
Data Processing Protocol - Brazil

Version 1

This Data Processing Protocol (the “Protocol”) explains how Willis Towers Watson handles personal data on behalf of its clients, customers or licensees (“Client”).

The Protocol forms part of any agreement in place between Willis Towers Watson and Client which expressly refers to it (the “Agreement”). Where this Protocol uses terms which are defined in the Brazilian General Data Protection Regulation – the “LGPD” – Lei 13.709/18 - then the definitions set out in the LGPD shall apply.

Data processed under this Protocol shall be in accordance with the LGPD ensuring data subject rights. Willis Towers Watson has established a privacy and data protection culture underpinning its data processing activities, which promotes constantly improving transparency, clarity, and precision with our clients, employees, partners, and all data subjects.

Data Processing

With respect to personal data processed by Willis Towers Watson on Client’s behalf (see Annex 1), Willis Towers Watson will comply with the following requirements:

Limitations on Use. Willis Towers Watson will process personal data only to deliver the relevant service, as instructed in writing by Client from time to time, or as otherwise required by law.

Confidentiality. Willis Towers Watson will hold personal data in confidence and require Willis Towers Watson personnel who will process personal data to protect all personal data in accordance with the requirements of this Protocol.

Information Security Program. Willis Towers Watson will maintain a written information security program that contains appropriate administrative, technical and physical safeguards to protect personal data against anticipated threats or hazards to its security, confidentiality or integrity.

Assistance. Willis Towers Watson will:

  1. Taking into account the nature of the processing and in so far as is possible, implement technical and organizational measures to assist Client in fulfilling its obligation to respond to any requests from individuals exercising their rights under Article 18 of the LGPD;
  2. Taking into account the nature of the processing and the information available to Willis Towers Watson, assist Client in complying with Client's obligations to implement appropriate security measures, to notify personal data breaches to supervisory authorities and to individuals and to conduct data protection impact assessments and consult with supervisory authorities in relation to data protection impact assessments where required; and
  3. Make available to Client all information which Client reasonably requests to assist Client in demonstrating that the obligations set out in Chapter VI of the Regulation relating to the appointment of processors have been met and allow for and contribute to audits conducted by Client or another auditor nominated by Client.

Willis Towers Watson may charge a reasonable fee for all such assistance described above, save where assistance was required directly as a result of Willis Towers Watson's own acts or omissions, in which case such assistance will be at Willis Towers Watson's expense. Client shall provide Willis Towers Watson with thirty (30) days advance notice of any audit request; may not engage in an audit which would compromise confidentiality obligations to any other clients and customers of Willis Towers Watson and, if it wishes to nominate another auditor to undertake the audit, shall ensure that the auditor enters into a confidentiality agreement with Willis Towers Watson in such form as Willis Towers Watson shall reasonably require.

Security Incident. Willis Towers Watson will notify, within seventy-two (72) hours, the Client whenever Willis Towers Watson reasonably believes that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Willis Towers Watson in the context of this Protocol ("Security Incident"). After providing notice, Willis Towers Watson will investigate the Security Incident, take necessary steps to eliminate or contain the impact of the Security Incident and keep Client advised of the status of the Security Incident and all related matters.

Return or Disposal. Client may instruct Willis Towers Watson to delete or return personal data at the end of the period during which Willis Towers Watson will process such Client personal data, as specified in Annex 1.

Liability for Privacy and Data Protection. Article 42 of the LGPD sets out that the responsibility for any data breach or damage by a data processor is a joint liability of the data controller and data processor.

Willis Towers Watson and the Client, under joint and several liability, will both be accountable for any data processor violation of the LGPD.

Subprocessing

Client understands that Willis Towers Watson may use sub processors to provide the services under the Agreement. These will be listed and agreed in the specific Agreement Client has entered into with Willis Towers Watson if applicable. Willis Towers Watson shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such sub processors are at least as restrictive as this Protocol. Willis Towers Watson will ensure that all sub processors, including those located outside of Brazil, have adequate standards of data protection to enable, where necessary, appropriate international data transfers. Willis Towers Watson may change or add sub processors from time to time upon giving reasonable notice in writing to Client so that Client may express an objection, on reasonable grounds, to the proposed change.

Anonymized and Pseudonymised Data

Client acknowledges that the services include pseudonymisation and anonymization for the purpose of aggregate reporting and (trends) research, and agrees that Willis Towers Watson may use pseudonymised and anonymized data for its own business purposes, and Willis Towers Watson will comply with all applicable data protection laws in respect of such processing.

Data Transfers

Client confirms that Willis Towers Watson may transfer personal data to its affiliates and sub processors inside and outside Brazil for purposes of support and back-up. Willis Towers Watson has established safeguards to protect personal data transferred to countries outside Brazil, including appropriate contractual protections in line with at least the minimum requirements and standards pursuant to the LGPD. Personal data shall be treated confidentially as required and shall be transferred by technically secure means.

Consent

Willis Towers Watson and Client acknowledge that any data processing by Willis Towers Watson shall be under the legal basis of consent which must be a specific and highlighted clause in a contract between the data subject and the data controller that confirms the agreement of the data subject. The consent must be freely given, well-informed and unequivocal, and directly tied with a determined purpose for the data processing, which must also be indicated in such contractual clause. In addition, this clause must inform the data subject of their legal right to consent revocation.

Annex 1 - Description of processing of personal data

1. Subject Matter, Nature and Purpose

All processing activities (including the collection, organization and analysis of personal data) as are reasonably required to facilitate or support the provision of the services described under the Agreement.

2. Duration of processing of personal data

Willis Towers Watson will process the personal data for as long as it provides services to Client and will hold the personal data in archive after that date to the extent necessary for legitimate business purposes. Willis Towers Watson ensures that data retention, which must have a retention period established, is in compliance with its legitimate purpose.

3. Categories of individuals:

The data subjects may include individuals named in any policy or scheme in respect of which Willis Towers Watson is engaged to provide its services and/or individuals that are beneficiaries of, or have made claims under, or are otherwise involved in, any such policy or scheme. Most commonly the data subjects will include: (1) employees, contractors or other workers of the Client ("Workers") and/or their family members, representatives or others connected with Workers; (2) past, existing or prospective clients of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them; and/or (3) past, existing or prospective complainants or claimants in connection with any insurance policy, and/or their family members, representatives or others connected with them.

4. Types of personal data:

The services under the Agreement may involve the processing of the following types of personal data:

  • names and contact information;
  • demographic information (such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, employment details, hobbies, family composition, and dependents);
  • personal identification documentation and related information such as passport numbers and employee identification numbers;
  • financial and payment data such as bank account numbers and transaction information;
  • information related to the provision of the services, such as policy information and claims information, including information relating to incidents giving rise to claims and related losses;
  • records of communications and CCTV footage; and
  • human resources data, such as job title and role; benefits and compensation information; dependent/beneficiary information; educational, academic and professional qualifications information; emergency contact information; and performance management information.

5. Types of special categories of data referred to in Article 5º, II of the LGPD:

The sensitive personal data processed by Willis Towers Watson may include the following special categories of personal data:

  • racial or ethnic origin,
  • religious beliefs,
  • political beliefs,
  • labor union affiliation or religious, philosophical or political organization,
  • data of health or sex life, genetic or biometric information,

when related to a natural person. Willis Towers Watson shall process sensitive personal data with due care, in consideration of the higher risk that sensitive data represents to its data subjects, and the discriminatory potential of its use.
