Hong Kong Privacy Statement
Aon plc (NYSE: AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.
Aon Hong Kong Limited (“Aon”, “we”, “us”, “our”) respects personal data privacy and is committed to fully implementing and complying with the requirements under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). This commitment reflects the value we place on earning and keeping the trust of our employees, customers, clients, business partners and others who share their personal information with us.
What does this Privacy Statement do?
This Hong Kong Privacy Statement (“Statement”) explains Aon’s information processing practices. This Statement applies to any personal information you provide to Aon and any personal information we collect from other sources, unless you are provided a more specific privacy statement at the time of data collection. This Statement does not apply to your use of any third-party sites linked to from this website or any websites which have their own privacy notices.
This Statement aims to help you understand our personal data collection, usage and disclosure practices by explaining:
GLOBAL PRIVACY STATEMENT
- Who is responsible for your information?
- How do we collect your information and what information do we collect?
- How do we use your personal information?
- Legal basis
- Do we collect information from children?
- How long do we retain your personal information?
- How do we disclose your personal information?
- Do we transfer your personal information across geographies?
- Do we have security measures in place to protect your information?
- Other rights regarding your data
- Automated Decisions
- Contact Us
- Changes to this Statement
1. Who is responsible for your information?
Throughout this Statement, “Aon” refers to Aon plc, including its affiliated companies and subsidiaries (also referred to as “we,” “us,” or “our”). Personal information is collected by each member of the Aon group who is responsible for its processing in their capacity as a controller. A full list of our group entities is available here. These entities may provide separate privacy notices when your personal information is first collected by that Aon entity, for example, when you or the business you work for engages us to provide a service.
Aon entities also provide services to our clients as a processor. Where this is the case we will process your personal information in line with our legal obligations and contractual commitments with our clients.
2. How do we collect your information and what information do we collect?
The personal information we collect varies depending upon the nature of our services. This Statement provides an overview of the categories of personal information we collect and the purposes for which we use it. More information about the personal information collected for each of our services, together with the purpose and legal basis for collecting the information, may be provided to you in separate privacy notices relevant to the applicable services.
Aon collects personal information in the following ways:
Information you provide to us
Aon collects information directly from you when you:
- Request a service from us;
- Visit an Aon site or attend an Aon event;
- Apply for a position at Aon;
- Contact us with a complaint or query;
- Engage with us over social media; or
- Register with or use any of our websites or applications.
You are required to provide any personal information we reasonably require (in a form acceptable to us) to meet our obligations in connection with the services we provide to you, including any legal and regulatory obligations. Where you fail to provide or delay in providing information we reasonably require to fulfill these obligations, we may be unable to offer the services to you and/or we may terminate the services provided with immediate effect.
Where you provide personal information to Aon about third-party individuals (e.g., information about your spouse, civil partner, child(ren), dependents or emergency contacts), where appropriate, you should provide these individuals with a copy of this Statement beforehand or ensure they are otherwise made aware of how their information will be used by Aon. Where you provide information to us about your beneficiaries we may require you to provide explicit consent on their behalf.
Information we automatically collect
In some instances, we automatically collect certain types of information when you visit our websites and through e-mails that we may exchange. Automated technologies may include the use of web server logs to collect IP addresses, "cookies" and web beacons. Further information about our use of cookies can be found in our Cookie Notice and Cookie Preference Center at the footer of our page (where applicable).
Information we collect from clients or third parties
When we provide the services to our clients, we may collect personal information from our clients about you, such as your name, contact details, date of birth, gender, marital status, financial details, employment details, and benefit coverage. We may also collect (in each case as strictly relevant to the services we provide) sensitive information about you, such as health information in relation to life, health, professional liability and workers compensation insurance or employee benefit programs sponsored by your employer. Most of the personal information we receive relates to your participation in the compensation and benefits programs offered by your employer. Where permitted by national law, and appropriate to do so, we may collect criminal records information; for example, where required as part of our business acceptance, finance, administration, recruitment, anti-money laundering and sanctions screening processes.
The information we collect about you may include the following:
a. Basic personal details, such as your name, address, contact details, date of birth, age, gender and marital status;
b. Unique identifiers such as National Insurance Number or pension scheme reference number;
c. Demographic details, such as information about your age, gender, race, marital status, lifestyle, and insurance requirements;
d. Employment information such as role, employment status (such as full/part time, contract), salary information, employment benefits, and employment history;
e. Health information such as information about your health status, medical records and medical assessment outcomes;
f. Benefits information such as benefit elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits such as voluntary contributions, pension sharing orders, tax protections or other adjustments;
g. Financial details such as payment card and bank account details, details of your credit history and bankruptcy status, salary, tax code, third-party deductions, bonus payments, benefits and entitlement data, national insurance contributions details;
h. Claims details such as information about any claims concerning your or your employer’s insurance policy;
i. Your marketing preferences;
j. Online information: e.g., information about your visits to our websites;
k. Events information such as information about your interest in and attendance at our events, including provision of feedback forms;
l. Social media information such as interactions (e.g., likes and posts) with our social media presence; and
m. Criminal records information such as the existence of or alleged criminal offences, or confirmation of clean criminal records.
Where we collect sensitive personal information (such as information about your health or alleged criminal activities), we will ensure that it is necessary and is done in accordance with applicable law, which may include obtaining your explicit consent and/or necessary authorizations prior to collection.
3. How do we use your personal information?
The following is a summary of the purposes for which we use personal information. More information about the personal information collected for each of our services, together with the purpose and legal basis for collecting the information, may be provided to you in separate privacy notices which are relevant to the services which affect you.
Performing services for our clients
We process personal information which our clients provide to us to perform our commercial risk, reinsurance, retirement, health, and data and analytics services. The precise purposes for which your personal information is processed will be determined by the scope and specification of our client engagement, and by applicable laws, regulatory guidance and professional standards.
Administering our client engagements
We process personal information about our clients and the individual representatives of our corporate clients to:
- Carry out Aon’s regulatory and compliance obligations, including:
- "Know Your Customer" checks and screening;
- Anti-money laundering;
- Trade sanctions screening;
- Obtain and update credit information with appropriate third parties, such as credit reporting agencies, where transactions are made on credit;
- Communicate with our clients;
- Address client inquiries and complaints; and
- Administer claims.
Communications and marketing to our clients and prospective clients
We process personal information about our clients, prospective clients, and the individual representatives of our corporate clients to: send newsletters, know-how, promotional material and other marketing communications; and invite our clients to events, including arranging and administering those events.
Conducting data analytics, benchmarking and modeling
Aon is an innovative business, which relies on developing sophisticated products and services by drawing on our experience from prior engagements to analyze trends. Aon also uses data to perform analysis, modeling, benchmarking and research.
Crime prevention
We process personal information to facilitate the prevention, detection and investigation of crime and the apprehension or prosecution of offenders and to comply with laws/regulations. For example, we do this as part of our business acceptance, finance, administration and recruitment processes, including anti-money laundering and sanctions screening checks.
Mergers and acquisitions
We process personal information in the event of a sale, acquisition or reorganization. This includes processing personal information for planning and due diligence purposes both prior to closing and after a transaction has closed for reasons related to the sale, acquisition, or reorganization and in order to transfer books of business to successors of the business.
Process and service improvement
We process personal data to maintain and improve processes used in providing the services and uses of technology, including testing and upgrading of systems. We also process data to develop new services.
If we wish to use your personal information for a purpose which is not compatible with the purpose for which it was collected, we will request your consent unless your personal information is being processed to satisfy our legal and regulatory obligations. In all cases, we balance our legal use of your personal information with your interests, rights, and freedoms in accordance with applicable laws and regulations to make sure that your personal information is not subject to unnecessary risk.
4. Legal basis
We rely on the following legal grounds to collect and use your personal information:
a. Performance of the service contract
Where we offer services or enter into a contract with you to provide services, we will collect and use your personal information where necessary to enable us to take steps to offer you the services, process your acceptance of the offer and fulfill our obligations in the contract with you.
b. Legal and regulatory obligations
The collection and use of some aspects of your personal information is necessary to enable us to meet our legal and regulatory obligations. For example, Aon is licensed and regulated by certain industry regulators and is required to provide some services in accordance with relevant regulatory rules.
c. Preventing and detecting fraud
We will use your personal information, including information relating to criminal convictions or alleged offences to prevent and detect fraud, other financial crime, and crime generally in the insurance and financial services industry.
d. Legitimate interests
The collection and use of some aspects of your personal information is necessary to enable us to pursue our legitimate commercial interests. For example, we have legitimate interests in:
- Providing professional services across our global solution lines;
- Operating our business, and managing and developing our relationships with clients, suppliers and with you;
- Understanding and responding to inquiries;
- Receiving information from third parties and Aon affiliates to provide services;
- Sharing data in connection with mergers and acquisitions and transfers of business;
- Improving our services; and
- Understanding how you and our clients use our services and websites.
Where we rely on this legal basis to collect and use your personal information we shall take appropriate steps to ensure the processing does not infringe the rights and freedoms conferred to you under the applicable data privacy laws.
e. Consent
In certain instances, we rely on your consent as a legal basis. For example, we rely on your consent to collect and use personal information concerning any criminal convictions or alleged offences, specifically for assessing risks relating to your prospective or existing insurance policy. We may also share this information with other insurance market participants and third parties where necessary to offer, administer and manage the services provided to you, such as insurers and insurance underwriters, reinsurers, brokers and vetting agencies.
Where we rely on your consent to collect and use your information, you are not obliged to provide your consent and you may choose to subsequently withdraw your consent at any stage once provided. However, where you refuse to provide information that we reasonably require to provide the services, we may be unable to offer you the services and/or we may terminate the services provided with immediate effect.
Where you choose to receive the services from us you agree to the collection and use of your personal information in the way we describe in this section of the Statement. If applicable you also agree that such information may be collected and used for the above purpose by the insurance underwriter named in your insurance policy documentation. You should refer to the insurer’s privacy statement on their website for further information about their privacy practices.
f. Substantial public interest (in accordance with applicable law)
If applicable law allows, we may collect and use your information for a substantial public interest. For example, to prevent or detect unlawful acts or in public health.
g. In the context of a specific exemption provided for under local laws of EU Member States and other countries implementing GDPR
We rely on specific grounds in certain circumstances, for example for insurance purposes or for determining benefits under an occupational pension scheme. The collection and use of some aspects of your personal information, such as information concerning your health, is necessary for insurance and/or occupational pension scheme purposes.
h. Country specific legal basis
In countries outside the EU which require a legal basis for data collection and use, Aon has addressed these bases through jurisdiction specific privacy notices available at the top of this page.
5. Do we collect information from children?
Our websites are not directed to children and we do not knowingly collect personal information from children on our websites. Children are prohibited from using our websites.
Certain Aon solution lines may process data related to children, such as their date of birth, address, and other identifiable information. This information is not collected directly from children, but from other parties such as from our client, the carrier, or directly from you as the parent or guardian of the child (e.g., so that the child may be named a beneficiary to an insurance policy or pension plan).
6. How long do we retain your personal information?
How long we retain your personal information depends on the purpose for which it was obtained and its nature. We will keep your personal information for the period necessary to fulfil the purposes described in this Statement unless a longer retention period is permitted or required by law and in accordance with the Aon Record Retention Policy. Your personal information will be securely destroyed when it is no longer required.
7. How do we disclose your personal information?
We generally share your personal information with the following categories of recipients where necessary to offer, administer and manage the services provided to you:
a. Within Aon: we may share your personal information with other Aon entities, brands, divisions, and subsidiaries for the processing purposes outlined in this Statement;
b. Insurance market participants where necessary to offer, administer and manage the services provided to you, such as insurers and insurance underwriters, reinsurers, brokers, intermediaries and loss adjusters. The insurance underwriter is the insurer that is underwriting your insurance policy and is named in your policy documentation. You should refer to the insurer’s privacy statement on their website for further information about their privacy practices;
c. Vetting and risk management agencies such as credit reference, criminal record, fraud prevention, data validation and other professional advisory agencies, where necessary to prevent and detect fraud in the insurance industry and take steps to assess the risk in relation to prospective or existing insurance policies and/or the services;
d. Legal advisers, loss adjusters, and claims investigators, where necessary to investigate, exercise or defend legal claims, insurance claims or other claims of a similar nature;
e. Medical professionals, e.g., where you provide health information in connection with a claim against your insurance policy;
f. Law enforcement bodies, when required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request, and where necessary to facilitate the prevention or detection of crime or the apprehension or prosecution of offenders;
g. Public authorities, regulators and government bodies, where necessary for us to comply with our legal and regulatory obligations, or in connection with an investigation of suspected or actual illegal activity;
h. Third-party suppliers, where we outsource our processing operations to suppliers that process personal information on our behalf. Examples include IT service providers who manage our IT and back office systems and telecommunications networks, and contact center providers. These processing operations shall remain under our control and will be carried out in accordance with our security standards and strict instructions;
i. Successors of the business, where Aon or the services are sold to, acquired by or merged with another organization, in whole or in part, and personal information needs to be shared with relevant third parties as part of due diligence processes and transfers to the new entity. Where personal information is shared in these circumstances it will be shared in accordance with this Statement; and
j. Internal and external auditors where necessary for the conduct of company audits or to investigate a complaint or security threat.
8. Do we transfer your personal information across geographies?
We are a global organization and transfer certain personal information across geographical borders in accordance with applicable law.
When we do, if the applicable law requires, we use a variety of legal mechanisms to help ensure your rights and protections travel with your data, such as:
- We ensure transfers between Aon entities are covered by agreements that incorporate prescribed contractual wording, such as the EU Commission's standard contractual clauses, which contractually oblige each party to ensure that personal information receives an adequate and consistent level of protection.
- Where we transfer to or receive your personal information from third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information, which incorporate standard contractual clauses where required.
- Where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information is disclosed.
Where required, further information concerning these safeguards can be obtained by contacting us.
9. Do we have security measures in place to protect your information?
The security of your personal information is important to us and Aon has implemented reasonable physical, technical and administrative security standards in an effort to protect personal information from loss, unauthorized access, misuse, alteration or destruction and to ensure that such information is processed in accordance with applicable data privacy laws.
10. Other rights regarding your data
Subject to certain exemptions and the jurisdiction in which you live, and in some cases dependent upon the processing activity we are undertaking, you may have certain rights in relation to your personal information. We have listed some of the common rights that may be applicable below. When you exercise these rights, we may need to ask you for additional information to confirm your identity, before disclosing information to you or responding to your request. We will not charge a fee unless your request is manifestly unfounded or excessive and/or we are permitted by law to levy such charges.
You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfill your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. If we cannot fully address your request, we will contact you to let you know and explain the reason why your request was denied.
Right to Access
You have the right under certain circumstances to access and inspect personal information which Aon holds about you. If you have created a profile, you can access that information by visiting your account.
Right to Correction
You may have the right to request us to correct your personal information where it is inaccurate or out of date.
Right to be Forgotten (Right to Erasure)
You have the right under certain circumstances to have your personal information erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data.
Right to Restrict Processing
You have the right under certain circumstances to request the restriction of your personal information from further use, e.g., where the accuracy of the information is disputed, and you request that the information not be used until its accuracy is confirmed.
Right to Data Portability
You have the right under certain circumstances to data portability, which requires us to provide personal information to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) consent; or (ii) the performance of a contract to which you are a party.
Right to Object to Processing
You have the right to object to the processing of your personal information at any time, but only where that processing is based on our legitimate interests as its legal basis. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Right to Decline Automated Decision Making
You have the right to object to decisions involving the use of your personal information, which have been taken solely by automated means. See section eleven (11) below for further information.
Right to Object to Direct Marketing
Where your personal information is processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing. We will provide specific information on how to opt-out from our marketing initiatives through the medium we communicate with you.
11. Automated Decisions
Where you apply or register to receive the service we may carry out a real-time automated assessment to determine whether you are eligible to receive the service. An automated assessment is an assessment carried out automatically using technological means (e.g., computer systems) without human involvement. This assessment will analyse your personal information and comprise several checks, e.g., credit history and bankruptcy check, validation of your driving licence and motoring convictions, validation of your previous claims history and other fraud prevention checks. Where your application to receive the service does not appear to meet the eligible criteria, it may be automatically refused, and you will receive notification of this during the application process. However, where a decision is taken solely by automated means involving the use of your personal information, you have the right to challenge the decision and ask us to reconsider the matter, with human intervention. If you wish to exercise this right, you should contact us.
12. Contact Us
If you have any questions, would like further information about our privacy and information handling practices, would like to discuss opt-outs or withdrawing consent, or would like to make a complaint about this Statement, please contact Aon’s Global Privacy Office, Aon plc, 200 E. Randolph, Chicago, Illinois 60601 or [email protected].
You also have a right to lodge a complaint with your local data protection supervisory authority,
13. Changes to this Statement
We may update this Statement from time to time. When we do, we will post the current version on this site, and we will revise the version date located at the bottom of this page.
We encourage you to periodically review this Statement so that you will be aware of our privacy practices.
This Statement was last updated on 23 March 2021.