Privacy Notice

Review the below Privacy Notices to learn more about how we collect and process personal data, when and how we share personal data, and how to contact us.

Marsh NV (Marsh Belgium) Privacy Notice

Marsh respects the EU General Data Protection Regulation (GDPR).

As part of our services as insurance broker and risk consultant, we may process health or judicial data. For processing your health data, your consent is needed. Please give us your consent here. Please find here the legal basis for processing the judicial data of your policy.

Marsh, part of the Marsh & McLennan Companies, Inc. (MMC) group, strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to clients. Marsh’s services consist primarily of risk consulting and insurance intermediation, which facilitate the consideration of, access to, administration of, and making of claims in respect of, insurance services.

Insurance is the pooling and sharing of risk against a possible eventuality. In order to do this, information, including the Personal Data of different categories of individuals, needs to be shared between different insurance market participants through the insurance lifecycle.

To clarify the terms used in this Privacy Notice we have set out the roles of the key Insurance Market Participants below:

  • Policyholders: request insurance to protect themselves against risks that could affect them. They may approach an  Intermediary (such as Marsh) to purchase insurance or they may approach an Insurer directly or via a price comparison website.
  • Intermediaries: help Policyholders and Insurers arrange insurance cover.  They may offer advice and handle claims. Many insurance and reinsurance policies are obtained through Intermediaries.
  • Insurers: (sometimes also called underwriters) provide insurance cover to Policyholders in return for payment (premium).
  • Reinsurers: provide insurance cover to another Insurer or Reinsurer.  That insurance is known as

During the insurance lifecycle Marsh may receive Personal Data relating to potential or actual Policyholders, Beneficiaries under a policy, their family members, claimants and other parties involved in a claim. Therefore references to “individuals” in this Privacy Notice include any living person from the preceding list, whose Personal Data Marsh receives in connection with the services it provides under its engagements with its clients. This Privacy Notice sets out Marsh’s uses of this Personal Data and the disclosures it makes to other Insurance Market Participants and other third parties.

A glossary of key terms used in this Privacy Notice can be found here.

IDENTITY OF CONTROLLER AND CONTACT DETAILS

Marsh nv, Herrmann-Debrouxlaan 2, 1160 Brussel (Oudergem) (Marsh or We) is the controller in respect of the Personal Data it processes in connection with the services provided under the relevant engagement with its client.  

In certain cases, and for the purposes of performing some services, Marsh and its client may have agreed that Marsh is a processor. When Marsh acts as a processor, it complies with the obligations set out in the agreement concluded with its client.

Personal information that may be processed 

We may collect and process the following Personal Data:

  • Individual details: Name, address (and proof of address), other contact details (e.g., email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant.
  • Identification details: Identification numbers issued by government bodies or agencies (e.g., depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s license number).
  • Financial information: Payment card number, bank account number and account details, income and other financial information.
  • Insured risk: Information about the insured risk, which contains Personal Data and may include, only to the extent relevant to the risk being insured:
    • Health data: Current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information, medical history;
    • Criminal records data: Criminal convictions, including driving offences; and
    • Other Special Categories of Personal Data: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation.
  • Policy information: Information about the quotes individuals receive and the policies they obtain.
  • Credit and anti-fraud data: Credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies.
  • Previous claims: Information about previous claims, which may include health data, criminal records data, and other Special Categories of Personal Data  (as described in the Insured Risk definition above).
  • Current claims: Information about current claims, which may include health data, criminal records data, and other Special Categories of Personal Data  (as described in the Insured Risk definition above).
  • Marketing data: Whether or not the individual  has consented to receive marketing from us and from third parties.

Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.

Sources of personal data

We collect Personal Data from various sources, including (depending on the country you are in):

  • Individuals and their family members, online or by telephone, or in written correspondence
  • Individuals’ employers
  • In the event of a claim, third parties including the other party to the claim (claimant/ defendant), witnesses, experts (including medical experts), loss adjustors, lawyers and claims handlers
  • Other insurance market participants, such as Insurers, Reinsurers and other Intermediaries
  • Credit reference agencies (to the extent Marsh is taking any credit risk)
  • Anti-fraud databases and other third party databases, including sanctions lists
  • Government agencies, such as vehicle registration authorities and tax authorities
  • Claim forms

How we use and disclose your personal data

In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely to process the information.

These “legal grounds” are set out in the General Data Protection Regulation (GDPR), which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the regulation [(the full description of each of the grounds can be found here.

Please note that in addition to the disclosures we have identified in the table below, we may disclose Personal Data for the purposes we explain in this Privacy Notice to service providers, contractors, agents and MMC group companies that perform activities on our behalf.

Consent

In order to facilitate the provision of insurance cover and administer insurance claims, we rely on the data subject’s consent to process Special Categories of Personal Data and Criminal Records Data, such as medical and criminal convictions records, as set out in the table above and for profiling as set out in the next section. This consent allows us to share the information with other Insurers, Intermediaries and Reinsurers that may need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner).

The affected individual’s consent to this processing of Special Categories of Personal Data and Criminal Records Data is a necessary condition for Marsh to be able to provide the services the client requests.

Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.

Individuals may withdraw their consent to such processing at any time. However, doing so may prevent Marsh from continuing to provide the services. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Special Categories of Personal Data and Criminal Records Data, it may not be possible for the insurance cover to continue.

Profiling and automated decision making   

Insurance premiums are calculated by Insurance Market Participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires Marsh and other Insurance Market Participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. Marsh and other Insurance Market Participants may use Special Categories of Personal Data and Criminal Records Data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.

Marsh and other Insurance Market Participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios.

We use these models only for the purposes listed in this Privacy Notice. [In most cases,] our staff make decisions based on the models. [In the following cases, decisions are made exclusively based on the models and the benchmarking of Personal Data to the models by automated means:

Automated broking platform

Where clients use an automated broking platform, insurance quotations are offered entirely by matching whether the attributes that the client has provided meet the criteria set by the insurers, which determines, to the extent permitted by applicable law (a) whether a quotation will be made; (b) on what terms; and (c) at what price. Each insurer will use different algorithms to determine their pricing, and clients must consult each insurer’s privacy policy for further details. Our platform merely queries whether clients’ attributes satisfy insurers’ models and then returns the results. We also apply fraud prediction algorithms to the information clients provide to assist us in detecting and preventing fraud. We regularly review all profiling and associated algorithms against inaccuracies and bias.

These automated processes may result in a client not being offered insurance or affect the price or terms of the insurance.

Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime but generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.

Safeguards

We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information we maintain. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorized access. If appropriate, the safeguards include the encryption of communications via SSL, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes.

Limiting collection and retention of personal information   

identified in this Privacy Notice, we will notify clients of the new purpose and, where required, seek individuals’ consent (or ask other parties to do so on Marsh’s behalf) to process Personal Data for the new purposes.

Our retention periods for Personal Data are based on business needs and legal requirements. We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose or as required by law. For example, we may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the data.

Cross–border transfer of personal information

Marsh transfers Personal Data to, or permits access to Personal Data from, countries outside the European Economic Area (EEA). These countries’ data protection laws do not always offer the same level of protection for Personal Data as offered in the EEA. We will, in all circumstances, safeguard Personal Data as set out in this Privacy Notice.

Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. EU data protection laws allow Marsh to freely transfer Personal Data to such countries.

If we transfer Personal Data to other countries outside the EEA, we will establish legal grounds justifying such transfer, such as MMC Binding Corporate Rules, model contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements.

Individuals can request additional information about the specific safeguards applied to the export of their Personal Data by contacting the Functionaris voor Gegevensbescherming at the address below.

ACCURACY, ACCOUNTABILITY, OPENNESS AND YOUR RIGHTS

We strive to maintain Personal Data that is accurate, complete and current. Individuals should contact us at privacy.belgium@marsh.com to update their information.

Questions regarding Marsh’s privacy practices should be first directed to Marsh’s Data Protection Officer.

Under certain conditions, individuals have the right to request Marsh to:

  • Provide further details on how we use and process their Personal Data;
  • Provide a copy of the Personal Data we maintain about the individual;
  • Update any inaccuracies in the Personal Data we hold;
  • Delete Personal Data that we no longer have a legal ground to process;
  • Where processing is based on consent, to withdraw the consent;
  • Object to any processing of Personal Data that Marsh justifies on the “legitimate interests” legal grounds, unless our reasons for undertaking that processing outweigh any prejudice to the individual’s privacy rights; and
  • Restrict how we process the Personal Data while we consider your inquiry.

These rights are subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). We will respond to most requests within 30 days.

If we are unable to resolve an inquiry or a complaint, individuals have the right to lodge a complaint with the applicable supervisory authority:

Gegevensbeschermingsautoriteit
Drukpersstraat 35
1000 Brussel
Tel. +32 (0)2 274 48 00
Fax +32 (0)2 274 48 35
commission@privacycommission.be

Functionaris voor Gegevensbescherming
Marsh nv
Lokale vertegenwoordiger
Herrmann-Debrouxlaan 2
1160 Brussel
België
privacy.belgium@marsh.com

CHANGES TO THIS PRIVACY NOTICE

This Privacy Notice is subject to change at any time. It was last changed on 23.03.18. If we make changes to this Privacy Notice, we will update the date it was last changed. Any changes we make to this Privacy Notice become effective immediately.

A copy of this Privacy Notice (and any significant changes) can be obtained from here. Please note this URL is not available via a general search of the web.

Marsh NV / SA UK Branch Privacy Notice

Introduction

The UK branch of Marsh nv/sa, trading as Marsh Trade Insure, Marsh Claims Management Services, Lloyd & Partners, Claims Solutions, Echelon Claims Consultants, Marsh Aviation Consulting, Marsh JLT Specialty, Marsh Reclaim, Marsh and Reclaim Consulting Services (Marsh), a business of Marsh & McLennan Companies, Inc. (MMC), strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to clients and individuals’ use of the Marsh websites. Marsh’s services consist primarily of risk consulting and insurance broking, which enable the consideration of, access to, administration of, and making of claims on, insurance.

To arrange insurance cover and handle insurance claims, Marsh and other participants in the insurance industry are required to use and share Personal Data. For an overview of how and why the insurance industry is required to use and share Personal Data please see the Insurance Market Core Uses Information Notice hosted on the website of a UK insurance industry association, the Lloyd’s Market Association (the LMA Notice). Marsh’s use of Personal Data is consistent with the LMA Notice. 

During the insurance lifecycle Marsh will receive Personal Data relating to potential or actual policyholders, beneficiaries under a policy, their family members, claimants and other parties involved in a claim.  Therefore references to “individuals” in this notice include any living person from the preceding list, whose Personal Data Marsh receives in connection with the services it provides under its engagements with its clients.  This notice sets out Marsh’s uses of this Personal Data and the disclosures it makes to other insurance market participants and other third parties.

Identity of Controller and Contract Details

The UK branch of Marsh nv/sa, trading as Marsh Trade Insure, Marsh Claims Management Services, Lloyd & Partners, Claims Solutions, Echelon Claims Consultants, Marsh Aviation Consulting, Marsh JLT Specialty, Marsh Reclaim, Marsh and Reclaim Consulting Services of 1 Tower Place West, Tower Place, London EC3R 5BU (Marsh or We) is the controller in respect of the Personal Data it receives in connection with the services provided under the relevant engagement with its client.

Personal Information that We Process

We collect and process the following Personal Data:

  •  Individual details: name, address (and proof of address), other contact details (e.g. email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant, images
  •  Identification details: identification numbers issued by government bodies or agencies (e.g. depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s licence number);
  • Financial information: payment card number, bank account number and account details, income and other financial information;
  •  Risk details: information about the insured risk, which contains Personal Data and may include, only to the extent relevant to the risk being insured:
    • Health data: current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g. smoking or consumption of alcohol), prescription information, medical history;
    • Criminal records data: criminal convictions, including driving offences; and
    • Other special categories of Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation;
  • Policy information: information about the quotes individuals receive and the policies they obtain;
  • Credit and anti-fraud data: credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, regulators or law enforcement agencies;
  • Previous claims: information about previous claims, which may include health data, criminal records data and other special categories of Personal Data (as described in the Insured Risk definition above);
  •  Current claims: information about current claims, which may include health data, criminal records data and other special categories of Personal Data (as described in the Insured Risk definition above);
  • Marketing data: whether or not the individual has consented to receive marketing from us and/or from third parties and/or their marketing preferences; and
  • Website and communication usage: details of your visits to our websites and information collected through cookies and other tracking technologies, including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.

Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.

Sources of Personal Data

We collect and receive Personal Data from various sources, including (depending on the service we are seeking to or are providing and country you are in):

  • Individuals and their family members, online, face to face, or by telephone, or in written correspondence;
  • Individuals’ employers or trade or professional associations of which they are a member,
  • In the event of a claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjusters, lawyers and claims handlers;
  • Other insurance market participants, such as insurers, reinsurers and other intermediaries;
  •  Credit reference agencies (to the extent Marsh is taking any credit risk
  • Anti-fraud databases and other third party databases, including sanctions lists;
  • Government agencies, such as vehicle registration authorities and tax authorities;
  • Claim forms
  • Open electoral registers and other publicly available information,
  • Business information and research tools;
  • Selected third parties who provide us with details of potential customers
  • Third parties who introduce business to us; and,
  • Forms on our website and your interactions with our website (please also see our Cookie Notice).

How We Use and Disclose Your Personal Data

In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely to process the information. 

These “legal grounds” are set out in the data privacy laws applicable in the relevant country. In the UK, this means the UK General Data Protection Regulation and the Data Protection Act 2018 and, in Belgium or to the extent that Belgian law applies to the processing, the EU General Data Protection Regulation, the Belgium Data Protection Authority Act 2018 and the Framework Act 2018 (we refer to the applicable data protection legislation in this Privacy Notice as the GDPR).  The GDPR allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the GDPR (the full description of each of the grounds can be found in the Appendix below).

Read our Purpose of Processing (PDF)

Quotation/Inception

  • Establishing a client relationship, including fraud, anti-money laundering and sanctions checks
  •  Checking credit where we are taking any credit risk
  • Evaluating the risks to be covered and matching to appropriate insurer, policy and premium

Policy Administration

  • General client care, including communicating with clients
  •  Collection or refunding of premiums, paying on claims, processing and facilitating other payments
  • Facilitating premium finance arrangements

Claims processing

  •  Managing insurance claims
  •  Defending or prosecuting legal claims
  • Investigating and prosecuting fraud or possible criminal offences

Renewals

  • Contacting you in order to arrange the renewal of the insurance policy

Throughout the insurance lifecycle

  • Marketing analytics, sending marketing materials and communications including data de-identification and/or aggregation
  • Carrying out customer satisfaction surveys and market research
  • Transferring books of business, company sales and reorganisations
  • General risk modelling
  • Analytics include the de-identification of personal data for the purposes of analytics
  • Complying with our legal or regulatory obligations

Consultancy activities

  • General client care, including communications with clients
  • General risk modelling in the context of our consultancy services in order to evaluate risks and provide advice
  • Analysis as part of the specific consultancy advice
  • Complying with our legal or regulatory obligations in the context of our consultancy business

Website activities

  • To communicate with you regarding any queries you raise via the website
  • To monitor your interaction with the website to ensure service quality, compliance with procedures and to combat fraud.
  • To ensure the website content is relevant and presented in the most effective manner for you and your device

Please note that in addition to the disclosures we have identified in this table, we will disclose Personal Data for the purposes we explain in this notice to service providers, contractors, advisers, agents and MMC group companies that perform activities on our behalf.

Special Categories of Personal Data and Criminal Data

When we collect, use or disclose to third parties (such as insurers, intermediaries and reinsurers) Special Categories of Personal Data and Criminal Records Data for the reasons set out in the table above and for profiling as set out in the next section, we typically do so for reasons of substantial public interests, namely because it is necessary for the wide range of insurance-related activities that we undertake or because it is necessary for fraud prevention purposes We will ask for your explicit consent where it does not meet the criteria and will explain at the time why this is necessary.

Before you provide us with Special Categories of Personal Data and Criminal Records Data about a person other than yourself, you agree to notify such person of our use of their Personal Data and, if requested by us, to obtain their consent to our use of their Special Categories of Personal Data and Criminal Records Data (for example, by requiring the individual to sign a consent form).

Profiling and Automated Decision Making

Insurance premiums are calculated by insurance market participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur.  This benchmarking requires Marsh and other insurance market participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities.  Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds.  Marsh and other insurance market participants may use special categories of Personal Data and criminal records data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance. 

Marsh and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below. 

We use these models only for the purposes listed in this Privacy Notice.  In most cases, our staff make decisions based on the models. 

Automated Broking Platform

Where clients use the automated broking platform, insurance quotations are offered entirely by matching whether the attributes that the client has provided meet the criteria set by the insurers, which determines (a) whether a quotation will be made; (b) on what terms; and (c) at what price.  Each insurer will use different algorithms to determine their pricing, and clients must consult each insurer’s privacy policy for further details.  Our platform merely queries whether attributes of potential insureds satisfy insurers’ models and then returns the results.  If the potential insured’s attributes do not satisfy insurers’ models, the quotation request is referred for review by a team with underwriting authority.  We also apply fraud prediction algorithms to the information clients provide to assist us in detecting and preventing fraud.  We regularly review all profiling and associated algorithms against inaccuracies and bias.

These partially automated processes may result in a client not being offered insurance or affect the price or terms of the insurance. 

Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly.  We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime.  However, generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias. 

Marketing

We may use your Personal Data to provide you with information about products or services which we think would be of interest to you.  We may also share your Personal Data with other companies in the MMC group so that they can provide you with information about their products and services. These may be sent by email or post or, in some circumstances, we or our group companies may telephone you to explain this information to you.

Within the MMC group we operate under a number of brands and you may receive such communications from the following of our trading names Marsh Trade Insure, Marsh Claims Management Services, Lloyd & Partners, Claims Solutions, Echelon Claims Consultants, Marsh Aviation Consulting, Marsh JLT Specialty, Marsh Reclaim, Marsh and Reclaim Consulting Services.

We take care to ensure that our marketing activities comply with all applicable legal requirements. In some cases, this may mean that we ask for your consent in advance of us or our group companies sending you marketing materials.

In all cases, you can opt out of receiving marketing communications, at any time. You can do this by clicking on the "unsubscribe" link in any marketing email or by contacting us using the details set out at the end of this Privacy Notice.

Please note that, even if you opt out of receiving marketing messages, we may still send you communications in connection with the services we provide to you.

Safeguards

We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information we maintain.  These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorised access. 

If appropriate, the safeguards include the encryption of communications via Secure Sockets Layer, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols.  We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes. 

Limiting Collection and Retention of Personal Information

We collect, use, disclose and otherwise process Personal Data that is necessary for the purposes identified in this Privacy Notice or as permitted by law.  If we require Personal Data for a purpose inconsistent with the purposes we identified in this Privacy Notice, we will notify clients of the new purpose and, where required, seek individuals’ consent (or ask other parties to do so on Marsh’s behalf) to process Personal Data for the new purposes.

Our retention periods for Personal Data are based on business needs and legal requirements.  We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose.  For example, we retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data.  When Personal Data is no longer needed, we either de-identify or aggregate the data (in which case we may further retain and use the de-identified or aggregated information for analytics purposes) or securely destroy the data.

Cross-Border Transfer of Personal Information

Marsh transfers Personal Data to, or permits access to Personal Data from, countries outside the UK and European Economic Area (EEA).  These countries’ data protection laws do not always offer the same level of protection for Personal Data as offered in the UK and EEA.  We will, in all circumstances, safeguard Personal Data as set out in this Privacy Notice.

Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. The UK Government has approved the same countries as providing essentially equivalent protections as UK data protection laws. Both the UK and EU data protection laws allow Marsh to freely transfer Personal Data to such countries.

If we transfer Personal Data to other countries outside the UK or EEA, we will establish legal grounds justifying such transfer, such as MMC Binding Corporate Rules, model contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements.

Individuals can request additional information about the specific safeguards applied to the export of their Personal Data by contacting the Data Protection Officer using the contact details in the Questions, Requests or Complaints section below.

Accuracy, Accountability, Openness and Your Rights

We strive to maintain Personal Data that is accurate, complete and current.  Individuals should contact us at dataprotection@marsh.com to update their information. 

Questions regarding Marsh’s privacy practices should be directed to the Data Protection Officer using the contact details in the Questions, Requests or Complaints section below. 

Under certain conditions, individuals have the right to request that Marsh:

  •  provide further details on how we use and process their Personal Data;
  • provide a copy of the Personal Data we maintain about the individual;
  • update any inaccuracies in the Personal Data we hold;
  • delete Personal Data that we no longer have a legal ground to process; and
  • restrict how we process the Personal Data while we consider the individual’s enquiry.

In addition, under certain conditions, individuals have the right to:

  • where processing is based on consent, withdraw the consent, 
  • object to any processing of Personal Data that Marsh justifies on the “legitimate interests” legal grounds, unless our reasons for undertaking that processing outweigh any prejudice to the individual’s privacy rights; and
  •  object to direct marketing (including any profiling for such purposes) at any time.

These rights are subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).  We will respond to most requests within 30 days. 

If we are unable to resolve an enquiry or a complaint, individuals have the right to contact the UK data protection regulator, the Information Commissioner’s Office (ICO).

The ICO can be contacted by telephone at 0303 123 1113 or by email at casework@ico.org.uk.

Belgian data protection laws apply to Marsh nv/sa and therefore if you have any concerns about their processing of your personal data by Marsh nv/sa in Belgium, or to the extent that Belgian law applies to processing by the UK branch, individuals have the right to contact the Data Protection Authority of Belgium (DPA).

The DPA can be contacted on +32(0)2 274 48 00, +32(0)2 274 48 35 or via email at contact@apd-gba.be

Questions, Requests or Complaints

To submit questions or requests regarding this Privacy Notice or Marsh’s privacy practices, please write to the

Data Protection Officer at the following address:

The Data Protection Officer
UK branch of Marsh nv/sa
Tower Place London
EC3R 5BU

Phone: 020 7357 1000

Email: dataprotection@marsh.com

If we are unable to resolve an enquiry or a complaint, individuals have the right to contact the UK data protection regulator, the Information Commissioner's Office (ICO).

The ICO can be contacted by telephone at 0303 123 1113 or by email at casework@ico.org.uk.

Belgian data protection laws apply to Marsh nv/sa and therefore if you have any concerns about their processing of your personal data by Marsh nv/sa in Belgium, or to the extent that Belgian law applies to processing by the UK branch, individuals may contact the Data Protection Officer at the following address:

Marsh nv
Lokale vertegenwoordiger
Herrmann-Debrouxlaan 2
1160 Brussel
België

privacy.belgium@marsh.com

Individuals also have the right to contact the Data Protection Authority of Belgium.

The DPA can be contacted on +32(0)2 274 48 00, +32(0)2 274 48 35 or via email at contact@apd-gba.be

Links to Third Party Websites

Our websites may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites.

Changes to this Privacy Notice

This Privacy Notice is subject to change at any time.  It was last changed on 25 November 2021. If we make changes to this Privacy Notice, we will update the date on which it was last changed. Where we have an engagement with you, we will notify you of any changes we make to this Privacy Notice in accordance with the notice provisions in the terms of our engagement.  In other circumstances, we will publish the revised Privacy Notice on our website.

Download our Privacy Notice here.

Appendix

 

Processing Personal Data
For  Processing Personal Data 
Legal GroundDetails
Performance of our contract with youProcessing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
Compliance with a legal obligationProcessing is necessary for compliance with a legal obligation to which we are subject.
For Processing Personal Data
For our legitimate business interestsProcessing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child.  These legitimate interests are set out next to each purpose.
For processing personal data and special categories of personal data
testtest