WTW’s compliance with professional standards requirements or defense of legal claims, or with respect to backup media and archived Personal Information for which selective deletion of files is not feasible, provided always that WTW will continue to comply with the relevant terms of this Protocol in respect of any retained Personal Information and will not Process the retained Personal Information for any other purpose.
3.11. Sub-processing. The Client understands and hereby expressly authorizes WTW to use sub-processors for the purposes of providing the Services under the Agreement, and as described in the Description of Processing, provided that WTW shall:
- remain responsible for the performance of its obligations under this Protocol,
- engage such sub-processors in accordance with Canadian or other Data Protection Laws (where required), and,
- ensure that it enters into written and legally binding agreements with such sub-processors which contain obligations that are at least as substantially similar as those set out in this Protocol and in the Agreement. WTW will provide a list of sub-processors upon request.
WTW may change or add sub-processors from time to time in accordance with this Section 3.11 and this Protocol.
3.12. Cross-Border Data Transfers. Client confirms that WTW may transfer Personal Information to its affiliates and sub-processors globally, including outside of the province of residence of the Data Subjects, including outside of Canada, on the condition that WTW ensures such transfers are made in compliance with applicable laws, including the implementation of appropriate safeguards to ensure an equivalent or adequate level of protection for Personal Information and appropriate contractual protections as mandated by applicable laws, the applicable supervisory authority or data protection regulator. For the avoidance of doubt, WTW confirms that where for the purposes of providing the Services it transfers Personal Information to its affiliates or sub-processors outside of the province of residence of the Data Subjects or outside of Canada, all such transfers are made subject to appropriate transfer mechanisms as appropriate. The Client acknowledges having notified and obtained consent from Data Subjects to the transfer of their Personal Information outside of their jurisdiction of residence where required by applicable Data Protection Laws.
Annex 1 – Description of Processing of Personal Information
Subject Matter, Nature and Purpose.
All processing activities (including the collection, use and disclosure of personal information) as are reasonably required to facilitate or support the provision of the Services described under the Agreement.
Duration of processing of Personal Information
WTW will process the Personal Information for as long as it provides the Services to the Client under the Agreement and will comply with the retention and destruction provisions of the Agreement (including the Protocol).
Categories of Data Subjects
The Data Subjects may include individuals named in any policy or scheme in respect of which WTW is engaged to provide its services and/or individuals that are beneficiaries of, or have made claims under, or are otherwise involved in, any such policy or scheme. Most commonly the Data Subjects will include: (1) past, existing, or prospective employees, contractors or other workers of the Client or members or beneficiaries of superannuation or retirement plans for which the Client is responsible ("Workers"), and/or their family members, representatives or others connected with Workers; (2) past, existing, or prospective clients of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them; and/or (3) past, existing or prospective complainants or claimants in connection with any insurance policy, and/or their family members, representatives or others connected with them.
Types of Personal Information
The Services under the Agreement may involve the processing of the following types of Personal Information:
- Names and contact information;
- Demographic information (such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, employment details, hobbies, family composition, and dependents);
- Health information including medical assessments, diagnostic test results, treatment plans, names of physicians and other health providers, medical accommodation information and disability status and payments received, alcohol and drug testing, assessment and/or treatment, dates of death and/or disability;
- Information about other insurance claims (i.e., workers’ compensation, auto insurance, creditor insurance) and legal representation, litigation, subrogation;
- Information concerning offsets based on claims settlements, advance payments, government benefits, or other insurance including workers’ compensation, auto, creditor disability, and/or CPP/QPP disability;
- Personal identification documentation and related information such as passport numbers, Social Insurance number, and employee identification numbers;
- Financial and payment data such as bank account numbers and transaction information;
- Information related to the provision of the services, such as policy information and claims information, including information relating to incidents giving rise to claims and related losses;
- Records of communications; and
- Human resources data, such as employment status, job title and role; benefits and compensation information; dependent/beneficiary information; educational, academic and professional qualifications information; emergency contact information; and performance management information.