Additional information for clients for whom we process personal data on their behalf

On this page you will find additional information about our approach to personal data privacy

Data subject right requests

We are contracted to process personal data on your behalf and therefore need to help you to fulfil the rights that individuals have in respect of the Data Protection Act 2018.  Please click here for our data subject rights statement.

Personal Data Retention Statement

We are contracted to process personal data on your behalf and therefore collect and retain information about you and your data subjects (your personal data). We are subject to various industry specific rules, national laws and European regulation, including the General Data Protection Regulation (GDPR), that affect how information should be managed. We have set out our policy in the JLT EB UK Records Management Policy. The purpose of this statement is to provide you with an overview of that policy. Please click here for our personal data retention statement.

Sub-Processor Statement

We are contracted to process personal data on your behalf and in doing so we sub-contract some of that processing to third parties (sub-processors). The General Data Protection Regulation (GDPR) focuses attention on how personal data is moved around the supply chain with a view to keeping that data secure, processed in line with the purposes set out by the controller and processed in accordance with the GDPR principles and rights of data subjects. The purpose of this statement is to provide you with details of the sub-processors that we employ to process personal data on your behalf.

Summary of our approach to sub-processors:

  1. Our contract with you includes specific provisions in relation to the employment of sub-processors. For example our contract permits us to appoint sub-processors and to inform you as soon as reasonably practicable of any intended changes concerning the addition or replacement of sub-processors.
  2. From 25 May 2018 our contracts with our sub-processors are GDPR compliant. The contracts include the regulated clauses, including the requirement to take all measures required pursuant to the security of processing of personal data (GDPR Article 32). We require sub-processors to give us prior notice of any changes to sub-processors they employ to process personal data on our behalf.
  3. We have had and continue to have a rigorous and effective due diligence process for the contracting of sub-processors. This is managed by our central procurement team who use a standard procurement process.

Please contact your usual representative if you would like a copy of our latest Sub-processor statement.