Marsh, part of the Marsh & McLennan Companies, Inc. (MMC) group, strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to clients. Marsh’s services consist primarily of risk consulting and insurance intermediation, which facilitate the consideration of, access to, administration of, and making of claims in respect of, insurance services.
Insurance is the pooling and sharing of risk against a possible eventuality. In order to do this, information, including the Personal Data of different categories of individuals, needs to be shared between different insurance market participants through the insurance lifecycle.
To clarify the terms used in this Privacy Notice we have set out the roles of the key Insurance Market Participants below:
During the insurance lifecycle Marsh may receive Personal Data relating to potential or actual Policyholders, Beneficiaries under a policy, their family members, claimants and other parties involved in a claim. Therefore references to “individuals” in this Privacy Notice include any living person from the preceding list, whose Personal Data Marsh receives in connection with the services it provides under its engagements with its clients. This Privacy Notice sets out Marsh’s uses of this Personal Data and the disclosures it makes to other Insurance Market Participants and other third parties.
A glossary of key terms used in this Privacy Notice can be found here.
Marsh Oy, Keilaranta 10 E, 02150 Espoo, Finland (Marsh or We) is the controller in respect of the Personal Data it processes in connection with the services provided under the relevant engagement with its client.
In certain cases, and for the purposes of performing some services, Marsh and its client may have agreed that Marsh is a processor. When Marsh acts as a processor, it complies with the obligations set out in the agreement concluded with its client.
Personal information that may be processed
We may collect and process the following Personal Data:
Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.
We collect Personal Data from various sources, including (depending on the country you are in):
In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely to process the information.
These “legal grounds” are set out in the General Data Protection Regulation (GDPR), which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the regulation (the full description of each of the grounds can be found here).
Please note that in addition to the disclosures we have identified in the table below, we may disclose Personal Data for the purposes we explain in this notice to service providers, contractors, agents and MMC group companies that perform activities on our behalf.
In order to facilitate the provision of insurance cover and administer insurance claims, we rely on the data subject’s consent to process Special Categories of Personal Data and Criminal Records Data, such as medical and criminal convictions records, as set out in the table above and for profiling as set out in the next section. This consent allows us to share the information with other Insurers, Intermediaries and Reinsurers that may need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner).
The affected individual’s consent to this processing of Special Categories of Personal Data and Criminal Records Data is a necessary condition for Marsh to be able to provide the services the client requests.
Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.
Individuals may withdraw their consent to such processing at any time. However, doing so may prevent Marsh from continuing to provide the services. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Special Categories of Personal Data and Criminal Records Data, it may not be possible for the insurance cover to continue.
Insurance premiums are calculated by Insurance Market Participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires Marsh and other Insurance Market Participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. Marsh and other Insurance Market Participants may use Special Categories of Personal Data and Criminal Records Data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.
Marsh and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below.
We use these models only for the purposes listed in this Privacy Notice. In most cases, our staff make decisions based on the models.
These automated processes may result in a client not being offered insurance or affect the price or terms of the insurance.
Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime, but generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.
We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information we maintain. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorized access. If appropriate, the safeguards include the encryption of communications via SSL, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes.
We collect, use, disclose and otherwise process Personal Data that is necessary for the purposes identified in this Privacy Notice or as permitted by law. If we require Personal Data for a purpose inconsistent with the purposes we identified in this Privacy Notice, we will notify clients of the new purpose and, where required, seek individuals’ consent (or ask other parties to do so on Marsh’s behalf) to process Personal Data for the new purposes.
Our retention periods for Personal Data are based on business needs and legal requirements. We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose or as required by law. For example, we may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the data.
Marsh transfers Personal Data to, or permits access to Personal Data from, countries outside the European Economic Area (EEA). These countries’ data protection laws do not always offer the same level of protection for Personal Data as offered in the EEA. We will, in all circumstances, safeguard Personal Data as set out in this Privacy Notice.
Certain countries outside the EEA have been approved by the European Commission as providing protections essentially equivalent to those of EEA data protection laws. EU data protection laws allow Marsh to freely transfer Personal Data to such countries.
If we transfer Personal Data to other countries outside the EEA, we will establish legal grounds justifying such transfer, such as MMC Binding Corporate Rules, model contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements.
Individuals can request additional information about the specific safeguards applied to the export of their Personal Data by contacting the Data Protection Officer at the address below.
We strive to maintain Personal Data that is accurate, complete and current. Individuals should contact us at email@example.com to update their information.
Questions regarding Marsh’s privacy practices should be first directed to Marsh’s Data Protection Officer.
Under certain conditions, individuals have the right to request Marsh to:
These rights are subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). We will respond to most requests within 30 days.
If we are unable to resolve an inquiry or a complaint, individuals have the right to lodge a complaint with the applicable supervisory authority.
To submit questions or requests regarding this Privacy Notice or Marsh’s privacy practices, please write to the Data Protection Officer at the following address:
The Compliance Officer
This Privacy Notice is subject to change at any time. It was last changed on 23.03.18. If we make changes to this Privacy Notice, we will update the date it was last changed. Any changes we make to this Privacy Notice become effective immediately.
A copy of this Privacy Notice (and any significant changes) can be obtained from here. Please note this URL is not available via a general search of the web.