Version 2
CCPA Data Service Provider Protocol
This Data Service Provider Protocol (the “Protocol”) explains how Willis Towers Watson handles personal data on behalf of its clients, customers or licensees (“Client”).
The Protocol forms part of any agreement in place between Willis Towers Watson and Client which expressly refers to it (the “Agreement”) and is entered into for the purpose of clarifying Willis Towers Watson’s role as a service provider. Where this Protocol uses terms that are defined in the California Consumer Privacy Act of 2018 (the “CCPA”), the definitions set out in the CCPA shall apply.
The parties agree that Client controls the purposes and means of processing the personal information, and Willis Towers Watson processes such personal information (the “Client Personal Information”) in accordance with Client’s instructions pursuant to the services provided by Willis Towers Watson to Client under the Agreement (the “Relevant Service”).
Client acknowledges its responsibility to comply with all notice, consent, opt out and privacy policy requirements, as well as for complying with all requests from individuals with respect to Client Personal Information (including but not limited to requests to know, to delete, and to opt out), as required by applicable law. Upon reasonable notice, Willis Towers Watson will provide reasonable assistance as necessary to permit Client to respond to such requests as required by applicable law. Willis Towers Watson may charge a reasonable fee for such assistance described above. Client may not request assistance which would compromise confidentiality obligations to any other clients and customers of Willis Towers Watson.
Willis Towers Watson is a global company and the data collected from Clients may be transferred to, accessed, processed or stored in jurisdictions outside of Clients’ home jurisdictions in which Willis Towers Watson or its service providers operate. Some of these jurisdictions may not provide equivalent levels of data protection as Clients’ home jurisdictions. Willis Towers Watson has established safeguards to protect personal information that is transferred to other countries, including appropriate contractual protections.
Data Processing
In addition to any currently existing data privacy language in the Agreement, with respect to Client Personal Information processed by Willis Towers Watson on Client’s behalf, Willis Towers Watson will comply with the following requirements:
Limitations on Use. Willis Towers Watson will only retain, use, or disclose Client Personal Information obtained in the course of providing the Relevant Services: (1) to process or maintain personal information on behalf of Client and in compliance with the Agreement and Willis Towers Watson’s policies; (2) to retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider; (3) for internal use to build or improve the quality of Willis Towers Watson’s services, provided that the use does not include building or modifying household or individual profiles to use in providing services to another business, or correcting or augmenting data acquired from another source; (4) to detect data security incidents, or protect against fraudulent or illegal activity; (5) as necessary to comply with applicable laws; (6) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (7) to cooperate with law enforcement agencies concerning conduct or activity that Willis Towers Watson reasonably and in good faith believes may violate federal, state, or local law; or (8) to exercise or defend legal claims.
No Sale. Willis Towers Watson confirms and certifies that with respect to Client Personal Information: (a) it will not transfer or disclose any Client Personal Information to a third party for monetary or other valuable consideration; and (b) it will not collect, use, retain or disclose any Client Personal Information except as necessary to perform the Relevant Services and as otherwise set forth herein, which for the avoidance of doubt prohibits Willis Towers Watson’s use of Client Personal Information for any other commercial purpose.
Deidentified Data and Aggregated Data. Client acknowledges and agrees that aggregated, anonymized, and deidentified data (together, “Deidentified Data”) is not personal information under applicable privacy laws. Willis Towers Watson may use Deidentified Data derived from Client Personal Information or the Relevant Services for its own purposes, including to provide the Relevant Services, improve its operations, and enhance the features, functions, and performance of the Relevant Services. All Deidentified Data shall be owned solely and exclusively by Willis Towers Watson.
