Version 1
This Data Processing Protocol (the "Protocol") explains how Towers Watson Limited ("Willis Towers Watson") handles personal data on behalf of its clients ("Client") when acting as a processor when providing investment consulting services.
The Protocol forms part of any agreement in place between Willis Towers Watson and Client which expressly refers to it (the “Agreement”). Where this Protocol uses terms which are defined in the General Data Protection Regulation (Regulation (EU) 2016/679) (the “Regulation”), then the definitions set out in that Regulation shall apply.
Data Processing
With respect to personal data processed by Willis Towers Watson on Client’s behalf (see Annex 1), Willis Towers Watson will comply with the following requirements:
Limitations on Use. Willis Towers Watson will process personal data only to deliver the relevant service, as instructed in writing by Client from time to time, or as otherwise required by law.
Confidentiality. Willis Towers Watson will hold personal data in confidence and require Willis Towers Watson personnel who will process personal data to protect all personal data in accordance with the requirements of this Protocol.
Information Security Program. Willis Towers Watson will maintain a written information security program that contains appropriate administrative, technical and physical safeguards to protect personal data against anticipated threats or hazards to its security, confidentiality or integrity.
Assistance. Willis Towers Watson will:
i. Taking into account the nature of the processing and in so far as is possible, implement technical and organizational measures to assist Client in fulfilling its obligation to respond to any requests from individuals exercising their rights under Chapter III of the Regulation;
ii. Taking into account the nature of the processing and the information available to Willis Towers Watson, assist Client in complying with Client's obligations to implement appropriate security measures, to notify personal data breaches to supervisory authorities and to individuals and to conduct data protection impact assessments and consult with supervisory authorities in relation to data protection impact assessments where required; and
iii. Make available to Client all information which Client reasonably requests to assist Client in demonstrating that the obligations set out in Article 28 of the Regulation relating to the appointment of processors have been met and allow for and contributes to audits conducted by Client or another auditor nominated by Client.
Willis Towers Watson may charge a reasonable fee for all such assistance described above, save where assistance was required directly as a result of Willis Towers Watson's own acts or omissions, in which case such assistance will be at Willis Towers Watson's expense. Client shall provide Willis Towers Watson with thirty (30) days advance notice of any audit request; may not engage in an audit which would compromise confidentiality obligations to any other clients and customers of Willis Towers Watson and, if it wishes to nominate another auditor to undertake the audit, shall ensure that the auditor enters into a confidentiality agreement with Willis Towers Watson in such form as Willis Towers Watson shall reasonably require.
Security Incident. Willis Towers Watson will without undue delay notify Client whenever Willis Towers Watson reasonably believes that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Willis Towers Watson in the context of this Protocol ("Security Incident"). After providing notice, Willis Towers Watson will investigate the Security Incident, take necessary steps to eliminate or contain the impact of the Security Incident and keep Client advised of the status of the Security Incident and all related matters.
Return or Disposal. Client may instruct Willis Towers Watson to delete or return personal data at the end of the period during which Willis Towers Watson will process such Client personal data, as specified in Annex 1.
Subprocessing
Client understands that Willis Towers Watson may use sub processors to provide the services under the Agreement. These will be listed and agreed in the specific Agreement Client has entered into with Willis Towers Watson if applicable. Willis Towers Watson shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such sub processors are at least as restrictive as this Protocol. Willis Towers Watson may change or add sub processors from time to time upon giving reasonable notice in writing to Client so that Client may express an objection, on reasonable grounds, to the proposed change.
Data Transfers
Client confirms that Willis Towers Watson may transfer personal data to its affiliates and sub processors inside and outside the European Economic Area (EEA) for purposes of support and back-up. Willis Towers Watson has established safeguards to protect personal data transferred to countries outside the EEA, including appropriate contractual protections.
Client confirms that where Willis Towers Watson transfers personal data to investment managers, custodians and fund administrators outside of the EEA on behalf of Client, Client will be responsible for ensuring adequate safeguards are in place to permit such transfer.
Annex 1 - Description of processing of personal data
1. Subject Matter, Nature and Purpose
Collection and disclosure of personal data to investment managers, custodians and fund administrators to enable the completion of identity checks required in connection with anti-money laundering and other regulations, or under the 'know your client' policies of such investment managers, custodians or fund administrators. Such investment managers, custodians and fund administrators may be located within or outside the EEA.
2. Duration of processing of personal data
Willis Towers Watson will process the personal data for as long as it provides services to Client.
3. Categories of individuals:
The data subjects may include (i) Client's trustees, directors, shareholders, beneficial owners and employees; and (ii) family members of the persons listed in (i).
4. Types of personal data:
The services under the Agreement may involve the processing of the following types of personal data:
- names, addresses, telephone numbers, email addresses and any other contact information;
- jurisdiction of residency;
- identification documents (such as copy of passport or driving licence) and proof of address;
- political affiliations; and
- any other information that is required to be collected under any relevant anti-money laundering or other regulations or under the 'know your client' policies of relevant investment managers, custodians or fund administrators.
5. Types of special categories of data referred to in Article 9 of the Regulation:
The personal data processed by Willis Towers Watson may include political beliefs.