Version 2
This Data Processing Protocol (the “Protocol”) explains how Willis Towers Watson handles personal data of persons who reside in Brazil on behalf of its clients, customers or licensees (“Client”).
The Protocol forms part of any agreement in place between Willis Towers Watson and Client which expressly refers or links to it (the “Agreement”). Where this Protocol uses terms which are defined in the Brazilian General Data Protection Law (Law No. 13.709 of 2018 as amended, including its implementing regulations - “LGPD”), the definitions set out in the LGPD shall apply.
Data processed under this Protocol shall be handled in accordance with the LGPD, ensuring data subject rights. Willis Towers Watson has established a privacy and data protection culture underpinning its data processing activities, which promotes constantly improving transparency, clarity, and precision with our clients, employees, partners, and all data subjects.
Data Processing
With respect to personal data processed by Willis Towers Watson on Client’s behalf (see Annex 1), Willis Towers Watson will comply with the following requirements:
Limitations on Use. Willis Towers Watson will process personal data only to deliver the relevant service, as instructed in writing by Client from time to time, or as otherwise required by law.
Confidentiality. Willis Towers Watson will hold personal data in confidence and require Willis Towers Watson personnel who will process personal data to protect all personal data in accordance with the requirements of this Protocol.
Information Security Program. Willis Towers Watson will maintain a written information security program that contains appropriate administrative, technical and physical safeguards to protect personal data against anticipated threats or hazards to its security, confidentiality or integrity.
Assistance. Willis Towers Watson will:
- Taking into account the nature of the processing and in so far as is possible, implement technical and organizational measures to assist Client in fulfilling its obligation to respond to any requests from individuals exercising their rights under Article 18 of the LGPD;
- Taking into account the nature of the processing and the information available to Willis Towers Watson, assist Client in complying with Client's obligations to implement appropriate security measures, to notify personal data breaches to supervisory authorities and to individuals and to conduct data protection impact assessments and consult with supervisory authorities in relation to data protection impact assessments where required; and
- Make available to Client all information which Client reasonably requests to assist Client in demonstrating that the obligations set out in Chapter VI of the Regulation relating to the appointment of processors have been met, and allow for and contribute to audits conducted by Client or another auditor nominated by Client.
Willis Towers Watson may charge a reasonable fee for all such assistance described above, save where assistance was required directly as a result of Willis Towers Watson's own acts or omissions, in which case such assistance will be at Willis Towers Watson's expense. Client shall provide Willis Towers Watson with thirty (30) days' advance notice of any audit request; may not engage in an audit which would compromise confidentiality obligations to any other clients and customers of Willis Towers Watson; and, if it wishes to nominate another auditor to undertake the audit, shall ensure that the auditor enters into a confidentiality agreement with Willis Towers Watson in such form as Willis Towers Watson shall reasonably require.
Security Incident. Willis Towers Watson will notify, within seventy-two (72) hours, the Client whenever Willis Towers Watson reasonably believes that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Willis Towers Watson in the context of this Protocol ("Security Incident"). After providing notice, Willis Towers Watson will investigate the Security Incident, take necessary steps to eliminate or contain the impact of the Security Incident and keep Client advised of the status of the Security Incident and all related matters.
Return or Disposal. Client may instruct Willis Towers Watson to delete or return personal data at the end of the period during which Willis Towers Watson will process such Client personal data, as specified in Annex 1.
Liability for Privacy and Data Protection. Article 42 of the LGPD sets out that the responsibility for any data breach or damage by a data processor is a joint liability of the data controller and data processor.
Willis Towers Watson and the Client, under joint and several liability, will both be accountable for any data processor violation of the LGPD.
Subprocessing
Client understands that Willis Towers Watson may use sub processors to provide the services under the Agreement. These will be listed and agreed in the specific Agreement Client has entered into with Willis Towers Watson, if applicable. Willis Towers Watson shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such sub processors are at least as restrictive as this Protocol. Willis Towers Watson will ensure that all sub processors, including those located outside of Brazil, have adequate standards of data protection to enable, where necessary, appropriate international data transfers. Willis Towers Watson may change or add sub processors from time to time upon giving reasonable notice in writing to Client so that Client may express an objection, on reasonable grounds, to the proposed change.
Anonymized and Pseudonymised Data
Client acknowledges that the services include pseudonymisation and anonymization for the purpose of aggregate reporting and (trends) research, and agrees that Willis Towers Watson may use pseudonymised and anonymized data for its own business purposes, and Willis Towers Watson will comply with all applicable data protection laws in respect of such processing.
Data Transfers
To the extent that the performance of the Agreement involves international transfer of personal data outside Brazil between the Parties, the Parties hereby enter into the Standard Contractual Clauses as approved by the National Data Protection Authority (“ANPD”), with effect from the commencement of the relevant data transfer, as set forth in Annex 2.
Client confirms that Willis Towers Watson may transfer personal data to its affiliates and sub processors inside and outside Brazil for purposes of support and back-up. Willis Towers Watson has established safeguards to protect personal data transferred to countries outside Brazil, including appropriate contractual protections in line with at least the minimum requirements and standards pursuant to the LGPD, such as the Brazilian standard contractual clauses approved by the Brazilian Data Protection Authority. Personal data shall be treated confidentially as required and shall be transferred by technically secure means.
Consent
Willis Towers Watson and Client acknowledge that any data processing by Willis Towers Watson shall be under the legal basis of consent, which must be a specific and highlighted clause in a contract between the data subject and the data controller that confirms the agreement of the data subject. The consent must be freely given, well-informed and unequivocal, and directly tied to a determined purpose for the data processing, which must also be indicated in such contractual clause. In addition, this clause must inform the data subject of their legal right to revoke consent.
Annex 1 - Description of processing of personal data
- Subject Matter, Nature and Purpose:
All processing activities (including the collection, organization and analysis of personal data) as are reasonably required to facilitate or support the provision of the services described under the Agreement.
- Duration of processing of personal data:
Willis Towers Watson will process the personal data for as long as it provides services to Client and will hold the personal data in archive after that date to the extent necessary for legitimate business purposes. Willis Towers Watson ensures that data retention, which must have a retention period established, is in compliance with its legitimate purpose.
- Categories of individuals:
The data subjects may include individuals named in any policy or scheme in respect of which Willis Towers Watson is engaged to provide its services and/or individuals that are beneficiaries of, or have made claims under, or are otherwise involved in, any such policy or scheme. Most commonly the data subjects will include: (1) employees, contractors or other workers of the Client ("Workers") and/or their family members, representatives or others connected with Workers; (2) past, existing or prospective clients of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them; and/or (3) past, existing or prospective complainants or claimants in connection with any insurance policy, and/or their family members, representatives or others connected with them.
- Types of personal data:
The services under the Agreement may involve the processing of the following types of personal data:
- names and contact information;
- demographic information (such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, employment details, hobbies, family composition, and dependents);
- personal identification documentation and related information such as passport numbers and employee identification numbers;
- financial and payment data such as bank account numbers and transaction information;
- information related to the provision of the services, such as policy information and claims information, including information relating to incidents giving rise to claims and related losses;
- records of communications and CCTV footage; and
- human resources data, such as job title and role; benefits and compensation information; dependent/beneficiary information; educational, academic and professional qualifications information; emergency contact information; and performance management information.
- Types of special categories of data referred to in Article 5º, II of the LGPD:
The sensitive personal data processed by Willis Towers Watson may include the following special categories of personal data:
- racial or ethnic origin,
- religious beliefs,
- political beliefs,
- affiliation with a labor union or a religious, philosophical or political organization,
- data concerning health or sex life, genetic or biometric information,
when related to a natural person. Willis Towers Watson shall process sensitive personal data with due care, in consideration of the higher risk that sensitive data represents to its data subjects, and the discriminatory potential of its use.
Annex 2 – Brazilian Standard Contractual Clauses
Section I - General Information
(Note: This Section contains Clauses that may be completed by the Parties solely in the indicated spaces and following the provided guidelines. The definitions of the terms used in these Clauses are detailed in CLAUSE 6).
CLAUSE 1. Identification of the Parties
1.1. By this contractual instrument, the Exporter and the Importer (hereinafter referred to as the "Parties"), identified in the Agreement, as the case may be, agree to adopt the Standard Contractual Clauses (hereinafter referred to as "Clauses") approved by the Brazilian Data Protection Authority (ANPD) to govern the International Data Transfer described in Clause 2, in accordance with the provisions of the Brazilian Legislation.
CLAUSE 2. Object
2.1. These Clauses apply to the International Data Transfers from the Exporter to the Importer, as described below.
Description of the international data transfer: As set forth in the Agreement and in Annex 1 to this Data Processing Protocol.
CLAUSE 3. Onward Transfers
(Note: Choose "OPTION A" or "OPTION B," as applicable.)
OPTION A. (…)
3.1. The Importer may not carry out Onward Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses, except in the cases provided for in item 18.3.
OPTION B. (X)
3.1. The Importer may carry out Onward Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses under the conditions described below and provided that the provisions of Clause 18 are observed.
Main purposes of the transfer: As set forth in the Agreement and in Annex 1 to this Data Processing Protocol.
CLAUSE 4. Responsibilities of the Parties
(Note: Choose "OPTION A" or "OPTION B," as applicable)
OPTION A. (X)
(Option A is exclusive for international data transfers where at least one of the Parties acts as a Controller)
4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, as the Controller, is responsible for fulfilling the following obligations provided for in these Clauses:
- Responsible for publishing the document provided for in Clause 14:
(X) Exporter ( ) Importer
- Responsible for responding to data subject requests referred to in Clause 15:
(X) Exporter ( ) Importer
- Responsible for notifying a data breach as provided for in Clause 16:
(X) Exporter ( ) Importer
(Note: In items "a," "b," and "c," mark the corresponding option to: (i) "Exporter" or "Importer," in cases where only one of the Parties acts as a Controller; or (ii) mark both options, in cases where both Parties act as Controllers. The responsibility for fulfilling the obligations referred to in Clauses 14 to 16 cannot be attributed to the Party acting as the Processor. If it is later verified that the Designated Party acts as a Processor, the provisions of item 4.2 shall apply.)
4.2. For the purposes of these Clauses, if it is later verified that the Designated Party under item 4.1 acts as a Processor, the Controller shall remain responsible:
- for fulfilling the obligations provided for in Clauses 14, 15, and 16 and other provisions established in the Brazilian Legislation, especially in the event of omission or non-compliance by the Designated Party;
- for complying with the determinations of the ANPD; and
- for ensuring the rights of the Data Subjects and for compensating for damages caused, in accordance with the provisions of Clause 17.
OPTION B. (…)
(Note: Option B is exclusive for international data transfers carried out between processors)
4.3. Considering that both Parties act exclusively as Processors in the scope of the International Data Transfer governed by these Clauses, the Exporter declares and guarantees that the transfer is carried out in accordance with the written instructions provided by the Third-Party Controller identified in the table below.
Identification information of the Third-Party Controller:
Name:
Qualification:
Main address:
Email address:
Contact for the Data Subject:
Information about Linked Contract:
(Note: Fill out as detailed as possible with the identification and contact information of the Third-Party Controller and, if applicable, of the Linked Contract).
4.4. The Exporter shall be jointly liable for any damages caused by the International Data Transfer if it is carried out in non-compliance with the obligations of the Brazilian Legislation or with the lawful instructions of the Third-Party Controller, in which case the Exporter shall be deemed a Controller, in accordance with the provisions of Clause 17.
4.5. If the Exporter is deemed a Controller as provided in item 4.2, it shall be responsible for fulfilling the obligations provided for in Clauses 14, 15, and 16.
4.6. Except as provided in items 4.2 and 4.3, the provisions of Clauses 14, 15, and 16 shall not apply to the Parties acting as Processors.
4.7. The Parties shall provide, in any case, all the information they have and that is necessary for the Third-Party Controller to comply with the determinations of the ANPD and to fulfill adequately the obligations provided in the Brazilian Legislation related to transparency, the exercise of data subjects' rights, and notification of data breaches to the ANPD.
4.8. The Parties shall promote mutual assistance to respond to Data Subjects' requests.
4.9. In case of receipt of a Data Subject request, the Party shall:
- respond to the request if it has the necessary information;
- inform the Data Subject of the contact channel provided by the Third-Party Controller; or
- forward the request to the Third-Party Controller as soon as possible to enable a response within the period provided in the Brazilian Legislation.
4.10. The Parties shall keep a record of data breaches involving personal data, in accordance with the Brazilian Legislation.
Section II - Mandatory Clauses
(Note: This Section contains Clauses that must be adopted in full and without any alteration in their text to ensure the validity of the international data transfer).
CLAUSE 5. Purpose
5.1. These Clauses serve as a mechanism to enable the secure international flow of personal data, establish minimum guarantees and valid conditions for the execution of International Data Transfers, and aim to ensure the adoption of appropriate safeguards for compliance with the principles, rights of the Data Subject, and the data protection regime provided in the Brazilian Legislation.
CLAUSE 6. Definitions
6.1. For the purposes of these Clauses, the definitions in Article 5 of Law No. 13,709 of August 14, 2018, and Article 3 of the International Data Transfer Regulation, without prejudice to other normative acts issued by the ANPD, shall apply. The Parties also agree to consider the terms and their respective meanings as set forth below:
- Processing agents: the controller and the processor;
- ANPD: Brazilian Data Protection Authority;
- Clauses: the Standard Contractual Clauses approved by the ANPD, which comprise Sections I, II, and III;
- Linked Agreement: a contractual instrument entered into between the Parties or, at least, between one of them and a third party, including a Third-Party Controller, that has a common purpose, linkage, or dependency relationship with the Agreement governing the International Data Transfer;
- Controller: a Party or third party ("Third-Party Controller") responsible for decisions regarding the processing of Personal Data;
- Personal Data: information related to an identified or identifiable natural person;
- Sensitive Personal Data: personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or a religious, philosophical, or political organization, data concerning health or sexual life, genetic or biometric data when linked to a natural person;
- Deletion: the exclusion of data or a set of data stored in a database, regardless of the method used;
- Exporter: a processing agent located in the Brazilian territory or in a foreign country that transfers personal data to an Importer;
- Importer: a processing agent located in a foreign country or an international organization that receives personal data transferred by an Exporter;
- Brazilian Legislation: the set of Brazilian constitutional, legal, and regulatory provisions regarding personal data protection, including Law No. 13,709 of August 14, 2018, the International Data Transfer Regulation, and other normative acts issued by the ANPD;
- Arbitration Law: Law No. 9,307 of September 23, 1996;
- Security Measures: technical and administrative measures adopted to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
- Research Body: a body or entity of the direct or indirect public administration or a non-profit private legal entity legally constituted under Brazilian law, headquartered in the country, whose institutional mission or social/statutory purpose includes basic or applied research of a historical, scientific, technological, or statistical nature;
- Processor: a Party or third party, including a Subcontractor, that processes Personal Data on behalf of the Controller;
- Designated Party: the Party designated, according to Clause 4 ("Option A"), to fulfill specific obligations as a Controller concerning transparency, Data Subject rights, and notification of data breaches;
- Parties: Exporter and Importer;
- Access Request: a mandatory request, by law, regulation, or public authority determination, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses;
- Subcontractor: a processing agent contracted by the Importer, with no link to the Exporter, to process Personal Data after an International Data Transfer;
- Third-Party Controller: the Controller of the Personal Data who provides written instructions for the execution, on its behalf, of the International Data Transfer between Processors governed by these Clauses, under Clause 4 ("Option B");
- Data Subject: the natural person to whom the Personal Data subject to the International Data Transfer governed by these Clauses relate;
- Transfer: a processing method through which one processing agent transmits, shares, or provides access to Personal Data to another processing agent;
- International Data Transfer: the transfer of Personal Data to a foreign country or an international organization of which the country is a member; and
- Onward Transfer: the International Data Transfer, originating from an Importer, and intended for a third party, including a Subcontractor, provided that it does not constitute an Access Request.
CLAUSE 7. Applicable Legislation and ANPD Supervision
7.1. The International Data Transfer subject to these Clauses is governed by the Brazilian Legislation and the supervision of the ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as the case may be, as well as to limit, suspend, or prohibit international transfers arising from these Clauses or a Linked Contract.
CLAUSE 8. Interpretation
8.1. Any application of these Clauses must be in accordance with the following terms:
- These Clauses must always be interpreted in the most favorable way to the Data Subject and in accordance with the provisions of the Brazilian Legislation;
- In case of doubt about the meaning of terms in these Clauses, the meaning that aligns most closely with the Brazilian Legislation applies;
- No item in these Clauses, including a Linked Agreement and the provisions of Section IV, may be interpreted with the aim of limiting or excluding the liability of any of the Parties concerning obligations provided for in the Brazilian Legislation; and
- The provisions of Sections I and II shall prevail in the event of a conflict of interpretation with additional Clauses and other provisions set forth in Sections III and IV of this instrument or in a Linked Agreement.
CLAUSE 9. Third-Party Accession
9.1. By mutual agreement between the Parties, a processing agent may accede to these Clauses as an Exporter or Importer by completing and signing a written document that will become part of this instrument.
9.2. The acceding party shall have the same rights and obligations as the original Parties, according to the assumed position of Exporter or Importer and the corresponding category of processing agent.
CLAUSE 10. General Obligations of the Parties
10.1. The Parties commit to adopting and, when necessary, demonstrating the adoption of effective measures capable of proving compliance with the provisions of these Clauses and the Brazilian Legislation and, in particular:
- Use Personal Data only for the specific purposes described in Clause 2, with no possibility of subsequent processing in a manner incompatible with those purposes, subject, in any case, to the limitations, guarantees, and safeguards provided in these Clauses;
- Ensure that the processing is compatible with the purposes informed to the Data Subject, according to the context of the processing;
- Limit the processing to the minimum necessary for achieving its purposes, including relevant, proportional, and not excessive data concerning the purposes of Personal Data processing;
- Ensure that Data Subjects, subject to the provisions of Clause 4:
  - have access to clear, precise, and easily accessible information about the processing and the respective processing agents, subject to commercial and industrial secrets;
  - have facilitated and free consultation on the form and duration of the processing, as well as on the entirety of their Personal Data; and
  - have accurate, clear, relevant, and up-to-date Personal Data, according to the necessity and for fulfilling the purpose of its processing;
- Adopt appropriate security measures compatible with the risks involved in the International Data Transfer governed by these Clauses;
- Not process Personal Data for discriminatory, unlawful, or abusive purposes;
- Ensure that any person acting under their authority, including subcontractors or any agent cooperating with them, free of charge or for a fee, processes data only in accordance with their instructions and the provisions of these Clauses; and
- Maintain a record of the Personal Data processing operations subject to the International Data Transfer governed by these Clauses and present the relevant documentation to the ANPD when requested.
CLAUSE 11. Sensitive Personal Data
11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply additional safeguards, including specific security measures proportional to the risks of the processing activity, the specific nature of the data, and the interests, rights, and guarantees to be protected, as described in Section III.
CLAUSE 12. Personal Data of Children and Adolescents
12.1. If the International Data Transfer involves Personal Data of children and adolescents, the Parties shall apply additional safeguards, including measures to ensure that the processing is carried out in their best interest, in accordance with the Brazilian Legislation and relevant international legal instruments.
CLAUSE 13. Legal Use of Data
13.1. The Exporter guarantees that the Personal Data were collected, processed, and transferred to the Importer in accordance with the Brazilian Legislation.
CLAUSE 14. Transparency
14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear, and precise language about the execution of the International Data Transfer, including at least the following information:
- The form, duration, and specific purpose of the international transfer;
- The destination country of the transferred data;
- The identification and contact details of the Designated Party;
- The data sharing by the Parties and the purpose;
- The responsibilities of the processing agents;
- The Data Subject's rights and the means for exercising them, including an easily accessible channel for addressing requests and the right to petition against the Controller before the ANPD; and
- Onward Transfers, including information about the recipients and the purpose of the transfer.
14.2. The document referred to in item 14.1 may be made available on a specific page or integrated in a prominent and easily accessible manner into the Privacy Policy or equivalent document.
14.3. Upon request, the Parties shall provide the Data Subject with a free copy of these Clauses, subject to commercial and industrial secrets.
14.4. All information made available to the data subjects, as required by these Clauses, must be written in Portuguese.
CLAUSE 15. Data Subject's Rights
15.1. The Data Subject has the right to obtain from the Designated Party, concerning the Personal Data subject to the International Data Transfer governed by these Clauses, at any time and upon request, under the terms of the Brazilian Legislation:
- Confirmation of the existence of processing;
- Access to the data;
- Correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data, in non-compliance with these Clauses and the provisions of the Brazilian Legislation;
- Data portability to another service or product provider, upon express request, in accordance with ANPD regulations, subject to commercial and industrial secrets;
- Deletion of Personal Data processed with the Data Subject's consent, except in the cases provided for in Clause 20;
- Information about the public and private entities with whom the Parties have shared data;
- Information about the possibility of not providing consent and the consequences of denial;
- Withdrawal of consent through a free and facilitated procedure, with ratification of the processing carried out before the deletion request;
- Review of decisions made solely based on automated processing of personal data that affect their interests, including decisions aimed at defining their personal, professional, consumption, and credit profile or aspects of their personality; and
- Information about the criteria and procedures used for automated decision-making, subject to commercial and industrial secrets.
15.2. The Data Subject may object to processing carried out based on one of the grounds for exemption from consent, in case of non-compliance with these Clauses or the Brazilian Legislation.
15.3. The deadline for responding to requests provided for in this Clause and in item 14.3 is 15 (fifteen) days from the date of the Data Subject's request, except in cases where a different deadline is established by specific ANPD regulations.
15.4. If the Data Subject's request is directed to the Party not designated as responsible for the obligations provided for in this Clause or item 14.3, the Party shall:
- Inform the Data Subject of the contact channel provided by the Designated Party; or
- Forward the request to the Designated Party as soon as possible, to enable a response within the period provided by the Brazilian Legislation.
15.5. The Parties shall immediately inform the Processing Agents with whom they have shared data of any correction, deletion, anonymization, or blocking of data, so that they may take the same action, except in cases where this communication is demonstrably impossible or involves disproportionate effort.
15.6. The Parties must promote mutual assistance to respond to Data Subjects' requests.
CLAUSE 16. Data Breach Notification
16.1. The Designated Party shall notify the ANPD and the Data Subjects, within 3 (three) business days, of the occurrence of a data breach that may result in significant risk or damage to the Data Subjects, in accordance with the provisions of the Brazilian Legislation.
16.2. The Importer must keep a record of data breaches in accordance with the Brazilian Legislation.
CLAUSE 17. Liability and Damage Compensation
17.1. The Party that, as a result of its Personal Data processing activities, causes material, moral, individual, or collective damage, in violation of the provisions of these Clauses and the Brazilian Legislation, is obliged to compensate for such damage.
17.2. The Data Subject may seek compensation for damages caused by any of the Parties due to the violation of these Clauses.
17.3. The defense of the Data Subjects' interests and rights may be sought in court, individually or collectively, in accordance with the relevant legislation regarding individual and collective legal protection instruments.
17.4. The Party acting as a Processor is jointly liable for damages caused by the processing when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, subject to the provisions of item 17.6.
17.5. The Controllers directly involved in the processing that caused damage to the Data Subject are jointly liable for such damages, subject to the provisions of item 17.6.
17.6. The Parties shall not be held liable if it is proven that:
- They did not perform the Personal Data processing attributed to them;
- Although they performed the Personal Data processing attributed to them, there was no violation of these Clauses or the Brazilian Legislation; or
- The damage resulted solely from the fault of the Data Subject or of a third party, provided that the third party is neither a recipient of an Onward Transfer nor a subcontractor of the Parties.
17.7. Under the Brazilian Legislation, the judge may reverse the burden of proof in favor of the Data Subject when the claim is credible, when the Data Subject lacks the means to produce evidence, or when the production of evidence by the Data Subject would be excessively burdensome.
17.8. Actions for damage compensation under this Clause may be brought collectively in court, in accordance with the relevant legislation.
17.9. The Party that compensates the Data Subject for damages has the right of recourse against the other responsible Parties, to the extent of their involvement in the harmful event.
CLAUSE 18. Safeguards for Onward Transfer
18.1. The Importer may only carry out Onward Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, under the conditions described in Clause 3.
18.2. In any case, the Importer:
- Must ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in Clause 2;
- Must ensure, through a written contractual instrument, that the safeguards provided in these Clauses are observed by the third-party recipient of the Onward Transfer; and
- For the purposes of these Clauses, and in relation to the transferred Personal Data, shall be considered responsible for any irregularities committed by the third-party recipient of the Onward Transfer.
18.3. Onward Transfers may also be carried out based on another valid mechanism of International Data Transfer provided for in the Brazilian Legislation, regardless of the authorization mentioned in Clause 3.
CLAUSE 19. Notification of Access Request
19.1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except where notification is prohibited by the law of the data processing country.
19.2. The Importer shall take the appropriate legal measures, including legal actions, to protect the Data Subjects' rights whenever there is a legal basis to challenge the legality of the Access Request and, if applicable, the prohibition to notify as referred to in item 19.1.
19.3. To comply with requests from the ANPD and the Exporter, the Importer must keep a record of Access Requests, including the date, requester, purpose of the request, type of data requested, number of requests received, and legal measures taken.
CLAUSE 20. Termination of Processing and Data Erasure
20.1. The Parties shall delete the Personal Data subject to the International Data Transfer governed by these Clauses after the processing ends, within the technical scope and limits of the activities, with retention permitted only for the following purposes:
- Compliance with a legal or regulatory obligation by the Controller;
- Research by a Research Body, ensuring, whenever possible, the anonymization of Personal Data;
- Transfer to a third party, provided that the requirements set out in these Clauses and in the Brazilian Legislation are respected; and
- Exclusive use by the Controller, preventing third-party access, and provided that the data is anonymized.
20.2. For the purposes of this Clause, the termination of processing shall occur when:
- The purpose provided in these Clauses is achieved;
- The Personal Data is no longer necessary or relevant to achieve the specific purpose provided in these Clauses;
- The processing period ends;
- A Data Subject's request is fulfilled; and
- Determined by the ANPD, in the event of a violation of these Clauses or the Brazilian Legislation.
CLAUSE 21. Data Processing Security
21.1. The Parties shall adopt security measures that ensure the protection of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its termination.
21.2. The Parties shall specify the Security Measures adopted in Section III, considering the nature of the processed information, the specific characteristics and purpose of the processing, the current state of technology, and the risks to Data Subjects' rights, especially in the case of sensitive personal data and data of children and adolescents.
21.3. The Parties shall make the necessary efforts to adopt periodic evaluation and review measures to maintain an adequate security level according to the characteristics of data processing.
CLAUSE 22. Legislation of the Data Recipient Country
22.1. The Importer declares that it has not identified any laws or administrative practices of the data recipient country that prevent it from fulfilling the obligations assumed in these Clauses.
22.2. If any normative change occurs that alters this situation, the Importer shall immediately notify the Exporter for an evaluation of the continuity of the contract.
CLAUSE 23. Non-Compliance with the Clauses by the Importer
23.1. In case of a breach of the safeguards and guarantees provided in these Clauses or the Importer's inability to comply with them, the Exporter shall be notified immediately, subject to the provisions of item 19.1.
23.2. Upon receipt of the notification referred to in item 23.1 or verification of non-compliance with these Clauses by the Importer, the Exporter shall take the necessary measures to ensure the protection of the Data Subjects' rights and the compliance of the International Data Transfer with the Brazilian Legislation and these Clauses, which may include:
- Suspension of the International Data Transfer;
- Requesting the return of the Personal Data, its transfer to a third party, or its deletion; and
- Termination of the contract.
CLAUSE 24. Choice of Forum and Jurisdiction
24.1. These Clauses are governed by Brazilian law, and any dispute between the Parties arising from these Clauses shall be resolved before the competent courts of Brazil, subject to the forum chosen by the Parties in Section IV, if applicable.
24.2. Data Subjects may file lawsuits against the Exporter or the Importer, at their discretion, before the competent courts in Brazil, including those located in their place of residence.
24.3. The Parties may mutually agree to use arbitration to resolve disputes arising from these Clauses, provided that it takes place in Brazil and in accordance with the provisions of the Arbitration Law.
Section III - Security Measures
The following Technical and Organizational Measures, including Technical and Organizational Measures to Ensure the Security of Data apply to the processing of Personal Data subject to this Protocol.
The following definitions apply in this Section III. In cases where a capitalized word or phrase is not defined in this Schedule but in the Agreement or DPA, the appropriate definitions from the Agreement or DPA are hereby incorporated by reference into this Schedule.
Definitions
Client Systems: shall mean the network and associated IT infrastructure (e.g., computers, firewalls, databases, switches, software, etc.) under the control of Client.
Personnel: shall mean employee(s) of WTW or its affiliates, and contractor(s) hired by WTW, who have direct access to Client Information.
Security Incident: shall mean (a) any circumstance that involves, or which is reasonably likely to involve, (i) the accidental or unauthorized access, use, disclosure, modification, storage, destruction or loss of Client Information in WTW’s possession, custody or control; (ii) interference with system operation in an information system or in any medium or format, including paper (hard) copy documents that subjects Client Information to risk of unauthorized access, use, disclosure, modification, storage, destruction or loss; or (b) any other similar incident as may be so defined by any applicable data privacy law and by any applicable laws and regulations (national, federal, state and provincial) relating to the protection of Client Information.
Standards: shall mean the Standards as described below.
WTW: shall mean Company.
- Written Information Security Program. WTW will maintain a comprehensive, written Information Security Program, aligned to industry standards (e.g., ISO 27001, ISF SoGP), that shall contain appropriate administrative, technical, and physical safeguards designed to protect the security, confidentiality or integrity of Confidential Information against threats such as unauthorized access, collection, use, copying, modification, disposal or disclosure, and unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage (the “Information Security Program”), and that meets or exceeds the requirements of these Standards and applicable law. The Information Security Program shall be reviewed and approved by WTW Group management and stakeholders. Such Information Security Program shall be available for the Client’s review upon request, onsite at WTW’s premises or via a secure web collaboration session;
- User Awareness and Education (Training). WTW will require WTW Personnel to comply with its Information Security Program. WTW will provide its Personnel with appropriate training regarding information security and protection of Client Information;
- Information Security Reviews. In addition to any risk assessments that WTW may conduct, it will conduct an annual review of its Information Security Program to assess the strength of controls and implement improvements where necessary. During the course of providing the Services, WTW may not alter or modify its Information Security Program in such a way that will materially and negatively impact WTW’s ability to protect the security, confidentiality, or integrity of Client Information. Upon Client’s request, no more than once per year, WTW shall share the most current version of WTW Group’s information security and data privacy programs overview document;
- Supply Chain and Third-Party Security. WTW shall have and maintain a third-party due diligence program and shall conduct a due-diligence risk assessment on each third party, consistent with its third-party governance process, to ensure that the third party has sufficient controls aligned with industry standard practices and substantially similar to those in this Agreement (to the extent applicable to the nature of the third party’s services) to protect Client Information and the confidential information of the suppliers engaged to provide services to WTW, or engaged by WTW to provide services to Client;
- Access Controls and Management. WTW will have a formal program for managing network accounts with elevated privileges, including periodic review of access;
- Remote Access. WTW will use two-factor authentication for remote access to its network;
- Physical Access Controls. WTW’s facilities that store Client Information will have physical access protections in place that meet or exceed industry standards for security. This includes access restrictions at all times, including restricting access to sensitive areas to approved Personnel;
- Secure IT Configuration. WTW shall apply its Information Security Program at each location from which WTW provides the Services. In addition, it shall ensure that its Information Security Program covers networks, systems, servers, workstations, mobile phones, and other devices and media that process, host or store Client Information. WTW’s Information Security Program includes industry standard password protection, firewalls, and anti-virus protections to protect Client Information from anticipated threats or hazards and protect against unauthorized access to or use of Client Information;
- Password and Authentication Controls. WTW will have and maintain a formal policy with respect to password and authentication controls for its network. Technical controls shall be in place to force network password changes for Personnel at least every 90 days, and passwords shall have complexity requirements enforced;
- Intrusion Detection/Prevention System. WTW shall have solutions in place that employ network-based detection sensors. All points of connectivity from the internet and extranet into the WTW network are monitored with an intrusion prevention system;
- Information Leakage and Protection. WTW shall have in place and enforce data loss prevention (DLP) through technical controls to monitor and block the egress of unencrypted PII and other sensitive data, such as social security numbers, national insurance numbers, and client sensitive data, via WTW’s email system and other egress channels;
- Encryption. WTW shall encrypt, using industry standard encryption tools, all Personal Information and Sensitive Personal Information that WTW transmits wirelessly or across public networks, and all such information that WTW stores. WTW shall safeguard the security and confidentiality of all encryption keys;
- Portable Media. WTW shall have technical controls in place that block Personnel with access to Client Information from writing Client Sensitive Personal Information to unencrypted USB portable devices. Technical controls shall be utilized where required to prevent third parties engaged by WTW from downloading this information from the WTW network to the third-party network unless approved;
- Patching and Vulnerability Management. WTW shall store Client Information on systems that follow a responsible vulnerability and security patch management plan and that include up-to-date virus protection software. Regular vulnerability scanning of core WTW systems will be conducted, and any vulnerabilities detected will be remediated in a timely manner in accordance with WTW’s policy. Such patch management plan must patch all systems consistent with WTW’s patch management program;
- Penetration Testing. WTW shall engage an independent third party to perform a global external network penetration test on an annual basis. WTW shall provide an executive summary of the penetration testing report for Client’s review at Client’s request, subject to execution of a non-disclosure agreement if one is not already in place between Client and WTW;
- Security Monitoring. WTW shall utilize a Security Information and Event Management (SIEM) tool that receives Active Directory, Network IPS and VPN Remote Access logs. WTW will retain these logs for a period of thirteen (13) months. WTW shall have a web proxy in place to secure external web communications and prevent access to sites such as those hosting malware or phishing URLs. WTW shall employ email defenses for both inbound and outbound email that block emails with malicious content from reaching WTW Personnel;
- Audit. For the purpose of auditing WTW’s compliance with its obligations, including these Standards, WTW shall provide to Client, on reasonable notice (at least 30 days): (a) escorted access to information processing premises and records relevant to the services in scope; (b) reasonable assistance and cooperation of relevant staff; and (c) reasonable facilities at WTW premises. In addition, upon notice to WTW, it will provide reasonable assistance and support to Client in the event of an investigation by any regulator, including a data protection regulator, or similar authority, if and to the extent that such investigation relates to Personal Information handled by WTW on behalf of Client. Any audits shall be at Client’s sole cost and expense, including WTW staff time, and shall not be performed more frequently than once every 12 months for Client across all services being provided by WTW, unless associated with a confirmed breach impacting Client Information, which qualifies as an exception to the annual limitation, provided that: (i) such audit shall occur at a mutually agreeable time and the duration of the audit is limited to a reasonable period; (ii) such audit shall not unreasonably interfere with WTW’s operations; (iii) any third party performing such audit on behalf of Client shall execute a nondisclosure agreement with WTW in a form reasonably acceptable to WTW with respect to the confidential treatment and restricted use of WTW’s or its third party providers’ confidential information, and under no circumstances shall WTW be required to disclose information of other customers of WTW; (iv) Client shall keep information disclosed to it in the course of the audit confidential from all third parties, except for any third party participating in the audit with WTW’s consent as described below; (v) the audit shall be performed subject to reasonable security restrictions of WTW; and (vi) Client acknowledges that WTW may require that certain logs, policies, records or other materials be reviewed on-site due to their confidential nature and that the Client auditor will not be permitted to copy them. Notwithstanding the foregoing, no third party may participate in an audit unless Client obtains WTW’s prior consent (which shall not be unreasonably withheld), and provided that Client understands that WTW will not consent to the participation of any third party offering services or products that compete with WTW’s own;
- Incident Response Plan and Notification. WTW shall have a documented incident response plan which includes procedures to effectively identify and investigate Security Incidents. The WTW Client Relationship Director (or designee) shall notify Client in writing promptly (and in any event within 72 hours) of a confirmed Security Breach, except where such a notification is prohibited by applicable law. Unless required by law or requested by Client, WTW will not notify any affected individual or any third party of a Security Breach, except law enforcement authorities and third parties engaged by WTW to assist with the investigation or remediation of any such Security Breach;
- Incident Response Investigation. In the event of any Security Incident, WTW shall promptly investigate the Security Incident, and take all necessary steps to eliminate or contain the exposure of Client Information. WTW will develop a plan to remediate and, to the extent possible, reduce the likelihood of a recurrence of the Security Incident;
- Change Control. WTW has a documented change control process in place for changes to its IT infrastructure, operated in accordance with its Information Security Program; and
- Business Continuity and Disaster Recovery. WTW shall have documented Business Continuity and Disaster Recovery plans designed to minimize disruption of services, with tests conducted at least annually.