Privacy notice

INTRODUCTION

This Privacy Notice describes how Marsh and its subsidiaries (collectively, the “Company”), collect, use, share, retain, transfer and otherwise process information relating to identified or identifiable individuals (“Personal Data”), and the rights you may have regarding your Personal Data. We believe that it is important for you to understand how we process Personal Data and encourage you to take a moment to familiarize yourself with our privacy practices outlined below.

Please note that in some instances we act on behalf of and under the instructions of clients, or other partners who act as controllers. Please refer to their respective privacy policies for more information regarding the processing of your Personal Data in these contexts.

IDENTITY OF DATA FIDUCIARY

Depending on your jurisdiction and the specific service offered, the Company may solely determine the means and purposes of processing your Personal Data (and therefore would be acting as the Data Fiduciary). In other jurisdictions or for other services, the Company may be following the specific instructions of a third-party Data Fiduciary, such as your employer or another client. In these jurisdictions, the Company acts as a Data Processor.

To determine whether the Company is a Data Fiduciary or Data Processor in your jurisdiction or to find the contact information for the Company, please contact your Data Protection Officer at privacy@mmc.com.

WHAT PERSONAL DATA DO WE COLLECT

We may collect the following categories of Personal Data where appropriate to fulfill our intended business purposes:


Category	Examples
Category	Examples
Biographical identifiers	Name, date of birth, age, place of birth, gender
Contact information	Home address, telephone number, personal email address.
Identification information	Tax number, social security number or other government issued identification number, driver’s license number, passport information, bank account details, income tax declaration, income tax number
Professional or employment-related information	Employer or group, relationship to our company, job title, business contact details, employee ID, employment grade, employee performance, salary and remuneration arrangements and employment history, and/or your relationship to the policyholder, insured, beneficiary or claimant
Protected Classifications	Race, citizenship, physical or mental health or disability, sex, gender, gender identity, pregnancy or childbirth and related medical conditions, sexual orientation, union membership, veteran, or military status
Financial Information	Payment card number and related bank account number and account details, income, and other financial information
Benefit and Pension Information	Benefit elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits such as voluntary contributions, details of power of attorney
Insurable Risk Information	Criminal records data, including driving offenses, vehicle information, health information, injury or disability information, relevant personal habits, medical history, psychometric test results, historical information about the insurance quotes and coverages obtained, education information, credit history, and claims information and history, each to the extent relevant to the risk being insured
Inferred Information	Profile reflecting a person's preferences, characteristics, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes
Internet or other similar network activity	Browsing and search history, interaction with a website, application, or advertisement, data from cookies or web beacons, login credentials, domain names, and interactions with our emails, including when you read and respond to emails, ISP (Internet Service Provider), browser details, other website activity, online identifiers (including IP address or device ID)
Any other voluntarily-provided information	Information regarding partners and dependents (including minor dependents); emergency contact details, disclosure statements, restrictive covenants, geolocation, marketing and communication preferences, information related to company-sponsored events that you have attended, and your feedback or survey responses where you choose to identify yourself

Whenever Marsh collects this information directly from data subjects, they will be informed of the requirement for this information and the consequences of refusing to provide it.

HOW WE COLLECT PERSONAL DATA

We may collect Personal Data from the following sources (depending on the service we are seeking to or are providing and country you are in):

Information Provided by You, Your Representatives or Third Parties

Directly from you or your family members, online, face to face, by telephone, or in written correspondence, including where information is submitted on your behalf (where the person submitting has your permission to do so). For example we may collect information when you visit a website, enroll in benefits, request a quote, call a service center, or otherwise give us information;
Your representatives, including your employer, association, or group or benefit program/plan sponsor;
In the event of a claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjusters, lawyers and claims handlers;
Other insurance market participants, such as insurers, reinsurers, appointed loss adjusters and other intermediaries;
Credit reference agencies (to the extent the Company is taking any credit risk or participating in any underwriting activities);
Anti-fraud databases and other third-party databases, including sanctions lists;
Government agencies, such as vehicle registration authorities and tax authorities;
Claim forms;
Resources that provide publicly-available information;
Business information and research tools;
Selected third parties who provide us with details of potential customers;
Third parties who introduce business to us; and
Vetting and data validation agencies and other professional advisory service providers in connection with our marketing or business development activities.

If you supply us with Personal Data about other people (e.g., family members, beneficiaries, or dependents), you represent that you have the authority to provide this information and that you have shared this Privacy Notice where appropriate. We do not knowingly collect Personal Data directly from minors.

If you communicate with one of our investment advisors through any device or method, please note that we log and monitor all such communications in order to comply with our record-keeping obligations.

Collection by Automated Means

We use cookies and related tracking technologies (“Cookies”) on our company-owned websites. If available based on your jurisdiction, website users can opt-out of our use of certain Cookies using the Manage Cookies link at the bottom of the website and find out more about how we use Cookies by selecting the Cookie Notice link.

INTERACTIONS WITH THIRD PARTIES

External Links

Our websites may include links to websites that are operated by organizations other than the Company. If you access another organization’s website using a hyperlink on our website, the other organization may collect information from you. The Company is not responsible for the content or privacy practices of linked websites or their use of your Personal Data. If you leave a Company website via such a link (you can tell where you are by checking the URL in the location bar on your browser), you should refer to that website’s privacy policies, terms of use, and other notices to determine how the other organization will handle any Personal Data they collect from you.

Collection by Third Parties

If you conduct a transaction through us, a third party (e.g., a service provider or insurer) may collect and process credit card or other Personal Data about you, including through Cookies, in connection with such a transaction. In those instances, and for any other arrangement where we receive information from your employer, association or other third party, we encourage you to read the third party’s privacy policy to learn more about how your information will be used and disclosed by them.

HOW WE USE THE PERSONAL DATA WE COLLECT

We may use Personal Data we collect:


Purpose	Description of Use	Legal Basis
Purpose	Description of Use	Legal Basis
To conduct our business	We use Personal Data as necessary to conduct our business, including to verify your identity, respond to your queries, communicate with you, process transactions, establish an online account, or carry out our contractual obligations.	Contract performance and, where applicable, legitimate interests (to enable us to perform our obligations and provide our services to you).
To provide you with marketing material where permissible under applicable law	We may use your contact details to send you information about products, services, and insights we think might be of interest to you. These communications may be sent by email, text, post, or phone in accordance with your marketing preferences and applicable global laws, including those relating to data protection and electronic communication. As a result, the basis on which we contact you will vary depending on who you are, our relationship with you, and where you are located. Regardless of the basis on which we share our marketing communications with you, we will comply with local law and provide an option for you to unsubscribe at any time in which case we will stop sending you our marketing communications. You can also change your marketing preferences by contacting us at privacy@mmc.com. Please note that, even if you opt-out of receiving marketing communications, we may still send you communications in connection with the services we provide to you.	Legal obligation, consent (which you can refuse or withdraw) and, where applicable, legitimate interest (to keep you updated with news in relation to our products and services).
For research, data analytics and development purposes	We may analyse Personal Data together with information from other clients to create insights, reports, and other analytics to better understand and improve the quality of our offering; market our advice, products, and services; and evaluate the effectiveness of our marketing activities, websites, and overall service. Please note that we may de-identify Personal Data such that it is not associated with any particular client or individual.	Where applicable, legitimate interests (to allow us to improve our services).
To log and monitor certain activities and maintain network security and performance, and protect against cyber attacks	We log and monitor communications and transactions to ensure service quality, compliance with procedures and legal requirements, and to combat fraud. We also use Personal Data as necessary to maintain network security, monitor website performance, and protect our systems against cyber-attacks.	Legal obligation, and, where applicable, legitimate interests (to ensure the quality and legality of our services).
To maintain our websites and ensure website content is relevant	We use Personal Data as necessary to maintain our websites and ensure that content from our websites is presented in the most effective manner for you and for your device.	Contract performance and, where applicable, legitimate interests (to allow us to provide you with content and services on the websites).
To reorganise or make changes to our business	As necessary if we: (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organisation.	Legal obligation or legitimate interests (to allow us to change our business).
In connection with legal or regulatory obligations	We use Personal Data to comply with our regulatory disclosure requirements or as part of dialogue with our regulators as applicable.	Legal obligation, and where appropriate, legitimate interests (to cooperate with law enforcement and regulatory authorities).
For Fraud, Anti-Money Laundering and Sanctions Screenings	When establishing or maintaining client relationships for the provision of certain services we use Personal Data for the purposes of carrying out fraud, anti-money laundering or sanctions checks.	Legal obligations and, where appropriate, legitimate interests (to cooperate with law enforcement and regulatory authorities).

We may also use the Personal Data we collect and receive as otherwise described to you at the point of collection.

PROFILING AND AUTOMATED DECISION MAKING

Insurance premiums are calculated by insurance market participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires the Company and other insurance market participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. The Company and other insurance market participants may use special categories of Personal Data and criminal records data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.

The Company and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below. To do this, we may use Personal Data we receive from clients to match against information in the models that we have created based on the behaviour of other individuals with similar attributes and to create further models.

We use these models only for the purposes listed in this Privacy Notice. In most cases, our staff make decisions based on the models.

To the extent we engage in the automated processing of your Personal Data, we will provide you in advance with any notices, including regarding your rights, that are required under law. Decisions regarding insurance premiums, coverage limits and eligibility, however, may be determined by insurance carriers using automated means, including through one of our websites or applications interacting with such insurers’ systems. In those instances, we encourage you to review the applicable insurers’ privacy notices to obtain additional information regarding their automated decision-making practices, as well as any right to opt-out of such processing or challenge a prediction, recommendation or decision that has impacted you.

MARKETING

We may use your Personal Data to provide you with information about products or services which we think would be of interest to you. We may also share your Personal Data with other companies in the MMC group so that they can provide you with information about their products and services. These may be sent by email or post or, in some circumstances, we may telephone you to explain this information to you.

We take care to ensure that our marketing activities comply with all applicable legal requirements. In some cases, this may mean that we ask for your consent in advance of us or our group companies sending you marketing materials.

In all cases, you can opt out of receiving marketing communications, at any time. You can do this by clicking on the "unsubscribe" link in any marketing email or by contacting us using the details set out at the end of this Privacy Notice.

Please note that, even if you opt out of receiving marketing messages, we may still send you communications in connection with the services we provide to you.

Right to Opt in or out of Sale or Sharing for Cross-Context Advertising

If you visit one of our websites, we may disclose your internet or other electronic network activity information, biographical identifiers, geolocation data, and professional information (to the extent it can be derived from your activity on our website) to website analytic and advertising providers for cross-context behavioral or targeted advertising purposes utilizing advertising cookies. Under some laws, this activity may be considered a sale or sharing of information, and you may have the right to opt in or out of these types of disclosures. To opt-in or out of our selling or sharing your Personal Data on our websites or to view the names of specific third parties with whom we have sold or shared your information, please click on the “Manage Cookies” link at the bottom of our webpage. If you would like to opt out of the sale or sharing of your information, ensure the toggles for “Advertising” and “Analytics” trackers are set to “No” or, where available, enable the Do Not Sell or Share My Personal Data toggle.

You may also implement a browser setting or extension to communicate your selling and sharing preferences automatically to the websites you visit. Our websites process such “opt-out preference signals” in a frictionless manner by recognizing the Global Privacy Control (GPC). If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available here.

Direct Marketing and Do Not Track Signals

You may have a right to request and obtain a notice once a year about the Personal Data we disclosed to other businesses for their own direct marketing purposes, where permitted by law. If applicable, such a notice will include a list of the categories of Personal Data that were disclosed (if any) and the names and addresses of all third parties to whom the Personal Data was disclosed (if any). The notice will cover the preceding calendar year. You may contact us as provided below if you would like to learn if this right applies to you and, if so, exercise that right.

Please note that some of these rights may be limited where we have an overriding legitimate interest or legal, regulatory, or contractual obligation to continue to process the Personal Data, or where the Personal Data may be exempt from disclosure or erasure under to applicable law. Some of these rights can be exercised only in certain circumstances or may otherwise be limited by data protection legislation in your jurisdiction.

WHO WE DISCLOSE PERSONAL DATA TO

We may disclose Personal Data to the following categories of third parties:


Categories of third parties	Purpose for Disclosure
Categories of third parties	Purpose for Disclosure
Insurers, third-party agents/brokers, and/or other similar third parties	As necessary to provide our contracted services
Your employer, association, group, or benefit program sponsor (when applicable)	Assist in the administration of a group insurance program and as otherwise necessary to provide our contracted services.
Affiliates	Assist in providing the services and enable them to provide services to you or contact you regarding additional products and services.
Agents or third-party service providers	Perform functions or services for us or on our behalf. Such third parties are contractually restricted from using Personal Data for purposes other than providing services for us or on our behalf.
Marketing partners, including affiliates and third parties engaged by us or our clients in connection with the services.	As permitted by law to provide you with information about our products, services, events, or insights.
Potential partners or successor entities	In the context of mergers, acquisitions, bankruptcies, asset sales or other transactions where a third party assumes control of all or part of our assets.
Website analytics and advertising companies	To improve our services, for general operations and business needs, and to help us to improve user experiences on our websites and personalize content, measure the performance and use of content on our websites, and derive insights about the audiences who visit our websites and review content.
Anti-fraud databases, supervisory or regulatory authorities, law enforcement and other third parties	As necessary to prevent fraud, communicate with supervisory or regulatory authorities, protect, enforce and defend the legal rights, safety, and security of our Company, our affiliates and business partners, and users of any website; respond to claims of suspected or actual illegal activity; respond to an audit or inquiry, or investigate a complaint or security threat; or comply with applicable law, regulation, legal process, or governmental request.

We may also disclose de-identified information that is not reasonably likely to identify you for commercially legitimate and lawful business purposes. Where we have de-identified information, we will maintain and use it without attempting to re-identify the data other than as permitted under law.

STEPS WE TAKE TO PROTECT PERSONAL DATA

Our company strives to comply with all applicable cybersecurity and data protection laws. With these goals in mind, Marsh McLennan has a dedicated Chief Information Security Officer (CISO) and a Global Chief Privacy Officer (GCPO). The CISO is responsible for managing a Global Information Security team and a comprehensive cybersecurity program. As part of our cybersecurity program, we have implemented commercially reasonable physical, administrative, and technical safeguards to protect your Personal Data from unauthorized access, use, alteration, and deletion.

The GCPO leads and oversees a Privacy Center of Excellence and a Data Protection Officer Network responsible for implementing our comprehensive global privacy program. The Data Protection Officer Network connects our Data Protection Officers across the world and seeks to implement our privacy program consistently and thoroughly wherever we process data. You can find the name and contact information for the Data Protection Officer in your jurisdiction by emailing us at privacy@mmc.com.

YOUR DATA PROTECTION RIGHTS

Where we act as a Processor, we process Personal Data based on the instructions of our corporate clients who act as the Controller of that information, and you should contact them to exercise any rights you may have under applicable privacy laws.

Where we act as the Controller, we are primarily responsible for deciding how your information is processed. In such case, you may have some or all the rights listed below, depending on the jurisdiction and our reason for processing your information.

Please note that we may need to use your Personal Data to verify your identity prior to fulfilling any of the below rights:

Right of access (Right to know) - You may ask us to provide you with further details on how we make use of your Personal Data, the sources, the categories or specific pieces of Personal Data we have collected, the categories of third parties to whom we have disclosed the information, and to request a copy of the Personal Data that we hold about you.
Right to correct - You may ask us to update any inaccuracies in the Personal Data we hold. If we disclose your Personal Data to others, we will tell them about the correction where possible.
Right to delete - You may ask us to erase your Personal Data where we no longer have lawful grounds to process it.
Right to data portability - You may have the right, where it is technically feasible, to ask that we transfer to a third party of your choice a copy of Personal Data we have obtained from you, in a structured, commonly used, and machine-readable format.
Right to withdraw consent - If we rely on your consent as our legal basis for processing your Personal Data, you have the right to withdraw that consent.

If you wish to exercise any of the above rights or request a review of a decision or denial, please submit a Data Subject Rights Request via this portal.

CROSS-BORDER TRANSFERS

As a global company operating across more than 80 countries, there are circumstances in which we will have to transfer Personal Data out of the country, province, or territory in which it was collected for the purposes outlined in this Privacy Notice. Specifically, we may transfer data to offer, administer, and manage the Services provided to you, and to enhance the efficiency of our business operations. We will make every effort to ensure that these transfers adhere to all relevant data protection legislation, and that the rights and freedoms of individuals under such laws are appropriately safeguarded.

Where the need for such a transfer arises, we will take steps to ensure that there are appropriate safeguards in place to protect Personal Data such as an impact assessment, adequacy decision by the appropriate supervisory authority, the use of approved binding corporate rules or standard contractual clauses, or your consent.

RETENTION OF YOUR INFORMATION

Our products, services, and regulatory obligations are complex, and thus our retention periods for Personal Data vary. We consider the following obligations when setting retention periods for Personal Data and the records we maintain:

the need to retain information to accomplish the business purposes or contractual obligations for which it was collected;
our duties to effectuate our clients’ instructions with respect to Personal Data we process on their behalf;
our duties to comply with mandatory legal and regulatory record-keeping requirements;
our backup and disaster recovery procedures; and
other legal impacts such as the applicable statute of limitations periods.

Based on the factors above, we may retain Personal Data beyond the period for which we provide services to you. When we no longer need to retain Personal Data, our company policies require that we either de-identify or aggregate the information (in which case we may further retain and use the de-identified.

QUESTIONS OR CONCERNS

To submit questions or requests regarding this Privacy Notice or our privacy practices, please email us at privacy@mmc.com. If you would prefer to contact us by post or by phone, please contact your local Data Protection Officer. You can find the contact information for your local Data Protection Officer by emailing us at privacy@mmc.com.