Aon's Global Data Protection Schedule

This Aon Data Protection Schedule (“Schedule”) forms part of the agreement between Aon and the entity purchasing Aon’s services (“Client”) and any applicable statement of work (collectively the “Agreement”). To the extent that the provisions of this Schedule conflict with, or are inconsistent with, any provisions in the Agreement, this Schedule shall prevail.

  1. Definitions. In this Schedule the following terms shall have the following meanings:
  1. “Agreement Personal Data” means any personal data (including any sensitive or special categories of data) that is transmitted, stored or otherwise processed under or in connection with the Agreement;
  2. “Aon Group” means the Aon group of entities worldwide, being Aon PLC, Aon’s ultimate parent company, and all its subsidiaries, related/associated companies, Affiliates as well as joint ventures of such subsidiaries, related/associated companies and Affiliates;
  3. “DP Laws” means any applicable data protection and privacy laws relating to the protection of individuals with regard to the processing of personal data, including but not limited to (i) the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) the Australian Privacy Act 1988 (Cth) (“Australian Privacy Act”); (iii) the Brazilian General Data Protection Law (LGPD), the Chilean Law No. 19,628 on the Protection of Private Life (DPL), the Colombian Data Protection Law No. 1581 and the Mexican Federal Law for the Protection of Personal Data (together “Latam Privacy Laws”); (iv) the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”); (v) the Personal Information Protection Law of the People’s Republic of China (“China PIPL”); (vi) the Indonesia Law No. 27 of 2022 on Protection of Personal Data; (vii) the Japan Act on the Protection of Personal Information; (viii) the Macau Personal Data Protection Act (Act 8/2005); (ix) the Philippines Data Privacy Act of 2012 (Republic Act 10173) (“Philippines DPA”); (x) the South Korea Personal Information Protection Act (“PIPA”); (xi) the Thailand Personal Data Protection Act B.E. 2562 (2019); (xii) the GDPR as transposed into the national laws of the United Kingdom (“UK GDPR”); (xiii) the California Privacy Rights Act (“CPRA”) and the California Consumer Privacy Act of 2018 (“CCPA”) and any corresponding or equivalent United States state or federal laws or regulations, including any amendment, update, modification to or re-enactment of such laws (together “US Privacy Laws”); (xiv) the Vietnam Decree on Personal Data Protection (No. 13/2023/ND-CP); and (xv) any corresponding or equivalent national laws or regulations, including any amendment, supplement, update, modification to or re-enactment of such laws;
  4. “Restricted Transfer” means a transfer of the Agreement Personal Data from the Client (or a Client Affiliate) to Aon (or Aon Affiliate(s)) which, in the absence of the SCCs, would be unlawful under DP Laws;
  5. “Sell[ing]”, “Sale” or “Sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means personal data by one business to another business or a third party for monetary or other valuable consideration;
  6. “SCCs” means (i) the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries pursuant to GDPR, as updated, amended, replaced and superseded from time to time (“EU SCCs”), as set out in Appendix 2; and (ii) the UK IDTA; and
  7. “UK IDTA” means either (i) the International Data Transfer Agreement (the “IDTA”) or (ii) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”) issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as set out in Appendix 3.
  8. The terms “controller”, “data subject”, “personal data”, “processing”, “processor”, “sensitive personal data”, “special categories of data”, “supervisory authority” and “transfer” shall have the same meanings ascribed to them under the DP Laws.
  9. Capitalised terms not defined in Section 1 shall have the meaning ascribed to them elsewhere in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

  2. Controller obligations.
  1. The parties envisage that under this Schedule each party is a separate controller of the Agreement Personal Data processed for the provision of the services applicable to the Agreement listed in Appendix 1 (“Controller Services”).
  2. If the parties or their Affiliates (as applicable) enter into a statement of work, under which Aon agrees to provide services to Client which: (i) are listed in Appendix 1 then the relevant services shall be deemed applicable for the purposes of Appendix 1 from the date of that statement of work; or (ii) are not covered by Appendix 1, then the parties or their Affiliates (as applicable) may agree in writing to update Appendix 1 to insert details of the relevant services.
  3. Each party agrees for its own part that, to the extent that it processes Agreement Personal Data as a separate controller, it will observe all applicable requirements of DP Laws and this Schedule in relation to its processing of Agreement Personal Data. Each party shall notify the other in writing if it is no longer able to process Agreement Personal Data in accordance with DP Laws.
  4. Aon and Aon Affiliates may process, transfer and disclose personal data as described in Aon’s privacy notice, in particular for (i) the delivery of the Controller Services; (ii) administration of the engagement and general correspondence with Client; (iii) screening of individuals associated with Client against international sanctioned parties lists; and (iv) aggregation, de-identification and, where feasible, full anonymisation of personal data for benchmarking, market research and data analysis purposes associated with the development of Aon Group’s products and services.
  5. The parties will work together in good faith to ensure information prescribed by DP Laws is made available to relevant data subjects, which may include the Client’s provision of such information to data subjects on Aon’s behalf.

  3. Security.
  1. Each party shall implement appropriate technical and organisational security measures in relation to the processing of the Agreement Personal Data under or in connection with the Agreement, which shall ensure a level of security appropriate to the risk including, as appropriate, (i) pseudonymisation and encryption; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to the Agreement Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures.
  2. Aon shall maintain a global data governance framework which mandates strict technical and organisational security measures applicable to the processing of Agreement Personal Data including those relating to, without limitation, access control, data handling, malware protection, security organisation, system configuration and hardening, personnel security, physical security, business continuity plans and disaster recovery and third-party security.

  4. Mutual assistance.
  1. If either party receives any complaint, notice or communication from a supervisory authority which relates to the other party’s: (i) processing of the Agreement Personal Data; or (ii) potential failure to comply with DP Laws in respect of the Agreement Personal Data, that party shall direct the supervisory authority to the other party.
  2. If a data subject makes a written request to a party to exercise any of their rights in relation to the Agreement Personal Data that concerns processing of the other party, that party shall direct the data subject to that other party.
  3. To the extent applicable, the parties agree to cooperate to stop and remediate any actual or suspected unauthorized use of Agreement Personal Data.

  5. Restricted Transfers.
  1. With respect to Restricted Transfers, the SCCs contained in Appendix 2 (EU SCCs) and Appendix 3 (UK Addendum) of this Agreement will come into effect upon the commencement of any such Restricted Transfers. In each case, the data exporter is the Party or its Affiliates (as applicable) disclosing the personal data and the data importer is the Party or its Affiliates (as applicable) receiving the personal data. The parties agree that:
    1. where such Restricted Transfers are subject to the GDPR, the terms of Module 1 of the EU SCCs shall apply in the form set out in Appendix 2; and/or
    2. where such Restricted Transfers are subject to the UK GDPR, the terms of Module 1 of the EU SCCs as amended by the UK Addendum shall apply in the form set out in Appendix 3.
  2. For the avoidance of doubt (and without prejudice to third party rights for data subjects under the SCCs) the parties hereby submit to the limitations stipulated in the Agreement with respect to their respective liability towards one another under the SCCs.
  3. To the extent that there is any conflict or inconsistency between the terms of the SCCs and the terms of the Agreement, the terms of the SCCs shall take precedence.
  4. If, and to the extent that, the European Commission or the United Kingdom issues any amendment to, or replacement of, the EU SCCs or the UK IDTA pursuant to Article 46(5) or Article 46 of the GDPR or UK GDPR, the parties agree in good faith to take such additional steps as necessary to ensure that such replacement terms are implemented across all transfers.
  5. If, at any time, a supervisory authority or a court with competent jurisdiction over a Party mandates that transfers from controllers in the EEA or the United Kingdom to controllers established outside the EEA or the United Kingdom must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the parties shall work together in good faith to implement such safeguards and ensure that any transfer of Agreement Personal Data is conducted with the benefit of such additional safeguards.

  6. ADDITIONAL PROVISIONS RELATING TO DP LAWS ENACTED IN INDONESIA, PHILIPPINES, SOUTH KOREA, THAILAND AND VIETNAM
  1. This Clause 6 applies only to the extent the DP Laws enacted in Indonesia, Philippines, South Korea, Thailand or Vietnam apply to Aon’s processing of Agreement Personal Data.
  2. Client warrants that it has obtained all necessary consents from the data subjects so that all Agreement Personal Data (including sensitive personal information) disclosed by Client or which is otherwise provided or made available to Aon may be processed, disclosed and transferred as described in or in connection with this Schedule and the Agreement.

  7. ADDITIONAL PROVISIONS APPLICABLE TO BUSINESS OR SERVICE PROVIDER UNDER THE CCPA
  1. Pursuant to the Agreement, Client has contractually engaged Aon to perform the Controller Services in support of one or more permissible purposes specified in the Agreement. In order for Aon to provide the services to Client and to perform its obligations under the Agreement, Client must provide, direct others to provide, or otherwise make available (collectively “provide”) to Aon certain data, including Agreement Personal Data (“Relevant Data”). Client agrees to provide Aon the Relevant Data that is necessary for Aon’s performance of its obligations under the Agreement, and to only provide such personal data as is reasonably necessary for the performance of the Controller Services. The parties agree that (i) Aon is not able to perform its obligations to Client under the Agreement unless Client provides the Relevant Data; (ii) the Relevant Data is necessary to the performance of the services in support of the purposes specified in the Agreement; and (iii) the Agreement Personal Data is not provided to Aon in exchange for any monetary or other valuable consideration from Aon to Client. Aon does not Sell any personal information as part of the Controller Services provided under the Agreement.
  2. Aon shall only process Agreement Personal Data to fulfil the purposes set out in the statement of work.
  3. Aon shall not retain, use, or disclose Agreement Personal Data outside of the Agreement between Aon and Client.

  8. ADDITIONAL PROVISIONS APPLICABLE TO APP ENTITY UNDER THE AUSTRALIAN PRIVACY ACT
  1. The parties agree to comply with the Australian Privacy Act and any other applicable privacy or data protection laws regulating the collection, storage, use and disclosure of “personal information” (including any “sensitive information”) as defined under the Australian Privacy Act, including the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth), and to do all that is reasonably needed on each of their parts to enable the other party to comply with them. The Client acknowledges and agrees that: (i) it will provide Aon’s privacy notice located at https://www.aon.com/australia/legal/privacy-policy.jsp to the individual who is the subject of the personal information provided to Aon; and (ii) Aon is authorised to collect and handle the personal information disclosed by the Client in accordance with the Australian Privacy Act and Aon’s privacy notice.

  9. PROVISIONS APPLICABLE TO PERSONAL INFORMATION CONTROLLER UNDER THE CHINA PIPL
  1. Client warrants that it has obtained, from the data subjects, all necessary consents to making the Agreement Personal Data available to Aon to enable Aon to provide the Controller Services and to perform the activities under Clause 2.4.
  2. The Client further warrants to ensure that: (i) the information relating to the handling of Agreement Personal Data by Aon as a personal information handler under this Schedule as prescribed by DP Laws is made available to relevant data subjects; and (ii) consents from data subjects in relation to the handling of Agreement Personal Data by Aon are obtained. For this purpose, the Client undertakes to ensure that the Client’s provision of such information together with Aon’s privacy notice located at https://www.aon.com/en/about/leadership-and-governance/data-protection-schedule/china-privacy-notice is made available to relevant data subjects so that the data subjects shall have all necessary information as prescribed under the DP Laws about the provision by the Client of the Agreement Personal Data to Aon and Aon’s handling of the Agreement Personal Data under this Schedule.
