Privacy Notice

Effective Date: November 28, 2022

Marsh is made up of different legal entities, namely Marsh LLC, an international insurance brokerage with offices based in more than 75 countries. This Privacy Notice is issued on behalf of the Marsh Group so when we mention “Marsh”, "we", "us" or "our" in this Privacy Notice, we are referring to the relevant company in the Marsh Group responsible for processing the information.

Marsh believes strongly in protecting the privacy and the confidentiality of the information that identifies or relates to an identifiable individual (“Personal Information” or “Personal Data”) that it collects, uses, discloses, stores, and transmits (processes) in the course of providing its insurance placement, managing general underwriter, program administrator, risk advisory or management, and other services (the “Services”). This Privacy Notice is intended to inform you of the ways in which we collect, use, and disclose personal information, and sets forth your rights.

Please take a moment to familiarize yourself with our privacy practices outlined below. If you are viewing this Privacy Notice on one of our websites or applications (“Sites”), including those managed by third parties we engage, please also familiarize yourself with the applicable Terms of Use to see how this Privacy Notice applies to your use of the Site. This Privacy Notice is incorporated into such Terms of Use. By using one of our Sites, you acknowledge that you have read, understand and accept this Privacy Notice and the Terms of Use.

This Privacy Notice is subject to change at any time. If we make changes to this Privacy Notice, we will update the “Effective Date” at the top of this page and post it on our Sites. Where required by local law, we will also notify you of any changes we make to this Privacy Notice in accordance with law and the notice provisions in the terms of our engagement. To the extent permitted by law, any changes we make to this Privacy Notice become effective immediately.

Our contractual commitments to clients will supersede any terms in this Privacy Notice.

OUR ROLE

In the United States, we generally collect personal information in the course of providing our Services pursuant to a contract we have with a commercial client (our “Client”). In such circumstances, we act as a “service provider” or “processor” under applicable US privacy laws and are thus obligated to process personal information in accordance with instructions from our Client, the business ultimately responsible for determining how your personal information will be handled. Accordingly, if you disclose personal information to us in connection with your role as an employee of our Client, or by virtue of some other relationship you have with our Client, we encourage you to review that Client’s privacy notice to understand the full scope of how your personal information will be handled. Further, in any case where we are acting as a service provider to a Client, if you or your authorized agent (together referred to hereinafter, where applicable, as “you”) wish to exercise any rights that may be available to you under law, you should direct your request to our Client, who is the party responsible for receiving, assessing, and responding to your requests.

Under the privacy laws in other countries, we generally act as a data controller and will determine the purposes and means of the processing of personal information and will be responsible for handling any request you submit to exercise your rights under such privacy laws.

If you are not certain what our role is with respect to your personal information, please contact us through one of the methods described at the end of this Privacy Notice.

PERSONAL INFORMATION WE COLLECT

The types of personal information we collect will vary depending on the nature of our relationship with our clients, such as the type of product or service we provide or the type of Site being accessed. In either case, we limit the personal information that we collect to that which will allow us to fulfill our intended business purposes. In many cases, the personal information we collect is required for us to provide our clients with our services or meet legal requirements, and failure to provide us with the information may prohibit us from delivering requested services.

Generally, we may collect and process the following types of personal information about individuals and, if required for the services provided, their dependents or beneficiaries under an employer, association, group or benefit program sponsor:

  • Individual Contact and Demographic Information (which may include Family Members)
    Name, address and/or proof of address, email address, telephone number, gender, marital status, family details, date and place of birth, employment information – employer, job title, employee ID, and employment history, and/or the individual’s relationship to the policyholder, insured, beneficiary or claimant, images.
  • Business Contact Information
    Employer, job title, business address, email and phone numbers.
  • Identification Details
    Identification numbers issued by government bodies or agencies (e.g., social security or national insurance number, passport number, tax identification number, ID number, or driver’s license number), and/or insurance provider (e.g., policy number or claim number).
  • Benefits Information
    Benefit elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits such as voluntary contributions, pension sharing orders, tax protections or other adjustments.
  • Financial Information
    Payment card number and related data, bank account number and account details, income and other financial information.
  • Insurable Risk Information
    The information necessary for us to secure insurance products/quotes, provide risk consulting services, and/or offer guidance on other financial products and services. This information may include to the extent relevant to the risk being insured:
    • Criminal records data – criminal convictions, including driving offenses;
    • Vehicle information - vehicle identification number and other vehicle details;
    • Health data - current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking), medical history, previous health insurance information;
    • Policy information - historical information about the insurance quotes individuals receive and the policies they obtain;
    • Claims information - information about current and/or previous claims, including health data; and
    • Other Special Categories of Personal Information - Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and/or data concerning an individual’s sex life or sexual orientation.
  • Credit and Anti-fraud Data
    Credit history and credit score, individual information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies.
  • Marketing Data
    Whether or not an individual has consented to receive marketing from us and/or from third parties; interaction with our Sites, marketing communications, articles, and social media.
  • Event and Survey Information
    Information related to Marsh-sponsored events that you have attended and product or service-related surveys you have completed.
  • Site-Related Information
    Information related to the operation of and use of a Site and information collected through cookie or other tracking technologies, which may include log-in credentials, IP addresses, domain names, browser versions and operating system, traffic data, the resources you access, and other Site-related information.

To learn more about each category of personal information we collect, the purpose for collection, the sources, and the parties to whom we disclose such personal information, please view this comprehensive chart.

SPECIAL CATEGORIES OF PERSONAL INFORMATION, INCLUDING CRIMINAL DATA

When we collect, use or disclose to third parties (such as insurers, intermediaries and reinsurers) Special Categories of personal information and criminal records data, we typically do so for reasons of substantial public interests, namely because it is necessary for the wide range of insurance-related activities that we undertake or because it is necessary for fraud prevention purposes.

Where we collect, use or disclose Special Categories of Personal Data in the administration of a government arrangement to provide compensation to industries affected by the COVID-19 pandemic, we may do so for reasons of substantial public interests insofar as it is necessary for government purposes.

Before you provide us with Special Categories of Personal Data and Criminal Records Data about a person other than yourself, you agree to notify such person of our use of their personal information and, if requested by us, to obtain their consent to our use of their Special Categories of personal information and Criminal Records Data (for example, by requiring the individual to sign a consent form).

HOW WE COLLECT PERSONAL INFORMATION

Information Provided by You, Your Representatives or Third Parties

We may collect information from you, your representatives, your employer, association, group or benefit program/plan sponsor, and/or third parties that have roles in delivering services to our clients. These third parties may include insurance companies, plan administrators and service providers, brokers or agents, credit agencies, financial institutions, and government agencies or persons acting on behalf of such parties. You might provide this information when you visit a Site; apply or request a quote for insurance coverage; enroll in an association, group, or employer benefits program; communicate with us or our service providers through email, chat and instant messenger; speak to a Marsh representative by phone or in a call center; enroll in events, or marketing or business development activities, or send mail to our office. In addition, your employer or program/plan sponsor or someone acting on their behalf may provide us with information about you.

If you supply us with personal information about other people, you represent that you have the authority to provide this information on their behalf and have obtained their consent where necessary. In these instances, you further represent that the individuals to whom this information relates have been informed of the information in this Privacy Notice and understand the reason(s) for obtaining the information, the manner in which this information will be used and disclosed, and have consented to such use and disclosure.

Collection by Automated Means

We use cookies on our company-branded websites. If available, Site users can opt-out of our use of certain cookies using our Cookie Management Tool linked at the bottom of the site. To find out more about how we use cookies, please see our Cookie Notice.

HOW WE USE THE PERSONAL INFORMATION WE COLLECT

Marsh may use the personal information received from you or your broker, insurance carrier, employer or association, group or benefit program/plan sponsor to:

  • Verify your identity;
  • Register and service your online account;
  • Contact you when necessary and respond to your requests and inquiries;
  • Process an insurance transaction, enrollment or service requested by you directly, or by a third party, including the following:
    • The procurement of insurance (new and renewals);
    • Insurance policy administration;
    • Claims processing;
    • Consulting and related risk control services; and/or
    • General risk modeling, benchmarking and/or other analytics services
  • Allow you to manage the services requested by you, or through a third party;
  • Market our services to you, including ours, those of our affiliates and those of third parties;
  • Analyze, administer, develop, personalize, and improve our products and services and evaluate the overall effectiveness of our marketing activities, Sites, and overall service;
  • Maintain network security and performance and protect against cyber-attacks;
  • Comply with and enforce applicable laws, industry standards, and our own policies;
  • Prevent and detect fraud and other legal or policy violations;
  • Perform benchmarking and analytics that support our client services;
  • De-identify information; and/or
  • As otherwise described to you at the point of collection, for our legitimate business purposes, or pursuant to your consent.

We may also process de-identified information that is not reasonably likely to identify you for commercially legitimate and lawful business purposes. Where we have de-identified information, we will maintain and use it without attempting to re-identify the data other than as permitted under law.

LEGAL BASIS FOR PROCESSING YOUR PERSONAL INFORMATION

The legal basis for our ability to process your personal information depends on which Services we provide to you. Please read our Purpose of Processing for complete details. Note that we may process your personal information for more than one legal basis depending on the specific purpose for which we are using your data.

We do not generally rely on consent as a legal basis for processing your personal information other than in relation to sending third-party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us at privacypolicyinquiries@marsh.com or by contacting our privacy office using the contact details in the Questions or Concerns section below.

You may also contact us if you need details about the specific legal basis we are relying on to process your personal information where more than one basis has been set out in the attached table.

DISCLOSURE OF YOUR PERSONAL INFORMATION

We may need to disclose your personal information in order to deliver the insurance and consulting products or services requested by you or your employer, or association, group or benefit sponsor, and/or to administer our Sites. We may disclose this information:

  • to perform the services you request from us
    • We may disclose your personal information to insurers, and/or third-party agents/brokers in connection with providing insurance quotes, binding insurance coverage, administering claims and other services.
  • with your employer, association, group or benefit program sponsor (when applicable)
    • To assist in the administration of a group insurance program, insurance program-related personal information required for the administration and governance of the group program may be disclosed.
  • with affiliates
    • To enable them to provide services to you or contact you regarding additional products and services that you have expressed an interest in.
  • with agents or third-party service providers
    • We sometimes contract with other companies and individuals to perform functions or services for us or on our behalf. To perform these services, they may have access to personal information required to perform these services, but are contractually restricted from using it for purposes other than providing services for or on behalf of Marsh.
  • with marketing partners
    • This sharing may occur, to the extent permitted by law, if you have requested a quote or service from us through such partners
  • in the context of mergers, acquisitions, and asset sales
  • to address legal matters
    • Marsh may preserve, and has the right to disclose, any information about you related to our rendered services or your use of this Site without your prior permission if we have a good faith belief that such action is necessary to: (a) protect and defend the legal rights, safety, and security of Marsh, our affiliates and business partners, and users of this site, (b) enforce the Terms of Use of a Site; (c) respond to claims of suspected or actual illegal activity, (d) respond to an audit or investigate a complaint or security threat; or (e) comply with applicable law, regulation, legal process, or governmental requests.

We may also disclose de-identified information that is not reasonably likely to identify you for commercially legitimate and lawful business purposes. Where we have de-identified information, we will maintain and use it without attempting to re-identify the data other than as permitted under law.

STEPS WE TAKE TO PROTECT YOUR INFORMATION

We have implemented commercially reasonable physical, administrative, and technical safeguards in an effort to protect your personal information from unauthorized access, use, alteration and deletion. These safeguards may vary depending on the sensitivity, format, location, amount, distribution and storage of the personal information, and include measures designed to keep personal information protected from unauthorized access. However, as effective as our security measures are, no security system is impenetrable. We cannot guarantee the security of our systems, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet.

YOUR DATA PROTECTION RIGHTS

Certain jurisdictions extend enhanced personal information rights to residents of or persons located in the jurisdiction. You may have some or all of the following rights in relation to the personal information we collect about or from you, depending on the jurisdiction and our reason for processing your information:

  • Right of access
    You may ask us to confirm whether we are processing your personal information and the specific pieces of personal information we have collected and, if necessary, provide you with a copy of that personal information (along with certain other details).
  • Right to correct (rectify)
    If the personal information we hold about you is inaccurate or incomplete, you may be entitled to request to have it corrected, taking into account the nature of the personal information and the purposes of the processing of your personal information.
  • Right to delete
    You may have a right in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable), to request that we delete or remove your personal information.
  • Right to restrict/limit processing
    You may have a right to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us. Please note that we process Sensitive Personal Information solely as necessary in performance of the Services, to ensure the security and integrity of the information, or as otherwise authorized under law or regulation. Because we do not process your Sensitive Personal Information for other purposes, you may not have a right to limit our processing of such information.
  • Right to data portability
    You may have the right to receive a copy of personal information we've obtained from you, where technically feasible, in a structured, commonly used and machine-readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
  • Rights in relation to automated decision making and profiling
    We do not engage in wholly-automated processing of Personal Information to make decisions that produce a legal or other significant effect. Because we do not engage in such automated processing, we do not provide a mechanism for you to limit our processing of Personal Information in such a manner.
  • Right to withdraw consent
    If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you may have the right to withdraw that consent. If you withdraw your consent, we may not be able to carry out your instructions or perform the contract we have or are trying to enter into with you.

If you wish to exercise any of the above rights, opt out of marketing communications or appeal a decision or denial we have made with respect to your personal information please select one of the following options:

For your protection, we will need to validate the identity of anyone making a request relating to your personal information. We will respond to your request within a period of time required under law (generally within 30-45 days) unless it is reasonably necessary for us to extend our response time.

You may also have some or all of the following rights:

  • Right to lodge a complaint
    If you have a concern about any aspect of our privacy practices, including the way we've handled your personal information, you may report it to the relevant supervisory or regulatory authority. You may contact us as provided at the bottom of this Privacy Notice if you would like to receive contact information for your local authority.
  • Right to Opt in or out of Sale or Sharing for Cross-Context Advertising
    If you visit one of our Sites, we may share your internet or other electronic network activity information for cross-context targeted advertising purposes utilizing advertising cookies. Under some laws, this activity may be considered a sale of information. As such, you may have the right to opt in or out of the sale of your personal information or the sharing of your personal information for cross context behavioral advertising or targeting purposes. To opt in or out of our selling or sharing of your personal information on our websites or to view the names of specific third parties with whom we have sold or shared your information, please click on the “Manage Cookies” link at the bottom of our webpage, where you will find instructions on how to manage cookies and other online trackers that may collect and share personal information in a manner that could be considered a sale or sharing under applicable law. If you would like to opt out of the sale or sharing of your information, ensure the toggles for “Advertising” and “Analytics” trackers are set to “No”.

You may also implement a browser setting or extension to communicate your selling and sharing preferences automatically to the websites you visit. Our websites process such “opt out preference signals” in a frictionless manner. The current “opt out preference signal” with a defined protocol for companies to follow if they receive the signal is called the Global Privacy Control (GPC). GPC is available for an increasing number of browsers and browser extensions, listed here. If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available here.

  • Direct Marketing and Do Not Track Signals
    You may have a right to request and obtain a notice once a year about the personal information we disclosed to other businesses for their own direct marketing purposes. If applicable, such a notice will include a list of the categories of personal information that were disclosed (if any) and the names and addresses of all third parties with which the personal information was disclosed (if any). The notice will cover the preceding calendar year. You may contact us as provided at the bottom of this Privacy Notice if you would like to learn if this right applies to you and, if so, exercise that right.
  • Right to Non-Discrimination
    You may exercise your rights under law without discrimination. For example, unless applicable law provides an exception, we will not:
    • Deny you goods or services;
    • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
    • Provide you a different level or quality of goods or services; or
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

We may offer you financial incentives to provide us with personal information that is reasonably related to the information’s value. This could result in different prices, rates, or quality levels for our products or services. Any financial incentive we offer will be described in written terms that explain the material aspects of the financial incentive program. You must opt-in to any financial incentive program and may revoke your consent at any time.

Please note that some of these rights may be limited where we have an overriding legitimate interest or legal, regulatory or contractual obligation to continue to process the personal information, or where the personal information may be exempt from disclosure or erasure under applicable law.

These rights are in some circumstances limited by data protection legislation.

PROFILING AND AUTOMATED DECISION MAKING

Insurance premiums are calculated by insurance market participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires Marsh and other insurance market participants to analyze and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use personal information to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. Marsh and other insurance market participants may use special categories of personal information and criminal records data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.

Marsh and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below. To do this, we may use personal information we receive from clients to match against information in the models that we have created based on the behavior of other individuals with similar attributes and to create further models. We use these models only for the purposes listed in this Privacy Notice. In most cases, our staff make decisions based on the models.

Automated broking platform

Where clients use the automated broking platform, insurance quotations are offered entirely by matching whether the attributes that the client has provided meet the criteria set by the insurers, which determines (a) whether a quotation will be made; (b) on what terms; and (c) at what price. Each insurer will use different algorithms to determine their pricing, and clients must consult each insurer’s privacy policy for further details. Our platform merely queries whether attributes of potential insureds satisfy insurers’ models and then returns the results. If the potential insured’s attributes do not satisfy insurers’ models, the quotation request is referred for review by a team with underwriting authority. We also apply fraud prediction algorithms to the information clients provide to assist us in detecting and preventing fraud.

These partially automated processes may result in a client not being offered insurance or affect the price or terms of the insurance.

Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime. However, generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.

CROSS-BORDER TRANSFERS

There are circumstances in which we will have to transfer your personal information out of the country in which it was collected for the purposes of carrying out the services we provide to you. These countries do not always afford an equivalent level of privacy protection and in such circumstances we take specific steps, in accordance with data protection law, to provide an adequate level of protection for personal information. Where the need for such a transfer arises, we will take steps to ensure that there are appropriate safeguards in place to protect your personal information such as an adequacy decision by the appropriate supervisory authority, the use of approved binding corporate rules or standard contractual clauses, or your consent. If you have questions regarding the specific mechanism under which your personal information is transferred to another country, if applicable, you may contact us at privacypolicyinquiries@marsh.com or by contacting our privacy office using the contact details in the Questions or Concerns section below.

For information regarding how Marsh & McLennan Companies’ EU Binding Corporate Rules (EU BCRs) operate, click here. For a list of entities that have agreed to be bound by the EU BCRs, click here.

For information regarding how Marsh & McLennan Companies’ UK Binding Corporate Rules (UK BCRs) operate, click here. For a list of entities that have agreed to be bound by the UK BCRs, click here.

MARKETING

We may use your personal information to provide you with information about products or services that we think would be of interest to you. We may also disclose your personal information with other companies in the Marsh group so that they can provide you with information about their products and services. These may be sent by email or post or, in some circumstances, we may telephone you to explain this information to you.

We take care to ensure that our marketing activities comply with all applicable legal requirements. In some cases, this may mean that we ask for your consent in advance of us or our group companies sending you marketing materials.

In all cases, you can opt out of receiving marketing communications at any time. You can do this by clicking on the "unsubscribe" link in any marketing email or by contacting us using the details set out at the end of this Privacy Notice.

Please note that, even if you opt out of receiving marketing messages, we may still send you communications in connection with the services we provide to you.

RETENTION OF YOUR INFORMATION

Our products, services, and regulatory obligations are complex, and thus our retention periods for personal information vary. We consider the following obligations when setting retention periods for personal information and the records we maintain: the need to retain information to accomplish the business purposes or contractual obligations for which it was collected; our duties to effectuate our clients’ instructions with respect to personal information we process on their behalf; our duties to comply with mandatory legal and regulatory record-keeping requirements; and other legal impacts such as applicable statute of limitations periods. We may also retain personal information for other purposes delineated in applicable privacy laws. When Personal Information is no longer needed, our company policies require that we either de-identify or aggregate the information (in which case we may further retain and use the de-identified or aggregated information for analytics purposes) or securely destroy it.

OTHER INFORMATION YOU SHOULD KNOW

Calls and Text Messages

In some instances, your employer or association, group or benefit program sponsor may request services that require Marsh to contact you via telephone calls or text. By accepting the terms of this Privacy Notice and providing us with your contact information, you consent to receive automated calls and texts, as well as emails and/or standard mail, from us including but not limited to information regarding your policy, account, benefits, relationship with us, and other products or services offered through us and/or your employer or program sponsor. Consent is not a condition of any purchase or to obtain a quote. Message and data rates may apply. If you wish to withdraw your consent in the future, follow the prompts described in the call or text or contact us as described below.

Minors

We do not knowingly collect personal information directly from children under 13. If we learn that we have collected any personal information from a child under the age of 13 without verifiable parental consent, we will delete that information from our files as quickly as possible. If you believe that we may have collected information from a child under 13, please contact us at the email address provided below.

If you are 16 years of age or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). However, we never knowingly sell or share the personal information of minors under 16 years of age and would not do so in the future without affirmative authorization of the individual if between 13 to 16 years of age, or the parent or guardian of an individual less than 13 years of age.

External Links

Our Sites may include links to websites that are operated by organizations other than Marsh. If you access another organization’s website using a hyperlink on our Site, the other organization may collect information from you. Marsh is not responsible for the content or privacy practices of linked websites or their use of your information. If you leave a Marsh Site via such a link (you can tell where you are by checking the URL in the location bar on your browser), you should refer to that website's privacy policies, terms of use, and other notices to determine how they will handle any information they collect from you.

QUESTIONS OR CONCERNS

To submit questions or requests regarding this Privacy Notice or Marsh’s privacy practices, please email us at privacypolicyinquiries@marsh.com. If you would prefer to contact us by post or by phone, please contact our privacy office using the following contact details:

EU/UK
The Data Protection Officer
Marsh Ltd
Tower Place
London
EC3R 5BU
Phone: +44 (0)207 357 1447
Email: dataprotection@marsh.com

Outside of the EU/UK
Marsh Global Chief Privacy Officer
Marsh & McLennan Companies, Inc.
1166 Avenue of the Americas
New York, NY 10036

If we are unable to resolve an enquiry or a complaint, individuals may have a right to contact the applicable supervisory or regulatory authority. For more information about how to contact your supervisory or regulatory authority, please email us at privacypolicyinquiries@marsh.com.