Marsh, part of the Marsh & McLennan Companies, Inc. (MMC) group, strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to clients. Marsh’s services consist primarily of risk consulting and insurance intermediation, which facilitate the consideration of, access to, administration of, and making of claims in respect of, insurance services.
Insurance is the pooling and sharing of risk against a possible eventuality. In order to do this, information, including the Personal Data of different categories of individuals, needs to be shared between different insurance market participants through the insurance lifecycle.
To clarify the terms used in this Privacy Notice we have set out the roles of the key Insurance Market Participants below:
- Policyholders: Request insurance to protect themselves against risks that could affect them. They may approach an Intermediary (such as Marsh) to purchase insurance or they may approach an Insurer directly or via a price comparison website.
- Intermediaries: Help Policyholders and Insurers arrange insurance cover. They may offer advice and handle claims. Many insurance and reinsurance policies are obtained through Intermediaries.
- Insurers: Sometimes also called underwriters. Provide insurance cover to Policyholders in return for payment (premium).
- Reinsurers: Provide insurance cover to another Insurer or Reinsurer. That insurance is known as reinsurance.
During the insurance lifecycle Marsh may receive Personal Data relating to potential or actual Policyholders, Beneficiaries under a policy, their family members, claimants and other parties involved in a claim. Therefore references to “individuals” in this Privacy Notice include any living person from the preceding list, whose Personal Data Marsh receives in connection with the services it provides under its engagements with its clients. This Privacy Notice sets out Marsh’s uses of this Personal Data and the disclosures it makes to other Insurance Market Participants and other third parties.
A glossary of key terms used in this Privacy Notice can be found here.
IDENTITY OF CONTROLLER AND CONTACT DETAILS
Marsh [Country Name], [Address Line 1], [Address Line 2], [Address Line 3] (Marsh or We) is the controller in respect of the Personal Data it processes in connection with the services provided under the relevant engagement with its client.
In certain cases, and for the purposes of performing some services, Marsh and its client may have agreed that Marsh is a processor. When Marsh acts as a processor, it complies with the obligations set out in the agreement concluded with its client.
Personal information that may be processed
We may collect and process the following Personal Data:
- Individual details: Name, address (and proof of address), other contact details (e.g., email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant.
- Identification details: Identification numbers issued by government bodies or agencies (e.g., depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s license number).
- Financial information: Payment card number, bank account number and account details, income and other financial information.
- Insured risk: Information about the insured risk, which contains Personal Data and may include, only to the extent relevant to the risk being insured:
- Health data: Current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information, medical history;
- Criminal records data: Criminal convictions, including driving offences; and
- Other Special Categories of Personal Data: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation.
- Policy information: Information about the quotes individuals receive and the policies they obtain.
- Credit and anti-fraud data: Credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies.
- Previous claims: Information about previous claims, which may include health data, criminal records data, and other Special Categories of Personal Data (as described in the Insured Risk definition above).
- Current claims: Information about current claims, which may include health data, criminal records data, and other Special Categories of Personal Data (as described in the Insured Risk definition above).
- Marketing data: Whether or not the individual has consented to receive marketing from us and from third parties.
Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.
Sources of personal data
We collect Personal Data from various sources, including (depending on the country you are in):
- Individuals and their family members, online or by telephone, or in written correspondence
- Individuals’ employers
- In the event of a claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjustors, lawyers and claims handlers
- Other insurance market participants, such as Insurers, Reinsurers and other Intermediaries
- Credit reference agencies (to the extent Marsh is taking any credit risk)
- Anti-fraud databases and other third party databases, including sanctions lists
- Government agencies, such as vehicle registration authorities and tax authorities
- Claim forms
How we use and disclose your personal data
In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely to process the information.
These “legal grounds” are set out in the General Data Protection Regulation (GDPR), which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the regulation (the full description of each of the grounds can be found here).
Please note that in addition to the disclosures we have identified in the table below, we may disclose Personal Data for the purposes we explain in this notice to service providers, contractors, agents and MMC group companies that perform activities on our behalf.
In order to facilitate the provision of insurance cover and administer insurance claims, we rely on the data subject’s consent to process Special Categories of Personal Data and Criminal Records Data, such as medical and criminal convictions records, as set out in the table above and for profiling as set out in the next section. This consent allows us to share the information with other Insurers, Intermediaries and Reinsurers that may need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner).
The affected individual’s consent to this processing of Special Categories of Personal Data and Criminal Records Data is a necessary condition for Marsh to be able to provide the services the client requests.
Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.
Individuals may withdraw their consent to such processing at any time. However, doing so may prevent Marsh from continuing to provide the services. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Special Categories of Personal Data and Criminal Records Data, it may not be possible for the insurance cover to continue.
Profiling and automated decision making
Insurance premiums are calculated by Insurance Market Participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires Marsh and other Insurance Market Participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. Marsh and other Insurance Market Participants may use Special Categories of Personal Data and Criminal Records Data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.
Marsh and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below.
We use these models only for the purposes listed in this Privacy Notice. In most cases, our staff make decisions based on the models.
Automated broking platform
These automated processes may result in a client not being offered insurance or affect the price or terms of the insurance.
Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime, but generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.
We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information we maintain. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorized access. If appropriate, the safeguards include the encryption of communications via SSL, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes.
Limiting collection and retention of personal information
We collect, use, disclose and otherwise process Personal Data that is necessary for the purposes identified in this Privacy Notice or as permitted by law. If we require Personal Data for a purpose inconsistent with the purposes we identified in this Privacy Notice, we will notify clients of the new purpose and, where required, seek individuals’ consent (or ask other parties to do so on Marsh’s behalf) to process Personal Data for the new purposes.
Our retention periods for Personal Data are based on business needs and legal requirements. We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose or as required by law. For example, we may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the data.
Cross-border transfer of personal information
Marsh transfers Personal Data to, or permits access to Personal Data from, countries outside the European Economic Area (EEA). These countries’ data protection laws do not always offer the same level of protection for Personal Data as offered in the EEA. We will, in all circumstances, safeguard Personal Data as set out in this Privacy Notice.
Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. EU data protection laws allow Marsh to freely transfer Personal Data to such countries.
If we transfer Personal Data to other countries outside the EEA, we will establish legal grounds justifying such transfer, such as MMC Binding Corporate Rules, model contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements.
Individuals can request additional information about the specific safeguards applied to the export of their Personal Data by contacting the Data Protection Officer at the address below.
ACCURACY, ACCOUNTABILITY, OPENNESS AND YOUR RIGHTS
We strive to maintain Personal Data that is accurate, complete and current. Individuals should contact us at email@example.com to update their information.
Questions regarding Marsh’s privacy practices should be first directed to Marsh’s Data Protection Officer.
Under certain conditions, individuals have the right to request Marsh to:
- Provide further details on how we use and process their Personal Data;
- Provide a copy of the Personal Data we maintain about the individual;
- Update any inaccuracies in the Personal Data we hold;
- Delete Personal Data that we no longer have a legal ground to process;
- Where processing is based on consent, to withdraw the consent;
- Object to any processing of Personal Data that Marsh justifies on the “legitimate interests” legal grounds, unless our reasons for undertaking that processing outweigh any prejudice to the individual’s privacy rights; and
- Restrict how we process the Personal Data while we consider your inquiry.
These rights are subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). We will respond to most requests within 30 days.
If we are unable to resolve an inquiry or a complaint, individuals have the right to lodge a complaint with the applicable supervisory authority.
QUESTIONS, REQUESTS OR COMPLAINTS
To submit questions or requests regarding this Privacy Notice or Marsh’s privacy practices, please write to the Data Protection Officer at the following address:
Data Protection Officer
Marsh [Country Name]
Attention: [First and Last Name]
[Address Line 1]
[Address Line 2]
[Address Line 3]
CHANGES TO THIS PRIVACY NOTICE
This Privacy Notice is subject to change at any time. It was last changed on 27.11.17. If we make changes to this Privacy Notice, we will update the date it was last changed. Any changes we make to this Privacy Notice become effective immediately.
A copy of this Privacy Notice (and any significant changes) can be obtained from here. Please note this URL is not available via a general search of the web.
12 A Abba Hillel St.
Ramat Gan, Israel 52506
PURPOSE FOR COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION
- Establishing and maintaining communications with you;
- Where you have requested a service from Marsh, assisting you in the completion of your application, the assessment of your eligibility for any such requested service, the processing and maintenance of the service, as well as any applicable renewal of such service;
- Responding to your inquiries about applications, accounts and other services;
- Making proposals for future service needs;
- Allowing our affiliated companies to notify you of certain products or services offered by our affiliated companies;
- Processing transactions through service providers;
- Sharing with associations for those clients/participants obtaining insurance coverage by being a member of the association;
- Sharing with financial institutions and other organizations where we have joint marketing agreements;
- Meeting legal, security, processing and regulatory requirements;
- Protecting against fraud, suspicious or other illegal activities; and
- Compiling statistics for analysis of our sites and our business.
WHAT INFORMATION WE COLLECT
The information gathered by Marsh from this site falls into two categories: (1) information voluntarily supplied by visitors to our site and (2) tracking information gathered as visitors navigate through our site.
Information voluntarily provided by you
When using this site, you may choose to provide us with information to help us serve your needs. The personal information that we collect will depend on how you choose to use this site.
- Where you request a brochure or report: If you request a brochure or report or further information from us, we require you to submit your name, email address, the name of your organization, and the country in which you are based so we may send you the material you have requested, and to enable us to identify if you are an existing client of Marsh.
- Where you register with us and/or request an insurance quote: If you register with the site, or request an insurance quote, we may ask you for your name, email address, country, telephone number and the reason for your communication, as well as information about your position and organization and such other information as is reasonably necessary so that we can provide you with the quote. On the data submission form, we shall indicate by way of an asterisk, which information is optional and which information is mandatory. This information can include:
- Information you provide on applications or other forms, which may include your name, address, email address, age, personal identification numbers, credit card numbers, credit records, banking information, payment records, medical and health information, employment and income information;
- Information we acquire from and/or transfer to other persons (such as government agencies, industry associations, auditors, claims adjusters, your insurer and your employer) to verify your identity and the accuracy of the information you have provided;
- Information about you received from Marsh affiliates, insurers, other intermediaries, third party providers and others for underwriting or claims purposes (such as previous insurance and claims history) about our Clients and Participants; and
- Information we receive from consumer reporting agencies.
Following the quote, if you decide to proceed, we will collect personal information necessary to finalize the relevant quote and proceed with the transaction, such as your name, address, post code, contact telephone number, email address, billing address or payment details, as relevant to the product. We will use your personal information to administer your policy, process claims etc. and generally manage your relationship with us. Please see the Disclosure of Your Information to Others section for information on the categories of recipients of the personal data.
- Where you submit content: Finally, if you submit content regarding any of the information that you view on our site, we will ask for your name and email address, so that, if you choose, we can update you by email when others also comment on the content, and also so that we can manage the content in line with our acceptable use policy. You should be aware that the information you provide there will be made publicly available to Marsh employees and other users of the site.
Website Navigational Information / Cookies
As you navigate the site, we may also collect information through the use of commonly-used information-gathering tools, such as cookies and web beacons (collectively “Website Navigational Information”). Website Navigational Information includes standard information from your web browser (such as browser type and browser language), your Internet Protocol (“IP”) address, and the actions you take on the site (such as the web pages viewed and the links clicked).
DISCLOSURE OF INFORMATION TO OTHERS
Third parties to whom we disclose information are required by law and contractual undertakings to keep your personal information confidential and secure, and to use and disclose it for purposes that a reasonable person would consider appropriate in the circumstances, in compliance with all applicable legislation, which purposes are as follows:
- To assess eligibility for coverage, process and maintain insurance coverage, renewal of coverage or related products and services – we disclose to the insurance companies, reinsurers, intermediaries or other brokers that make available the coverage;
- To associations for those Clients/Participants obtaining insurance coverage by being a member of the association;
- To notify you or allow our affiliated companies to notify you of certain products or services offered by our affiliated companies;
- For legal, claims settlement and valuation services;
- To update information with credit bureaus and insurance reporting agencies;
- To process transactions through data processing service providers;
- If the information is a credit card number, to process credit card payments – through third party payment processing, clearing and settlement systems in association with various banks; and
- To other financial institutions with whom we have joint marketing agreements.
If these third parties wish to use your personal information for any other purpose, they will have a legal obligation to notify you of this and, where required, to obtain your consent.
In the normal course of performing services for our clients, personal information may be shared within Marsh and its affiliates for research and statistical purposes, system administration and crime prevention or detection. This may require personal information to be accessed or moved to a country different from the one where the personal information was collected. When you supply us with information containing third party personal information (names, addresses, or other information relating to living individuals), we will hold and use that personal information to perform general insurance and other services for you on the understanding that the individuals to whom the personal information relates have been informed of the reason(s) for obtaining the personal information, the fact that it may be disclosed to third parties such as Marsh, and have consented to such disclosure and use.
Because a number of the service providers we use are located in the United States, including certain Marsh affiliates, your personal information may be processed and stored inside the United States, and the U.S. government, courts, or law enforcement or regulatory agencies may be able to obtain disclosure of your personal information under US laws.
The transfer of personal information is governed by European Union (EU) standard contractual clauses, the EU-US Privacy Shield or equivalent data transfer agreements to protect the security and confidentiality of your personal information.
As we continue to develop our business, we might sell or buy assets. In such transactions, user information, including personal information, generally is one of the transferred business assets. Also, if either Marsh itself or substantially all of Marsh’s assets were acquired, your personal information may be one of the transferred assets. Therefore, we may disclose and/or transfer your personal information to a third party purchaser in these circumstances.
Other Legally Required Disclosures
Marsh preserves the right to disclose without your prior permission any personal information about you or your use of this site if Marsh has a good faith belief that such action is necessary to: (a) protect and defend the rights, property or safety of Marsh, employees, other users of this site, or the public; (b) enforce the terms and conditions that apply to use of this site; (c) as required by a legally valid request from a competent governmental authority; or (d) respond to claims that any content violates the rights of third parties. We may also disclose personal information as we deem necessary to satisfy any applicable law, regulation, legal process or governmental request.
Your knowledge of and consent to Marsh’s collection, use and disclosure of your personal information is critical. We rely on the following actions by you as indications of your consent to our existing and future personal information practices:
- Your voluntary provision of personal information to us directly or through another insurance broker or representative or your employer for the purpose of acquiring an insurance contract or related service or product (including information previously provided to Marsh);
- Your express consent or acknowledgement contained within a written, verbal or electronic application or claims process; and
- Your verbal consent solicited by Marsh (or our agent) for a specified purpose.
Where Marsh relies on consent for the fair and lawful processing of personal information, the opportunity to consent will be provided when the personal information in question is collected. Your consent may be given through your authorized representative such as a legal guardian, agent or holder of a power of attorney.
Subject to certain legal or contractual restrictions and reasonable notice, you may withdraw this consent at any time. Marsh will inform you of the consequences of withdrawing your consent. In some cases, refusing to provide certain personal information or withdrawing consent for Marsh to collect, use or disclose your personal information could mean that we cannot obtain insurance coverage or other requested products, services or information for you.
If you wish to withdraw your consent please refer to the Questions or to Withdraw Consent section below.
However, there are a number of instances where Marsh does not require your consent to engage in the processing or disclosure of personal information. Marsh may not solicit your consent for the processing or transfer of personal information for those purposes which have a statutory basis, such as:
- The transfer or processing is necessary for the performance of a contract between you and Marsh (or one of its affiliates);
- The transfer or processing is necessary for the performance of a contract, concluded in your interest, between Marsh (or one of its affiliates) and a third party;
- The transfer or processing is necessary, or legally required, on important public interest grounds, for the establishment, exercise, or defense of legal claims, or to protect your vital interests; or
- The transfer or processing is required by applicable law.
LIMITING COLLECTION AND RETENTION OF PERSONAL INFORMATION
Marsh will collect, use, or disclose personal information that is necessary for the Identified Purposes or as permitted by law. If we require personal information for any other purpose, you will be notified of the new purpose, and subject to your consent (where appropriate), that new purpose will become an Identified Purpose.
Marsh will collect personal information by fair and lawful means. We will normally retain personal information as long as necessary for the fulfillment of the Identified Purposes. However, some personal information may be retained for longer periods as required by law, contract, or auditing requirements.
We have in place physical, electronic and procedural safeguards appropriate to the sensitivity of the information we maintain regarding Clients and Participants. Safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the personal information. They include physical, technical, and managerial measures to keep personal information protected from unauthorized access. Among such safeguards are the encryption of communications via SSL, encryption of information while it is in storage, firewalls, access controls, separation of duties, and similar security protocols. However, due to the nature of the Internet and related technology, we cannot absolutely guarantee the security of personal information, and Marsh expressly disclaims any such obligation.
ACCURACY, ACCOUNTABILITY, OPENNESS AND CUSTOMER ACCESS
Our knowing about changes to some of your personal information (e.g. email address) may be key to effectively communicating with you at your request. If any of your details change you can update us by emailing us at firstname.lastname@example.org or log in to the site and update your contact information. Please keep us informed of changes to your personal information.
You have the right to access your personal information and request rectification of any personal information in the file that may be obsolete, incomplete or incorrect. However, to secure your personal information, Marsh does not provide online access to its customers to view or amend personal information in its database.
12 A Abba Hillel St.
Ramat Gan, Israel 52506
Your personal information will be stored and can also be accessed at the Marsh office with which you do business. For a complete list of our offices, click here.
QUESTIONS OR TO WITHDRAW CONSENT
You may exercise your right to withdraw your consent to applicable uses or disclosures of your personal information (which may limit or terminate the products and services that Marsh provides to you) by writing to us at the above address. We will need to validate the identity of anyone making such a request to ensure that we do not provide your information to anyone who does not have the right to such information.
Normally we will respond to access requests within 30 days.