Data protection 

We have made changes to our Business Purposes and Analytics Privacy Notice. You can read the updated version here.

Your Data Matters

We are focused on protecting your privacy and want to ensure that you understand how we collect and use personal data and how you can contact our Data Protection Office to find out more.

On this page you can find:

  • Our Privacy Notices that provide you with a clear explanation of when, why and how we collect and use your personal data when we process your data as a data controller.  You can also find a description of your data protection rights and how to exercise them and details of how to contact our Data Protection Officer.
  • Information about our Binding Corporate Rules, used for international data transfers.
  • Details of the sub-processors that we use when we are acting as a data processor and how you can subscribe to find out about changes to these.

Our Privacy Notices

 Notice Services Covered
UK Actuarial Services Services provided by our actuaries in the UK in relation to pension schemes.
Mercer Private Wealth Financial management services to individuals, trusts and charities.
Mercer Marsh Benefits Consumer Services Private medical insurance broking services provided to individuals.
Career Workforce Products Services provided to our corporate clients in relation to Career Workforce Products.
Business Purposes and Analytics Covering data processed for Mercer’s business purposes, such as anti-money laundering checks, retained data, or analytics and benchmarking.
French Broking Services Insurance broking services provided in France.
Spanish Broking Services Insurance broking services provided in Spain.
Portuguese Broking Services Insurance broking services provided in Portugal.
Website use Covering any data gathered within this website.

If you use any of our digital platforms, such as Mercer Money, Darwin, Ondo or Harmonise, you will find the applicable privacy notice on that platform.

Otherwise, if the service we provide is not described in the table above then it is likely that we provide that service as a data processor on behalf of another party, such as the trustees of your pension scheme. If this is the case and you would like a copy of their Privacy Notice then please contact them directly or contact our Data Protection Officer who will do their best to help you.

Binding Corporate Rules

Marsh McLennan holds EU and UK Binding Corporate Rules (BCRs) for the transfer of personal data from the European Economic Area and the UK respectively. BCRs are privacy standards approved by a supervisory authority for transfers of personal data within a corporate group. Marsh McLennan’s EU BCRs are approved by all supervisory authorities in the European Economic Area (with the Irish Data Protection Commission acting as the lead supervisory authority) and its UK BCRs are approved by the UK Information Commissioner’s Office. Marsh McLennan holds both the EU and UK BCRs in Controller and Processor forms.

When making transfers of personal data to group companies outside the European Economic Area and the UK, we usually rely on Marsh McLennan’s BCRs.

The summaries below set of the principles established by the EU and UK Controller and Processor BCR standards:

The Marsh McLennan entities that have signed the EU and UK BCRs agreement are detailed in the lists below:


You can find information about the sub-processors used by Mercer here.

Whether any sub-processor is used for any particular client engagement will depend on the country in which services are provided, the line of business, the nature of the services and any specific client terms or processes agreed.

Further information regarding the sub-processors used by Mercer can be obtained from your local Mercer contact.