India Privacy Statement
Aon plc (NYSE: AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.
Aon is committed to protecting your privacy. This commitment reflects the value we place on earning and keeping the trust of our employees, customers, clients, business partners and others who share their personal information with us.
What does this Privacy Statement do?
This India Privacy Statement (“Statement”) explains Aon’s information processing practices. This Statement applies to any personal data you provide to Aon and any personal data we collect from other sources, unless you are provided a more specific privacy statement at the time of data collection. This Statement does not apply to your use of any third-party sites linked to from this website or any websites which have their own privacy notices.
This Statement aims to help you understand our personal data collection, usage and disclosure practices by explaining:
INDIA PRIVACY STATEMENT
- Who is responsible for your personal data?
- How do we collect your personal data and what personal data do we collect?
- How do we use your personal data?
- Legal basis
- Do we collect personal data from children?
- How long do we retain your personal data?
- How do we disclose your personal data?
- Do we transfer your personal data across geographies?
- Do we have security measures in place to protect your data?
- Other rights regarding your personal data
- Automated Decisions
- Contact Us
- Changes to this Statement
1. Who is responsible for your personal data?
Throughout this Statement, “Aon” refers to Aon plc, including its affiliated companies and subsidiaries (also referred to as “we,” “us,” or “our”). Personal data is collected by each member of the Aon group who is responsible for its processing in their capacity as a controller. A full list of our group entities is available here. These entities may provide separate privacy notices when your personal data is first collected by that Aon entity, for example, when you or the business you work for engages us to provide a service.
Aon entities also provide services to our clients as a processer. Where this is the case we will process your personal data in line with our legal obligations and contractual commitments with our clients.
2. How do we collect your information and what information do we collect?
The personal data we collect varies depending upon the nature of our services. This Statement provides an overview of the categories of personal data we collect and the purposes for which we use it. More information about the personal data collected for each of our services, together with the purpose and legal basis for collecting the personal data, may be provided to you in separate privacy notices relevant to the applicable services.
a. Aon collects personal data in the following ways:
Personal data you provide to us
Aon collects data directly from you when you:
- Request a service from us;
- Visit an Aon site or attend an Aon event;
- Apply for a position at Aon;
- Contact us with a complaint or query;
- Engage with us over social media; or
- Register with or use any of our websites or applications.
You are required to provide any personal data we reasonably require (in a form acceptable to us) to meet our obligations in connection with the services we provide to you, including any legal and regulatory obligations. Where you fail to provide or delay in providing data we reasonably require to fulfill these obligations, we may be unable to offer the services to you and/or we may terminate the services provided with immediate effect.
Where you provide personal data to Aon about third-party individuals (e.g., information about your spouse, civil partner, child(ren), dependents or emergency contacts), where appropriate, you should provide these individuals with a copy of this Statement beforehand or ensure they are otherwise made aware of how their personal data will be used by Aon. Where you provide information to us about your beneficiaries we may require you to provide explicit consent on their behalf.
Personal data we automatically collect
In some instances, we automatically collect certain types of personal data when you visit our websites and through e-mails that we may exchange. Automated technologies may include the use of web server logs to collect IP addresses, "cookies" and web beacons. Further information about our use of cookies can be found in our Cookie Notice.
Personal data we collect from clients or third parties
When we provide the services to our clients, we may collect personal data from our clients about you, such as your name, contact details, date of birth, gender, marital status, financial details, employment details, and benefit coverage. We may also collect (in each case as strictly relevant to the services we provide) sensitive personal data about you, such as health information in relation to life, health, professional liability and workers compensation insurance or employee benefit programs sponsored by your employer. Most of the personal data we receive relates to your participation in the compensation and benefits programs offered by your employer. Where permitted by national law, and appropriate to do so, we may collect criminal records information; for example, where required as part of our business acceptance, finance, administration, recruitment, anti-money laundering and sanctions screening processes.
b. The personal data we collect about you may include the following:
| a. |
Basic personal details, such as your name, address contact details, gender, marital status and sensitive personal data such as your date of birth, age,etc.; |
| b. |
Unique identifiers of sensitive personal data such as National Insurance Number or pension scheme reference number; |
| c. |
Demographic details, such as information about your age, gender, race, marital status, lifestyle, and insurance requirements; |
| d. |
Employment information such as role, employment status (such as full/part time, contract), salary information, employment benefits, and employment history; |
| e. |
Health information of sensitive personal data such as information about your health status, medical records and medical assessment outcomes; |
| f. |
Benefits information of sensitive personal data such as benefit elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits such as voluntary contributions, pension sharing orders, tax protections or other adjustments; |
| g. |
Financial details of sensitive personal data such as payment card and bank account details, details of your credit history and bankruptcy status, salary, tax code, third-party deductions, bonus payments, benefits and entitlement data, national insurance contributions details; |
| h. |
Claims details of sensitive personal data such as information about any claims concerning your or your employer’s insurance policy; |
| i. |
Your marketing preferences: |
| j. |
Online information: e.g., information about your visits to our websites; |
| k. |
Events information such as information about your interest in and attendance at our events, including provision of feedback forms; |
| l. |
Social media information such as interactions (e.g., likes and posts) with our social media presence; and |
| m. |
Criminal records information of sensitive personal data such as the existence of or alleged criminal offences, or confirmation of clean criminal records. |
Where we collect sensitive personal data (such as information about your health or alleged criminal activities), we will ensure that it is necessary and is done in accordance with applicable law, which may include obtaining your explicit consent and/or necessary authorizations prior to collection.
3. How do we use your personal data?
The following is a summary of the purposes for which we use personal data. More information about the personal data collected for each of our services, together with the purpose and legal basis for collecting the personal data, may be provided to you in separate privacy notices which are relevant to the services which affect you.
Performing services for our clients
We process personal data which our clients provide to us to perform our commercial risk, reinsurance, retirement, health, and data and analytics services. The precise purposes for which your personal data is processed will be determined by the scope and specification of our client engagement, and by applicable laws, regulatory guidance and professional standards.
Administering our client engagements
We process personal data about our clients and the individual representatives of our corporate clients to:
- Carry out Aon’s regulatory and compliance obligations, including:
- "Know Your Customer" checks and screening;
- Anti-money laundering;
- Trade sanctions screening;
- Obtain and update credit information with appropriate third parties, such as credit reporting agencies, where transactions are made on credit;
- Communicate with our clients;
- Address client inquiries and complaints; and
- Administer claims.
Communications and marketing to our clients and prospective clients
We process personal data about our clients, prospective clients, and the individual representatives of our corporate clients to: send newsletters, know-how, promotional material and other marketing communications; and invite our clients to events, including arranging and administering those events.
Conducting data analytics, benchmarking and modeling
Aon is an innovative business, which relies on developing sophisticated products and services by drawing on our experience from prior engagements to analyze trends. Aon also uses data to perform analysis, modeling, benchmarking and research.
Crime prevention
We process personal data to facilitate the prevention, detection and investigation of crime and the apprehension or prosecution of offenders and to comply with laws/regulations. For example, we do this as part of our business acceptance, finance, administration and recruitment processes, including anti-money laundering and sanctions screening checks.
Mergers and acquisitions
We process personal data in the event of a sale, acquisition or reorganization. This includes processing personal data for planning and due diligence purposes both prior to closing and after a transaction has closed for reasons related to the sale, acquisition, or reorganization and in order to transfer books of business to successors of the business.
Process and service improvement
We process personal data to maintain and improve processes used in providing the services and uses of technology, including testing and upgrading of systems. We also process data to develop new services.
If we wish to use your personal data for a purpose which is not compatible with the purpose for which it was collected, we will request your consent unless your personal data is being processed to satisfy our legal and regulatory obligations. In all cases, we balance our legal use of your personal data with your interests, rights, and freedoms in accordance with applicable laws and regulations to make sure that your personal data is not subject to unnecessary risk.
4. Legal basis
We rely on the following legal grounds to collect and use your personal data:
| a. |
Performance of the service contract |
Where we offer services or enter into a contract with you to provide services, we will collect and use your personal data where necessary to enable us to take steps to offer you the services, process your acceptance of the offer and fulfill our obligations in the contract with you. |
| b. |
Legal and regulatory obligations |
The collection and use of some aspects of your personal data is necessary to enable us to meet our legal and regulatory obligations. For example, Aon is licensed and regulated by certain industry regulators and is required to provide some services in accordance with relevant regulatory rules. |
| c. |
Preventing and detecting fraud |
We will use your personal data, including sensitive personal data relating to criminal convictions or alleged offences to prevent and detect fraud, other financial crime, and crime generally in the insurance and financial services industry. |
| d. |
Legitimate interests |
The collection and use of some aspects of your personal data is necessary to enable us to pursue our legitimate commercial interests. For example, we have legitimate interests in:
- Providing professional services across our global solution lines;
- Operating our business, and managing and developing our relationships with clients, suppliers and with you;
- Understanding and responding to inquiries;
- Receiving information from third parties and Aon affiliates to provide services;
- Sharing data in connection with mergers and acquisitions and transfers of business;
- Improving our services; and
- Understanding how you and our clients use our services and websites.
Where we rely on this legal basis to collect and use your personal data we shall take appropriate steps to ensure the processing does not infringe the rights and freedoms conferred to you under the applicable data privacy laws. |
| e. |
Consent |
In certain instances, we rely on your consent as a legal basis. For example, we rely on your consent to collect and use personal data concerning any criminal convictions or alleged offences, specifically for assessing risks relating to your prospective or existing insurance policy. We may also share this information with other insurance market participants and third parties where necessary to offer, administer and manage the services provided to you, such as insurers and insurance underwriters, reinsurers, brokers and vetting agencies.
Where we rely on your consent to collect and use your personal data and sensitive personal data, you are not obliged to provide your consent and you may choose to subsequently withdraw your consent at any stage once provided. However, where you refuse to provide personal data and sensitive personal data that we reasonably require to provide the services, we may be unable to offer you the services and/or we may terminate the services provided with immediate effect.
Where you choose to receive the services from us you agree to the collection and use of your personal personal data and sensitive personal data in the way we describe in this section of the Statement. If applicable you also agree that such personal data and sensitive personal data may be collected and used for the above purpose by the insurance underwriter named in your insurance policy documentation.
You should refer to the insurer’s privacy statement on their website for further information about their privacy practices.
|
| f. |
Substantial public interest (in accordance with applicable law) |
If applicable law allows, we may collect and use your personal data and sensitive personal data for a substantial public interest. For example, to prevent or detect unlawful acts or in public health. |
| g. |
In the context of a specific exemption provided for under local laws |
We may rely on specific grounds in certain circumstances, for example for insurance purposes or for determining benefits under an occupational pension scheme. The collection and use of some aspects of your personal data and sensitive personal data, such as information concerning your health, is necessary for insurance and/or occupational pension scheme purposes. |
5. Do we collect information from children?
Our websites are not directed to children and we do not knowingly collect personal personal data from children on our websites. Children are prohibited from using our websites.
Certain Aon solution lines may process data related to children, such as their date of birth, address, and other identifiable information. This information is not collected directly from children, but from other parties such as from our client, the carrier, or directly from you as the parent or guardian of the child with your express consent (e.g., so that the child may be named a beneficiary to an insurance policy or pension plan).
6. How long do we retain your personal information?
How long we retain your personal data and sensitive personal data depends on the purpose for which it was obtained and its nature. We will keep your said personal data for the period necessary to fulfil the purposes described in this Statement unless a longer retention period is permitted or required by law and in accordance with the Aon Record Retention Policy. Your personal data and sensitive personal datawill be securely destroyed when it is no longer required.
7. How do we disclose your personal data?
We generally share your personal data with the following categories of recipients where necessary to offer, administer and manage the services provided to you:
| a. |
Within Aon: we may share your personal data and sensitive personal data with other Aon entities, brands, divisions, and subsidiaries for the processing purposes outlined in this Statement; |
| b. |
Insurance market participants where necessary to offer, administer and manage the services provided to you, such as insurers and insurance underwriters, reinsurers, brokers, intermediaries and loss adjusters. The insurance underwriter is the insurer that is underwriting your insurance policy and is named in your policy documentation. You should refer to the insurer’s privacy statement on their website for further information about their privacy practices; |
| c. |
Vetting and risk management agencies such as credit reference, criminal record, fraud prevention, data validation and other professional advisory agencies, where necessary to prevent and detect fraud in the insurance industry and take steps to assess the risk in relation to prospective or existing insurance policies and/or the services; |
| d. |
Legal advisers, loss adjusters, and claims investigators, where necessary to investigate, exercise or defend legal claims, insurance claims or other claims of a similar nature; |
| e. |
Medical professionals, e.g., where you provide health information in connection with a claim against your insurance policy; |
| f. |
Law enforcement bodies , when required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request, and where necessary to facilitate the prevention or detection of crime or the apprehension or prosecution of offenders; |
| g. |
Public authorities, regulators and government bodies , where necessary for us to comply with our legal and regulatory obligations, or in connection with an investigation of suspected or actual illegal activity; |
| h. |
Third-party suppliers, where we outsource our processing operations to suppliers that process personal data on our behalf. Examples include IT service providers who manage our IT and back office systems and telecommunications networks, and contact center providers. These processing operations shall remain under our control and will be carried out in accordance with our security standards and strict instructions; |
| i. |
Successors of the business, where Aon or the services are sold to, acquired by or merged with another organization, in whole or in part, and personal data needs to be shared with relevant third parties as part of due diligence processes and transfers to the new entity. Where personal data is shared in these circumstances it will shared in accordance with this Statement; and |
| j. |
Internal and external auditors where necessary for the conduct of company audits or to investigate a complaint or security threat. |
8. Do we transfer your personal data across geographies?
We are a global organization and transfer certain personal data across geographical borders in accordance with applicable law.
When we do, if the applicable law requires, we use a variety of legal mechanisms to help ensure your rights and protections travel with your data, such as:
- We ensure transfers between Aon entities are covered by agreements that incorporate prescribed contractual wording, such as the EU Commission's standard contractual clauses, which contractually oblige each party to ensure that personal data receives an adequate and consistent level of protection.
- Where we transfer to or receive your personal data from third parties who help provide our products and services, we obtain contractual commitments from them to protect your personaldata, which incorporate standard contractual clauses where required.
- Where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal data is disclosed.
Where required, further information concerning these safeguards can be obtained by contacting us.
9. Do we have security measures in place to protect your personal data?
The security of your personal information is important to us and Aon has implemented reasonable physical, technical and administrative security standards in an effort to protect personal data from loss, unauthorized access, misuse, alteration or destruction and to ensure that such personal data is processed in accordance with applicable data privacy laws.
10. Other rights regarding your data
Subject to certain exemptions and the jurisdiction in which you live, and in some cases dependent upon the processing activity we are undertaking, you may have certain rights in relation to your personal data. We have listed some of the common rights that may be applicable below. When you exercise these rights, we may need to ask you for additional information to confirm your identity, before disclosing information to you or responding to your request. We will not charge a fee unless your request is manifestly unfounded or excessive and/or we are permitted by law to levy such charges.
You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfill your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. If we cannot fully address your request, we will contact you to let you know and explain the reason why your request was denied.
Right to Access
You have the right under certain circumstances to access and inspect personal data which Aon holds about you. If you have created a profile, you can access that information by visiting your account.
Right to Correction
You may have the right to request us to correct your personal data where it is inaccurate or out of date.
You have the right under certain circumstances to have your personal data erased. Your personal data can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data.
Right to Restrict Processing
You have the right under certain circumstances to request the restriction of your personal data from further use, e.g., where the accuracy of the information is disputed, and you request that the information not be used until its accuracy is confirmed
Right to Data Portability
You have the right under certain circumstances to data portability, which requires us to provide personal data to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) consent; or (ii) the performance of a contract to which you are a party.
Right to Object to Processing
You have the right to object the processing of your personal data at any time. Where that processing is based our legitimate interests as its legal basis, if you raise an objection, we will have an opportunity to demonstrate that we may have compelling legitimate interests which override your rights and freedoms.
Right to Decline Automated Decision Making
You have the right to object to decisions involving the use of your personal data, which have been taken solely by automated means. See section eleven (11) below for further information..
Right to Object to Direct Marketing
Where your personal data is processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning him or her for such marketing. We will provide specific information on how to opt-out from our marketing initiatives through the medium we communicate with you.
11. Automated Decisions
Where you apply or register to receive the service we may carry out a real-time automated assessment to determine whether you are eligible to receive the service. An automated assessment is an assessment carried out automatically using technological means (e.g., computer systems) without human involvement. This assessment will analyse your personal data and comprise several checks, e.g., credit history and bankruptcy check, validation of your driving licence and motoring convictions, validation of your previous claims history and other fraud prevention checks. Where your application to receive the service does not appear to meet the eligible criteria, it may be automatically refused, and you will receive notification of this during the application process. However, where a decision is taken solely by automated means involving the use of your personaldata, you have the right to challenge the decision and ask us to reconsider the matter, with human intervention. If you wish to exercise this right, you should contact us.
12. Contact Us
If you have any questions, would like further information about our privacy and personal data handling practices, would like to discuss opt-outs or withdrawing consent, or would like to make a complaint about this Statement, please contact Aon’s Global Privacy Office at Aon plc, 200 E. Randolph, Chicago, Illinois 60601 or [email protected].
Alternatively, please direct your query to our India Data Protection Officer at:
You also have a right to lodge a complaint with your local data protection supervisory authority,
13. Changes to this Statement
We may update this Statement from time to time. When we do, we will post the current version on this site, and we will revise the version date located at the bottom of this page.
We encourage you to periodically review this Statement so that you will be aware of our privacy practices.
This Statement was last updated on [ ] December 2022.