Mercer Privacy Notice relating to Business Purposes and Analytics 

Mercer is committed to safeguarding the privacy of individuals whose personal data it processes in the course of, and after, providing services (you). 

This privacy notice (the Privacy Notice) describes how Mercer businesses located within the European Economic Area (the EEA), the United Kingdom and Switzerland (we, us, our) collect personal data, and how we will use that personal data for business purposes and analytics. 

This Privacy Notice covers the following areas:

1. Our status
2. Personal data we collect about you
3. Sources of personal data
4. How we use your personal data
5. Who we share your personal data with
6. How we protect your personal data
7. Your rights
8. Contacting us
9. Changes to our Privacy Notice

When we process your personal data in connection with business purposes and analytics, we act as an independent data controller.

This Privacy Notice only applies in relation to the processing of personal data that we undertake as a controller for business purposes or analytics.

We may also process personal data about you in relation to other relationships that we have with you or services that we provide. Where we collect this additional personal data as a controller, how we collect and handle this personal data may be set out in other Mercer privacy notices and terms and conditions.  You can find out more here.

For activities that we perform as a processor on behalf of our clients, details of processing will be set out in the privacy notice of your relevant pension scheme trustee and/or employer.

We may collect and process some or all of the following personal data about you:

• Personal Details: name, date of birth/age, gender, address, email address, telephone number, national insurance/national identification number/social security number, passport number, marital status, driving licence number.
• Employment details: employee ID, employment status, dates of absence, employment grade, employee performance, job title, salary and remuneration arrangements, employer location and office address, employer name, employment periods, employee benefits, short and long term incentive payouts and targets, company car, business travel information, educational background.
• Pension information: pensionable service status, pension benefit amounts, nature and details of current and historic pension arrangements, pension amounts, pension contributions, beneficiary details, number of dependents/beneficiaries.
• Other: insurance cover, insurance claim details and amount, bank details, underwriting status, details of power of attorney, pyschometric test results, marketing data regarding marketing consents and preferences.
• Special category or sensitive personal data: details of a Data Subject’s sexual orientation, trade union membership, ill-health status and/or medical details, including condition type and treatment type, location and date.

We collect and receive personal data from various sources, including (depending on the service we are seeking to or are providing and the country you are in):

(a)  Personal data that you provide to us

If we receive personal data from you directly.

(b)  Personal data provided to us by our clients or other third parties

If we receive personal data from our clients, such as your employer, your pension scheme trustees or your insurer, or their advisors, insurers, or intermediaries, our affiliates in the Marsh McLennan corporate group, or any other third party.

(c)  Personal data from publicly available sources

If we obtain personal data from publicly available sources, such as websites, anti-fraud or other third party databases, including sanctions lists or the electoral roll.

(d) Website and communication usage

Details of your visits to our website and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources you access.  Information on how we handle this type of data can be found in our website cookie notice, which can be found here.

This section sets out the purposes for which we use personal data that we collect and, in compliance with our obligations under applicable data protection laws of the EEA, the United Kingdom and Switzerland, identifies the “legal grounds” (or “use justifications”) which we rely on to process the personal data (the full description of each of these grounds can be found in Annex 1 to this Privacy Notice).

We may use your personal data for the following purposes:

(a)   Data analytics: To conduct benchmarking, modelling and data analytics to create insights, reports and other analytics to inform, improve the quality of and market Mercer’s advice, products and services and to provide industry insights.  Where possible, we pseudonymise and de-identify the personal data used for analytics.  This means we remove personal data from which you can be directly identified, e.g. your name, and replace it with a unique identifier. 

Use justification: our legitimate interests which are: (a) to enable us to provide professional, effective and valuable services to our clients; and (b) to ensure our services are continuously improved and updated., for statistical purposes.

(b)  To detect fraud, waste and abuse in health insurance claims using artificial intelligence technology: Analysing claims data to detect fraud, waste and abuse in claims made under our client’s health insurance policies using artificial intelligence technology. This may involve processing special category data. Where possible, we use pseudonymised and de-identified personal data for this purpose. This means the data does not contain any information from which you can be directly identified.

Use justification: our and our client’s legitimate interests which are to detect fraud, waste and abuse in health insurance claims, substantial public interest (insurance).

(c)   Legal and regulatory compliance: To undertake such other activities as are required in order to meet our ongoing regulatory, legal and compliance obligations, including the prevention and detection of crime, for fraud detection purposes, anti-money laundering and sanctions checks and in order to liaise with statutory bodies.

Use justification: (i) legal obligation; and (ii) our legitimate interests which are: (a) to protect our business interests in providing our services in compliance with requests, demands and guidance from our regulators; and (b) to ensure our service offering to clients is amended as required to continue to provide those services in accordance with current regulatory guidance and best practice principles.

(d)  Effective communication with our clients: To conduct our business, including to respond to our clients’ queries and to otherwise communicate with our clients, including to inform them of changes to our services and products.

Use justification:

(i) the legitimate interests of our clients to receive information about their services; or (ii) our legitimate interests which are: (a) to keep our clients informed about relevant services; (b) to ensure our service offering, and any changes to that offering, is communicated to clients using the most appropriate and effective method; (c) to enable us to provide professional, timely and efficient services to our clients; and (d) to ensure our client relationships are well managed.

(e)   To reorganise or make changes to our business: To share data as part of any due diligence process, or following a sale or reorganisation, in the event that we: (i) are subject to negotiations for the sale of all or part of our business to a third party; (ii) are sold to a third party; or (iii) undergo a reorganisation.

Use justification: our legitimate interests which are to allow us to change our business.

(f)    Legal claims and complaints: To investigate, establish, exercise and defend actual or potential legal claims or complaints.

Use justification: (i) our legitimate interests which are (a) to defend ourselves against legal or regulatory claims brought against us or our affiliates; or (b) to enforce our legal rights including the commencement and carrying out of legal and court proceedings, where necessary; and (c) to recover any payments due to us, (ii) legal claims.

(g)   To provide you with marketing material: To provide you with updates and offers. We may use your name and contact details to provide you with information about products or services which we think would be of interest to you. We may also share your personal information with our affiliates within the Marsh McLennan corporate group (“Marsh McLennan Affiliates”) so that they can provide you with information about their products and services. These may be sent by email, SMS, phone, fax or post.

Within Marsh McLennan, we operate under a number of brands and you may receive such communications from our different trading names, such as, Mercer, Mercer Marsh Benefits (MMB), Darwin, Marsh, Marsh Commercial, Marsh Networks and others.

We take care to ensure that our marketing activities comply with all applicable EEA, UK and Swiss legal requirements. In some cases, this may mean that we ask for your consent in advance of us or Marsh McLennan Affiliates sending you marketing materials.

In all cases, you can always opt out of receiving marketing communications from us or Marsh McLennan Affiliates, at any time. We will always provide an option to unsubscribe or opt-out of further communication on any electronic marketing communications sent to you or you may opt out by contacting us as set out below.

Please note that, even if you opt out of receiving marketing messages, we may still send you communications in connection with the services we provide to you.

Use justification: (i) consent; (ii) the legitimate interests of our clients and their employees which are to receive information about the most up-to-date, accurate and secure services we can offer; and (iii) our legitimate interests which are (a) to keep our clients informed about relevant services and (b) to ensure our client relationships are well managed.

We may share your personal data with the following categories of recipients:

(a)  Our clients, such as your employer or former employer and their respective service providers or such other third parties as they instruct us to release the personal data to on their behalf;

(b)  Law enforcement bodies, third party agencies and sanctions lists, in connection with the prevention or detection of criminal activities, including fraud;

(c)   Public authorities, regulators and government bodies (such as HMRC), where this is necessary for us to comply with our legal and regulatory obligations;

(d)  Advisers, including legal advisers, loss adjusters and claims investigators, in connection with the investigation, exercise or defence of legal claims;

(e)  Marsh McLennan Affiliates and our commercial partners who are licensed to market our products in other territories.

(f)    Third parties (and their advisers) in the event of a sale or reorganisation of our business;

(g)  Third party suppliers to whom we have outsourced certain activities, who process personal data on our behalf.

We maintain commercially reasonable physical, electronic and procedural safeguards to protect your personal data in accordance with data protection legislative requirements.

All personal data that we hold is stored on our, or our third party suppliers’, secure servers and only accessed and used subject to our security policies and standards.  

Your personal data may be accessed by our staff, affiliates or suppliers in, transferred to, and/or stored at, a destination outside the country in which you are located, whose data protection law may be of a lower standard than those in your country.  These countries may include the member states of the EEA, Switzerland, the United Kingdom, the United States, Canada, India and Singapore. We will, in all circumstances, safeguard personal data as set out in this Privacy Notice.

Where we transfer personal data from inside the EEA, the United Kingdom or Switzerland to outside the EEA, United Kingdom or Switzerland, we are required to take specific measures to safeguard the relevant personal data.  Certain countries outside the EEA, the United Kingdom and Switzerland have been approved by the European Commission, the United Kingdom Government or the Swiss Federal Data Protection and Information Commissioner as providing essentially equivalent protections to EEA, United Kingdom or Swiss data protection laws and therefore no additional safeguards are required to export personal data to these jurisdictions (see the full EEA list here, the UK list here and the Switzerland list here). In countries which are not subject to this approval, we will establish legal grounds justifying such transfer, such as Marsh McLennan Binding Corporate Rules (see here for Marsh McLennan’s Binding Corporate Rule summaries), model contractual clauses, or other legal grounds permitted by applicable legal requirements.

Please contact us as set out below if you would like to see a copy of the specific safeguards applied to the export of your personal data.

We will retain your personal data for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose (for example where we are required to retain personal data for longer than the purpose for which we originally collected it in order to comply with certain regulatory requirements, to defend legal claims, respond to complaints or to ensure that we have an accurate record of the service that we have provided). Our retention periods are based on business needs and your personal data that is no longer needed is either irreversibly anonymised (and the anonymised information is retained) or securely destroyed.

Under certain conditions, you have the right to ask us to:

a)      provide you with further details on the use we make of your personal data;

b)      provide you with a copy of your personal data we hold;

c)      update any inaccuracies in the personal data we hold; and

d)      delete any personal data that we no longer have a lawful ground to use,

and to:

e)      object to any processing that we justify on the basis of our “legitimate interests” unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;

f)       object to direct marketing (including any profiling for such purposes);

g)      restrict how we use your personal data whilst we consider your inquiry; and

h)      where processing is based on consent, you have the right to withdraw your consent by contacting us at the contact details below or as indicated when consent was given.

You can exercise these rights by contacting us as set out in the “contacting us” section below. Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g.  the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).  If you exercise any of these rights we will check your entitlement and respond in most cases within a month.

If you are not satisfied with our use of your personal data or our response to any exercise of these rights you have the right to complain to the data protection regulator in your country.

If you have any questions in relation to this Privacy Notice, please contact our Data Protection Officer at privacy@mmc.com or at:

Data Protection Officer

Marsh McLennan

Tower Place West

London

EC3R 5BU

We may change our Privacy Notice from time to time in the future.  If we change this Privacy Notice, we will update the date the Privacy Notice was last changed below.  If these changes are material, we will take reasonable steps to notify you of the changes.

This Privacy Notice was last updated in July 2025.

These are the principal legal grounds that justify our use of your information:

Consent: where you have consented to our use of your information you will have been presented with a consent form in relation to any such use and may withdraw your consent as indicated by such form or by emailing us at privacycoordinator@mercer.com.

Contract performance: where your information is necessary to enter into or perform our contract with you.

Legal obligation: where we need to use your information to comply with our legal obligations.

Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.

Statistical Purposes: where we use your information for the purposes of carrying out statistical analysis in the public interest, in a way that is proportionate to the aim pursued and that safeguards your interests.

Substantial public interest: where your information is necessary for: (i) the purposes of making a determination in connection with an occupational pension scheme; (ii) fraud prevention purposes; (iii) insurance purposes; or (iv) some other purpose that applicable data protection law considers to represent a substantial public interest, in each case subject to applicable conditions.