Version 1
This Data Processing Protocol ("Protocol") forms part of any agreement in place between Willis Towers Watson and Client which links to and/or expressly refers to it (the “Agreement”).
Where this Protocol uses terms which are defined in the Saudi Arabia Personal Data Protection Law issued pursuant to Royal Decree No. (M/19) dated 09/02/1443 AH corresponding to 16/09/2021 G and amended pursuant to Royal Decree No. (M/148) dated 05/09/1444 AH corresponding to 27/03/2023 G (the “PDPL”) and the Implementing Regulation of the Personal Data Protection Law (the “Regulation”), both as amended from time to time (collectively, the “Law”), then the definitions set out in the Law shall apply as appropriate.
In addition, "Data Protection Laws" means all relevant laws and regulations pertaining to the security, confidentiality, protection, or privacy of Personal Data, as amended or re-enacted from time to time, including (to the extent applicable) the Law to the extent it applies to the services being provided under the Agreement. In the event of inconsistencies between the terms of this Protocol and the terms of the remainder of the Agreement, the terms of this Protocol shall prevail.
Client (“Data Controller”) represents and warrants that the Personal Data it has collected has been collected in accordance with applicable Data Protection Laws and that it has the full authority under applicable Data Protection Laws to provide such Personal Data to Willis Towers Watson ("Data Processor") for the purposes of the Agreement and the provision of the services, including as set out in the description of processing in Annex 1 (the “Description of Processing”). Data Controller shall comply with its obligations according to Data Protection Laws.
1. Data Processing
With respect to Personal Data processed by the Data Processor on behalf of the Data Controller:
1.1. Compliance with Laws.
Both parties will comply with Data Protection Laws and shall not knowingly cause the other to breach Data Protection Laws.
1.2. Limitations on Use.
i. The Data Processor will Process Personal Data only for the purposes described in the Agreement including clause 1.5 below and the Description of Processing in Annex 1 and only as further agreed mutually in writing from time to time between the Data Controller and Data Processor, unless required to do otherwise by applicable laws in which event the Data Processor will inform the Data Controller, unless that law prohibits the Data Processor from doing so on important grounds of public interest. The Data Processor shall inform the Data Controller if it believes that an instruction issued by the Data Controller infringes Data Protection Laws.
ii. In case of any violation of the Data Controller’s instructions or any other applicable laws, the Data Processor shall notify the Data Controller in writing without undue delay.
iii. If the Data Processor violates the instructions issued by the Data Controller or the Agreement or this Protocol regarding the Processing of Personal Data, the Data Processor shall be considered as a Controller and held directly accountable for violating any provisions of the Data Protection Laws.
1.3. Additional Provisions.
i. The Data Processor will only disclose Personal Data to, or allow access by, its personnel or any other person acting under its authority whose use of Personal Data is necessary for the performance of their tasks.
ii. The Data Processor will employ technical and organizational measures to protect the Personal Data against a Personal Data Breach.
iii. The Data Processor shall delete the Personal Data at the end of the Agreement on request from the Data Controller.
iv. The Data Processor shall, if received, pass any correspondence exercising the rights of a Data Subject to the Data Controller.
1.4. Audit.
The Data Processor shall provide the Data Controller, on request, with all information reasonably required to enable the Data Controller to assess that the Data Processor (including any sub-processors acting on its behalf) complies with Data Protection Laws. The Data Controller, or any independent third party appointed by the Data Controller, may, at the Data Controller's sole cost and expense and on at least 30 days prior notice (unless a shorter timeframe is expressly required by Data Protection Laws), conduct an audit of the Data Processor's premises for this purpose.
1.5. Further Processing of Personal Data.
Data Processor will only Process the Data Controller’s Personal Data obtained in the course of providing the services: (i) to process or maintain Personal Data on behalf of the Data Controller and in compliance with the Agreement; (ii) to appoint a sub-processor where such sub-processor is required to provide the services which are the subject of the Agreement; (iii) for internal use to develop and improve WTW services; (iv) to detect data security incidents, or protect against fraudulent or illegal activity; (v) as necessary to comply with applicable laws; (vi) subject to the provisions of clause 1.6 below, to comply with a civil, criminal, or regulatory inquiry; and (vii) to exercise or defend legal claims. Data Controller acknowledges that the Data Processor may anonymise Personal Data for the purpose of aggregated reporting and improving the quality of the services provided to the Data Controller.
1.6. Mandatory disclosures.
Data Processor shall notify the Data Controller of any mandatory disclosure it is required to make to a third party under any applicable laws; however, neither party shall require a Personal Data Owner to give prior consent where the Data Processor is required to make such a disclosure of Personal Data.
1.7. Security Incident.
The Data Processor will without undue delay notify the Data Controller whenever the Data Processor becomes aware that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by the Data Processor in the context of this Protocol ("Security Incident").
1.8. Subprocessing.
The Data Controller understands and hereby authorises the Data Processor to use sub-processors for the purposes of the Agreement and as described in the Description of Processing, provided that the Data Processor shall (i) choose only sub-processors that provide the sufficient guarantees to comply with the Data Protection Laws and (ii) take sufficient guarantees to ensure that contracts with those sub-processors would not adversely impact the level of protection provided to the Personal Data being processed from that afforded to it under this Protocol.
The Data Processor may change or add sub-processors from time to time upon obtaining prior acceptance from the Data Controller, with the Data Controller being notified in writing so that the Data Controller may express an objection, on reasonable grounds and within 14 calendar days, to any such proposed change.
1.9. Data transfers.
The Data Controller confirms that the Data Processor may transfer Personal Data to its affiliates and sub-processors globally including outside of the Kingdom of Saudi Arabia on the condition that the Data Processor ensures such transfers are made in compliance with applicable laws, including the implementation of appropriate safeguards to ensure an equivalent level of protection for Personal Data and appropriate contractual protections as mandated by applicable laws, the applicable supervisory authority, or data protection regulator. For the avoidance of doubt, the Data Processor confirms that where for the purposes of providing the services it transfers Personal Data to its affiliates or sub-processors outside of the Kingdom, all such transfers are made subject to appropriate transfer mechanisms as appropriate.
1.10. Other Laws or Regulations.
The Data Processor is not subject to any laws or regulations in other countries which would impact on its ability to comply with the Law.
Annex 1: Description of processing of personal data
1. Subject Matter, Nature, and Purpose.
All processing activities (including the collection, organization and analysis of personal data) as are reasonably required to facilitate or support the provision of the services described under the Agreement.
2. Duration of processing of personal data.
The Data Processor will process the personal data for as long as it provides services to the Data Controller under the Agreement and will hold the personal data in archive after that date in line with the retention provisions of the Agreement (including the Protocol).
3. Categories of data subjects.
The data subjects may include individuals named in any policy or scheme in respect of which the Data Processor is engaged to provide its services and/or individuals that are beneficiaries of, or have made claims under, or are otherwise involved in, any such policy or scheme. Most commonly the data subjects will include: (1) past, existing, or prospective employees, contractors or other workers of the Data Controller or members or beneficiaries of superannuation or retirement plans for which the Data Controller is responsible ("Workers"), and/or their family members, representatives or others connected with Workers; (2) past, existing, or prospective clients of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them; and/or (3) past, existing or prospective complainants or claimants in connection with any insurance policy, and/or their family members, representatives or others connected with them.
4. Types of personal data.
The services under the Agreement may involve the processing of the following types of personal data:
- Names and contact information;
- Demographic information (such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications and affiliations, employment details, hobbies, family composition, and dependants);
- Personal identification documentation and related information such as passport numbers and employee identification numbers;
- Financial and payment data such as compensation information, bank account numbers, company financial data and transaction information, which may include Credit Data;
- Information related to the provision of the services, such as policy information and claims information, including information relating to incidents giving rise to claims and related losses;
- Records of communications; and
- Human resources data, such as job title and role; benefits and compensation information; dependent/beneficiary information; educational, academic and professional qualifications information; emergency contact information; travel and expenses information and performance management information.
5. Types of sensitive data as defined in the PDPL.
The personal data processed by the Data Processor may include the following sensitive data: reference to the individual's racial or ethnic origin, or religious, intellectual or political belief, or security or criminal convictions and offences data, identifying biometric data, Genetic Data, Health Data, and data that indicates that one or both parents of the individual are unknown.
6. Sub-Processors and other parties to whom the Personal Data will be disclosed.
See Sub-Processors identified in the Statement of Work or elsewhere in the Agreement.