Aon Bermuda Data Privacy Notice
for when Aon uses personal information under instruction from clients.
1. Introduction
This Privacy Notice (“Notice”) contains the information which we are required to provide under the Bermuda Personal Information Protection Act 2016 (including any guidelines, regulations or amendments made thereto) ("PIPA"). This Notice explains how Aon Bermuda and its affiliated companies and subsidiaries (“Aon”) makes use of the personal information collected about you in connection with Aon’s Insurance Management Services (the “Services”). Throughout this Notice, Aon may be referred to as "we", "us", "our" or “Aon”. This Notice may be supplemented by additional privacy statements, terms or notices relevant to applicable services, including Aon’s Global Privacy Statement.
We have appointed a Privacy Officer for the purposes of compliance with PIPA, who will have primary responsibility for communicating with the Privacy Commissioner of Bermuda. The full details of such Privacy Officer can be found at paragraph 13 of this Notice.
2. Responsibility for your information
In providing the Services, Aon uses personal information, which may be collected by Aon itself or obtained from its clients. Our clients may have their own privacy notices and you should refer to those in the first instance as applicable for more information about their practices and your rights.
We act solely on the specific detailed instructions of our clients in terms of what personal data must be processed and for what purpose, and we have limited discretion/independence/control over the processing. Broadly, and on the instruction of our client, we may process personal information for purposes such as:
- completion of mandatory individual questionnaires for proposed Directors and Heads of Function and associated due diligence as required by local regulations;
- processing of periodic salary and expense payments to directors;
- collection of due diligence information on banking signatories and provision of same to banking/treasury counterparties prior to making payments to beneficiaries;
- receipt, recording and retention of quarterly bordereaux, and claims individual reports, which is anonymised but may also contain personal claimant information;
- collation of agenda and all supporting materials for circulation to directors in advance of a board meeting date which contains Directors and other function holder names, and financial information; and
- other processing as may be directed by our clients.
We have expressly indicated throughout this Notice where information is used by us (for example, information collected by cookies which we place on the website).
3. Collecting Your Information
3.1 The information we collect about you may include, but is not limited to, the following:
a. Contact details: such as your name, email, postal address and phone number
b. Unique identifiers: such as Passport details, National ID or National Insurance Number
c. Demographic details: such as your date of birth
d. Employment information: such as job title, employment history, qualifications, affiliations and Directorships held
e. Financial information: such as credit history and bankruptcy status for applicable Fitness and Probity requirements
f. Background checking information: such as inclusion in our counterparty database for screening against approved sanctions lists or checking against a public list of disqualified directors, the existence of previous or alleged criminal offences, or confirmation of clean criminal records, information in relation to politically exposed persons (“PEPs”)
g. Payment information: such as credit or debit card number and bank account details
3.2 You are requested to provide any personal information we reasonably require (in a form acceptable to us) to meet our obligations in connection with the Services, including any legal and regulatory obligations. If you do not provide the information that we require to fulfil these obligations, the client will be notified and there may be regulatory or other implications for the client.
3.3 In addition to collecting personal information from you directly, we may also collect personal information about you from other third parties, such as your employer and credit reference agencies, government bodies, vetting and data validation agencies and other professional advisory service providers. This information may be sourced prior to and during the course of providing the Services.
3.4 In some instances, we automatically collect certain types of information when you visit our website(s) and through e-mails that we may exchange. Automated technologies may include the use of web server logs to collect IP addresses, "cookies" and web beacons. Further information about our use of cookies can be found in our Cookie Notice and Cookie Preference Center at the footer of our page (where applicable).
4. Processing your information
We will use the information we collect about you in connection with the Services to:
a. carry out due diligence, identity, credit reference, bankruptcy, sanctions, data validation and other vetting checks;
b. facilitate the prevention, detection and investigation of crime and the apprehension or prosecution of offenders;
c. trace debtors and recover any outstanding debt in connection with the services provided;
d. fulfil legal and regulatory obligations and monitor compliance with the same; or
e. transfer books of business to successors of the business in the event of a sale or reorganisation.
5. Legal Grounds for Use of Information
All processing (i.e. use) of your personal information must be justified by a lawful basis for processing (which is also known as a legal ground for processing).
As an 'organization' (as defined in PIPA), we use your information solely in accordance with the contractual obligations agreed with our clients.
The types of legal grounds which may be relied upon by our clients are as follows:
a. Performance of the service contract: Where we offer the Services or enter into a contract with our clients to provide the services, we will collect and use personal information where necessary to enable us to take steps to offer the services, process acceptance of the offer and fulfil our obligations in the contract.
b. Legal and regulatory obligations: The collection and use of some aspects of your personal information is necessary to enable us to meet our local legal and regulatory obligations.
c. Performance of the service contract: We will use personal information, including information relating to criminal convictions or alleged offences to prevent and detect fraud, other financial crime and crime generally in the insurance industry.
d. Legitimate interests: Where we rely on this legal basis to collect and use personal information, we shall take appropriate steps to ensure the processing does not infringe the rights and freedoms conferred to individuals under the applicable data privacy laws.
e. Consent: We may rely on consent to collect and use personal information concerning any criminal convictions or alleged offences. Where we rely on consent to collect and use personal information, individuals are not obliged to provide consent and they may choose to subsequently withdraw their consent at any stage once provided.
6. Accuracy of Your Information
We rely on the availability of accurate personal information in order to provide the Services to our clients and operate our business in accordance with relevant regulations.
7. Recipients of Your Information
We generally share your personal information with the following categories of recipients where necessary to offer, administer and manage the services provided to our clients:
a. vetting and risk management agencies, such as credit reference, criminal record, fraud prevention, data validation and other professional advisory agencies, where necessary to prevent and detect fraud in the insurance industry and take steps to assess the risk in relation to prospective or existing insurance policies and/or the services;
b. legal advisers, loss adjusters and claims investigators, where necessary to investigate, exercise or defend legal claims, insurance claims or other claims of a similar nature;
c. law enforcement bodies, where necessary to facilitate the prevention or detection of crime or the apprehension or prosecution of offenders;
d. public authorities, regulators and government bodies, where necessary for us to comply with our legal and regulatory obligations;
e. third party suppliers, where we outsource our processing operations to suppliers that process personal information on our behalf. These processing operations shall remain under our control and will be carried out in accordance with our security standards and strict instructions; and
f. successors of the business, where Aon or the services are sold to, acquired by or merged with another organisation, in whole or in part. Where personal information is shared in these circumstances it will continue to be used in accordance with this Notice.
8. Overseas Transfers of Your Information
8.1 We operate on a global and worldwide basis and we therefore reserve the right to transfer personal information about you to other countries, to be processed for the purposes outlined in the Notice. In particular, we may make such transfers to offer, administer and manage the Services provided and improve the efficiency of our business operations. We shall endeavour to ensure that such transfers comply with PIPA and all applicable data privacy laws and regulations and provide appropriate protection for the rights and freedoms conferred to individuals under such laws.
8.2 Where we collect personal information about you in the United Kingdom (the “UK”) or the European Economic Area (the “EEA”) we may transfer the information to countries outside the UK or EEA for the processing purposes outlined in this Notice. This may include transfers to countries that the European Commission (the “EC”) and UK data protection regulator consider to provide adequate data privacy safeguards and to some countries that are not subject to an adequacy decision. Where we transfer personal information to countries that are not subject to an adequacy decision we shall put in place appropriate safeguards, such as standard contractual clauses approved by the EC or UK data protection regulator, as appropriate. Where necessary, we may implement additional technical, organisational or contractual measures to ensure an adequate level of protection for your personal information. Where required, further information concerning these safeguards can be obtained by contacting us.
9. Retention of Your Information
We retain appropriate records of your personal information to operate our business and comply with our legal and regulatory obligations. These records are retained for predefined retention periods that may extend beyond the period for which we provide the Services to you. We shall retain your personal information for no longer than is required under PIPA or any other applicable data protection laws. We have implemented appropriate measures to ensure your personal information is securely destroyed in a timely and consistent manner when no longer required.
10. Information Security
The security of your personal information is important to us and we have implemented appropriate security measures to protect the confidentiality, integrity and availability of the personal information we collect about you and ensure that such information is processed in accordance with applicable data privacy laws.
11. Your Information Rights
11.1 You have the following rights under applicable data privacy laws in respect of any personal information we collect and use about you (understanding that some of these rights may be limited by applicable laws which may require absolute disclosure of your personal information):
a. The right to access and inspect your personal information or be provided with a permanent copy of the information being held about you.
b. The right to request the correction of your personal information or in cases where the accuracy of information is disputed, to supplement the information to give notice that you dispute its accuracy.
c. The right to request the erasure of your personal information, particularly where the continued use of the information is no longer necessary.
d. The right to object to the use of your personal information, particularly where you feel there are no longer sufficient legitimate grounds for us to continue processing the information.
e. The right to object to the use of your personal information for direct marketing purposes.
f. The right to request the restriction of your personal information from further use, i.e. where the accuracy of the information is disputed and you request that the information not be used until its accuracy is confirmed.
g. The right to request that some aspects of your personal information be provided to you or a third party of your choice in electronic form to enable its reuse.
h. The right to object to decisions involving the use of your personal information, which have been taken solely by automated means.
i. The right to complain to the Privacy Commissioner about our use of your personal information.
11.2 It is important to note, however, that some of the rights described above in section 11.1 can only be exercised in certain circumstances. If we are unable to fulfil a request from you to exercise one of your rights under PIPA or any other applicable data privacy laws we will write to you to explain the reason for refusal. Where required, further information concerning these rights and their application can be obtained by contacting us.
12. Complaints
If you wish to make a complaint about the way we use your personal information you should raise this with us by contacting us using the details set out in Section 13 below.
However, if you are not satisfied with the way we have handled your complaint you have the right to raise the matter with the relevant data protection regulator in your country.
13. Contact Information
If you have any questions about the content of this Statement or the rights conferred to you under PIPA or any applicable data privacy laws, you should in the first instance contact the Bermuda Privacy Officer at [email protected]. Otherwise, please feel free to contact us at:
- EU Representative – Aon plc, Metropolitan Building, James Joyce Street, Dublin 1, D01 K0Y8, Ireland
- UK Representative – Aon UK Limited, The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London, EC3V 4AN, United Kingdom
- US Contact – Aon plc, 200 E. Randolph, Chicago, Illinois 60601, United States
14. Changes to this Notice
This Notice is not contractual and Aon reserves the right to reasonably amend it from time to time to ensure it continues to accurately reflect the way that we collect and use personal information about you. Any updates or changes to this Notice will be made available to you.
You should periodically review this Notice to ensure you understand how we collect and use your personal information.
This Notice was last updated on January 1, 2025.