This privacy notice describes how WTW collects and processes Personal Information when we provide Health & Benefits transactional and advisory services (such as insurance broking, claims management and consulting services) (“Services“) to our clients.
WTW operates worldwide through subsidiary and affiliate companies. Where we say “we,” “us,” or “our” in this privacy notice we mean the WTW entity that processes your data in connection with the Services.
In providing the Services, we may be required to process Personal Information of individuals named in an insurance policy, or individuals that are beneficiaries of, or have made claims under, an insurance policy, or individuals who are involved in an incident giving rise to an insurance claim. We also process Personal Information of individuals who are employees, contractors and representatives of our clients. This privacy notice applies to any individual whose Personal Information we process in the course of providing the Services (each a “data subject” or “you“).
Scope of this privacy notice
This privacy notice describes how WTW collects and processes Personal Information in the course of providing the Services, and it applies to all Personal Information we collect or process about you in relation to these Services.
When we process your Personal Information, we act as controllers together with our client and we cooperate with our client in meeting our compliance obligations under the law. For example, it is the client’s responsibility to notify data subjects about the use of your Personal Information (as described in this privacy notice); to ensure the accuracy of the Personal Information they provide to us for processing; and to handle requests received from data subjects.
WTW is a global organisation operating in more than 140 countries and our business activities are global in nature. As such we sometimes transfer personal data to countries located outside of the European Economic Area (“EEA”). The laws applicable to the country where the data is being received may not be equivalent to that in your location. However, we always take steps to ensure any transfer of information is carefully managed to protect your privacy rights. In particular:
- For transfers between WTW Group companies: We have put in place an intra group data transfer agreement incorporating the European Commission-approved Standard Contractual Clauses (“EU SCCs”) to ensure that transfers of Personal Information within our Group receive a consistent and adequate level of protection wherever they take place.
- For transfers to third parties outside of the WTW Group of Companies: Where we are legally required to do so, transfers of Personal Information to parties located in countries outside the EEA will be made pursuant to the EU SCCs or other legally acceptable mechanisms that ensure an adequate level of protection. Some recipients located outside of the EEA are located in countries for which the European Commission has issued adequacy decisions, or where there are recognized certification schemes such as the EU – US Privacy Shield for protection of Personal Information transferred from within the European Union (“EU”) to the United States of America,
Please see the Contact & Comments section below for details on how you can contact us to get further information on the third countries to which Personal Information will be transferred and further information relating to the safeguards we have in place in relation to international transfers of data.
In this section we describe the types of Personal Information we collect in providing the Services, what we use it for and what our lawful basis is for doing so under applicable data protection legislation.
(A) Personal information we collect
“Personal Information” is information that identifies you as an individual or relates to an identifiable individual.
We may collect your Personal Information in the following ways:
- Our client may provide your Personal Information to us. Our client, your employer, is also a controller in respect of your Personal Information and you should consult with them in the first instance if you have any questions about the processing of Personal Information.
- You may provide your Personal Information directly to us if you are involved in a claim that we are handling for a client.
The Personal Information we may collect about you may include:
- name and contact information;
- demographic information (such as gender, age, date of birth, marital status, nationality, employment details, hobbies, family composition, and dependents);
- personal identification documentation and related information such as passport numbers and employee identification numbers;
- financial and payment data such as bank account numbers and transaction information;
- information related to the provision of the Services, such as policy information, claims information, and information relating to incidents giving rise to claims;
- information about your property and assets;
- statements made by or about you;
- records of communications and CCTV footage; and
- human resources data, such as job title and role; benefits and compensation information; dependent/beneficiary information; educational, academic and professional qualifications information; emergency contact information; and performance management information.
Depending on the services we are providing, all or some of the above categories of Personal Information may be provided to, or made available to us, by our clients.
Some of the categories of information that we collect are special categories of Personal Information (“Sensitive Personal Information“). These include your health records (such as your medical history and reports on medical diagnoses, injuries and treatment); information about your personal characteristics and circumstances of a sensitive nature such as your racial or ethnic origin, sex life, mental and physical health and genetic information.
(B) How we may use your personal information
We use your Personal Information:
- to provide the Services and fulfil our contractual obligations to clients;
- to conduct data analysis;
- for fraud monitoring and prevention;
- to help develop new services and to enhance, improve or modify our Services;
- to operate and expand our business activities;
- to carry out background checks and conduct due diligence;
- to perform administrative activities in connection with our Services;
- to carry out marketing activities, in particular when you leave a corporate medical insurance scheme we may offer you a continuation of cover;
- to exercise, defend or protect our legal rights or the rights of our clients or third parties; and
- to comply with legal and professional obligations and to cooperate with regulatory bodies.
The way we analyse Personal Information for the purposes of risk assessment, fraud prevention and detection, and to report to our clients as part of the Services may involve profiling, which means that we may process your personal information using software that is able to evaluate your personal aspects and predict risks or outcomes.
We may also aggregate or anonymize information about you. Aggregated or anonymized data is not capable of being used to identify individuals and is not treated as Personal Information under this privacy notice.
(C) Legal bases for processing personal information
We must have a legal basis to process your Personal Information in accordance with applicable data protection legislation. This will be for at least one of the following purposes:
- where it is necessary to enter into a contract with us / in order to perform the Services to you;
- where it is necessary to comply with our legal obligations such as due diligence and reporting obligations, for example know-your-customer checks to prevent money laundering and fraudulent activities;
- where you have provided your consent, for example if you have agreed to receive marketing communications from us. You may withdraw your consent at any time by contacting us using the details at the end of this privacy notice;
- where it is necessary for our legitimate interests, or those of a third party, for example to ensure that the Services we provide are appropriate for our clients’ requirements, to improve our Services, manage our risks, maintain accurate transaction records, and manage our business in an efficient way. These circumstances shall only apply where such legitimate interests are not overridden by your interests or fundamental rights and freedoms.
We only process Sensitive Personal Information in limited circumstances:
- where applicable under national data protection laws (e.g. the United Kingdom) the processing is necessary for our insurance purposes (i.e. for advising, arranging, underwriting or administering an insurance contract or handling claims);
- where we have your explicit consent, (in which case our client will obtain your explicit consent to collect and use the data for the purposes described in this privacy notice). You may withdraw your consent at any time by contacting us using the details at the end of this privacy notice; or
- to establish, exercise or defend legal claims.
Disclosure of your personal information
We share your Personal Information with third parties under the following circumstances:
- to any WTW group company for the uses and purposes set out above;
- to our clients, intermediaries, advisers and business partners for the purposes of fulfilling our contractual obligations to clients, for example to deliver our Services and to arrange insurance products for clients;
- to third party service providers including entities providing customer service, email delivery, marketing service providers, IT service providers, auditing and other services;
- if we are obliged to disclose your Personal Information under applicable law or regulation, which may include laws outside your country of residence; and
- in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
We request those third party service providers to implement and apply security safeguards to ensure the privacy and security of your Personal Information.
Security and retention
WTW maintains appropriate technical and organizational security measures to protect the security of your data against loss, misuse, unauthorized access, disclosure or alteration. These measures are aimed at ensuring the ongoing integrity and confidentiality of Personal Information. We evaluate these measures on a regular basis to ensure the security of the processing.
We will retain your Personal Information for as long as is necessary for the provision of Services to our clients. When we no longer need your Personal Information in connection with the Services, we will then retain your Personal Information for a period of time that reasonably allows us to comply with our regulatory obligations and to commence or defend legal claims. We may retain aggregated or anonymised data (which is not treated as Personal Information under this privacy notice) for longer.
Choices and access
WTW and the client are each controllers responsible for the Personal Information we collect and process.
To exercise any of your rights, which are set out below, you may contact us by sending us an email to firstname.lastname@example.org or sending your request by postal mail to the address provided in the “Contact & Comments” section.
(i) Right to rectify and complete Personal Information: you can request the rectification of inaccurate data and the completion of incomplete data. We will inform relevant third parties to whom we have transferred your data about the rectification and completion if we are legally obliged to do so.
(ii) Right to erasure (right to be forgotten): You have the right to obtain from us the erasure of Personal Information concerning you in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- following a successful right to object; or
- it has been processed unlawfully; or
- the data must be erased in order to comply with a legal obligation to which WTW is subject.
We are not required to comply with your request to erase Personal Information if the processing of your Personal Information is necessary for:
- compliance with a legal obligation; or
- the establishment, exercise or defence of legal claims.
(iii) Right to restriction of processing: You have the right to obtain from us restriction of processing your Personal Information. In this case, the relevant data will be marked and only be processed by us for certain purposes. This right can only be exercised where:
- the accuracy of your Personal Information is contested, to allow us verify its accuracy; or
- the processing is unlawful, but you do not want the Personal Information erased; or
- it is no longer needed for the purposes for which it was collected, but you still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your Personal Information following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
(iv) Right to data portability: You have the right to receive the Personal Information concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another entity without hindrance from us, but in each case only where:
- the processing is based on your consent or on the performance of a contract with you; and
- the processing is carried out by automated means.
(v) Right to object: You have the right to object at any time to any processing of your Personal Information which has our legitimate interests as its legal basis. You may exercise this right without incurring any costs. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
The right to object does not exist, in particular, if the processing of your Personal Information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
(vi) Right to object to how we use your Personal Information for direct marketing purposes: You can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your Personal Information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
(vii) Right to withdraw consent: If you have given us your consent for the processing of your Personal Information, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
(viii) Right to obtain a copy of Personal Information safeguards for transfers outside your jurisdiction: You can ask to obtain a copy of, or reference to, the safeguards under which your Personal Information is transferred outside the EU/EEA. We may redact data transfer agreements to protect commercial terms.
(ix) Right to lodge a complaint with your local supervisory authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your Personal Information. We ask that you please attempt to resolve any issue with us first, although you have a right to contact your supervisory authority at any time.
Please note that the aforementioned rights might be limited under the applicable national data protection law. We may ask you for additional information to confirm your identity and for security purposes, before disclosing the Personal Information requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the Information Commissioner’s Office, at www.ico.org.uk/concerns/.
Changes to our privacy notice
You may request a copy of this privacy notice from us using the contact details set out below.
We may modify or update this privacy notice from time to time by notifying or providing a revised version to our clients. Where changes to this privacy notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will ask that our client, your employer, give you sufficient advance notice of these changes so that you have the opportunity to exercise your rights (e.g. to object to the processing)
Contact and comments
If you have any questions or comments regarding this privacy notice, please contact our Global Privacy Office, at the Willis Building, 51 Lime St, London EC3M 7DQ or at email@example.com.