Aon's Global Data Protection Schedule

This Aon Data Protection Schedule (“Schedule”) forms part of the agreement between Aon and the entity purchasing Aon’s services (“Client”) and any applicable statement of work (collectively the “Agreement”). To the extent that the provisions of this Schedule conflict with, or are inconsistent with, any provisions in the Agreement, this Schedule shall prevail.

1. Definitions. In this Schedule the following terms shall have the following meanings:

a. “Agreement Personal Data” means any personal data (including any sensitive or special categories of data) that is transmitted, stored or otherwise processed under or in connection with the Agreement;

b. “Aon Group” means the Aon group of entities worldwide, being Aon PLC, Aon’s ultimate parent company, and all its subsidiaries, related/associated companies, Affiliates as well as joint ventures of such subsidiaries, related/associated companies and Affiliates;

c. “DP Laws” means any applicable data protection and privacy laws relating to the protection of individuals with regards to the processing of personal data including but not limited to (i) the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) the Australian Privacy Act 1988 (Cth) (“Australian Privacy Act”); (iii) the Brazilian General Data Protection Law, the Chilean Law on the Protection of Private Life, the Colombian Data Protection Law, the Mexican Federal Law for the Protection of Personal Data (“Latam Privacy Laws”); (iv) the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”); (v) the Personal Information Protection Law of the People’s Republic of China (“China PIPL”); (vi) the India Digital Personal Data Protection Act 2023; (vii) the Indonesia Law No. 27 of 2022 on Protection of Personal Data; (viii) the Japan Act on the Protection of Personal Information; (ix) the Macau Personal Data Protection Act (Act 8/2005); (x) the New Zealand Privacy Act 2020; (xi) the Philippines Data Privacy Act of 2012 (Republic Act 10173); (xii) the Singapore Personal Data Protection Act 2012 (No. 26 of 2012); (xiii) the South Korea Personal Information Protection Act; (xiv) the Thailand Personal Data Protection Act B.E. 2562 (2019); (xv) the GDPR as transposed into the national laws of the United Kingdom (“UK GDPR”); (xvi) the California Privacy Rights Act (“CPRA”) and the California Consumer Protection Act of 2018 (“CCPA”) and any corresponding or equivalent United States state or federal laws or regulations including any amendment, update, modification to or re-enactment of such laws (together “US Privacy Laws”); (xvii) the Vietnam Decree on Personal Data Protection (No. 13/2023/ND-CP); (xviii) the Swiss Federal Act on Data Protection (“FADP”) and its Ordinance; and (xix) any corresponding or equivalent national laws or regulations including any amendment, supplement, update, modification to or re-enactment of such laws;

d. “Restricted Transfer” means a transfer of the Agreement Personal Data from the Client (or a Client Affiliate) to Aon (or Aon Affiliate(s)) which, in the absence of the SCCs, would be unlawful under DP Laws;

e. “Sell[ing]”, “Sale” or “Sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means personal data by one business to another business or a third party for monetary or other valuable consideration;

f. “SCCs” means (i) the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries pursuant to GDPR, as updated, amended, replaced and superseded from time to time (“EU SCCs”) as set out in Appendix 2 and as recognised by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) in their latest official communication; and (ii) the UK IDTA; and

g. “UK IDTA” means either (i) the International Data Transfer Agreement (the “IDTA”) or (ii) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”) issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 as set out in Appendix 3.

h. The terms “APP entity”, “controller”, “data subject”, “personal data”, “processing”, “processor”, “sensitive personal data”, “special categories of data”, “supervisory authority” and “transfer” or its equivalent term under the DP Laws shall have the same meanings ascribed to them under the DP Laws.

i. Capitalised terms not defined in Section 1 shall have the meaning ascribed to them elsewhere in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

2. Controller obligations.

a. The parties envisage that under this Schedule each party is a separate controller of the Agreement Personal Data processed for the provision of the services applicable to the Agreement listed in Appendix 1 (“Controller Services”).

b. If the parties or their Affiliates (as applicable) enter into a statement of work, under which Aon agrees to provide services to Client which: (i) are listed in Appendix 1 then the relevant services shall be deemed applicable for the purposes of Appendix 1 from the date of that statement of work; or (ii) are not covered by Appendix 1, then the parties or their Affiliates (as applicable) may agree in writing to update Appendix 1 to insert details of the relevant services.

c. Each party agrees for its own part that, to the extent that it processes Agreement Personal Data as a separate controller, it will observe all applicable requirements of DP Laws and this Schedule in relation to its processing of Agreement Personal Data. Each Party shall notify the other in writing if it is no longer able to process Agreement Personal Data in accordance with DP Laws.

d. Aon and Aon Affiliates may process, transfer and disclose personal data as described in Aon’s privacy notice in particular for (i) the delivery of the Controller Services; (ii) administration of engagement and general correspondence with Client; (iii) screening of individuals associated with Client against international sanctioned parties lists; and (iv) aggregation, de-identification and, where feasible, full anonymisation of personal data for benchmarking, market research and data analysis purposes associated with the development of Aon Group’s products and services.

e. The parties will work together in good faith to ensure information prescribed by DP Laws is made available to relevant data subjects, which may include the Client’s provision of such information to data subjects on Aon’s behalf. Client shall direct the data subject to Aon’s privacy notice as set out in Appendix 4, upon request by the data subjects.

3. Security.

a. Each party shall implement appropriate technical and organisational security measures in relation to the processing of the Agreement Personal Data under or in connection with the Agreement, which shall ensure a level of security appropriate to the risk including, as appropriate, (i) pseudonymisation and encryption; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to the Agreement Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures.

b. Aon shall maintain a global data governance framework which mandates strict technical and organisational security measures applicable to the processing of Agreement Personal Data including those relating to, without limitation, access control, data handling, malware protection, security organisation, system configuration and hardening, personnel security, physical security, business continuity plans and disaster recovery and third-party security.

4. Mutual assistance.

a. If either party receives any complaint, notice or communication from a supervisory authority which relates to the other party’s: (i) processing of the Agreement Personal Data; or (ii) potential failure to comply with DP Laws in respect of the Agreement Personal Data, that party shall direct the supervisory authority to the other party.

b. If a data subject makes a written request to a party to exercise any of their rights in relation to the Agreement Personal Data that concerns processing of the other party, that party shall direct the data subject to that other party.

c. To the extent applicable, the parties agree to cooperate to stop and remediate any actual or suspected unauthorized use of Agreement Personal Data.

5. Restricted Transfers.

a. With respect to Restricted Transfers, the SCCs contained in Appendix 2 (EU SCCs) and Appendix 3 (UK Addendum) of this Agreement will come into effect upon the commencement of any such Restricted Transfers. In each case, the data exporter is the Party or its Affiliates (as applicable) disclosing the personal data and the data importer is the Party or its Affiliates (as applicable) receiving the personal data. The parties agree that:

A. where such Restricted Transfers are subject to the GDPR, the terms of the Module 1 of the EU SCCs shall apply in the form set out in Appendix 2; and/or

B. where such Restricted Transfers are subject to the UK GDPR, the terms of the Module 1 of the EU SCCs as amended by the UK Addendum shall apply in the form set out in Appendix 3.

b. For the avoidance of doubt (and without prejudice to third party rights for data subjects under the SCCs) the parties hereby submit to the limitations stipulated in the Agreement with respect to their respective liability towards one another under the SCCs.

c. To the extent that there is any conflict or inconsistency between the terms of the SCCs and the terms of the Agreement, the terms of the SCCs shall take precedence.

d. If, and to the extent that, the European Commission or the United Kingdom issues any amendment to, or replacement of, the EU SCCs or the UK IDTA pursuant to Article 46(5) or Article 46 of the GDPR or UK GDPR, the parties agree in good faith to take such additional steps as necessary to ensure that such replacement terms are implemented across all transfers.

e. If, at any time, a supervisory authority or a court with competent jurisdiction over a Party mandates that transfers from controllers in the EEA or the United Kingdom to controllers established outside the EEA or the United Kingdom must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the parties shall work together in good faith to implement such safeguards and ensure that any transfer of Agreement Personal Data is conducted with the benefit of such additional safeguards.

6. ADDITIONAL PROVISIONS RELATING TO DP LAWS ENACTED IN INDIA, INDONESIA, PHILIPPINES, SOUTH KOREA, THAILAND AND VIETNAM

a. This Clause 6 applies only to the extent the DP Laws enacted in India, Indonesia, Philippines, South Korea, Thailand or Vietnam apply to Aon’s processing of Agreement Personal Data.

b. Client warrants that it has obtained all necessary consents from the data subjects so that all Agreement Personal Data (including sensitive personal information) disclosed by Client or which is otherwise provided or made available to Aon may be processed, disclosed and transferred as described in or in connection with this Schedule and the Agreement.

7. ADDITIONAL PROVISIONS APPLICABLE TO BUSINESS OR SERVICE PROVIDER UNDER THE CCPA

a. Pursuant to the Agreement, Client has contractually engaged Aon to perform the Controller Services, in support of one or more permissible purposes specified in the Agreement. In order for Aon to provide the services to Client and to perform its obligations under the Agreement, Client must provide, direct others to provide, or otherwise make available (collectively “provide”) to Aon certain data, including Agreement Personal Data (“Relevant Data”). Client agrees to provide Aon the Relevant Data that is necessary for Aon’s performance of its obligations under the Agreement, and to only provide such personal data as is reasonably necessary for the performance of the Controller Services. The parties agree that (i) Aon is not able to perform its obligations to Client under the Agreement unless Client provides the Relevant Data; (ii) the Relevant Data is necessary to the performance of the services in support of the purposes specified in the Agreement; and (iii) the Agreement Personal Data is not provided to Aon in exchange for any monetary or other valuable consideration from Aon to Client. Aon does not Sell any personal information as part of the Controller Services provided under the Agreement.

b. Aon shall only process Agreement Personal Data to fulfill the purposes set out in the statement of work.

c. Aon shall not retain, use, or disclose Agreement Personal Data outside of the Agreement between Aon and Client.

8. ADDITIONAL PROVISIONS APPLICABLE TO APP ENTITY UNDER THE AUSTRALIAN PRIVACY ACT

a. The parties agree to comply with the Australian Privacy Act and any other applicable privacy or data protection laws regulating the collection, storage, use and disclosure of “personal information” (including any “sensitive information”) as defined under the Australian Privacy Act, including the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth), and do all that is reasonably needed on each of their parts to enable the other party to comply with them. The Client acknowledges and agrees that Aon is authorised to collect and handle the personal information disclosed by the Client in accordance with the Australian Privacy Act and Aon’s privacy notice as set out in Appendix 4.

9. ADDITIONAL PROVISIONS APPLICABLE TO PERSONAL INFORMATION HANDLER UNDER THE CHINA PIPL

a. Client warrants that it has obtained, from the data subjects, all necessary consents to making the Agreement Personal Data available to Aon to enable Aon to provide the Controller Services and to perform activities under Clause 2 (d).

b. The Client further warrants to ensure that: (i) the information relating to the handling of Agreement Personal Data by Aon as a personal information handler under this Schedule as prescribed by DP Laws is made available to relevant data subjects; and (ii) consents from data subjects in relation to the handling of Agreement Personal Data by Aon are obtained. For this purpose, the Client undertakes to ensure that the Client’s provision of such information together with Aon’s privacy notice located here is made available to relevant data subjects so that the data subjects shall have all necessary information as prescribed under the DP Laws about the provision by the Client of the Agreement Personal Data to Aon and Aon’s handling of the Agreement Personal Data under this Schedule.

10. PROVISIONS APPLICABLE TO PERSONAL DATA ORIGINATING FROM HONG KONG, MALAYSIA OR TAIWAN

a. To the extent any personal data processed under or in connection with this Agreement originates from Hong Kong, Malaysia or Taiwan, Clauses 2 and 4 through 9 shall not apply.

b. Client acknowledges and confirms that (i) all instructions given by Client to Aon in respect of the Agreement Personal Data shall be in accordance with applicable data protection laws; and (ii) all Agreement Personal Data collected or sourced by or on behalf of Client for processing in connection with the services and the performance of the Agreement or which is otherwise provided or made available to Aon shall comply with and have been collected or otherwise obtained in compliance with the applicable data protection laws.

c. Agreement Personal Data will be transferred to, processed by, or stored globally, by Aon, its Affiliates, and third parties engaged to provide services or support to Aon in accordance with this Agreement and Aon’s privacy standards. By submitting Agreement Personal Data, Client agrees to such transfers, processing, and storage of the Agreement Personal Data, and Client confirms it has the authorizations necessary for such disclosure.

d. Aon relies on Agreement Personal Data to provide the services and Client shall ensure that the Agreement Personal Data provided to Aon by Client is accurate, complete and correct and promptly inform Aon of changes to such data. Client also acknowledges and agrees that Aon is reliant on directions from Client with respect to the processing, use and disclosure of the Agreement Personal Data for the services.

11. PROVISIONS APPLICABLE TO RESTRICTED TRANSFERS SUBJECT TO THE SWISS FEDERAL ACT ON DATA PROTECTION (FADP)

a. Where a Restricted Transfer is subject to the FADP, the EU SCCs shall apply and shall be amended as follows:

(i) the FDPIC shall act as the competent supervisory authority;

(ii) the governing law and choice of forum and jurisdiction stipulated in the Agreement shall apply;

(iii) the term “EU member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of pursuing their rights at their place of habitual residence (Switzerland) in accordance with clause 18(c) of the EU SCCs. Accordingly, data subjects with their place of habitual residence in Switzerland may also bring legal proceedings before the competent courts in Switzerland; and

(iv) references to the GDPR should be read as references to the FADP.

Revision History

Date         | Update                                                        | Made By      | Archived File Link
October 2023 | Document created                                              | Rob Lundin   | N/A
March 2024   | Appendix 2 and 3 links corrected.                             | Rob Lundin   | N/A
June 2024    | 1. APAC updates; 2. Link to China Privacy Notice corrected    | Pei Jie Chan |
August 2024  | Switzerland updates                                           | Olivier Soro |