How do we use your personal information?
The following is a summary of the purposes for which we use personal information together with the legal basis for collecting such information.
Performing services for our clients
We process personal information which our clients provide to us to perform our Rewards Solutions and Performance Solutions practices' services, analytics, and advisory services. This may impact you, for example, where you are the employee or prospective employee of our client. The precise purposes for which your personal information is processed will be determined by the scope and specification of our client engagement, and by applicable laws, regulatory guidance and professional standards. It is the obligation of our client to ensure that you understand that your personal information will be disclosed to the Rewards Solutions and Performance Solutions practices at Aon as outlined in this Notice.
Administering our client engagements
We process personal information about our clients and the employees of our clients to:
- carry out "Know Your Client" checks and screenings prior to starting a new engagement;
- carry out client communications, services, billing, and administration;
- complete client projects;
- secure client feedback;
- deal with client complaints and requests;
- create marketing materials such as white papers, case studies, and social media content; or
- contact and market to our clients.
We also process personal information about our clients/prospective clients and employees of our clients/prospective clients to:
- contact our prospects and clients in relation to current, future and proposed engagements;
- send our prospects and clients newsletters, know-how, promotional material and other marketing communications; or
- invite our prospects and clients to events (and arrange and administer those events).
Conducting data analytics
We are an innovative business, which relies on developing sophisticated products and services by drawing on our experience from prior engagements. We are not concerned with an analysis of identifiable individuals, and we take steps to ensure your rights and the legitimacy of our activities through the use of aggregated or otherwise de-identified data.
The categories of information we use to conduct data analytics include:
- Basic personal details, education & professional experience & affiliations, family, lifestyle & social circumstances, basic HR details and employee performance.
- Job titles, job roles, age, gender and individual performance levels.
- Compensation information related to the employees of our client companies, including, but not limited to, base salaries, allowances, bonuses, and long-term cash and equity incentives.
- Other relevant information that may be needed to perform our work, such as occupation, language, zip code, area code, location, and the time zone.
If we wish to use your personal information for a purpose which is not compatible with the purpose for which it was collected, we will generally request your consent. In all cases, we balance our legal use of your personal information with your interests, rights, and freedoms in accordance with applicable laws and regulations to make sure that your personal information is not subject to unnecessary risk.
Legal basis
All processing (i.e. use) of your personal information is justified by a "lawful basis" for processing. In the majority of cases, processing will be justified on the basis that:
- the processing is necessary for the performance of a contract to which you are a party, or to take steps (at your request) to enter into a contract (e.g. where we help an employer to fulfil an obligation to you under an employment contract in relation to the delivery of employee benefits);
- the processing is necessary for us to comply with a relevant legal obligation (e.g. where we are required to collect certain information about our clients for tax or accounting purposes, or where we are required to make disclosures to courts or regulators); or
- the processing is in our legitimate commercial interests, subject to your interests and fundamental rights (e.g. where we use personal information provided to us by our clients to deliver our services, and that processing is not necessary in relation to a contract to which you are a party).
In limited circumstances, we will use your consent as the basis for processing your personal information, for example, where we are required to obtain your prior consent in order to send you marketing communications.
Before collecting and/or using any special categories of personal information, or criminal record data, we will establish a lawful basis which will allow us to use that information. This basis will typically be:
- your consent;
- establishment, exercise or defence by us or third parties of legal claims; or
- specific exemption provided for under local laws countries.
We do not directly provide services and/or products to children, and we do not knowingly collect personal information from children.
How long do we retain your personal information?
How long we retain your personal information depends on the purpose for which it was obtained and its nature. We will keep your personal information for no more than the time required to fulfil the purposes described in this Notice unless a longer retention period is permitted by applicable laws.
In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.
We have implemented appropriate measures to ensure your personal information is securely destroyed in a timely and consistent manner when no longer required.
Do we disclose your personal information?
Within Aon
We may share your personal information with other Aon affiliate companies and subsidiaries to serve you, including for the purposes listed above.
We do not rent, sell or otherwise disclose personal information to unaffiliated third parties for their own marketing use. We do not share your personal information with third parties except in the circumstances outlined below.
Authorized service providers
We may disclose your personal information to service providers we have retained (as processors) to perform services on our behalf (either in relation to services performed for our clients, or information which we use for our own purposes, such as marketing). These service providers are contractually restricted from using or disclosing the information except as necessary to perform services on our behalf or to comply with legal requirements. These activities could include any of the processing activities that we carry out as described in the above section, ‘How we use your personal information.’
Examples include:
- IT service providers who manage our IT and back office systems and telecommunications networks;
- marketing automation providers;
- contact centre providers;
- translation agencies; and
- companies who have surveying technology or other market research capabilities and collect insight on our behalf.
These third parties appropriately safeguard your personal information, and their activities are limited to the purposes for which your personal information was provided.
Legal requirements and business transfers
We may disclose personal information (i) if we are required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request, (ii) in response to law enforcement authority or other government official requests, (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, (iv) in connection with an investigation of suspected or actual illegal activity, (v) in the event that we are subject to a merger or acquisition, to the new owner of the business, (vi) in connection with company audits or (vii) in order to investigate a complaint or security threat.
Do we transfer your personal information across geographies?
We are a global organization and may transfer certain personal information across geographical borders to our, authorized service providers or business partners in other countries working on our behalf in accordance with applicable laws. These third parties may be based locally, or they may be overseas, some of which have not been determined by the European Commission to have an adequate level of data protection.
When we do, we use a variety of legal mechanisms to help ensure your rights and protections travel with your personal information:
- we ensure transfers within are covered by agreements based on the European Commission's standard contractual clauses, which contractually oblige the concerned parties to ensure that personal information receives an adequate and consistent level of protection wherever it resides within;
- where we transfer your personal information outside of your jurisdiction to third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information, such as the European Commission's standard contractual clauses or the well-recognized certification schemes like the EU-US Privacy Shield for the protection of personal information transferred from within the European Union to the United States; or
- where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information is disclosed.
Examples of countries we transfer personal information to include, but are not limited to, the United States of America, the United Kingdom, Ireland, Singapore, India and the Philippines.
If you would like further information about whether your information will be disclosed to overseas recipients, please contact us as noted below. You also have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments, which may be redacted for reasons of commercial confidentiality) to ensure the adequate protection of your personal information when this is transferred as mentioned above.
Do we have security measures in place to protect your information?
The security of your personal information is important to us and we have implemented reasonable physical, technical and administrative security standards to protect personal information from loss, misuse, alteration or destruction. We protect your personal information against unauthorized access, use or disclosure, using security technologies and procedures, such as encryption and limited access. Only authorized individuals access your personal information, and they receive training about the importance of protecting personal information.
Our service providers and business partners are contractually bound to maintain the confidentiality of personal information and may not use the information for any unauthorized purposes.
What choices do you have about your personal information?
We offer certain choices about how we communicate with our clients and what personal information we obtain about them and share with others. When you provide us with personal details, if we intend to use those details for marketing purposes, we will provide you with the option of whether you wish to receive promotional email, SMS messages, telephone calls and postal mail from us. At any time, you may opt out from receiving interest-based advertising from us by visiting the opt-out page on our websites or by contacting us using the details below.
You may also choose not to receive marketing communications from us by clicking on the unsubscribe link or other instructions in our marketing emails or contacting us as noted below.