Privacy Schedule for Commercial Risk Solutions U.S.

This Privacy Schedule ("Privacy Schedule") forms part of the Renewal Proposal (“Agreement”) between Aon and Client and any applicable Statement of Work (as defined below).

To the extent that the provisions of this Privacy Schedule conflict with, or are inconsistent with, any provisions in the Agreement, the Privacy Schedule shall prevail.

1. Definitions and Interpretation

1.1. In this Privacy Schedule the following terms shall have the following meanings:

"Affiliate" means, with respect to a Party, an entity that is Controlled by, Controlling or in common Control with that Party, where "Control" means the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting shares, by contract or otherwise;

"Agreement Personal Data" means any personal data, personal information (including any sensitive or special categories of data) that is transmitted, stored or otherwise processed under or in connection with the Agreement;

"Aon Group" means the Aon group of entities worldwide, being Aon PLC, Aon’s ultimate parent company, and all its subsidiaries, related/associated companies, Affiliates as well as joint ventures of such subsidiaries, related/associated companies and Affiliates;

"DP Laws" means any applicable data protection and privacy laws relating to the protection of individuals with regards to the processing of personal data, including but not limited to (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the GDPR as transposed into the national laws of the United Kingdom ("UK GDPR"); (iii) Directive 2002/58/EC ("ePrivacy Directive"); (iv) the California Privacy Rights Act ("CPRA") and the California Consumer Protection Act of 2018 ("CCPA") and any corresponding or equivalent United States, state, or federal laws or regulations including any amendment, update, modification to or re-enactment of such laws (together "US Privacy Laws"); and (v) any corresponding or equivalent national laws or regulations, including any amendment, supplement, update, modification to or re-enactment of such laws;

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Agreement Personal Data;

"Restricted Transfer" means a transfer of the Agreement Personal Data between Client (or a Client Affiliate) and Aon (or Aon Affiliate(s)) which, in the absence of the SCCs, would be unlawful under DP Laws;

"SCCs" means (i) the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries pursuant to the GDPR, as updated, amended, replaced and superseded from time to time ("EU SCCs"); and/or (ii) the UK IDTA;

"Sell[ing]", "Sale" or "Sold" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means Personal Information by one business to another business or a third Party for monetary or other valuable consideration;

"Statement of Work" means a statement of work, work order or other document ancillary to the Agreement, under which Aon or its Affiliates agree or have agreed to provide services to Client or its Affiliates; and

"UK IDTA" means either the International Data Transfer Agreement (the "IDTA") or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum") issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.

The terms "business", "controller", "data subject", "personal data", "personal information", "processing", "processor", "sensitive personal data", "service provider", "special categories of data", "supervisory authority" and "transfer" shall have the same meanings ascribed to them or equivalent terms under DP Laws, and references to the term "personal data" shall be interpreted to include any information defined as “personal information” or any other such similar term as defined in DP Laws.

1.2. Capitalised terms not defined in Clause 1.1 shall have the meaning ascribed to them elsewhere in the Agreement.

1.3. Except as modified below, the terms of the Agreement shall remain in full force and effect.

2. General

2.1. Each Party shall comply with its respective obligations under DP Laws with regards to Agreement Personal Data.

2.2. If the Parties or their Affiliates (as applicable) enter into a Statement of Work, under which Aon agrees to provide services to Client which:

(a) are listed in Appendix 1 then the relevant services shall be deemed applicable for the purposes of Appendix 1 from the date of that Statement of Work; or

(b) are not covered by Appendix 1, then the Parties or their Affiliates (as applicable) may agree in writing to update Appendix 1 to insert details of the relevant services.

3. Data Protection Obligations

3.1. Sections 4 and 5 shall apply only to the extent that (i) DP Laws apply to Aon’s processing of Agreement Personal Data; and (ii) such laws impose or require that each of the following obligations be imposed on the Parties, in light of Aon’s processing of Agreement Personal Data. For the avoidance of doubt, this means that where DP Laws only impose or require certain of the following obligations, only those obligations shall apply between the Parties.

3.2. The Parties shall take all measures to comply with DP Laws.

3.3. Each Party shall notify the other in writing, without undue delay, if it is no longer able to process Agreement Personal Data in accordance with DP Laws.

4. Provisions Applicable to Controller Services

4.1. The Parties envisage that under this Privacy Schedule, each Party is a separate controller or business of the Agreement Personal Data processed for the provision of the services applicable to the Agreement listed in Appendix 1 ("Controller Services").

4.2. Each Party agrees for its own part that, to the extent that it processes Agreement Personal Data as a separate controller or business:

(a) it will observe all applicable requirements of DP Laws and this Privacy Schedule in relation to its processing of Agreement Personal Data; and

(b) all Agreement Personal Data collected or sourced by it or on its behalf for processing in connection with the Agreement or which is otherwise provided or made available to the other Party shall have been collected or otherwise obtained in compliance with DP Laws, and may be processed, disclosed and transferred as described in or in connection with the Agreement.

4.3. Aon and Aon Affiliates may process, transfer and disclose personal data as described in Aon’s privacy notice in particular for (i) the delivery of the Controller Services; (ii) administration of engagement and general correspondence with Client; (iii) screening of individuals associated with Client against international sanctioned parties lists; and (iv) aggregation, de-identification and, where feasible, full anonymisation of personal data for benchmarking, market research and data analysis purposes associated with the development of Aon Group’s products and services.

4.4. The Parties will work together in good faith to ensure information prescribed by DP Laws is made available to relevant data subjects, including where necessary Client’s provision of such information to data subjects on Aon’s behalf.

4.5. Each Party shall implement appropriate technical and organisational security measures in relation to the processing of the Agreement Personal Data under or in connection with the Agreement, which shall ensure a level of security appropriate to the risk including, as appropriate, (i) pseudonymisation and encryption; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to the Agreement Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures, and (v) any other measures required by DP Laws.

4.6. Aon shall maintain a global data governance framework which mandates strict technical and organisational security measures applicable to the processing of Agreement Personal Data including those relating to, without limitation, access control, data handling, malware protection, security organisation, system configuration and hardening, personnel security, physical security, business continuity plans and disaster recovery and third Party security.

4.7. Aon shall retain the Agreement Personal Data pursuant to its corporate record retention schedules for the purposes of meeting Aon’s legal and regulatory obligations, and enabling Aon to establish, exercise or defend legal claims.

4.8. If either Party receives any complaint, notice or communication from a supervisory authority which relates to the other Party’s: (i) processing of the Agreement Personal Data; or (ii) potential failure to comply with DP Laws in respect of the Agreement Personal Data, that Party shall direct the supervisory authority to the other Party.

4.9. If a data subject makes a written request to a Party to exercise any of their rights in relation to the Agreement Personal Data that concerns processing of the other Party, that Party shall direct the data subject to that other Party.

4.10. If either Party becomes aware of a Personal Data Breach that requires notification to a supervisory authority, it shall notify the other Party without undue delay, and each Party shall co-operate with the other, to the extent reasonably requested, in relation to any notifications to supervisory authorities and/or to affected data subjects.

4.11. The Parties acknowledge that Agreement Personal Data may be transferred or otherwise processed or transferred outside of its country of origin ("International Transfers") provided that such International Transfers are made in compliance with DP Laws, including, if applicable, by adoption of SCCs, or such other international transfer mechanism that effectively complies with DP Laws.

4.12. With respect to Restricted Transfers subject to the GDPR, the SCCs are hereby incorporated into this Agreement by reference and will come into effect upon the commencement of any such Restricted Transfer, and the following terms shall apply. In each case, the data exporter is the Party or its Affiliates (as applicable) disclosing the personal data and the data importer is the Party or its Affiliates (as applicable) receiving the personal data:

(a) where a Restricted Transfer is subject to the GDPR the following terms shall apply:

(i) Annex IA of the EU SCCs will be populated with the details of the Parties set out in the Agreement, Annex IB of the EU SCCs will be populated with the description of processing of personal data set out in Appendix 1 of this GDPR Schedule; and

(ii) For the purposes of Module 1 of the EU SCCs: clause 7 and the optional language in clause 11(a) shall not apply, the supervisory authority for the purposes of clause 13(a) shall be determined by the place of establishment of the data exporter, the governing law and choice of forum and jurisdiction stipulated in the Agreement shall apply to the extent that it is the law and the courts of an EU member state otherwise it shall be those of the Republic of Ireland, and the technical and organizational security measures set out in Clauses 4.5 and 4.6 shall apply. The frequency of the transfer shall be continuous, as necessary to deliver the Controller Services, and retention shall be determined by Aon’s corporate record retention schedules and policies; and

(b) where a Restricted Transfer is subject to the GDPR and UK GDPR the following terms with respect to the UK Addendum shall, in addition to Clause 4.12 above, also apply:

(i) the EU SCCs shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK Addendum; and

(ii) the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK Addendum is set out in the Agreement.

(c) where a Restricted Transfer is subject to the UK GDPR the Parties confirm that the information required for the purposes of Part 1 (Tables), Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the IDTA is set out in the Agreement and Appendix 1 to this GDPR Schedule and the technical and organizational security measures set out in Clauses 4.5 and 4.6 shall apply.

4.13. For the avoidance of doubt (and without prejudice to third Party rights for data subjects under the SCCs) the Parties hereby submit to the limitations stipulated in the Agreement with respect to their respective liability towards one another under the SCCs.

4.14. To the extent that there is any conflict or inconsistency between the terms of the SCCs and the terms of the Agreement, the terms of the SCCs shall take precedence.

4.15. If, and to the extent that, the European Commission or the United Kingdom issues any amendment to, or replacement of, the EU SCCs or the UK IDTA pursuant to Article 46(5) or Article 46 of the GDPR or UK GDPR, the Parties agree in good faith to take such additional steps as necessary to ensure that such replacement terms are implemented across all transfers.

4.16. If, at any time, a supervisory authority or a court with competent jurisdiction over a Party mandates that transfers from controllers in the EEA or the United Kingdom to controllers established outside the EEA or the United Kingdom must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of personal data is conducted with the benefit of such additional safeguards.

5. Provisions Applicable to Separate Controllers

5.1. Pursuant to the Agreement, Client has contractually engaged Aon to perform the Controller Services, in support of one or more specific purposes. In order for Aon to provide the services to Client and to perform its obligations under the Agreement, Client must provide, direct others to provide, or otherwise make available (collectively "provide") to Aon certain data, including Agreement Personal Data ("Relevant Data"). Client agrees to provide to Aon the Relevant Data that is necessary for Aon’s performance of its obligations under the Agreement, and to only provide such personal data as is reasonably necessary to the performance of the Controller Services. The Parties agree that (i) Aon is not able to perform its obligations to Client under the Agreement unless Client provides the Relevant Data, (ii) the Relevant Data is necessary to the performance of the services, and (iii) the Agreement Personal Data is not provided to Aon in exchange for any monetary or other valuable consideration from Aon to Client.

5.2. Aon shall only process Agreement Personal Data to fulfill the business purposes set out in the Statement of Work.

5.3. Aon shall not retain, use, or disclose Agreement Personal Data outside of the Agreement between Aon and Client.

Appendix 1: Controller Services

Description of processing

Where applicable, for the purposes of Annex 1 to Module 1 of the EU SCCs, Annex B of the Controller SCCs and/or any IDTA, the data exporter(s) is the Party disclosing the Agreement Personal Data and the data importer(s) is the Party receiving the Agreement Personal Data. The Agreement Personal Data is processed for the purposes of providing the Controller Services listed below and is processed for the duration of the Agreement. Processing operations may be set out more specifically in the Agreement and/or any applicable Statement of Work.

Solution Line: Commercial Risk Solutions and Reinsurance Solutions

Service: (i) Insurance and reinsurance brokerage and consultancy services and (ii) Aon M&A and Transaction Solutions (AMATS):
  (i) Advising on insurance and/or reinsurance contracts ("Contracts"), arranging deals in Contracts, making arrangements with a view to transactions in Contracts, dealing as agent in Contracts, and assisting in the administration and performance of Contracts and consulting on risks and insurance and re-insurance claims;
  (ii) Advising on risk and insurance, risk and insurance due diligence, cyber security consultancy and cyber due diligence, human capital due diligence (pensions, health and benefits, compensation), IP consultancy.

Type of Personal Data:
  • Basic personal details (name, address, date of birth, age, gender, nationality)
  • Family, lifestyle and social circumstances
  • Employment and professional qualifications
  • Information on account opening forms
  • Identification and verification data (including images of ID card or passport)
  • Financial details
  • Information about shareholdings where relevant to the insurance
  • Insurance details (type and amount of insurance, details of claim)
  • Medical history where relevant to the services

Categories of Data Subject:
  • Insured individuals
  • Claimants
  • Beneficiaries