Skip to main content
What can we help you find?
main content, press tab to continue

Risk intelligence central privacy notice

1. Scope

This privacy notice describes how we handle personal information collected through your use of Risk Intelligence Central websites (“Websites”). Risk Intelligence Central is provided on behalf of affiliates worldwide within the WTW Group which form part of the global Corporate Risk and Broking (“CRB”) business (hereafter referred to as “We” or “WTW”). If you would like information about WTW’s privacy practices with respect to its other websites, products, and services, please review our Global Website Privacy Notice. This Privacy Notice only applies to all Risk Intelligence Central applications excluding Country Information, which is subject to the Privacy Notice of the provider.

Risk Intelligence Central is a web-based platform that provides data and information and allows clients to manage their documents. Risk Intelligence Central is only provided to clients who receive CRB services from WTW or other third parties that help WTW to provide these services. WTW ensures that it has a legal basis for processing your personal information, for example if it is necessary for the Online Terms of Use, or for the legitimate business interests of WTW in providing CRB services and Risk Intelligence Central. Risk Intelligence Central can be accessed via a web portal called One Place.

Our collection, use, disclosure and processing of personal information about individuals will vary depending upon the circumstances. This privacy notice is intended to describe our overall privacy and data protection practices. In some cases, different or additional notices about our data collection and processing practices may be provided and apply to our processing of certain personal information.

2. Controller and responsible WTW group entities

Where we act in our capacity as a “controller,” “business,” “responsible party” or “orgnaisation,” as applicable, with respect to personal information, for the purposes of the European Union’s General Data Protection Regulation (“GDPR”) and other relevant applicable laws, including but not limited to the California Consumer Privacy Act (“CCPA”), the Cayman Islands Data Protection Law (“DPL”), and the Personal Information Protection Act 2016 of Bermuda (“PIPA”), this privacy notice will apply, as explained below.  Furthermore, WTW plc is the controller unless the processing is controlled by another WTW entity.

3. Cross-border transfers

Your personal information may be stored and processed in any country where we or our Affiliates operate, have facilities, or engage third party service providers, for example but not limited to the including Bermuda, the European Union, India, Quebec, the United States. By using the Websites, you understand that we will transfer personal information to countries outside of your country of residence which may have data protection rules that are different from those of your country. We have established safeguards to protect personal information that is transferred to other countries to ensure that such information is accorded a level of protection at least comparable to how we handle such information in your country.

Please see the Privacy Officer, Contact & Comments section below for details on how you can contact us to get further information on the third countries to which personal information will be transferred and further information relating to the safeguards we have in place in relation to international transfers of data.

4. Personal information collected

We collect personal information directly from individuals, automatically related to the use of the Services and engagement with our marketing and Websites, and in some cases, from third parties (such as social networks, platform providers, payment processors, and operators of certain third-party services that we use). Sometimes we collect information about you in conjunction with our partners or other companies that we work with to provide you our Services, or they provide us with your personal information consistent with your direction to do so. Generally, we collect your personal information on a voluntary basis. However, if you decline to provide certain personal information that is marked mandatory, you may not be able to access certain services, or we may be unable to fully respond to your inquiry.

The personal information that we collect and process will vary depending on the circumstances. For example, the personal information we collect through our Websites includes:

  • Employer or company name
  • Full name and title
  • Business address or place of work
  • Job title/role
  • Preferred language
  • Contact details including email, telephone numbers,
  • Your contact preferences such as contact restrictions and preferred method of contact,
  • Any other information, including that which could be considered to be sensitive personal information as defined by applicable privacy laws.

We may also collect additional personal information in providing our Services, operating our business, and interacting with individuals in the course of our business. This may at times include “sensitive" information (otherwise known as “special categories of personal information” under the GDPR, “sensitive personal data” under the DPL or “sensitive personal information” under the CCPA and PIPA, and other applicable data privacy laws). This information may include health records or criminal conviction data; physical or mental health or condition; medical data; commission, or alleged commission of an offense; any proceedings for an offense committed, or alleged to have been committed. Where required by law, we will provide specific data processing information to you regarding how we may process that data and what rights you may have regarding such processing.

For South Africa only:

  • when you interact with us because you are receiving our Services, we will collect your name, postal address, email address, phone number, occupation and other contact information and the company name and address and phone number of the company you work for so that we can do business with you.
  • in respect of our corporate risk and broking services and our actuarial valuation services, where we are a responsible party, we refer you to our separate privacy notices governing the provision of these Services available on our website: Privacy Notice for Clients (insurance and reinsurance services) and Valuation Services Privacy Notice (Valuator and actuarial valuation services).
  • when you interact with us through our Websites, we collect personal information you may voluntarily submit to us by completing any form on our Websites and information about your usage of our Websites.

Once you are accessing and using Risk Intelligence Central, we may also collect:

  • Information regarding your dealing with us,
  • Any interest you have in relation to our services or practice areas,
  • Any information you voluntarily submit to us by completing any form withing One Place or Risk Intelligence Central, and
  • Details of your use of Risk Intelligence Central such as technical information about the session, dates and duration of access.

Categories of Sources of Personal Information

We may collect your personal information from the following sources:

  • from you, either directly (i.e., through information you submit to us, including via forms that you may complete and submit through our Website or applications) or indirectly (i.e., by observing your actions on our Websites)
  • from the content of messages, documents and surveys that you may complete on our Websites;
  • from ‘cookies’ and other similar tools deployed on parts of our Websites that can only be accessed by authenticated users who are logged into the Website (for further information regarding cookies used on our Websites, please see the section titled Cookies and Tracking below)
  • from our clients, in connection with us providing professional services to them, and related service providers.

Categories of Personal Information Collected

While the personal information we collect varies depending upon the nature of the services provided or used and our interactions with individuals, we may collect the following categories of personal information (subject to applicable legal requirements and restrictions):

  • Name, contact information and other identifiers: identifiers such as a real name, alias, address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  • Customer records: paper and electronic customer records containing personal information, such as name, signature, physical characteristics or description, address, telephone number, education, current employment, employment history, social security number, tax ID, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial or payment information, medical information, or health insurance information.
  • Protected classifications: characteristics of protected classifications under California or federal law such as race, color, sex, age, religion, national origin, disability, citizenship status, and genetic information.
  • Commercial Information: including records of real property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.
  • Usage data: internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
  • Geolocation data: precise geographic location information about a particular individual or device.
  • Audio, video and other electronic data: audio, electronic, visual, thermal, olfactory, or similar information such as CCTV footage, photographs, and call recordings.
  • Employment history: professional or employment-related information.
  • Education information: education information and records.
  • Profiles and inferences: Inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.

Aggregate and de-identified information. We may de-identify personal information and create anonymous and aggregated data sets and reports in order to assess, improve, and develop our business, products, and services, prepare benchmarking reports, and for other research, marketing and analytics purposes. When we de-identify personal information, we have implemented reasonable measures as required by law to ensure that the de-identified data cannot be associated with any individual or client. We will only maintain and use such data in a de-identified manner and do not attempt to re-identify the data, except as permitted by law.

5. Purposes and legal basis for processing personal information

Certain laws, including the GDPR, require that we inform you of the legal bases for our processing of your personal information. Pursuant to the GDPR (and other relevant laws), we use or process personal information for the following legal bases:

  • Performance of contract: to perform contracts that you may have with us (for example if you use our Services).
  • Compliance with laws: to comply with our legal obligations.
  • Our legitimate business interests: in furtherance of our legitimate business interests including:
    • to facilitate your participation in interactive features you may choose to use on our Websites and personalize your experience on the Websites by presenting content tailored to you;
    • to correspond with you, notify you of events or changes to our services, or otherwise respond to your queries and requests for information, which may include marketing to you;
    • for the purpose of providing professional services to you or your company (such services will be subject to additional terms and conditions of use, including privacy);
    • for data analysis, audits, fraud monitoring and prevention, and developing new products, enhancing, improving or modifying our Websites, identifying usage trends, determining the effectiveness of our promotional campaigns and operating and expanding our business activities; and
    • to protect and defend our legal rights and interests and those of third parties.
  • With your consent: Where applicable laws require that we obtain your consent to collect and process your personal information, we will obtain your consent accordingly. When we obtain your consent, the GDPR (where it applies) and other applicable laws give you the right to withdraw your consent. You can do this at any time by contacting us using the details at the end of this privacy notice. In some jurisdictions, your use of the Websites may be taken as implied consent to the collection and processing of personal information as outlined in this privacy notice.
  • Publicly available information: personal information that is publicly available information will be used for a purpose that is consistent with the purpose of its public availability.
  • Medical or Emergency purposes: The processing is necessary for medical purposes (applicable to Cayman Islands DPL) or is necessary to respond to an emergency that threatens the life, health or security of an individual or the public (applicable to PIPA).
  • Your reasonable expectations (other than for sensitive personal information): where a reasonable person would view that you would not reasonably request that we cease or not use your personal information and that our use does not prejudice your rights (applicable to PIPA).

Purposes of using personal information. While the purposes for which we may process personal information will vary depending upon the circumstances, in general we may use personal information about you for our legitimate business interests, including the following:

  • Providing support and services: including to provide our services, operate our Websites, applications and online services; to communicate with you about your access to and use of our services; to respond to your inquiries; to provide troubleshooting, fulfill your orders and requests, process your payments and provide technical support; and for other customer service and support purposes.
  • Analyzing and improving our business: including to better understand how users access and use our services and Websites, to evaluate and improve our Websites, services and business operations, and to develop new features, offerings and services; to conduct surveys and other evaluations (such as customer satisfaction surveys); and for other research and analytical purposes.
  • Personalizing content and experiences: including to tailor content we send or display on our websites and other services; to offer location customization and personalized help and instructions; and to otherwise personalize your experiences.
  • Advertising, marketing and promotional purposes: including to reach you with more relevant ads and to evaluate, measure and improve the effectiveness of our ad campaigns; to send you newsletters, offers or other information we think may interest you; to contact you about our services or information we think may interest you; and to administer promotions and contests.
  • Securing and protecting our business: including to protect and secure our business operations, assets, services, network and information and technology resources; to investigate, prevent, detect and take action regarding fraud, unauthorized access, situations involving potential threats to the rights or safety of any person or third party, or other unauthorized activities or misconduct.
  • Defending our legal rights: including to manage and respond to actual and potential legal disputes and claims, and to otherwise establish, defend or protect our rights or interests, including in the context of anticipated or actual litigation with third parties.
  • Auditing, reporting, corporate governance, and internal operations: including relating to financial, tax and accounting audits; audits and assessments of our operations, privacy, security and financial controls, risk, and compliance with legal obligations; our general business, accounting, record keeping and legal functions; and related to any actual or contemplated merger, acquisition, asset sale or transfer, financing, bankruptcy or restructuring of all or part of our business.
  • Complying with legal obligations: including to comply with the law, our legal obligations and legal process, such warrants, subpoenas, court orders, and regulatory or law enforcement requests.

Aggregate and de-identified information. We may de-identify personal information and create anonymous and aggregated data sets and reports in order to assess, improve, and develop our business, products, and services, prepare benchmarking reports, and for other research, marketing and analytics purposes. When we de-identify personal information, we have implemented reasonable measures as required by law to ensure that the de-identified data cannot be associated with any individual or client. We will only maintain and use such data in a de-identified manner and do not attempt to re-identify the data, except as permitted by law.

6. Disclosure of personal information

We disclose personal information we process as set forth in this section.

  1. Purposes for Which We Disclose Personal Information

    2. WTW may disclose your personal information to any WTW group company for the uses and purposes set out above, including for marketing the products and services offered by other businesses across the WTW group (subject to applicable laws). We may also disclose your personal information for the following reasons:

    • to third party service providers, which may include recipients outside your country of residence, such as entities providing customer service, email delivery, auditing, hosting and supporting our Website and providing other services to WTW including the provision of applications, software and externally hosted platforms which may form part of the Websites;
    • if we are obliged to disclose your personal information under applicable law or regulation, which may include laws outside your country of residence;
    • in order to enforce or apply our Website terms of use, or to protect the rights, privacy, safety or property of WTW, our clients, Affiliates or other third parties including third party service providers;
    • to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence;
    • in connection with the planning, due diligence and implementation of commercial transactions, including any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings) - in such cases, your personal information will be transferred to the acquiring entity.

    We request those external service providers to implement and apply security safeguards to ensure the privacy and security of your personal information. These third parties have agreed to confidentiality restrictions and to use of any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us.

    Aggregate and de-identified information. We may share aggregate or de-identified information, which does not identify and is not linked or linkable to a particular individual, with third parties for research, marketing, analytics and other purposes.

  2. Categories of Personal Information Disclosed

Certain privacy laws (such as the CCPA) require that we disclose the categories of personal information that we have disclosed for a business purpose as well as the categories that we have “sold” (as that term is defined under the CCPA or other applicable laws). Please review the descriptions of the categories of personal information under the Personal Information Collected section above, for further descriptions of each category of personal information.

In general, we may disclose the following categories of personal information in support of our business purposes identified above:

  • Name, contact information, and other identifiers
  • Usage Data
  • Electronic network activity information, including information regarding your interaction with our Websites

We have disclosed the categories of personal information listed above to the following categories of third parties in the preceding twelve months:

  • Service providers and marketing partners

Categories of personal information sold or shared. While we do not disclose personal information to third parties in exchange for monetary compensation from such third parties, we do disclose or make available personal information to third parties, in order to receive certain services or benefits from them, such as when we allow third party tags to collect information such as browsing history on our Websites, in order to improve and measure our ad campaigns. The CCPA defines a “sale” as disclosing or making available to a third-party personal information in exchange for monetary or other valuable consideration, and it defines “share” in pertinent part as disclosing personal information to a third party for cross-context behavioral advertising. Pursuant to the CCPA, the categories of personal information that we may “sell,” and/or “share” as defined under the CCPA includes:

  • Identifiers
  • Usage data
  • Electronic network activity information, including information regarding your interaction with our Websites

7. Cookies and tracking

Our Websites use first party and third-party cookies, pixel tags, plugins and other tools to gather device, usage and browsing information when users visit our Websites or use our online services. For instance, when you visit our Websites, our server may record your IP address (and associated location information) and other information such as the type of your internet browser, your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, language, and the pages you view and links you click on our Websites, as well as date and time stamps associated with your activities on our Websites.

We use the information for security purposes, to facilitate navigation, to personalize and improve your experience while using the Websites, to improve and measure our advertising campaigns and to better reach users with relevant advertising both on our Websites and on third party websites. We also gather statistical information about use of the Websites in order to continually improve their design and functionality, understand how they are used and assist us with resolving questions regarding them. Our Cookie Notice contains further information about our use of cookies. You can manage how your preferences regarding cookies using our cookie preference manager.

Cookies. Cookies are small text files that a website transfers to your computer or other device to store and sometimes collect information about your usage of websites, such as time spent on the websites, pages visited, language preferences, and other anonymous traffic data. You can control the way in which cookies are used by altering your browser settings. You may refuse to accept cookies by activating the setting on your browser that allows you to reject cookies. However, if you select such a setting, this may affect the functioning of our Websites. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you access or log on to our Websites. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org. For more information about the use of cookies on our Websites and your choices regarding the placement of cookies, please see our Cookie Notice.

Pixel tags and other similar technologies. Pixel tags (also known as web beacons and clear GIFs) may be used in connection with some Websites to, among other things, track the actions of users of the Websites (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Websites and response rates. We and our service providers also use pixel tags in HTML emails to our customers, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.

Log files. Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version and internet browser type and version. This information is gathered automatically and stored in log files.

Third Party Analytics Tools. Our Websites may use automated devices and applications operated by third parties (e.g., Google Analytics), which use cookies and similar technologies to collect and analyze information about use of the Websites and report on activities and trends. Please see our Cookie Notice for more information. If you have reached this privacy notice from a website other than our Homepage, please go back and review the Cookie Notice on that website to understand how cookies are used on that website.

Opt-Out Preference Signals and “Do-Not-Track” Signals. If your browser enables the Global Privacy Control (GPC) when visiting our Website, our Website will automatically opt you out of any tracking cookies that constitute a “sale” where required by applicable privacy law.  For more information about the GPC and to learn how to implement it on your browser, please click here. Please note, our Website does not recognize or respond to any signal which your browser might transmit through its so-called “Do Not Track” (DNT) feature. If you wish to disable cookies on our Websites, you should not rely on DNT browser settings. For more information about DNT signals, please click here.

8. Interest based advertising

On some of our Websites, we may work with third-party ad networks, analytics companies, measurement services and others (“third-party ad companies”) to display advertising on our Websites and to manage our advertising on third-party sites, mobile apps and online services. We and these third-party ad companies may use cookies, pixels tags and other tools to collect information on our Websites (and on third-party sites and services), such as browsing history, IP address, device ID, cookie and advertising IDs, and other identifiers, general location information and, with your consent, your device’s geolocation information; we and these third-party ad companies use this information to provide you more relevant ads and content and to evaluate the success of such ads and content.

You can manage how your preferences regarding third party ad company cookies are set by this Website, using our cookie preference manager. If you have reached this privacy notice from a Website other than the Homepage, please go back and use the cookie preference manager on that Website to set your cookie preferences.

Please see our Cookie Notice for information about the third parties we may work with to display targeted ads on third-party sites and to measure the success of our marketing and campaigns. You may also obtain more information about targeted or “interest-based advertising” and opt-out of many ad networks at the industry websites below:

9. Security

We maintain appropriate technical and organizational security measures to protect the security of your data against loss, misuse, unauthorized access, disclosure or alteration. Despite this, the security of the transmission of information via the Internet cannot always be guaranteed and you acknowledge this in your access and use of our Websites. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the Privacy Officer, Contact & Comments section.

10. Individual rights and choices

Marketing. You may opt-out from receiving marketing-related communications from us on a going-forward basis by contacting us or by using the unsubscribe mechanism contained in each email. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages, from which you cannot opt-out.

Access, amendment and deletion. We have to process personal information to provide you with access to Risk Intelligence Central. You do not have to provide such personal information, however, such a refusal would prevent you from accessing Risk Intelligence Central.

You may choose to discontinue your access to Risk Intelligence Central and ask that we no longer process your personal information in accordance with this notice. Please note that if you do discontinue your use of, or refuse access to Risk Intelligence Central, we may still have the right or obligation under applicable law to collect, use, transfer or disclose personal information (for example in the context of other services including CRB Services) and we reserve the right to undertake that activity when appropriate.

Depending on the laws of the country which you are based in, you have certain rights to your personal information which we hold about you. Some of these rights may be the rights to access information of the use/process/sharing of your Personal Information, to review, correct, update, erase your personal information with us, to suppress, restrict or object to the processing of your personal information, and/ or request a copy of personal information about you.

You may request to review, make amendments, have deleted or otherwise exercise your rights under applicable privacy laws over your personal information that we hold, subject to certain limitations under applicable law. To exercise your rights please contact us using the information and instructions set forth in this section. Subject to legal and other permissible considerations, we will make reasonable efforts to honour your request promptly or inform you if we require further information to fulfil your request.

For requests under the CCPA, please follow the instructions provided in the section Additional Information for Certain Jurisdictions. For all other jurisdictions, you may submit a request to us at wtwco.com, by contacting us at 1-800-889-9288 (toll free), or by emailing us at dataaccessrequest@wtwco.com.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Please note that these rights might be limited under the applicable national data protection law. We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal information requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

In your request, please make clear what personal information you would like to have changed, whether you would like to have your personal information suppressed from our database or otherwise let us know what limitations you would like to put on our use of your personal information. For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.

Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Please note that we may need to retain certain information for record keeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed.

11. Retention period

WTW stores personal information as needed to accomplish the purposes identified in this privacy notice and to meet legal requirements, including legal and compliance requirements regarding records retention, resolving disputes, and enforcing our agreements. This means that WTW may be required to maintain your information, for example, to: (1) comply with our legal or regulatory compliance needs (e.g., maintaining records of transactions you have made with us); (2) to exercise, establish or defend legal claims; and/or (3) to protect against fraudulent or abusive activity on our services and systems. For these and possibly other reasons, we may be unable to delete personal information upon request of an individual in certain cases.

We may retain different categories of information for different periods of time for the instances stated above. However, it is our policy as an organization that when personal information is no longer needed or after legal authority to retain it has expired, personal information will be destroyed in accordance with applicable law and pursuant to procedures established in relation to the relevant WTW services, systems, or processes. Retention periods for records maintained by WTW, including those containing personal data are established based upon business need, statutory and regulatory record keeping requirements in the geographies where we do business, and legal obligations. If you have any further questions about our handling of personal information, please contact us at privacy@wtwco.com.

12. Children and minors

The Websites and Services are not directed to individuals under the age of sixteen (16), and we do not knowingly collect personal information from minors under the age of 16. Where we receive personal information related to children in the course of providing Services, we rely on the legal bases set forth above to process their information.

13. Changes to our privacy notice

From time to time, we may change our privacy notice. The effective date of this privacy notice, as indicated at the beginning of this privacy notice, indicates the last time this privacy notice was revised. Checking this effective date allows you to determine whether there have been changes since the last time you reviewed the notice. We will notify you of changes to this privacy notice by posting the revised privacy notice on our Websites. Your use of the Websites following these changes means that you accept the revised privacy notice.

14. Privacy officer, contact and comments

The Websites are controlled by various companies within the WTW Group providing CRB Services including the entity with which you have a Relationship Agreement.

If you have any questions or comments regarding this privacy notice, or if you have any query or complaint regarding the handling of Your personal information by WTW, please contact our Global Privacy Office, at The Willis Building, 51 Lime St, London EC3M 7DQ or at privacy@wtwco.com in the first instance. You may also contact our local privacy officers in certain countries, as follows:

Country

Name

Contact details

Bermuda

Attention of the Privacy Officer

90 Pitts Bay Road
Wellesley House, Floor 2
Hamilton HM 08

Email: privacy@wtwco.com

Phone: +1 441 295 1272

Canada

Attention of the Privacy Officer

130 King St W, Exchange Tower, Suite 1500

P.O. Box 424

Toronto, ON M5X 1E3

Email: privacy@wtwco.com

Phone: 786.437.1231

Nigeria

Adewunmi Akinmodiro

Adewunmi.Akinmodiro@wtwco.com

WTW Nigeria Limited

6th Floor, Africa RE Building. Plot 1679 Karimu Kotun Street, Victoria Island Lagos, Nigeria.

South Africa

André Wild

Andre.Wild@wtwco.com

Towers Watson (Pty) Ltd

Level 4, MontClare Place, 23 Main Road, Claremont, Cape Town, 7708

Private Bag X30, Rondebosch, 7701

Pasha Karodia

Pasha.Karodia@wtwco.com

Willis South Africa (Pty) Ltd

Illovo Edge, 1 Harries Road, Illovo, Johannesburg 2196

15. Additional information for residents in certain jurisdictions

WTW is committed to respecting the privacy rights of individuals under all privacy laws applicable to us. Some privacy laws require that we provide specific information about individual rights to applicable consumers, which we have set forth below for the following jurisdictions:

  • EU/EEA/UK: If you are in the European Union / European Economic Area / United Kingdom, please go to the European Union / European Economic Area section for details about your rights under the GDPR.
  • California: If you are a resident of California, you have certain rights under state privacy laws regarding your personal information as set forth at our California residents section.
  • Canada: If your personal data is subject to the privacy laws enacted in Canada, please go to the Canada section for details about your rights under PIPEDA, and other similar laws, as may be applicable.
  • Other Jurisdictions: If your personal data is subject to the privacy laws enacted in Argentina, Bermuda, Brazil, Cayman Islands, Colombia, Costa Rica, Nicaragua, Panama, the Philippines, the Kingdom of Saudi Arabia, Turkey, or Mainland China, please see the Other Jurisdictions section.

1. European union / European economic area

Residents of the European Union (EU) and the European Economic Area (EEA) have the following rights, under the GDPR, regarding their personal information:

  • Right of access: You have the right to obtain from us, confirmation as to whether or not personal information concerning you is being processed, and where that is the case, to request access to the personal information. The accessed information includes – among others - the purposes of the processing, the categories of personal information concerned, and the recipients or categories of recipient to whom the personal information have been or will be disclosed. You have the right to obtain a copy of the personal information undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
  • Right to rectify and complete personal information: you can request the rectification of inaccurate data and the completion of incomplete data. We will inform relevant third parties to whom we have transferred your data about the rectification and completion if we are legally obliged to do so.
  • Right to erasure (right to be forgotten): You have the right to obtain from us the erasure of personal information concerning you in limited circumstances where:
    • it is no longer needed for the purposes for which it was collected; or
    • you have withdrawn your consent (where the data processing was based on consent); or
    • following a successful right to object; or
    • it has been processed unlawfully; or
    • the data has to be erased in order to comply with a legal obligation to which WTW is subject.

We can continue to use your personal information following a request for restriction, where:

  • we have your consent; or
  • to establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person
  • Right to data portability: You have the right to receive the personal information concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another entity without hindrance from us, but in each case only where the processing is (a) based on your consent or on the performance of a contract with you, and (b) also carried out by automated means.
  • Right to object: You have the right to object at any time to any processing of your personal information which has our legitimate interests as its legal basis. You may exercise this right without incurring any costs. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. The right to object does not exist, in particular, if the processing of your personal information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
  • Right to object to our use of your personal information for direct marketing purposes: You can request that we change the manner in which we contact you for marketing purposes. You can request that we do not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
  • Right to withdraw consent: if you have given us your consent for the processing of your personal information, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to obtain a copy of safeguards: you can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside the EU/EEA. We may redact data transfer agreements to protect commercial terms.
  • Right to lodge a complaint with your local supervisory authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. We ask that you please attempt to resolve any issue with us first by contacting us at privacy@wtwco.com, although you have a right to contact your supervisory authority at any time.

2. California Residents

In this section, we provide information for California residents as required under California privacy laws, including the CCPA, which requires that we provide California residents with certain specific information about how we handle their personal information, whether collected online or offline. This section does not address or apply to our handling of:

  • publicly available information made lawfully available
  • personal information that is subject to an exemption under Section 1798.145(c) – (f) of the CCPA (such as protected health information that is subject to HIPAA or the California Medical Information Act, and non-public information subject to the Gramm-Leach Bliley Act or the California Financial Information Privacy Act)
  • personal information we collect about job applicants, independent contractors, or current or former full-time, part-time and temporary employees and staff, officers, directors or owners of WTW
  • personal information about individuals acting for or on behalf of another company, to the extent the information relates to our transactions with such company, products or services that we receive from or provide to such company, or associated communications or transactions (except that such individuals have the right to opt-out of any sale of their personal information and to not be subject to any discrimination for exercising such right)

Categories of personal information that we collect and disclose. Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. The list below sets out generally, the categories of personal information (as defined by the CCPA) about California residents that we collect, sell, and disclose to others for a business purpose. We collect these categories of personal information from the sources described in the Personal Information Collected section above, and for the purposes described in the Purposes and Legal Basis for Processing Personal Information section above.

Rights of California residents. California law grants California residents, certain rights and imposes restrictions on particular business practices as set forth below.

  • Do-Not-Sell or Share: California residents have the right to opt-out of our sale or sharing of their personal information. Opt-out rights can be exercised by clicking the Do Not Sell Or Share My Information link in the footer of our Website. We do not sell personal information about residents who we know are younger than 16 years old without opt-in consent.
  • Limit the Use of Sensitive Personal Information: California residents have the right in certain instances to request that we limit the use and sharing of their sensitive personal information. The CCPA defines “sensitive personal information” to include, among other things, your social security, driver’s license, state identification card, or passport numbers; account log-in, financial account, debit card, or credit card numbers in combination with any required security or access code, password, or credentials allowing access to an account; racial or ethnic origin, religious or philosophical beliefs, or union membership; genetic data; and biometric information (including physiological, biological, or behavioral characteristics). You may exercise this right by clicking the link in the footer of our Website Homepage titled “Limit the Use of My Sensitive Personal Information,” clicking here, or contacting us toll-free at 1-800-889-9288 (toll free).
  • Initial Notice: We are required to notify California residents, at or before the point of collection of their personal information, the categories of personal information collected and the purposes for which such information is used.
  • Request to Delete: California residents have the right to request deletion of their personal information that we have collected about them and to have such personal information deleted, except where an exemption applies. We will respond to verifiable requests received from California residents as required by law. The instructions for submitting a verifiable Request to Delete are described in the “Submitting Requests” section below.
  • Request to Know: California residents have the right to request and, subject to certain exemptions, receive a copy of the specific pieces of personal information that we have collected about them in the prior 12 months and to have this delivered, free of charge, either (a) by mail or (b) electronically in a portable and, to the extent technically feasible, readily useable format that allows the individual to transmit this information to another entity without hindrance. California residents also have the right to request that we provide them certain information about how we have handled their personal information in the prior 12 months, including the:
  • categories of personal information collected;
  • categories of sources of personal information;
  • business and/or commercial purposes for collecting and selling their personal information;
  • categories of third parties/with whom we have shared their personal information;
  • categories of personal information that we have disclosed or shared with a third party for a business purpose; and
  • categories of personal information disclosed for a business purpose in the preceding 12 months, and for each category identified, the categories of third parties to which we disclosed that particular category of personal information.

California residents may make a Request to Know up to twice every 12 months. We will respond to verifiable requests received from California residents as required by law. The instructions for submitting a verifiable Request to Know are described in the “Submitting Requests” section below.

  • Right to non-discrimination: The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA. Discrimination may exist where a business denies or provides a different level or quality of goods or services, or charges (or suggests that it will charge) different prices, rates, or penalties on residents who exercise their CCPA rights, unless doing so is reasonably related to the value provided to the business by the residents’ data.
  • Financial incentives: A business may offer financial incentives for the collection, sale or deletion of California residents’ personal information, where the incentive is not unjust, unreasonable, coercive or usurious, and is made available in compliance with applicable transparency, informed consent, and opt-out requirements. California residents have the right to be notified of any financial incentives offers and their material terms, the right to opt-out of such incentives at any time and may not be included in such incentives without their prior informed opt-in consent. We do not offer any such incentives at this time.

Submitting Requests. Requests to Know, Requests to Limit, and Requests to Delete may be submitted by:

  • By contacting us at 1-800-889-9288 (toll free)
  • By submitting a Consumer Request through this link.

We will use the following process to verify Requests to Know and Requests to Delete: We will acknowledge receipt of your Consumer Request, verify it using processes required by law, then process and respond to your request as required by law. To verify such requests, we may ask you to provide the following information:

  • For a request to know categories of personal information which we collect, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you against information in our systems which are considered reasonably reliable for the purposes of verifying a consumer’s identity.
  • For a request to know specific pieces of personal information or for requests to delete, we will verify your identity to a high degree of certainty by matching at least three pieces of personal information provided by you to personal information maintained in our systems and also by obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

An authorized agent can make a CCPA request on a California resident’s behalf by providing either: (1) a power of attorney valid under California law; or (2) proof that the consumer gave the agent signed permission to submit the request. The consumer must also provide either: (1) verification of their own identity with respect to a right to know categories, right to know specific pieces of personal information, or requests to delete which are outlined above; or (2) direct confirmation that the consumer provided the authorized agent with permission to submit the request.

We will respond to verifiable requests received from California residents as required by law. For more information about our privacy practices, you may contact us as set forth in the Privacy Officer, Contact, and Comments section above.

Consumer Request Statistics: The number of requests received and responded to by WTW under the CCPA can be found here.

3. Canada

You may have certain rights under applicable Canadian data privacy laws, such as the personal information Protection and Electronic Documents Act (“PIPEDA”), and other similar provincial or local laws, in relation to personal data. Subject to applicable law, you may request:

  • Access to your personal information, in a reasonably portable format.
  • Correction or deletion of your personal information (unless we are required to retain it in accordance with applicable law).

Submitting Requests: Requests to exercise privacy rights under Canadian laws may be submitted using:

Depending on applicable laws, if your request to exercise a right is denied or not responded to within a reasonable time, you may appeal that decision through this link or emailing privacy@wtwco.com

4. Other jurisdictions

a) Argentina

The following information applies to the personal data that WTW processes on individuals and legal entities residents in the territory of the Argentine Republic in accordance with the Personal Data Protection Law.

Definition of Personal Data: Information of any kind referring to determined or determinable individuals or legal entities.

Rights under the Argentina Data Protection Law regarding personal information:

  • Right to Information:when you are required to provide personal data, you have the right to be informed about the existence of personal database, its purpose, who are responsible for it and its legal address. In this way, you will have the necessary information to exercise your other rights.
  • Right of access:
    • Once your identity has been duly evidenced, you have the right to request and obtain information your personal data included in public data registers or banks, or in private registers or banks intended for the provision of reports.
    • The person responsible or user shall provide the requested information within ten calendar days of being demanded of such request. Upon expiration of the said term without such request being answered, or if the report is deemed insufficient, the proceeding to protect personal data or habeas data herein provided for shall be started.
    • The right of access may only be exercised free of charge within intervals no shorter than six months, unless a legitimate interest to do otherwise is shown.
  • Rectification, updating or suppression right:
    • You have the right to rectify, update, and when applicable, suppress or keep confidential your personal data included in WTW database.
    • WTW will proceed to rectify, suppress or update your personal data within the maximum term of five business days of the query being received or the mistake or false information being noticed.
    • The suppression right must not be affected in the event it could cause harm to the rights or legitimate interests of third parties, or there existed a legal obligation to preserve such data.
    • The personal data must be kept during the terms contemplated in the applicable provisions or, where appropriate, in the contractual relationships between WTW and the data subject.

Submitting Requests. Requests may be submitted:

b) Bermuda

WTW shall use personal information for the performance of the agreement(s) between the parties, and as outlined therein, and as required by PIPA as set forth in the Bermuda Data Processing Protocol. Our Additional Brokerage Terms available here also apply to our brokerage services in Bermuda.

The following information applies to any individual’s personal information used in Bermuda in accordance with Bermuda’s Personal Information Protection Act 2016 (PIPA):

Individual Rights under PIPA:

  • Right to Access: You have the right to request access: (i) your personal information in the custody or under the control of the WTW; (ii) the purposes for which your personal information has been and is being used by us; and (iii) the names of the persons or types of persons to whom and circumstances in which your personal information has been and is being disclosed.
  • Right to Access Medical Records: You have the right to request access to personal information (i) of a medical or psychiatric nature; or (ii) kept for the purposes of, or obtained in the course of, the carrying out of social work in relation to the individual.
  • Right of Correction: You have the right to request us to correct an error or omission in your personal information which is under the control of WTW.
  • Right of Erasure or Destruction: You have the right to request us to erase or destroy personal information about you where that personal information is no longer relevant for the purposes of its use.
  • Right of Blocking: You have the right to request us to cease, or not to begin, using your personal information for the purposes of advertising, marketing or public relations, or where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to you or to another individual.
  • Right to Review or Initiate a Complaint: Where an individual has made a request of us in respect of their personal information, they may ask the Privacy Commissioner for Bermuda to review our decision, action or failure to act.

Submitting Requests: You can exercise your rights by submitting a written request setting out sufficient detail to enable us to reasonably identify the personal information in the request:

Compensation for financial loss or distress: An individual who suffers financial loss or emotional distress by reason of failure to comply with any of the requirements of PIPA by WTW is entitled to compensation from WTW.

How to contact us in Bermuda: If you have any questions or comments about this privacy notice regarding PIPA or our uses of personal information, please contact our Privacy Officer by writing to privacy@wtwco.com.

c) Brazil

The following information applies to personal data which we process from any individuals that is related to Brazil’s territory under the National Data Protection Law (LGPD):

  • Scope: In addition to the circumstances set forth in the section above regarding Scope, the LGPD applies when we process personal data subject to protect fundamental rights of freedom, privacy and the free development of the personality of individuals.
  • Sensitive Personal Data under the LGPD:Sensitive personal data under the LGPD includes personal data (as defined above in Scope section of this Notice) about racial or ethnic origin, religious belief, political opinion, union membership or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person. Please see the section above regarding Personal Information Collected for more information on how we treat sensitive personal data.
  • Individual rights: Under the LGPD, individuals have certain rights related to their personal data, subject to other limitations in this law, as follows:
  1. Confirmation of the existence of data processing;
  2. Access to your personal data;
  3. Correction of incomplete, inaccurate, or out-of-date data
  4. Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with LGPD;
  5. Portability of data to another service or product provider, subject to the LGPD;
  6. Deletion of personal data, to the extent permitted by the LGPD;
  7. Information about the entities with whom we have shared personal data;
  8. Information about the possibility of denying consent and consequences of such denial; and
  9. Revocation of consent.

Processing of Children’s Personal Data: We process personal data belonging to children and adolescents, defined as individuals 16 years or younger. In this case, in accordance with the LGPD, we process children´s personal data when in their own best interests and with the specific consent of at least one of their parents or legal representatives.

Contacting Us in Brazil: If you have any questions or comments about this Privacy Notice as it relates to the LGPD or our processing activities in Brazil, please contact our Brazil Data Protection Officer (DPO) at Lucas Paglia at lucas.paglia@wtwco.com or privacy.brasil@wtwco.com.

Controller and Processor information: The following applications operate in Brazil: Benefits Access, Employee Engagement Software and Embark. For purposes of the LGPD, these Applications and Services are classified as follows:

  • Benefits Access (health and risk brokerage and administration), we act as a controller.
  • Employee Engagement Software (employee opinion surveys), we act as a processor.
  • Embark (integrated employee experience platform providing access to other Applications and Services) we are a controller and processor depending on the Services.
d) Cayman Islands

Individuals whose personal data is collected and/or used in the Cayman Islands have the following rights over their personal data:

  • Right to be informed about the collection and use of your personal data: You have the right to be informed about the collection and use of your personal data, which includes information such as who we are and the purposes for our processing your personal data.
  • Right to Access:You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and where that is the case, to request access to the personal data. The information which may be accessed includes – among others - the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed, any countries or territories outside Caymans that your personal data is sent and general security measures taken over your personal data. You have the right to obtain a copy of the personal data undergoing processing. If the requests are deemed excessive, we may charge a reasonable fee based on administrative costs.
  • Right to rectification: You have a right to have inaccurate personal data rectified or completed if incomplete, without undue delay. You may submit a complaint to the Cayman Islands Ombudsman, who may issue an order for rectification, blocking, erasure or destruction of the data.
  • Right to erasure:You have a right to request that we cease processing your personal data, which includes the erasure of personal data. You have an absolute right to erasure if your personal data is no longer required for processing.
  • Right to stop or restrict processing Personal Data: You have the right to obtain from us restriction of processing your personal data. We shall comply with this request unless the processing is necessary for certain purposes. These purposes include: (i) the processing is necessary for the performance of a contract to which you are is a party or the taking of steps at your request with a view to entering into a contract; (ii) the processing is necessary for compliance with any legal obligation to which you are the subject, other than an obligation imposed by contract; (iii) the processing is necessary in order to protect your vital interests; or (iv) the processing is necessary in circumstances as may be prescribed by regulations.
  • Right to stop processing for direct marketing: You have the right to obtain from us restriction of processing of your personal data for direct marketing purposes. We shall honour this request without undue delay within a reasonable period of time. You may submit a complaint to the Ombudsman if we do not comply with this request.
  • Rights in relation to automated decision making: You have the right to obtain from us restriction from us making a decision that significantly affects you based on the processing of automatic means of your personal data for the purpose of (i) evaluating your performance at work, (ii) creditworthiness, (iii) reliability, (iv) conduct, or (v) other matters related to you.
  • Right to complain/seek compensation:You have a right to submit a complaint to the Ombudsman regarding any perceived violation of the DPA. If you suffer damage due to a violation of the DPA by us, you may be able to seek compensation via the court system.

Submitting Requests. Requests may be submitted:

e) Colombia

The following information applies to the processing of personal data related to the territory of Colombia and in accordance with the Personal Data Protection Law (Law 1581 of 2012).

Definitions:

  • Data subject: Is the individual whose personal data are subject to processing. The data subjects, altogether with the data controllers and the data processors, are the main actors defined by Colombian privacy law.
  • Personal data: Any information related to, or that may be related to, one or several determined or determinable individuals, meaning natural persons only.
    • Sensitive Data: Any data that affects its owner’s intimacy or whose improper use might cause discrimination. Data that reveals any of the below information is considered sensitive data and its processing is prohibited by law:
      • Ethnic or racial origin
      • Political orientation
      • Religious or philosophic convictions
      • Membership in labor unions, human right groups or social organizations
      • Membership in any group that promotes any political interest or that promotes the rights of opposition parties
      • Information regarding health and sexual life, and
      • Biometrics
  • Data processing: The data processing includes any operation carried out on personal data, such as the collection, storage, use, circulation, transmission, transfer and suppression of information, among others
  • Authorization: Is the prior, express and informed consent given by the data subjects in order to carry out the processing of their personal data. Under Colombian privacy law, the authorization constitutes a fundamental pillar as well as the general rule to legitimize the processing of personal data.

Data subjects rights

In accordance with the provisions of the Personal Data Protection Law, the rights provided to the data subject are as follows:

  • To allow access, updates, and amends in their personal data held by either the data controller or the data processor. Situations in which this right may be exercised include when there is partial, inaccurate, incomplete, or misleading data or data whose processing is expressly prohibited or has not been authorized.
  • To be able to request for proof or evidence of consent granted for the data to the data controller, except when the data doesn’t require consent for processing
  • To be informed by the data controllers and processors on the use made by their personal data.
  • To submit to the Superintendencia de Industria y Comercio (SIC) claims for violations of the provisions that contain the Data Protection Law and other rules that modify, amend, or complement it.
  • To revoke or request for deletion of data when processing is not compliant with principles, rights, and constitutional guarantee.
  • Right to access their personal data that has been processed. For queries whose frequency is greater than one per calendar month, the data controller may charge only the shipping costs, reproduction, and, where applicable, certification of documents. Reproduction costs may not be higher than recovery costs.
  • Right to data portability

Submitting Requests. If you wish to submit a query, claim or request for information related to the protection of personal data, you can exercise your rights:

f) Costa Rica

The following information applies to the personal data that we treat of individuals that are related to the territory of Costa Rica in accordance with Law No. 8968 “Protection of the Person against the Processing of their Personal Data” that establishes mandatory guidelines for the Protection of Personal Data and its regulations:

Scope: Any operation applied to personal data, such as collection, recording, organization, storage, modification, extraction, consultation, use, communication by transmission, dissemination or any other form that facilitates access to data that are in automated or manual databases, of public or private bodies, and to any form of subsequent use of these data.

  • Rights of individuals: the Law grants individuals rights with respect to the protection of their personal data:
    • Access to information: the information must be stored in such a way as to fully guarantee the right of access by the person concerned.
    • Right of rectification: The right to obtain, where appropriate, the rectification of personal data and its updating or deletion is guaranteed when they have been processed in violation of the provisions of this Law, in particular because of the incomplete or inaccurate nature of the data or have been collected without the authorization of the owner.
  • Processing of personal data of minors or incapacitated persons: we will process the personal data of children and/or incapacitated persons in their interest and with the specific consent of at least one of their parents or legal representatives.

How to contact us in Costa Rica: If you have any questions or comments about this Privacy Notice in relation to the Law or our processing activities, please contact our Data Protection Officer (DPO) by writing to dataprivacy.CostaRica@wtwco.com

g) Mainland China

This section applies to the processing of personal information of residents of Mainland China who are covered by PIPL.

Sensitive Personal Data under PIPL means the personal information of which the leakage or illegal use could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.

Additional Individual Rights: In addition to the “Individual Rights” stated above, a data subject also has the right to:

  • request us to explain our personal information processing rules;
  • have his or her close relatives exercise the rights to consult, duplicate, correct and delete the data subject’s relevant personal information upon the data subject’s passing on and in accordance to the provisions set out under the applicable law.

Contacting Us in Mainland China: If you have any questions or comments about Privacy Notice as it relates to PIPL or our data processing activities in Mainland China, please contact our China Data Protection Officer at dataprivacycn@wtwco.com.

h) Nicaragua

The following information applies to the personal data that we treat of individuals that are related to the territory of Nicaragua in compliance with Law No.787, on the Protection of Personal Data, (the “PDP Law”) that establishes mandatory guidelines for the Protection of Personal Data.

Scope: the protection of the natural or legal person against the processing, automated or not, of their personal data in public and private data files, to guarantee the right to personal and family privacy and the right to informative self-determination.

Principles of personal data processing: Lawfulness; Quality; Transparency Purpose; Accuracy; Limitation of the conservation period; Confidentiality and Others.

Rights of individuals over their data: The PDP Law grants individuals the “ARCO” rights which are the rights of access, rectification, cancellation and opposition of their personal data.

Access: As the owner of the data has the right to request and obtain information on their personal data processed by those responsible for the file, both in relation to public and private data files, the way in which their data were collected and the reasons that motivated their collection, and the transfers or assignments that were made and the record of their sending and receiving must be kept, Access must be in formats readable or understandable to the holder.

Rectification: As the owner of the personal data, you can request the rectification of your personal data, and even the modification, complementation, inclusion, updating and cancellation of the personal data of which you are the owner, which are included in a data file.

Cancellation: as the owner of the data, you may request at any time the cancellation of your personal data when they are no longer necessary or relevant for the purpose that gave rise to their treatment or when you consider that they are not being treated in accordance with the regulations. In those cases in which the blocking of the data proceeds, it will have the purpose of preventing the treatment, except for the storage, or possible access by any person, unless any legal provision provides otherwise, the blocking period will be until the corresponding legal or contractual limitation period and after this, the personal data will be cancelled in the data file in which they are located.

Opposition: as the owner of the data, you have the right not to carry out the processing of your personal data or to cease it when you have not given your consent for its collection because they were taken from sources of public access. Even if you have given your consent, as the owner of the data you have the right to oppose the processing of your data, if you prove the existence of well-founded and legitimate reasons related to a specific personal situation that justify the exercise of this right. In the event that the opposition is justified, the treatment that has given rise to the opposition will be terminated, but the right of opposition will not be exercised in those cases in which the treatment is required by law.

Processing of personal data of minors, incapacitated or deceased: we treat the data ensuring their interest and with the specific consent of at least one of their parents or legal representatives; the rights may be exercised, the representative of the owner of the data, upon presentation of the sufficient power of representation and identity document required by law, the parents or guardians of the owner of the data and in the case of deceased persons, upon presentation of the legal document.

How to contact us in Nicaragua: If you have any questions or comments about this Privacy Notice regarding the Law or our processing activities, please contact our Data Protection Officer (DPO) by writing to dataprivacy.nicaragua@wtwco.com

i) Panama

The following information applies to the personal data that we treat of individuals that are related to the territory Panama in accordance with Law 81 of March 26, 2019 (the “PDP Law”) that establishes mandatory guidelines for the Protection of Personal Data and its regulation Executive Decree 285 of May 28, 2021:

  1. Scope: In addition to the circumstances set out in the Scope section above, the PDP Act applies when we process personal data subject to the protection of individuals' fundamental rights of liberty, privacy, and free development of personality.
  2. Sensitive personal data under the PDP Act: sensitive personal data as set out by the PDP Act is personal data (as defined in the Scope section of this Notice) about racial or ethnic origin, religious beliefs, political opinions, trade union membership or organization of a religious, philosophical or political nature, data relating to health or sex life, genetic or biometric data, when linked to a natural person. Please see the section on Personal Information Collected for more information on how we process sensitive personal data.

Rights of individuals: The PDP Law grants individuals the “ARCO” rights that are the rights of access, rectification, cancellation, and opposition of their personal data, subject to other limitations of this law.

“Right of Access” It is the right that the Owner has to know about the Personal Data related to his person that are in the possession of the person in charge in question or of his managers, also to whom they have been shared and for what purpose.

“Right to Rectification” Each Holder has the right to have their Personal Data rectified when they are inaccurate or incomplete.

“Right of Opposition” The Owner always has the right to request, provided that he has a legitimate cause, that the person responsible stops handling his Personal Data.

Processing of personal data of minors or incapacitated persons: In case of the processing of personal data belonging to 18 years of age and / or incapacitated, we treat the data ensuring their interest and with the specific consent of at least one of their parents or legal representatives.

How to contact us in Panama: If you have any questions or comments about this Privacy Notice regarding the PDP Law or our processing activities in Panama, please contact our Data Protection Officer (DPO) in Panama by writing to dataprivacy.panama@wtwco.com.

j) Philippines

Under certain circumstances where permitted by law, residents of the Philippines also may be entitled to indemnity for damages caused by inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

k) Kingdom of Saudi Arabia

The following information applies to the personal data that we process of individuals that are residents of the Kingdom of Saudi Arabia in compliance with the Saudi Arabia Personal Data Protection Law issued pursuant to Royal Decree No. (M/19) dated 09/02/1443 AH corresponding to 16/09/2021 G and Amended pursuant to Royal Decree No. (M/148) dated 05/09/1444 AH corresponding to 27/03/2023 G (the “PDPL”):

What do we do? At WTW Plc we provide data-driven, insight-led solutions in the areas of people, risk and capital.

Additional legal basis. The PDPL provides several sets of legal bases for processing personal data. In addition to those listed above, and in the event that personal data is to be processed in accordance with the PDPL, we may process your personal data on the basis of your actual interests – this would be the case where the processing would serve your actual interests, but communicating with you becomes difficult, or even impossible.

Additional rights. You may have the right to claim compensation for material or moral damage if you are harmed as a result of our violation of the PDPL or its implementing regulations.

As outlined in the section above, entitled Individual Rights and Choices, you can complain to us and if you are not satisfied with how we handle your complaint, you can file a complaint to the Saudi Data and Artificial Intelligence Authority at this link:

l) Turkey

Within the scope of Article 11 of the Turkish Personal Data Protection Act, as a personal data subject, you may send requests related to your rights to the Data Controller in writing as per Communique on Principles on Application to Data Controller, using the contact details set out in the Contacts & Comments section or at Esentepe Mah. Büyükdere Caddesi No:127 Astoria İş Merkezi A Kule Kat:4, 34394 Şişli/İstanbul or you may email us at willistowerswatson@hs01.kep.tr. or privacy@wtwco.com.

In addition, under Turkish law, personal data subjects are entitled to:

  • learn whether personal information about them is processed;
  • request information, if personal information are processed;
  • learn the purpose of personal information processing, and whether those are utilized for such purpose;
  • be aware of third persons such personal data are transferred, inland or abroad;
  • ask for correction of personal information, if the same are missing or erroneously processed; and to ask for notification of third persons accordingly, who received such personal data;
  • despite processing in accordance with the Turkish Personal Data Protection Act and other relevant legislation, if the ground for processing such personal information no longer exists, the data owner may ask for deletion or destruction of personal data, and to ask for notification of third persons accordingly, who received such personal information;
  • oppose to an adverse conclusion which may arise out of analysis of personal information processed through automated systems;
  • ask for compensation, in case of loss, due to illegal processing of personal information.
Contact us