General Data Protection Regulation (GDPR) Schedule
This GDPR schedule ("GDPR Schedule") forms part of the Engagement Letter ("Agreement") between Aon and Client (each a "Party" and together the "Parties") and any applicable Statement of Work (as defined below).
To the extent that the provisions of this GDPR Schedule conflict with, or are inconsistent with, any provisions in the Agreement, the GDPR Schedule shall prevail.
1. DEFINITIONS AND INTERPRETATION
a. In this GDPR Schedule the following terms shall have the following meanings:
"Affiliate" means, with respect to a Party, an entity that is Controlled by, Controlling or in common Control with that Party, where "Control" means the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting shares, by contract or otherwise;
"Agreement Personal Data" means any personal data (including any sensitive or special categories of data) that is transmitted, stored or otherwise processed under or in connection with the Agreement;
"Aon Group" means the Aon group of entities worldwide, being Aon PLC, Aon’s ultimate parent company, and all its subsidiaries, related/associated companies, Affiliates as well as joint ventures of such subsidiaries, related/associated companies and Affiliates;
"DP Laws" means any applicable data protection and privacy laws relating to the protection of individuals with regards to the processing of personal data including but not limited to (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the GDPR as transposed into the national laws of the United Kingdom ("UK GDPR"); (iii) Directive 2002/58/EC ("ePrivacy Directive"); (iv) the California Consumer Protection Act of 2018 ("CCPA") and any corresponding or equivalent United States state or federal laws or regulations including any amendment, update, modification to or re-enactment of such laws (together "US Privacy Laws"); and (v) any corresponding or equivalent national laws or regulations including any amendment, supplement, update, modification to or re-enactment of such laws;
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Agreement Personal Data;
"Restricted Transfer" means a transfer of the Agreement Personal Data between Client and Aon which, in the absence of the SCCs, would be unlawful under DP Laws;
"SCCs" means (i) the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries pursuant to the GDPR, as updated, amended, replaced and superseded from time to time ("EU SCCs"); and/or (ii) the UK IDTA;
"Statement of Work" means a statement of work, work order or other document ancillary to the Agreement, under which Aon or its Affiliates agree or have agreed to provide services to Client or its Affiliates; and
"UK IDTA" means either the International Data Transfer Agreement (the "IDTA") or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum") issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
The terms "controller", "data subject", "personal data", "processing", "processor", "sensitive personal data", "special categories of data", "supervisory authority" and "transfer" shall have the same meanings ascribed to them under the DP Laws.
b. Capitalised terms not defined in Clause 1.1 shall have the meaning ascribed to them elsewhere in the Agreement.
c. Except as modified below, the terms of the Agreement shall remain in full force and effect.
2. PROVISIONS APPLICABLE TO CONTROLLER SERVICES
a. The Parties envisage that under this GDPR Schedule, each Party is a separate controller of the Agreement Personal Data processed for the provision of the services applicable to the Agreement listed in Appendix 1 ("Controller Services").
b. If the Parties or their Affiliates (as applicable) enter into a Statement of Work, under which Aon agrees to provide services to Client which:
i. are listed in Appendix 1 then the relevant services shall be deemed applicable for the purposes of Appendix 1 from the date of that Statement of Work; or
ii. are not covered by Appendix 1, then the Parties or their Affiliates (as applicable) may agree in writing to update Appendix 1 to insert details of the relevant services.
c. Each Party agrees for its own part that, to the extent that it processes Agreement Personal Data as a separate controller:
i. it will observe all applicable requirements of DP Laws and this GDPR Schedule in relation to its processing of Agreement Personal Data; and
ii. all Agreement Personal Data collected or sourced by it or on its behalf for processing in connection with the Agreement or which is otherwise provided or made available to the other Party shall have been collected or otherwise obtained in compliance with DP Laws, and may be processed, disclosed and transferred as described in or in connection with the Agreement.
d. Aon and Aon Affiliates may process, transfer and disclose personal data as described in Aon’s privacy notice in particular for (i) the delivery of the Controller Services; (ii) administration of engagement and general correspondence with Client; (iii) screening of individuals associated with Client against international sanctioned parties lists; and (iv) aggregation, de-identification and, where feasible, full anonymisation of personal data for benchmarking, market research and data analysis purposes associated with the development of Aon Group’s products and services.
e. The Parties will work together in good faith to ensure information prescribed by DP Laws is made available to relevant data subjects, including where necessary the Client’s provision of such information to data subjects on Aon’s behalf.
f. Each Party shall implement appropriate technical and organisational security measures in relation to the processing of the Agreement Personal Data under or in connection with the Agreement, which shall ensure a level of security appropriate to the risk including, as appropriate, (i) pseudonymisation and encryption; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to the Agreement Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures.
g. Aon shall maintain a global data governance framework which mandates strict technical and organisational security measures applicable to the processing of Agreement Personal Data including those relating to, without limitation, access control, data handling, malware protection, security organisation, system configuration and hardening, personnel security, physical security, business continuity plans and disaster recovery and third party security.
h. Aon shall retain the Agreement Personal Data pursuant to its corporate record retention schedules for the purposes of meeting Aon’s legal and regulatory obligations, and enabling Aon to establish, exercise or defend legal claims.
i. If either Party receives any complaint, notice or communication from a supervisory authority which relates to the other Party’s: (i) processing of the Agreement Personal Data; or (ii) potential failure to comply with DP Laws in respect of the Agreement Personal Data, that Party shall direct the supervisory authority to the other Party.
j. If a data subject makes a written request to a Party to exercise any of their rights in relation to the Agreement Personal Data that concerns processing of the other Party, that Party shall direct the data subject to that other Party.
k. If either Party becomes aware of a Personal Data Breach that requires notification to a supervisory authority, it shall notify the other Party without undue delay, and each Party shall co-operate with the other, to the extent reasonably requested, in relation to any notifications to supervisory authorities and/or to affected data subjects.
l. The Parties acknowledge that Agreement Personal Data may be transferred to, or otherwise processed, outside the United Kingdom and the European Economic Area ("International Transfers") provided that such International Transfer is made in compliance with DP Laws, including, if applicable, by adoption of SCCs, or such other international transfer mechanism that effectively complies with DP Laws.
m. With respect to Restricted Transfers, the SCCs are hereby incorporated into this Agreement by reference and will come into effect upon the commencement of any such Restricted Transfer, and the following terms shall apply. In each case, the data exporter is the Party or its Affiliates (as applicable) disclosing the personal data and the data importer is the Party or its Affiliates (as applicable) receiving the personal data:
i. where a Restricted Transfer is subject solely to the GDPR the following terms shall apply:
1. Annex IA of the EU SCCs will be populated with the details of the Parties set out in the Agreement, Annex IB of the EU SCCs will be populated with the description of processing of personal data set out in Appendix 1 to this GDPR Schedule; and
2. For the purposes of Module 1 of the EU SCCs: clause 7 and the optional language in clause 11(a) shall not apply, the supervisory authority for the purposes of clause 13(a) shall be determined by the place of establishment of the data exporter, the governing law and choice of forum and jurisdiction stipulated in the Agreement shall apply to the extent that it is the law and the courts of an EU member state, otherwise it shall be those of the Republic of Ireland, and the technical and organisational security measures set out in Clauses 2.6 and 2.7 shall apply. The frequency of the transfer shall be continuous, as necessary to deliver the Controller Services, and retention shall be determined by Aon’s corporate record retention schedules and policies.
ii. where a Restricted Transfer is subject to both GDPR and UK GDPR the following terms with respect to the UK Addendum shall, in addition to Clause 2.13(a) above, also apply:
1. the EU SCCs shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK Addendum; and
2. the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK Addendum is set out in the Agreement.
iii. where a Restricted Transfer is subject solely to the UK GDPR, the Parties confirm that the information required for the purposes of Part 1 (Tables), Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the IDTA is set out in the Agreement and Appendix 1 to this GDPR Schedule and the technical and organisational security measures set out in Clauses 2.6 and 2.7 shall apply.
n. For the avoidance of doubt (and without prejudice to third party rights for data subjects under the SCCs) the Parties hereby submit to the limitations stipulated in the Agreement with respect to their respective liability towards one another under the SCCs.
o. To the extent that there is any conflict or inconsistency between the terms of the SCCs and the terms of the Agreement, the terms of the SCCs shall take precedence.
p. If, and to the extent that, the European Commission or the United Kingdom issues any amendment to, or replacement of, the EU SCCs or the UK IDTA pursuant to Article 46(5) or Article 46 of the GDPR or UK GDPR, the Parties agree in good faith to take such additional steps as necessary to ensure that such replacement terms are implemented across all transfers.
q. If, at any time, a supervisory authority or a court with competent jurisdiction over a Party mandates that transfers from controllers in the EEA or the United Kingdom to controllers established outside the EEA or the United Kingdom must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of personal data is conducted with the benefit of such additional safeguards.
Appendix 1: Controller Services