We're evolving. Mercer is now part of the new, expanded Marsh brand

Discover the new Marsh

MERCER NEW ZEALAND PRIVACY POLICY 

EFFECTIVE DATE:
30 April 2026

INTRODUCTION

This Privacy Policy describes how Mercer (N.Z.) Limited (NZBN 9429040873121)  (“Mercer” or the “Company”), collect, use, share, retain, transfer and otherwise process information relating to identified or identifiable individuals (“Personal Data”), and the rights you may have regarding your Personal Data. We believe that it is important for you to understand how we process Personal Data and encourage you to take a moment to familiarize yourself with our privacy practices outlined below.

Mercer (N.Z.) Limited is a company belonging to the Marsh & McLennan Companies, Inc. (“Marsh”) group, which, in New Zealand operates through one distinct legal entity, referred in this Privacy Policy as Mercer.

Mercer is bound by and adheres to the New Zealand Privacy Act 2020 (the “Act”) and the Privacy Principles as set out in the Act and any related Codes. These govern how we collect, hold, use and disclose your Personal Data. If you wish to seek further information on the Act, see www.privacy.org.nz.

Please note that in some instances we act on behalf of and under the instructions of clients, or other partners who handle your Personal Data. Please refer to their respective privacy policies for more information regarding the processing of your Personal Data in these contexts.

WHAT PERSONAL DATA DO WE COLLECT

We may collect the following categories of Personal Data where appropriate to fulfill our intended business purposes:

Category

Examples

Biographical identifiers

Name, date of birth, age, place of birth, gender

Contact information

Home address, mailing address, telephone number, email address

Identification information

Driver’s license number, passport information, birth certificate, bank account details and any other confirmation of identity documents.

Professional or employment-related information

Employer or group, relationship to our company, job title, business contact details, employee ID, salary and remuneration arrangements and employment history and other information collected during the recruitment process, and/or your relationship to the policyholder, insured, beneficiary or claimant

Sensitive Information 

IRD Number, racial or ethnic origin, membership of a professional trade or association, membership of a trade union, criminal record, or health information

Financial Information

Bank account number and account details, source of funds and wealth information, your Prescribed Investor Rate, tax residency, assistance received from providers including WINZ, Inland Revenue and banks, and other financial information

Benefit and Pension Information

Benefit elections, superannuation information, date of retirement and any relevant matters impacting your benefits such as voluntary contributions, details of power of attorney

Insurable Risk Information

Health information, injury or disability information, relevant personal habits, medical history, historical information about the insurance quotes and coverages obtained, credit history, and claims information and history, each to the extent relevant to the risk being insured

Inferred Information

Profile reflecting a person's preferences, characteristics, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes

Internet or other similar network activity

Browsing and search history, interaction with a website, application, or advertisement, data from cookies or web beacons, login credentials, domain names, and interactions with our emails, including when you read and respond to emails, ISP (Internet Service Provider), browser details, other website activity, online identifiers (including IP address or device ID)

Any other voluntarily-provided information

Information regarding partners and dependents (including minor dependents), emergency contact details, disclosure statements, restrictive covenants, geolocation, marketing and communication preferences, information related to company-sponsored events that you have attended, and your feedback or survey responses where you choose to identify yourself

Every category of Personal Data not expressly listed as voluntarily-provided may be required to provide the requested services.

You have no legal obligation to provide us with any Personal Data when you request or use the services, and the provision of Personal Data is solely based on your free will. However, should you refuse to provide such required Personal Data, the Company may not be able to provide services offered. 

HOW WE COLLECT PERSONAL DATA

We may collect Personal Data about you from different sources, including indirectly from third parties. We may collect Personal Data from the following sources (depending on the service we are seeking to or are providing and the country you are in):

Data Provided by You, Your Representatives or Third Parties

  • Directly from you or your family members, online, face to face, by telephone, or in written correspondence, including where data is submitted on your behalf (where the person submitting has your permission to do so). For example, we may collect data when you visit a website, complete an application form, request a quote, contact us, call a service centre, or otherwise give us information;
  • Your representatives, including your employer, association, or group or benefit program/plan sponsor;
  • In the event of a claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjusters, lawyers and claims handlers;
  • Insurance market participants, such as insurers, reinsurers, appointed loss adjusters and other intermediaries;
  • Credit reference agencies (to the extent the Company is taking any credit risk or participating in any underwriting activities);
  • Anti-fraud databases and other third-party databases, including sanctions lists;
  • Government agencies, such as  tax authorities;
  • Law enforcement and/or credit reporting agencies, for the purposes of complying with requests by law enforcement, fraud prevention or credit reporting agencies;
  • Claim forms;
  • Business information and research tools;
  • Selected third parties who provide us with details of potential customers;
  • Third parties who introduce business to us;
  • Service providers and third-party affiliates or contractors to us;
  • Advertising service providers, who may place ads and collect information when you visit our websites; and
  • Vetting and data validation agencies and other professional advisory service providers in connection with our marketing or business development activities.

If you supply us with Personal Data about other people (e.g., family members, beneficiaries, or dependents), you represent that you have the authority to provide this data and that you have shared this Privacy Policy where appropriate.

If you communicate with one of our financial advisers or nominated representatives through any device or method, please note that we log and monitor all such communications in order to comply with our record-keeping obligations.

If you communicate with our Helpline team through any device or method, please note that we log and monitor all such communications for quality assurance and training purposes.

Collection by publicly available sources 

Personal Data may be obtained from public registers, government agency publications, news articles, sanctions lists, internet searches and social media sites in order to carry out background checks or as part of the normal course of the provision of services to you.

Collection by Automated Means 

We may collect Personal Data using automated monitoring technologies during your engagement with and/or use of our services, such as when you navigate through and interact with our websites. This may be done through log files, usage monitoring software, cookies and other related tracking technologies (“Cookies”) on our company-owned websites. If available (and to the extent required under applicable laws) based on your jurisdiction, website users can opt-out of our use of certain Cookies using the Manage Cookies link at the bottom of the website and find out more about how we use Cookies by selecting the Cookie Notice link. To the extent that you disable Cookies by refusing them through turning them off in your browser and/or deleting them in your hard drive, your access to some of the websites’ content and features may be limited. While you do not need to have Cookies turned on to use our websites, your experience may be affected.

We may also collect certain information about your equipment, browsing actions and patterns, some of which may be linked to you personally. This information helps our services and websites function correctly, helps us understand the needs of our users and may be used for the other purposes set out in this Privacy Policy. This may also include collecting information about your location if you allow our services and/or websites to deliver content based on your location (e.g., by enabling this feature on your mobile device). Location data may be collected through GPS, Bluetooth or Wi-Fi signals.

INTERACTIONS WITH THIRD PARTIES

External Links 

Our websites may include links to websites that are operated by organizations other than the Company.  If you access another organization’s website using a hyperlink on our website, the other organization may collect information from you.  To the maximum extent permitted by law, the Company is not responsible for the content or privacy practices of linked websites or their use of your Personal Data.  If you leave a Company website via such a link (you can tell where you are by checking the URL in the location bar on your browser), you should refer to that website’s privacy policies, terms of use, and other notices to determine how the other organization will handle any Personal Data they collect from you.

Our websites include social media features such as the LinkedIn button and widgets or interactive programs that run on our sites. These features may collect your IP address, which pages you visit on our sites, and how long for. If you’re a member of a social media site, the interfaces may allow the social media site to connect your visits to this site with other personal information. Social media features and widgets are either hosted by a third party or hosted directly on our websites. Your interactions with these features are governed by the privacy policy on the third party providing it and to the maximum extent permitted by law we accept no responsibility for the actions or omissions of those third parties:

  • We may provide an application programming interface (“API”) to enable third party applications to interface with our websites. Some applications enable you to interact with us through the API in a way that requires you to log in. To do this, most of these applications will direct you through a process where you are able to let the application connect to your account.
  • If you allow an application to connect to your account on our websites, including if you set up your account on our websites using an API with a third party social media platform, that application will be able to access information that you can see when you are logged into our websites. You should only allow applications you trust to access your account on our websites.
  • If you set up your account on our websites using an API with a third party social media platform, you also consent to use obtaining and using your Personal Data from such platform.

Collection by Third Parties 

If you conduct a transaction through us, a third party (e.g., a service provider or insurer) may collect and process Personal Data about you, including through Cookies, in connection with such a transaction. In those instances, and for any other arrangement where we receive information from your employer, association or other third party, we encourage you to read the third party’s privacy policy to learn more about how your information will be used and disclosed by them.

HOW WE USE THE PERSONAL DATA WE COLLECT

We will only use Personal Data for the purposes for which it was collected, for related purposes, or as otherwise permitted or required by law.

We may use Personal Data we collect:  

Purpose

Description of Use

To conduct, manage and protect our business

We use Personal Data as necessary to conduct our business, including, but not limited to, verify your identity, respond to your queries and complaints, communicate with you, process transactions, establish an online account, provide superannuation, pension and investment administration services, provide consulting services, manage and assess claims, processing payment of benefits, processing and paying claims and making and receiving other payments, manage applications for employment and any subsequent employment, or carry out our contractual obligations.

To provide you with marketing material where permissible under applicable law

We may use your contact details to send you information about products, services, and insights we think might be of interest to you. These communications may be sent by email, SMS, post, or phone in accordance with your marketing preferences and applicable global laws, including those relating to data protection and electronic communication. As a result, the basis on which we contact you will vary depending on who you are, our relationship with you, and where you are located.
Regardless of the basis on which we share our marketing communications with you, we will comply with local law and provide an option for you to unsubscribe at any time in which case we will stop sending you our marketing communications.
Please note that, even if you opt-out of receiving marketing communications, we may still send you communications in connection with the services we provide to you. 

For research, data analytics and development purposes

We may analyse Personal Data together with information from other clients to create insights, reports, and other analytics to better understand and improve the quality of our offering; market our advice, products, and services; and evaluate the effectiveness of our marketing activities, websites, and overall service. 

Please note that we may de-identify Personal Data such that it is not associated with any particular client or individual.   

To log and monitor certain activities and maintain network security and performance, and protect against cyber attacks

We may log and monitor communications and transactions to ensure service quality, compliance with procedures and legal requirements, and to combat fraud. We also use Personal Data to maintain network security, monitor website performance, and protect our systems against cyber-attacks.

To maintain our websites and ensure website content is relevant

We may use Personal Data to maintain our websites and ensure that content from our websites is presented in the most effective manner for you and for your device.

To reorganise or make changes to our business

As necessary if we: (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organisation or a change of control. 

In connection with legal or regulatory obligations

We may use Personal Data to comply with our legal obligations, including our regulatory disclosure requirements or as part of dialogue with our regulators as applicable.   

For Fraud, Anti-Money Laundering and Sanctions Screenings

When establishing or maintaining client relationships for the provision of certain services we use Personal Data for the purposes of carrying out fraud, anti-money laundering or sanctions checks. 
We may also use the Personal Data we collect and receive as otherwise described to you at the point of collection or otherwise.

PROFILING AND AUTOMATED DECISION MAKING

Insurance premiums are calculated by insurance market participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires the Company and other insurance market participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities.  Accordingly, Personal Data may be used by third parties to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. The Company and insurance market participants may use Personal Data or Sensitive Personal Data, including health information, for such modelling to the extent it is relevant, such as medical history for life insurance.  

The Company and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below. To do this, we may use Personal Data we receive from clients to match against information in the models that we have created based on the behaviour of other individuals with similar attributes and to create further models.

We use these models only for the purposes listed in this Privacy Policy. In most cases, our staff make decisions based on the models. 

To the extent we engage in the automated processing of your Personal Data, we will do so in accordance with applicable law. Decisions regarding insurance premiums, coverage limits and eligibility, however, may be determined by insurance carriers using automated means, including through one of our websites or applications interacting with such insurers’ systems.  In those instances, you should refer to the relevant insurer’s privacy notice for further information about their automated decision-making practices.  

DIRECT MARKETING

We may use your Personal Data to provide you with information about products or services which we think would be of interest to you. We may also share your Personal Data with other companies in the Marsh group (including Marsh Risk) so that they can provide you with information about their products and services. These may be sent by email, SMS or post or, in some circumstances, we may telephone you to explain this information to you.

We take care to ensure that our marketing activities comply with all applicable legal requirements, including the Unsolicited Electronic Messages Act 2007. Where required by law, we will obtain your consent before sending marketing communications.

You can opt out of receiving marketing communications, at any time. You can do this by clicking on the "unsubscribe" link in any marketing email or by contacting us using the details set out at the end of this Privacy Policy.

Please note that, even if you opt out of receiving marketing messages, we may still send you communications in connection with the services we provide to you.

WHO WE DISCLOSE PERSONAL DATA TO

We may disclose Personal Data to the following categories of third parties: 

Categories of third parties

Purpose for Disclosure

Insurers, third-party agents/brokers, and/or other similar third parties

To provide our contracted services.

Your employer, association, group, superannuation or pension fund trustee, administrator, or benefit program sponsor (when applicable) 

Assist in the administration of a scheme, workplace savings scheme, group insurance program and as otherwise necessary to provide our contracted services

Affiliates

Assist in providing the services and, where permitted by law, enable them to provide services to you or contact you regarding additional products and services.

Agents or third-party service providers (including professional advisers, IT hosting providers, payment processors, recruiters and employment screening providers)

Perform functions or services for us or on our behalf. Such third parties are contractually restricted from using Personal Data for purposes other than providing services for us or on our behalf.

Marketing partners, including affiliates and third parties engaged by us or our clients in connection with the services.

As permitted by law to provide you with information about our products, services, events, or insights.

Potential partners or successor entities   

In the context of mergers, acquisitions, bankruptcies, asset sales or other transactions where a third party assumes control of all or part of our assets or business.

Website analytics and advertising companies

To improve our services, for general operations and business needs, and to help us to improve user experiences on our websites and personalize content, measure the performance and use of content on our websites, and derive insights about the audiences who visit our websites and review content.

Anti-fraud databases, supervisory or regulatory authorities, law enforcement and other third parties 

As necessary to prevent fraud, communicate with supervisory or regulatory authorities, protect, enforce and defend the legal rights, safety, and security of our Company, our affiliates and business partners, and users of any website; respond to claims of suspected or actual illegal activity; respond to an audit or inquiry, or investigate a complaint or security threat; or comply with applicable law (where we are authorized or required to do so), regulation, legal process, or governmental request.

More generally, we may disclose your Personal Data if you have requested or authorized us to do so.

We may also disclose de-identified information that is not reasonably likely to identify you for lawful business purposes.  Where we have de-identified information, we will maintain and use it without attempting to re-identify the data other than as permitted under law. 

STEPS WE TAKE TO PROTECT PERSONAL DATA

Our service providers (as mentioned in this Privacy Policy) may store your Personal Data on our behalf. We may also hold your Personal Data ourselves, for instance, on servers or in physical files located on our premises.

Our company strives to comply with all applicable cybersecurity and data protection laws. With these goals in mind, Marsh has a dedicated Chief Information Security Officer (CISO) and a Global Chief Privacy Officer (GCPO). The CISO is responsible for managing a Global Information Security team and a comprehensive cybersecurity program.  

The GCPO leads and oversees a Privacy Center of Excellence and a Data Protection Officer Network responsible for implementing our comprehensive global privacy program. The Data Protection Officer Network connects our Data Protection Officers across the world and seeks to implement our privacy program consistently and thoroughly wherever we process data. You can find the name and contact information for the Data Protection Officer in your jurisdiction by emailing us at privacy@mmc.com.

ACCESS AND CORRECTION

Please note that we may need to use your Personal Data to verify your identity prior to fulfilling any of the below:

  • Access

You have certain rights under the Privacy Act 2020, to confirm whether we hold any Personal Data about you, and request that we  provide you with a copy of the Personal Data that we hold about you.

  • Correction

Additionally under the Privacy Act 2020, you may ask us to correct any in the Personal Data that we hold about you if it is inaccurate, out-of-date, incomplete or misleading.

If you wish to request access to or correction of your Personal Data, please submit a Data Subject Rights Request via this portal or contact us using the details set out below. 

CROSS-BORDER TRANSFERS 

As a global company operating across more than 80 countries, there are circumstances in which we will have to transfer Personal Data outside New Zealand for the purposes outlined in this Privacy Policy. Specifically, we may transfer data to offer, administer, and manage the Services provided to you, and to enhance the efficiency of our business operations. 

QUESTIONS OR CONCERNS

If you have any questions about this Privacy Policy, the Company’s privacy practices, or wish to make a complaint about how we have handled your Personal Data, you may contact us using the details below.

You can contact us by:

If you are not satisfied with our response, you may contact the Privacy Commissioner as below:

The Privacy Commissioner

0800 803 909

www.privacy.org.nz

enquiries@privacy.org.nz

CHANGES IN PRIVACY POLICY

From time to time we may make changes to this Privacy Policy, so we encourage you to review this policy for the latest information on our privacy practices. 
NZ26/173