Mercer Privacy Notice relating to Business Purposes and Analytics
Mercer Limited (Mercer) is committed to safeguarding the privacy of individuals whose personal information it processes in the course of, and after, providing services (you).
This privacy notice (the Privacy Notice) describes how Mercer and its affiliates processing personal information within the European Economic Area (the EEA) and the United Kingdom (we, us, our) collect personal information, and how we will use that personal information for business purposes and analytics.
This Privacy Notice covers the following areas:
(1) Our status
When we process your personal information in connection with business purposes and analytics, we act as an independent data controller.
This Privacy Notice only applies in relation to the processing of personal information that we undertake as a controller for business purposes or analytics.
We may also process personal information about you in relation to other relationships that we have with you or services that we provide. Where we collect this additional personal information as a controller, how we collect and handle this personal information may be set out in other Mercer privacy notices and terms and conditions. You can find out more here.
For activities that we perform as a processor on behalf of our clients (such as pension scheme administration services), details of processing will be set out in the privacy notice of your relevant pension scheme trustee and/or employer.
(2) Information we collect about you
We may collect and process some or all of the following personal information about you:
- Personal Details: name, date of birth/age, gender, address, email address, telephone number, national insurance/national identification number/social security number, passport number, marital status, driving licence number.
- Employment details: employee ID, employment status, dates of absence, employment grade, employee performance, job title, salary and remuneration arrangements, employer location and office address, employer name, employment periods, employee benefits, short and long term incentive payouts and targets, company car, business travel information, educational background.
- Pension information: pensionable service status, pension benefit amounts, nature and details of current and historic pension arrangements, pension amounts, pension contributions, beneficiary details, number of dependents/beneficiaries.
- Other: insurance cover, insurance claim details and amount, bank details, underwriting status, details of power of attorney, psychometric test results, marketing data regarding marketing consents and preferences.
- Special category data: details of a Data Subject’s sexual orientation, trade union membership, ill-health status and/or medical details, including condition type and treatment type, location and date.
(3) Sources of Information
We collect and receive Personal Data from various sources, including (depending on the service we are seeking to or are providing and the country you are in):
(a) Information that you provide to us
If we receive information from you directly.
(b) Information provided to us by our clients or other third parties
If we receive information from our clients, such as your employer, your pension scheme trustees or your insurer, or their advisors, insurers, or intermediaries, or any other third party.
(c) Information from publically available sources
If we obtain information from publically available sources, such as websites, anti-fraud or other third party databases, including sanctions lists or the electoral roll.
(d) Website and communication usage
Details of your visits to our website and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources you access. Information on how we handle this type of data can be found in our website cookie notice, which can be found here.
(4) How we use your personal information
This section sets out the purposes for which we use personal information that we collect and, in compliance with our obligations under European data protection law, identifies the “legal grounds” (or “use justifications”) which we rely on to process the information (the full description of each of these grounds can be found in Annex 1 to this Privacy Notice).
We may use your personal information for the following purposes:
(a) Data analytics: To conduct benchmarking, modelling and data analytics to create insights, reports and other analytics to inform, improve the quality of and market Mercer’s advice, products and services and to provide industry insights. Where possible, we pseudonymise and de-identify the information used for analytics. This means we remove information from which you can be directly identified, e.g. your name, and replace it with a unique identifier.
Use justification: Legitimate interests (to enable us to perform our contractual obligations and allow us to develop insights and improve our service), for statistical purposes.
(b) Regulatory compliance: To undertake such other activities as are required in order to meet our ongoing regulatory, legal and compliance obligations, including the prevention and detection of crime, for fraud detection purposes, anti-money laundering and sanctions checks and in order to liaise with statutory bodies.
Use justification: Legitimate interests (to enable us to perform our contractual obligations and to cooperate with our regulators), contract performance, legal obligation.
(c) To communicate effectively with our clients: To conduct our business, including to respond to our clients’ queries and to otherwise communicate with our clients, including to inform them of changes to our services and products.
Use justification: legitimate interests (to enable us to perform our obligations, provide our services to you and defend or make legal claims), contract performance, legal obligation.
(d) To reorganise or make changes to our business: To share data as part of any due diligence process, or following a sale or reorganisation, in the event that we: (i) are subject to negotiations for the sale of all or part of our business to a third party; (ii) are sold to a third party; or (iii) undergo a reorganisation.
Use justification: Legitimate interests (in order to allow us to change or business).
(e) Legal claims and complaints: Investigate and respond to queries, complaints or claims regarding our services.
Use justification: Legitimate interests (in order to allow us improve our services and to defend or make legal claims), legal obligation.
(f) To provide you with marketing material: To provide you with updates and offers. We may use your name and contact details to provide you with information about products or services which we think would be of interest to you. We may also share your personal information with our affiliates within the March & McLennan Companies, Inc (“MMC”) corporate group (“MMC Affiliates”) so that they can provide you with information about their products and services. These may be sent by email, SMS, phone, fax or post.
Within MMC, we operate under a number of brands and you may receive such communications from our different trading names, such as, Mercer, Mercer Marsh Benefits (MMB), Darwin, Marsh, Marsh Commercial, Marsh Networks and others.
We take care to ensure that our marketing activities comply with all applicable EEA and UK legal requirements. In some cases, this may mean that we ask for your consent in advance of us or MMC Affiliates sending you marketing materials.
In all cases, you can always opt out of receiving marketing communications from us or MMC Affiliates, at any time. We will always provide an option to unsubscribe or opt-out of further communication on any electronic marketing communications sent to you or you may opt out by contacting us as set out below.
Please note that, even if you opt out of receiving marketing messages, we may still send you communications in connection with the services we provide to you.
Use justification: consent and legitimate interest (to keep you updated with news in relation to our products and services).
(5) Who we share your personal information with
We may share your personal information with the following categories of recipients:
(a) Our clients, such as your employer or former employer and their respective service providers or such other third parties as they instruct us to release the personal data to on their behalf;
(b) Law enforcement bodies, third party agencies and sanctions lists, in connection with the prevention or detection of criminal activities, including fraud;
(c) Public authorities, regulators and government bodies (such as HMRC), where this is necessary for us to comply with our legal and regulatory obligations;
(d) Advisers, including legal advisers, loss adjusters and claims investigators, in connection with the investigation, exercise or defence of legal claims;
(e) Our MMC Affiliates and our commercial partners who are licensed to market our products in other territories.
(f) Third parties (and their advisers) in the event of a sale or reorganisation of our business;
(g) Third party suppliers to whom we have outsourced certain activities, who process personal information on our behalf.
(6) How we protect your personal information
Security over the internet
We maintain commercially reasonable physical, electronic and procedural safeguards to protect your personal information in accordance with data protection legislative requirements.
All personal information that we hold is stored on our, or our third party suppliers’, secure servers and only accessed and used subject to our security policies and standards.
Export outside the EEA and the United Kingdom
Your personal information may be accessed by our staff, affiliates or suppliers in, transferred to, and/or stored at, a destination outside the country in which you are located, whose data protection law may be of a lower standard than those in your country. We will, in all circumstances, safeguard personal information as set out in this Privacy Notice.
Where we transfer personal information from inside the EEA or the United Kingdom to outside the EEA or United Kingdom, we are required to take specific measures to safeguard the relevant personal information. Certain countries outside the EEA and the United Kingdom have been approved by the European Commission or the United Kingdom Government as providing essentially equivalent protections to EEA or United Kingdom data protection laws and therefore no additional safeguards are required to export personal information to these jurisdictions (see the full EEA list here). In countries which are not subject to this approval, we will establish legal grounds justifying such transfer, such as MMC Binding Corporate Rules (see here for MMC’s BCR Summary), model contractual clauses, or other legal grounds permitted by applicable legal requirements.
Please contact us as set out below if you would like to see a copy of the specific safeguards applied to the export of your personal information.
(7) Your Rights
Under certain conditions, you have the right to ask us to:
a) provide you with further details on the use we make of your information;
b) provide you with a copy of information that you have provided to us;
c) update any inaccuracies in the personal information we hold; and
d) delete any personal information that we no longer have a lawful ground to use,
e) object to any processing that we justify on the basis of our “legitimate interests” unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
f) object to direct marketing (including any profiling for such purposes);
g) restrict how we use your information whilst we consider your inquiry; and
h) where processing is based on consent, you have the right to withdraw your consent by contacting us at the contact details below or as indicated when consent was given.
You can exercise these rights by contacting us as set out in the “contacting us” section below. Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights we will check your entitlement and respond in most cases within a month.
If you are not satisfied with our use of your personal information or our response to any exercise of these rights you have the right to complain to the data protection regulator in your country.
(8) Contacting Us
If you have any questions in relation to this Privacy Notice, please contact our Data Protection Officer at firstname.lastname@example.org or at:
Data Protection Officer
Marsh & McLennan Companies, Inc.
Tower Place West
(9) Changes to Our Privacy Notice
We may change our Privacy Notice from time to time in the future. If we change this Privacy Notice, we will update the date the Privacy Notice was last changed below. If these changes are material, we will take reasonable steps to notify you of the changes.
This Privacy Notice was last updated in March 2023.
These are the principal legal grounds that justify our use of your information:
Consent: where you have consented to our use of your information you will have been presented with a consent form in relation to any such use and may withdraw your consent as indicated by such form or by emailing us at email@example.com.
Contract performance: where your information is necessary to enter into or perform our contract with you.
Legal obligation: where we need to use your information to comply with our legal obligations.
Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
Statistical Purposes: where we use your information for the purposes of carrying out statistical analysis in the public interest, in a way that is proportionate to the aim pursued and that safeguards your interests.
Substantial public interest: where your information is necessary for: (i) the purposes of making a determination in connection with an occupational pension scheme; (ii) fraud prevention purposes; (iii) insurance purposes; or (iv) some other purpose that applicable data protection law considers to represent a substantial public interest, in each case subject to applicable conditions.