This Data Processing Protocol ("Protocol") forms part of any agreement in place between Willis Towers Watson and Client which expressly refers to it (the “Agreement”).
Where this Protocol uses terms which are defined in the EU General Data Protection Regulation (Regulation (EU) 2016/679) or in the UK General Data Protection Regulation, as transposed into national law by operation of section 3 of the European Union (Withdrawal) Act 2018, and both as amended from time to time (each, the “Regulation”), then the definitions set out in the respective Regulation shall apply as appropriate. "Data Protection Laws" means all relevant laws and regulations pertaining to the security, confidentiality, protection, or privacy of Personal Data, as amended or re-enacted from time to time, including (to the extent applicable) the Regulation to the extent applicable to the services being provided under the Agreement. In the event of inconsistencies between the terms of this Protocol and the terms of the remainder of the Agreement, the terms of this Protocol shall prevail.
Client (“Data Controller”) represents and warrants that the Personal Data it has collected has been collected in accordance with applicable Data Protection Laws and that it has the full authority under applicable Data Protection Laws to provide such Personal Data to Willis Towers Watson ("Data Processor") for the purposes of the Agreement and the provision of the services, including as set out in the description of processing in Annex 1 (the “Description of Processing”). Client shall comply with its obligations as Data Controller, according to the Applicable Law.
With respect to Personal Data processed by the Data Processor on behalf of the Data Controller:
1.1. Compliance with Laws.
Both parties will comply with Data Protection Laws and shall not knowingly cause the other to breach Data Protection Laws.
1.2. Limitations on Use.
The Data Processor will Process Personal Data only for the purposes described in the Agreement including clause 1.5 below and the Description of Processing and only as further agreed mutually in writing from time to time between the Data Controller and Data Processor, unless required to do otherwise by applicable laws in which event the Data Processor will inform the Data Controller, unless that law prohibits the Data Processor from doing so on important grounds of public interest. The Data Processor shall inform the Data Controller if it believes that an instruction issued by the Data Controller infringes Data Protection Laws.
The Data Processor will:
i. hold Personal Data in confidence and require its personnel or any other person acting under its authority who Process Personal Data to be bound by duties of confidentiality, whether under a written agreement or an appropriate statutory obligation of confidentiality or otherwise, and protect all Personal Data in accordance with the requirements of this Protocol and Data Protection Laws; and
ii. only disclose Personal Data to, or allow access by, its personnel or any other person acting under its authority who Process Personal Data whose use of Personal Data is necessary for the performance of their tasks.
The Data Processor will:
i. Taking into account the nature of the Processing and insofar as is possible, implement technical and organizational measures to assist the Data Controller in fulfilling its obligation to respond to:
a. any requests from Data Subjects exercising their rights under any Data Protection Laws; and
b. any request or communication with a supervisory authority in relation to Personal Data;
ii. Taking into account the nature of the Processing and the information available to the Data Processor, assist the Data Controller in complying with the Data Controller's obligations to implement appropriate technical and organisational security measures, to notify Personal Data Breaches to supervisory authorities and to Data Subjects, to conduct data protection impact assessments and to consult with supervisory authorities in relation to data protection impact assessments where required.
iii. For the purpose of auditing Data Processor’s compliance with its obligations under this Protocol, Data Processor shall provide to Data Controller, on reasonable notice (at least 30 days): (a) access to information processing premises and records relevant to the services in scope; (b) reasonable assistance and cooperation of relevant staff; and (c) reasonable facilities at Data Processor premises. In addition, upon notice to Data Processor, Data Processor will provide reasonable assistance and support to Data Controller in the event of an investigation by any regulator, including a data protection regulator, or similar authority, if and to the extent that such investigation relates to Data Controller’s Personal Data processed by Data Processor. Any audits shall be at Data Controller’s sole cost and expense, including Data Processor staff time, and not performed more frequently than once every 12 months for Data Controller across all services being provided by Data Processor, unless associated with a confirmed breach impacting Data Controller Personal Data which qualifies as an exception to the annual limitation, provided that: (i) such audit shall occur at a mutually agreeable time and the duration of the audit is limited to a reasonable period; (ii) such audit shall not unreasonably interfere with Data Processor’s operations; (iii) any third party performing such audit on behalf of Data Controller shall execute a nondisclosure agreement with Data Processor in a form reasonably acceptable to Data Processor with respect to the confidential treatment and restricted use of Data Processor’s or its third party Data Processors’ confidential information and under no circumstances shall Data Processor be required to disclose information of other customers of Data Processor; (iv) Data Controller shall keep information disclosed to it in the course of the audit confidential from all third parties, except for any third party participating in the audit with Data Processor’s consent as described below; (v) the audit shall be performed subject to reasonable security restrictions of Data Processor; and (vi) Data Controller acknowledges that Data Processor may require that certain logs, policies, records or other materials be reviewed on-site due to their confidential nature and that the Data Controller auditor will not be permitted to copy them. Notwithstanding the foregoing, no third party may participate in an audit unless Data Controller obtains Data Processor’s prior consent (which shall not be unreasonably withheld) and provided that Data Controller understands that Data Processor will not consent to the participation of any third-party offering services or products that compete with Data Processor’s own.
1.5. Further Processing of Personal Data.
Data Processor will only Process the Data Controller’s Personal Data obtained in the course of providing the services: (i) to process or maintain Personal Data on behalf of the Data Controller and in compliance with the Agreement; (ii) to appoint a sub-processor where such sub-processor is required to provide the services which are the subject of the Agreement; (iii) for internal use to develop and improve WTW services; (iv) to detect data security incidents, or protect against fraudulent or illegal activity; (v) as necessary to comply with applicable laws; (vi) subject to the provisions of clause 1.8 below, to comply with a civil, criminal, or regulatory inquiry; and (vii) to exercise or defend legal claims. Data Controller acknowledges that the Data Processor may anonymise Personal Data for the purpose of aggregated reporting and improving the quality of the services provided to the Controller.
1.6. Security measures.
The Data Processor will maintain a written information security program that contains appropriate administrative, technical and physical safeguards to protect Personal Data against anticipated threats or hazards to its security, confidentiality or integrity and, having regard to the state of technological development, the cost of implementation and the nature, scope, context and purposes of Processing, the Data Processor will implement appropriate technical and organisational security and confidentiality measures (that may include the pseudonymisation and/or anonymisation of Personal Data where appropriate taking into account the nature of the Processing) necessary to protect against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage. Such written information security program shall not be amended where such amendments would reduce such protection of Personal Data.
1.7. Security Incident.
The Data Processor will without undue delay notify the Data Controller whenever the Data Processor becomes aware that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by the Data Processor in the context of this Protocol ("Security Incident"). After providing the notice, the Data Processor will investigate the Security Incident, take necessary steps to eliminate or contain the impact of the Security Incident and keep the Data Controller advised of the status of the Security Incident and all related matters.
1.8. Notification of access requests or complaints.
The Data Processor will, to the extent legally permitted, promptly notify the Data Controller of any request or communication from any law enforcement authority relating to Personal Data processed pursuant to this Agreement. Data Processor will not comply substantively with any request for disclosure of Personal Data prior to receiving written authorisation from the Data Controller, unless it is compelled to do so by law, court order or other legally enforceable mechanism.
1.9. Return or Disposal.
The Data Controller may instruct the Data Processor to delete or return the Personal Data after the termination or expiry of this Agreement and the Data Processor will comply with such instruction and confirm to the Data Controller that deletion has taken place (if applicable) unless otherwise required by applicable law, Data Processor's archival requirements (including professional standards requirements, defence of legal claims and substantiation of work products) or with respect to backup media and archived Personal Data for which selective deletion of files is not feasible, provided always that the Data Processor will continue to comply with the relevant terms of this Protocol in respect of any retained Personal Data and will not Process the retained Personal Data for any other purpose.
The Data Controller understands and hereby authorises the Data Processor to use sub-processors for the purposes of the Agreement and as described in the Description of Processing, provided that the Data Processor shall (i) remain responsible for the performance of its obligations under this Protocol, (ii) engage such sub-processors in accordance with Data Protection Laws (where required), and (iii) ensure that it enters into written and legally binding agreements with such sub-processors which contain obligations which are at least as restrictive as those set out in this Protocol. Data Processor shall be expressly authorised to use the sub-processors required to provide the services to the Data Controller and will provide a list of sub-processors upon request.
The Data Processor may change or add sub-processors from time to time upon giving reasonable notice in writing to the Data Controller so that the Data Controller may express an objection, on reasonable grounds and within 14 calendar days, to any such proposed change.
1.11. Data transfers.
The Data Controller confirms that the Data Processor may transfer Personal Data to its affiliates and sub-processors globally including outside of the UK and European Economic Area on the condition that the Data Processor ensures such transfers are made in compliance with applicable laws, including the implementation of appropriate safeguards to ensure an equivalent level of protection for Personal Data and appropriate contractual protections as mandated by applicable laws, the applicable supervisory authority or data protection regulator. For the avoidance of doubt, the Data Processor confirms that where for the purposes of providing the services it transfers Personal Data to its affiliates or sub-processors outside of the UK or the European Economic Area, all such transfers are made subject to the UK international data transfer agreement or addendum and/or the EU standard contractual clauses as appropriate.
Annex 1: Description of processing of personal data
1. Subject Matter, Nature and Purpose
All processing activities (including the collection, organization and analysis of personal data) as are reasonably required to facilitate or support the provision of the services described under the Agreement.
2. Duration of processing of personal data
The Data Processor will process the personal data for as long as it provides services to the Data Controller under the Agreement and will hold the personal data in archive after that date in line with the retention provisions of the Agreement (including the Protocol).
3. Categories of data subjects
The data subjects may include individuals named in any policy or scheme in respect of which the Data Processor is engaged to provide its services and/or individuals that are beneficiaries of, or have made claims under, or are otherwise involved in, any such policy or scheme. Most commonly the data subjects will include: (1) past, existing, or prospective employees, contractors or other workers of the Data Controller or members or beneficiaries of superannuation or retirement plans for which the Data Controller is responsible ("Workers"), and/or their family members, representatives or others connected with Workers; (2) past, existing, or prospective clients of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them; and/or (3) past, existing or prospective complainants or claimants in connection with any insurance policy, and/or their family members, representatives or others connected with them.
4. Types of personal data
The services under the Agreement may involve the processing of the following types of personal data:
- names and contact information;
- demographic information (such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, employment details, hobbies, family composition, and dependants);
- personal identification documentation and related information such as passport numbers and employee identification numbers;
- financial and payment data such as bank account numbers and transaction information;
- information related to the provision of the services, such as policy information and claims information, including information relating to incidents giving rise to claims and related losses;
- records of communications; and
- human resources data, such as job title and role; benefits and compensation information; dependant/beneficiary information; educational, academic and professional qualifications information; emergency contact information; and performance management information.
5. Types of special categories of data referred to in Article 9 of the Regulation
The personal data processed by the Data Processor may include the following special categories of personal data: personal characteristics and circumstances of sensitive nature such as racial or ethnic origin, sex life or sexual orientation, mental and physical health, genetic information, details of injuries, medication/treatment received, political or religious beliefs and labour union affiliation.