Aon's Global Data Protection Schedule

This Aon Data Protection Schedule (“Schedule”) forms part of the agreement between Aon and the entity purchasing Aon’s services (“Client”) and any applicable statement of work (collectively the “Agreement”). To the extent that the provisions of this Schedule conflict with, or are inconsistent with, any provisions in the Agreement, this Schedule shall prevail.

1. Definitions. In this Schedule the following terms shall have the following meanings:

a. “Agreement Personal Data” means any personal data (including any sensitive or special categories of data) that is transmitted, stored or otherwise processed under or in connection with the Agreement;

b. “Aon Group” means the Aon group of entities worldwide, being Aon PLC, Aon’s ultimate parent company, and all its subsidiaries, related/associated companies, Affiliates as well as joint ventures of such subsidiaries, related/associated companies and Affiliates;

c. "APAC" means, for the purpose of this Schedule, countries where Aon has a presence including Australia, Fiji, Hong Kong, India, Indonesia, Japan, Malaysia, Macau, New Zealand, Papua New Guinea, People’s Republic of China, Philippines, Singapore, South Korea, Taiwan, Thailand and Vietnam.

d. “DP Laws” means any applicable data protection and privacy laws relating to the protection of individuals with regards to the processing of personal data including but not limited to (i) the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) the Australian Privacy Act 1988 (Cth) (“Australian Privacy Act”); (iii) the Brazilian General Data Protection Law , the Chilean Law on the Protection of Private Life , the Colombian Data Protection Law , the Mexican Federal Law for the Protection of Personal Data (“Latam Privacy Laws”); (iv) the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”)”; (v) the Personal Information Protection Law of the People’s’ Republic of China (“China PIPL”); (vi) the Hong Kong Personal Data (Privacy) Ordinance (Cap.486); (vii) the India Digital Personal Data Protection Act 2023; (viii) the Indonesia Law No. 27 of 2022 on Protection of Personal Data; (ix) the Japan Act on the Protection of Personal Information; (x) the Macau Personal Data Protection Act (Act 8/2005); (xi) the Malaysia Personal Data Protection Act 2010; (xii) the New Zealand Privacy Act 2020; (xiii) the Philippines Data Privacy Act of 2012 (Republic Act 10173) ; (xiv) the Singapore Personal Data Protection Act 2012 (No.26 of 2012); (xv) the South Korea Personal Information Protection Act ; (xvi) the Taiwan Personal Data Protection Act; (xvii) the Thailand Personal Data Protection Act B.E. 2562 (2019); (xviii) the GDPR as transposed into the national laws of the United Kingdom (“UK GDPR”); (xix) the California Privacy Rights Act (“CPRA”) and the California Consumer Protection Act of 2018 (“CCPA”) and any corresponding or equivalent United States state or federal laws or regulations including any amendment, update, modification to or re-enactment of such laws (together "US Privacy Laws"); (xx) the Vietnam Decree on Personal Data Protection (No.13/2023/ND-CP); (xxi) the Swiss Federal Act on Data Protection (“FADP”) and its Ordinance; (xxii) the KSA Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH as supplemented by the Implementing Regulation of the Personal Data Protection Law including both the Implementing Regulations and the Regulation for Personal Data Transfer outside the Kingdom and any SDAIA regulations, circulars, guidance as published from time to time (together “KSA DP Laws”); (xxiii) the United Arab Emirates ("UAE") Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data Protection ("PDPL"); (xxiv) Dubai International Financial Centre’s ("DIFC") Data Protection Law, DIFC No. 5 of 2020 (together with implementing regulations and guidance from the DIFC Commissioner of Data Protection ("DIFC DPL")); and (xxv) any corresponding or equivalent national laws or regulations including any amendment, supplement, update, modification to or re-enactment of such laws;

e. “Restricted Transfer” means a transfer of the Agreement Personal Data from the Client (or a Client Affiliate) to Aon (or Aon Affiliate(s)) which, in the absence of the SCCs, would be unlawful under DP Laws;

f. “Sell[ing]”, “Sale” or “Sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means personal data by one business to another business or a third party for monetary or other valuable consideration;

g. “SCCs” means (i) the standard contractual clauses set out in Commission Implementing Decision (EU)2021/914 for the transfer of personal data to third countries pursuant to GDPR, as updated, amended, replaced and superseded from time to time (“EU SCCs”) as set out in Appendix 2; (ii) the EU SCCs  as recognised by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) in their latest official communication; (iii) the UK IDTA; and (iv) any other standard contractual clauses issued or approved by any supervisory authority; and

h. “UK IDTA” means either (i) the International Data Transfer Agreement (the “IDTA”) or (ii) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”) issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 as set out in Appendix 3; and

i. The terms "APP entity", “controller”, “data subject”, “personal data”, “processing”, “processor”, “sensitive personal data”, “special categories of data”, “supervisory authority” and “transfer” or its equivalent term under the DP Laws shall have the same meanings ascribed to them under the DP Laws.

j. Capitalised terms not defined in Section 1 shall have the meaning ascribed to them elsewhere in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

2. Controller obligations.

a. The parties envisage that under this Schedule each party is a separate controller of the Agreement Personal Data processed for the provision of the services applicable to the Agreement listed in  Appendix 1 (“Controller Services”).

b. If the parties or their Affiliates (as applicable) enter into a statement of work, under which Aon agrees to provide services to Client which: (i) are listed in Appendix 1 then the relevant services shall be deemed applicable for the purposes of Appendix 1 from the date of that statement of work; or (ii) are not covered by Appendix 1, then the parties or their Affiliates (as applicable) may agree in writing to update Appendix 1 to insert details of the relevant services.

c. Each party agrees for its own part that, to the extent that it processes Agreement Personal Data as a separate controller, it will observe all applicable requirements of DP Laws and this Schedule in relation to its processing of Agreement Personal Data. Each Party shall notify the other in writing if it is no longer able to process Agreement Personal Data in accordance with DP Laws.

d. Aon and Aon Affiliates may process, transfer and disclose personal data as described in Aon’s privacy notice in particular for (i) the delivery of the Controller Services; (ii) administration of engagement and general correspondence with Client; (iii) screening of individuals associated with Client against international sanctioned parties lists; and (iv) aggregation, de-identification and, where feasible, full anonymisation of personal data for benchmarking, market research and data analysis purposes associated with the development of Aon Group’s products and services.

e. The parties will work together in good faith to ensure information prescribed by DP Laws is made available to relevant data subjects, which may include the Client’s provision of such information to data subjects on Aon’s behalf. Client shall direct the data subject to Aon’s privacy notice as set out in Appendix 4, upon request by the data subjects.

3. Security.

a. Each party shall implement appropriate technical and organisational security measures in relation to the processing of the Agreement Personal Data under or in connection with the Agreement, which shall ensure a level of security appropriate to the risk including, as appropriate, (i) pseudonymisation and encryption; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to the Agreement Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures.

b. Aon shall maintain a global data governance framework which mandates strict technical and organisational security measures applicable to the processing of Agreement Personal Data including those relating to, without limitation, access control, data handling, malware protection, security organisation, system configuration and hardening, personnel security, physical security, business continuity plans and disaster recovery and third-party security.

4. Mutual assistance.

a. If either party receives any complaint, notice or communication from a supervisory authority which relates to the other party’s: (i) processing of the Agreement Personal Data; or (ii) potential failure to comply with DP Laws in respect of the Agreement Personal Data, that party shall direct the supervisory authority to the other party.

b. If a data subject makes a written request to a party to exercise any of their rights in relation to the Agreement Personal Data that concerns processing of the other party, that party shall direct the data subject to that other party.

c. To the extent applicable, the parties agree to cooperate to stop and remediate any actual or suspected unauthorized use of Agreement Personal Data.

5. Restricted Transfers.

a. With respect to Restricted Transfers, the SCCs contained in Appendix 2 (EU SCCs) and Appendix 3 (UK Addendum) of this Agreement will come into effect upon the commencement of any such Restricted Transfers. In each case, the data exporter is the Party or its Affiliates (as applicable) disclosing the personal data and the data importer is the Party or its Affiliates (as applicable) receiving the personal data. The parties agree that:

A. where such Restricted Transfers are subject to the GDPR, the terms of the Module 1 of the EU SCCs shall apply in the form set out in Appendix 2; and/or  

B. where such Restricted Transfers are subject to the UK GDPR, the terms of the Module 1 of the EU SCCs as amended by the UK Addendum shall apply in the form set out in Appendix 3.

b. For the avoidance of doubt (and without prejudice to third party rights for data subjects under the SCCs) the parties hereby submit to the limitations stipulated in the Agreement with respect to their respective liability towards one another under the SCCs.

c. To the extent that there is any conflict or inconsistency between the terms of the SCCs and the terms of the Agreement, the terms of the SCCs shall take precedence.

d. If, and to the extent that, the European Commission, the UK Information Commissioner  or any other relevant supervisory authority issues any amendment to, or replacement of  the relevant SCCs applicable to any transfers of Agreement Personal Data  pursuant to applicable DP Laws, the parties agree in good faith to take such additional steps as necessary to ensure that such replacement terms are implemented across all transfers of Agreement Personal Data.

e. If, at any time, a supervisory authority or a court with competent jurisdiction over a Party mandates that the transfers of Agreement Personal Data must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the parties shall work together in good faith to implement such safeguards and ensure that such transfer is conducted with the benefit of such additional safeguards.

6. ADDITIONAL PROVISIONS RELATING TO DP LAWS ENACTED IN APAC

a. This Clause 6 applies only to the extent the DP Laws enacted in APAC apply to Aon’s processing of Agreement Personal Data.

b. Client warrants that it shall secure and has secured all necessary legal bases under DP Laws, including but not limited to valid consents from the data subjects so that all Agreement Personal Data (including sensitive personal data) disclosed by Client or which is otherwise provided or made available to Aon may be lawfully processed, disclosed and transferred by Aon as described in or in connection with this Schedule, Aon’s privacy notice as set out in Appendix 4 and the Agreement. For this purpose, the Client undertakes to ensure that Aon’s privacy notice is made available to relevant data subjects so that the data subjects shall have all necessary information as prescribed under the DP Laws about the transfer by the Client of the Agreement Personal Data to Aon and Aon’s processing of the Agreement Personal Data under this Schedule.

c. Australia
The parties agree to comply with the Australian Privacy Act and any other applicable privacy or data protection laws regulating the collection, storage, use and disclosure of “personal information” (including any “sensitive information”) as defined under the Australian Privacy Act, including the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth), and do all that is reasonably needed on each of their parts to enable the other party to comply with them. The Client acknowledges and agrees that Aon is authorised to collect and handle the personal information disclosed by the Client in accordance with the Australian Privacy Act and Aon’s privacy notice as set out in Appendix 4.

d. People’s Republic of China
For the purpose of Clause 6(b) and in respect of Agreement Personal Data originating from the People’s Republic of China, the Client undertakes to ensure that the Client’s provision of such information together with Aon’s privacy notice located here is made available to relevant data subjects so that the data subjects shall have all necessary information as prescribed under the China PIPL about the provision by the Client of the Agreement Personal Data to Aon and Aon’s handling of the Agreement Personal Data under this Schedule.

7. ADDITIONAL PROVISIONS APPLICABLE TO BUSINESS OR SERVICE PROVIDER UNDER THE CCPA

a. Pursuant to the Agreement, Client has contractually engaged Aon to perform the Controller Services, in support of one of more permissible purposes specified in the Agreement. In order for Aon to provide the services to Client and to perform its obligations under the Agreement Client must provide, direct others to provide, or otherwise make available (collectively “provide”) to Aon certain data, including Agreement Personal Data (“Relevant Data”). Client agrees to provide Aon the Relevant Data that is necessary for Aon’s performance of its obligations under the Agreement, and to only provide such personal data as is reasonably necessary for the performance of the Controller Services. The parties agree that (i) Aon is not able to perform its obligations to Client under the Agreement unless Client provides the Relevant Data; (ii) the Relevant Data is necessary to the performance of the services in support of the purposes specified in the Agreement; (iii) the Agreement Personal Data is not provided to Aon in exchange for any monetary or other valuable consideration from Aon to Client. Aon does not Sell any personal information as part of the Controller Services provided under the Agreement

b. Aon shall only process Agreement Personal Data to fulfill the purposes set out in the statement of work. 

c. Aon shall not retain, use, or disclose Agreement Personal Data outside of the Agreement between Aon and Client.

8. PROVISIONS APPLICABLE TO RESTRICTED TRANSFERS SUBJECT TO THE SWISS FEDERAL ACT ON DATA PROTECTION (FADP)

a. Where a Restricted Transfer is subject to the FADP, the EU SCCs shall apply and shall be amended as follows:

(i) the FDPIC shall act as the competent supervisory authority;

(ii) the governing law and choice of forum and jurisdiction stipulated in the Agreement shall apply;

(iii) the term “EU member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of pursuing their rights at their place of habitual residence (Switzerland) in accordance with clause 18(c) of the EU SCCs. Accordingly, data subjects with their place of habitual residence in Switzerland may also bring legal proceedings before the competent courts in Switzerland; and

(iv) references to the GDPR should be read as references to the FADP.

9. PROVISIONS RELATING TO DP LAWS ENACTED IN THE UNITED ARAB EMIRATES (UAE) AND THE DUBAI INTERNATIONAL FINANCIAL CENTRE (DIFC)

a. This Clause 9 applies only to the extent the DP Laws enacted in the UAE and the DIFC (including, without limitation, the UAE Federal Personal Data Protection Law and its implementing regulations, and the DIFC DP Laws) apply to Aon’s processing of Agreement Personal Data in connection with the Controller Services and any related International Transfers.

b. Client agrees to provide Aon only such Agreement Personal Data as is reasonably necessary for Aon’s performance of the Controller Services and Aon’s other obligations under the Agreement. The parties acknowledge that Aon is not able to perform its obligations to Client under the Agreement unless Client provides the relevant Agreement Personal Data.

c. Client warrants that it shall secure and has secured all necessary legal bases under applicable DP Laws, including but not limited to valid consents from data subjects where required, so that all Agreement Personal Data (including any sensitive personal data) disclosed by Client or which is otherwise provided or made available to Aon may be lawfully collected, processed, disclosed, transferred (including any International Transfers) and otherwise used by Aon as described in or in connection with this Data Protection Schedule, Aon’s privacy notice as set out in Appendix 4 and the Agreement.

d. For this purpose, the Client undertakes to ensure that Aon’s privacy notice is provided or made available to relevant data subjects (whether by Client or, where agreed, by Aon on Client’s behalf) so that data subjects receive all information prescribed under applicable DP Laws in the UAE and DIFC regarding: (i) the Client’s disclosure or other provision of the Agreement Personal Data to Aon; (ii) any related International Transfers; and (iii) Aon’s subsequent processing of that data under this Data Protection Schedule and the Agreement.

e. With respect to Restricted Transfers, the DIFC SCCs are hereby incorporated into these terms by reference and will come into effect upon the commencement of any such Restricted Transfer, and the following terms shall apply:

a) in the DIFC SCCs: (i) all references to the DIFC DPL and specific articles of the DIFC DPL, the Supervisory Authority (including in Annex 1), and governing law, choice of forum and jurisdiction shall be understood to refer to the PDPL, the Data Office, and the governing law, choice of forum and jurisdiction of the UAE, respectively; (ii) if there is any inconsistency or conflict between the PDPL and the DIFC SCCs, the PDPL shall prevail; and (iii) if the meaning of the DIFC SCCs is unclear in so far as it applies to transfers of Personal Data outside the UAE, or there is more than one meaning, the meaning which most closely aligns with the PDPL shall apply;

b) for the purposes of the DIFC SCCs: (i) Clause 7 – Docking Clause is not used; and (ii) in respect of Clause 9 – Use of Sub-processors, for the purposes of Clauses 9.1(a) and 9(2)(a) Option 1: Specific Prior Authorization shall apply and the “time period” shall be thirty (30) days;

c) Appendix 1 of the DIFC SCCs shall be populated with: (i) the identity and contact details of the parties, as set out in the contract, with the contact points for data protection enquiries to be the usual business contacts for each Party; (ii) the applicable party allocated to the role of either the data exporter, being the Party or its Affiliates (as applicable) disclosing the Agreement Personal Data or the data importer being the Party or its Affiliates (as applicable) receiving the Agreement Personal Data; (iii) the relevant information about the data subjects, categories of personal data, categories of sensitive personal data, and the purposes of the transfer as specified in Appendix 1 to this Global Data Protection Schedule; (iii) the restrictions and safeguards applied to sensitive personal data shall be in accordance with Clause 3 of this Global Data Protection Schedule; (iv) the frequency of transfers shall be on a continuous basis; (v) the nature and purpose of the processing are for the purposes of providing the Controller Services and as otherwise detailed in Clause 2.d) of this Global Data Protection Schedule and includes access, adaptation, alteration, collection, combination, consultation, copying, deletion, destruction, disclosure, disposal, organization, recording, restriction, retrieval, storage, structuring, transfer and use; (vi) the retention period and criteria shall be determined in accordance with Aon’s corporate record retention schedules and policies, which are hereby incorporated by reference; (vii) the section regarding transfers to sub-processors shall be marked as 'not applicable'; and (e) the other competent supervisory authorities who may have jurisdiction includes any applicable Supervisory Authority;

d) Appendix 2 of the DIFC SCCs shall be populated with (i) the information about the technical, administrative and organisational measures implemented by the parties as detailed in Clause 3 of this Global Data Protection Schedule; and (ii) the section regarding the technical, administrative and organisational measures implemented by sub-processors shall be marked as 'not applicable'; and

e) Appendix 3 will be marked as 'not applicable'.

10. PROVISIONS RELATING TO DP LAWS ENACTED IN THE KINGDOM OF SAUDI ARABIA (KSA)

a. This Clause 10 applies only to the extent the KSA DP Laws apply to a Party’s processing of Agreement Personal Data in connection with the Controller Services and any related Restricted Transfers.

b. Client agrees to provide Aon only such Agreement Personal Data as is reasonably necessary for Aon’s performance of the Controller Services and Aon’s other obligations under the Agreement. The parties acknowledge that Aon is not able to perform its obligations to Client under the Agreement unless Client provides the relevant Agreement Personal Data.

c. Client warrants that it has secured and shall secure all necessary legal bases under applicable KSA DP Laws, including but not limited to valid consents from data subjects where required, so that all Agreement Personal Data (including any sensitive personal data) disclosed by Client or which is otherwise provided or made available to Aon may be lawfully collected, processed, disclosed, transferred (including any Restricted Transfers) and otherwise used by Aon as described in or in connection with this Global Data Protection Schedule, Aon’s privacy notice as set out in Appendix 4 and the Agreement.

d. For this purpose, the Client undertakes to ensure that Aon’s privacy notice is provided or made available to relevant data subjects (whether by Client or, where agreed, by Aon on Client’s behalf) so that data subjects receive all information prescribed under applicable KSA DP Laws regarding: (i) the Client’s disclosure or other provision of the Agreement Personal Data to Aon; (ii) any related Restricted Transfers; and (iii) Aon’s subsequent processing of that data under this Global Data Protection Schedule and the Agreement.

e. With respect to Restricted Transfers, the SDAIA SCCs (First Template: Controller–Controller) are hereby incorporated into these terms by reference and will come into effect upon the commencement of any such Restricted Transfer, and the following terms shall apply:

1) In the SDAIA SCCs, the data exporter shall be the Party or its Affiliates (as applicable) disclosing the Agreement Personal Data and the data importer shall be the Party or its Affiliates (as applicable) receiving the Agreement Personal Data, with both parties identified as acting as controllers.

2) Appendix 1 of the SDAIA SCCs shall be populated with: (i) the identity and contact details of the parties, as set out in the Agreement, including contact points for data protection enquiries being the usual business contacts for each Party; and (ii) the allocation of each Party to its applicable role as either data exporter or data importer, as described in sub‑clause (a) above.

3) Appendix 2 of the SDAIA SCCs shall be populated with: (i) the relevant information about the categories of data subjects, categories of personal data (including categories of sensitive data) and the purposes of the transfer as specified in Appendix 1 to this Global Data Protection Schedule; and (ii) the retention period and criteria, which shall be determined in accordance with Aon’s corporate record retention schedules and policies, which are hereby incorporated by reference.

4) Appendix 3 of the SDAIA SCCs shall be populated with the information about the technical, administrative and organisational measures implemented by the parties as set out in Clause 3 of this Global Data Protection Schedule.

f. For the avoidance of doubt, the parties agree, to the extent permitted by applicable KSA DP Laws, to: (i) submit to the applicable liability provisions and audit obligations stipulated in the Agreement; and (ii) undertake to comply with and enforce any binding decision in accordance with the governing law stipulated in the Agreement.

h. To the extent that there is any conflict or inconsistency between the terms of the SDAIA SCCs and the terms of the Agreement (including this Global Data Protection Schedule), the terms of the SDAIA SCCs shall take precedence.

i. If, and to the extent that, SDAIA issues any amendment to, or replacement of, the SDAIA SCCs pursuant to the KSA DP Laws, the parties agree in good faith to take such additional steps as are necessary to ensure that such replacement terms are implemented across all Restricted Transfers undertaken in connection with this Agreement.

j. If, at any time, a Supervisory Authority or a court with competent jurisdiction over a Party mandates that a transfer of Agreement Personal Data from controllers in the Kingdom of Saudi Arabia to controllers established outside of the Kingdom of Saudi Arabia must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the parties shall work together in good faith to implement such safeguards and ensure that any such transfer of Agreement Personal Data is conducted with the benefit of those additional safeguards.

Revision History