
U.S. Service Provider and Processor Protocol


Version 4
Last updated: June 2023

This Data Service Provider Protocol (“Protocol”) forms part of a certain Agreement between Willis Towers Watson, its subsidiaries and/or affiliates (“WTW”) and Client and is entered into for the purpose of confirming WTW’s role as a service provider or processor under Applicable Privacy Law, meaning the state laws in the United States and their corresponding implementing regulations concerning the processing of Personal Information to the extent they apply to the Services, including but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq., the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Conn. Pub. Act No. 22-15, the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq., and the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (collectively “Applicable Privacy Law”). This Protocol hereby incorporates by reference any defined or capitalized terms not otherwise so defined herein as they are set forth in the underlying agreement between WTW and Client to which this Protocol applies (“Agreement”).

1. Applicability and Scope

1.1. This Protocol applies to the extent WTW acts as a “Service Provider” or “Processor” under Applicable Privacy Law.

1.2. In such cases, WTW processes Personal Information on behalf of clients for the purposes set forth in Section 3 below, pursuant to individual client agreements that specify the deliverables provided to each client (“Services”) by WTW.

1.3. To the extent the provision of the Services involves WTW collecting, receiving, or otherwise processing personal information on Client’s behalf, WTW and Client have agreed to the terms of this Protocol, which is incorporated into the Agreement and supplements any currently existing data privacy language. For the purposes of this Protocol, “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as well as other information defined as “personal information,” “personal data,” or a similar term under Applicable Privacy Law, only to the extent such information is covered by an Applicable Privacy Law.

1.4. If and to the extent there is a direct conflict between: (1) this Protocol, and (2) more restrictive terms agreed to by the Parties in the Agreement, the more restrictive terms in the Agreement shall control.

2. Roles of the Parties

2.1. The Parties agree that Client controls the purposes and means of processing the Personal Information, and WTW processes such Personal Information (the “Client Personal Information”) in accordance with the Client’s instructions pursuant to the Services.

2.2. Client acknowledges its responsibility to comply with any notice, consent, opt out, and privacy policy requirements, as well as to respond to consumer rights requests with respect to Client Personal Information (including but not limited to requests to know, to correct, to delete, and to opt out), as may be required by Applicable Privacy Law. Upon request, WTW will provide reasonable assistance as necessary to permit Client to respond to consumer requests as required by Applicable Privacy Law.

2.3. For brokerage services only, Client shall at all times: (i) provide Personal Information to WTW, including any sensitive or special categories of Personal Information, in compliance with applicable laws, with proper notice and consent for both Parties’ collection and use of such Personal Information as contemplated by WTW’s Brokerage Terms, Conditions & Disclosures, and in compliance with Client’s own privacy policies; and (ii) have procured all rights, licenses, and consents, and have all power and authority necessary, to provide Personal Information to WTW and/or to enable WTW’s collection of the same; (iii) take all reasonable steps to ensure it has the rights, in compliance with applicable laws, to disclose to WTW any and all Personal Information requested by WTW in conjunction with the provision of the coverages, products, and/or services to enable WTW’s processing of such Personal Information, and (iv) provide appropriate notice, in the form of a privacy policy or similar statement compliant with applicable laws, to individuals regarding its collection, processing, and disclosure of Personal Information, particularly with respect to its disclosure of Personal Information to WTW, including on any websites, applications, or similar online services or functions that involve the collection or use of Personal Information by or on behalf of WTW; and (v) obtain an individual’s consent, honor individual preferences, and/or confirm an individual’s directives in a manner compliant with applicable laws, with respect to the use of Personal Information, including with respect to any and all disclosures of Personal Information to WTW.

3. Processing of Personal Information

3.1. WTW will only retain, use, or disclose Client Personal Information obtained while providing the Services as set forth herein, including, to the extent not prohibited by the Agreement:

  1. For the specific Business Purposes set forth in the Agreement and Section 3.2 below that are required by Applicable Privacy Law,
  2. To retain and employ another service provider, processor, or contractor as a subcontractor, where the subcontractor meets the requirements for a service provider, processor, or contractor under Applicable Privacy Law,
  3. For internal use to build or improve the quality of WTW’s services provided to the Client, even if this Business Purpose is not specified in the Agreement, provided that WTW does not use the Personal Information to perform services on behalf of another person or entity,
  4. To prevent, detect, or investigate data security incidents, or protect against malicious, deceptive, fraudulent, or illegal activity, even if this Business Purpose is not specified in the Agreement,
  5. As necessary to comply with applicable laws, or comply with a court order or subpoena,
  6. To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities,
  7. To cooperate with law enforcement agencies concerning conduct or activity that WTW reasonably and in good faith believes may violate federal, state, or local law,
  8. To the extent required by law, cooperate with a government agency request for emergency access to Client Personal Information subject to Applicable Privacy Law, if WTW reasonably and in good faith believes that a natural person is at risk or danger of death or serious physical injury, provided that: (i) the request is approved by a high-ranking agency officer for emergency access to Client Personal Information, (ii) the request is based on the agency’s good faith determination that it has a lawful basis to access the information on a nonemergency basis, and (iii) the agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted,
  9. To exercise or defend legal claims,
  10. To collect, use, retain, sell, share, or disclose Client Personal Information that is deidentified or aggregate Client information. Client acknowledges and agrees that aggregated, anonymized, and/or deidentified data (meaning data that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual or household, including deidentified and aggregate Client Personal Information, as defined by Applicable Privacy Law, collectively “Deidentified Data”) is not Personal Information under Applicable Privacy Law. To the extent that WTW discloses Deidentified Data to Client, Client will comply with all requirements regarding Deidentified Data established by Applicable Privacy Law. To the extent Client discloses Deidentified Data to WTW, WTW will maintain and use the information in deidentified form and not attempt to reidentify the information, except that WTW may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of Applicable Privacy Law.

    WTW may create and use Deidentified Data derived from Client Personal Information and/or the Services for its own purposes, including to provide its services, improve its operations, and enhance the features, functions, and performance of its services. All analysis and output derived from Deidentified Data, including any normative benchmarks or databases that include Deidentified Data, shall be owned by WTW.

3.2. WTW may process the Client Personal Information for the Business Purposes indicated below, as that term is defined by Applicable Privacy Law, as set forth in Exhibit A to this Protocol which is available at this link.

3.3. To the extent required by Applicable Privacy Law, and in its role as a service provider, WTW is prohibited from, and confirms that it will not engage in:

  1. Providing Cross-Context Behavioral Advertising (meaning the targeting of advertising to an individual based on the Client Personal Information obtained from the individual’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the individual intentionally interacts),
  2. Selling, transferring, or disclosing any Client Personal Information to any third party for monetary or other valuable consideration,
  3. Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Client Personal Information by the business to a third party for Cross-Context Behavioral Advertising (as defined in 3.3(a)) whether or not for monetary or other valuable consideration, including transactions between a business and third-party for Cross-Context Behavioral Advertising for the benefit of a business in which no money is exchanged,
  4. Retaining, using, or disclosing Client Personal Information for any purpose other than the Business Purposes specified in section 3.2 above and in the Agreement or as otherwise permitted by Applicable Privacy Law,
  5. Retaining, using, or disclosing Client Personal Information for any commercial purpose other than the Business Purposes identified herein and in the Agreement, unless expressly permitted by Applicable Privacy Law, or
  6. Retaining, using, or disclosing Client Personal Information outside the direct business relationship with the Client unless expressly permitted by Applicable Privacy Law. This includes prohibiting WTW from combining or updating Client Personal Information with Personal Information it collects on its own or receives from another source, unless expressly permitted by Applicable Privacy Law.

4. Additional Requirements

4.1. If WTW receives a consumer rights request under Applicable Privacy Law directly from an individual, it will inform the individual that the request cannot be acted upon because the request has been sent to a service provider or processor and/or act in accordance with the Client’s instructions for responding to the request.

4.2. WTW shall comply with all requirements of Applicable Privacy Law in its role as a service provider or processor. This includes providing the same level of privacy protection as required of Client by Applicable Privacy Law, including cooperating with Client in responding to and complying with verified consumer requests under Applicable Privacy Law and subject to the terms herein, and implementing reasonable security procedures and practices appropriate to the nature of the Client Personal Information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.

4.3. Client may take reasonable and appropriate steps to ensure that WTW uses Client Personal Information in a manner consistent with the Client’s obligations under Applicable Privacy Law.

4.4. WTW will notify the Client if it determines that it can no longer meet its obligations under Applicable Privacy Law.

4.5. To the extent permitted by Applicable Privacy Law, Client may, upon notice, take reasonable and appropriate steps to stop and remediate WTW’s unauthorized use of Client Personal Information.

4.6. To the extent required by Applicable Privacy Law, WTW will enable the Client to comply with any consumer request made pursuant to Applicable Privacy Law or the Client will inform WTW of any consumer request made pursuant to Applicable Privacy Law the Client must comply with, and promptly provide the information necessary for WTW to comply with such a request. If responding to such request requires WTW to make any programming changes and/or create a custom data extract, such programming changes and/or custom data extract will be paid for by Client to the extent the programming changes and/or custom data extract are specific to only Client and are pre-approved by Client in writing; otherwise, all other such responses are without cost to Client.

4.7. To the extent that WTW subcontracts any Services provided to the Client, its agreement with any subcontractor shall comply with Applicable Privacy Law.

5. Effective Date

Client’s continued use of the Services and/or instructions to WTW related to the Services after receiving from WTW notice of the Protocol will constitute Client’s full acceptance of the terms of the Protocol.

6. Further Amendment

WTW reserves the right to revise this Protocol as required by Applicable Privacy Law and/or update the Services within the scope of this Protocol.
