Skip to main content

Privacy notice

This Privacy Notice describes how Marsh LLC and its subsidiaries (collectively, “Marsh”), process personal information.

For Arabic version of this Privacy Notice, please click here.

Effective Date: 15 September 2024

This Privacy Notice describes how Marsh LLC and its subsidiaries (collectively, “Marsh”), process personal information. We believe that it is important for you to understand what information we collect and how we use and share it.  That is why we encourage you to take a moment to familiarize yourself with our privacy practices outlined below.  In this Privacy Notice, we explain how we collect, use, share, retain, and transfer your personal information. We also explain what rights you may have regarding your personal information.

Please note that we also act on behalf of and under the instructions of financial institutions, merchants and other partners which act as data controllers, including for processing payment transactions. Please refer to their respective privacy policies for more information regarding the processing of your Personal Information in these contexts.

Though we strive to describe our practices and your rights fully below, each jurisdiction imposes obligations and grants rights to you depending on how you interact with us or the jurisdiction in which we are doing business with you.

What personal information do we collect

“Personal Information” means any information relating to an identified or identifiable individual.  We may collect the following categories of personal information where appropriate to fulfil our intended business purposes:

How we collect personal information

Information Provided by You, Your Representatives or Third Parties

We may collect information from the following categories of sources:

  • Directly from you, for example when you visit a website, enroll in benefits, request a quote, call a service center, or otherwise give us information.
  • Your representatives, including your employer, association, or group or benefit program/plan sponsor.
  • Other third parties, including insurance companies, plan administrators and service providers, brokers or agents, credit agencies, financial institutions, and government agencies or persons acting on behalf of such parties.
  • Vetting and data validation agencies and other professional advisory service providers in connection with our marketing or business development activities.

If you supply us with personal information about other people (e.g., family members, beneficiaries, or dependents), you represent that you have the authority to provide this information and that you have shared this Privacy Notice where appropriate. We do not knowingly collect personal information directly from minors.

Collection by Automated Means

We use cookies and related tracking technologies (“Cookies”) on our company-owned websites. If available based on your jurisdiction, website users can opt-out of our use of certain Cookies using the Manage Cookies link at the bottom of the website. To find out more about how we use Cookies, please see our Cookie Notice.

Collection by Third Parties

If you conduct a transaction through us, a third party (e.g., a service provider or insurer) may collect and process credit card or other Personal Information about you, including through Cookies, in connection with such a transaction. In those instances, and for any other arrangement where we receive information from your employer, association or other third party, we encourage you to read the third party’s privacy policy to learn more about how your information will be used and disclosed by them.

How we use the personal information we collect

We may use Personal Information we collect:

We may also use the Personal Information we collect and receive as otherwise described to you at the point of collection.

We may also disclose de-identified information that is not reasonably likely to identify you for commercially legitimate and lawful business purposes.  Where we have de-identified information, we will maintain and use it without attempting to re-identify the data other than as permitted under law. In de-identifying your information, we rely, where available, on your legitimate interests.

External Links

Our websites may include links to websites that are operated by organizations other than Marsh.  If you access another organization’s website using a hyperlink on our website, the other organization may collect information from you.  Marsh is not responsible for the content or privacy practices of linked websites or their use of your Personal Information.  If you leave a Marsh website via such a link (you can tell where you are by checking the URL in the location bar on your browser), you should refer to that website’s privacy policies, terms of use, and other notices to determine how the other organization will handle any Personal Information they collect from you.

Who we disclose personal information to

We may disclose Personal Information to the following categories of third parties:

Steps we take to protect personal information

Our company strives to comply with all applicable cybersecurity and data protection laws. With these goals in mind, MMC has a dedicated Chief Information Security Officer (CISO) and a Global Chief Privacy Officer (GCPO). The CISO is responsible for managing a Global Information Security team and a comprehensive cybersecurity program.  As part of our cybersecurity program, we have implemented commercially reasonable physical, administrative, and technical safeguards to protect Personal Information from unauthorized access, use, alteration, and deletion.

The GCPO leads and oversees a Privacy Center of Excellence and a Data Protection Officer Network responsible for implementing our comprehensive global privacy program. The Data Protection Officer Network connects our Data Protection Officers across the world and seeks to implement our privacy program consistently and thoroughly wherever we process data. You can obtain the name and contact information for the Data Protection Officer in your jurisdiction by contacting us at privacy@mmc.com.

Your data protection rights

In many cases, we handle Personal Information to provide our services to corporate clients, and you should contact them to exercise any rights you may have under applicable privacy laws. However, where we act as the controller or business that is primarily responsible for deciding how your information is processed, you may have some or all the rights listed below, depending on the jurisdiction and our reason for processing your information.  Please note that we may need to use your Personal Information to verify your identity prior to responding to any of the below rights.

  • Right of access (Right to know)

You may ask us to provide you with further details on how we make use of your Personal Information, the sources, the categories or specific pieces of Personal Information we have collected, the categories of third parties to whom we have disclosed the information, and to request a copy of the Personal Information that we hold about you.

  • Right to correct

You may ask us to update any inaccuracies in the Personal Information we hold. If we disclose your Personal Information to others, we will tell them about the correction where possible.

  • Right to delete

You may ask us to erase your Personal Information where we no longer have lawful grounds to process it.

  • Right to object to or restrict processing

You may have a right to restrict the processing of your Personal Information in certain circumstances, such as where you contest its accuracy.

  • Right to data portability

You may have the right, where it is technically feasible, to ask that we transfer to a third party of your choice a copy of Personal Information we have obtained from you, in a structured, commonly used, and machine-readable format.

  • Right to withdraw consent

If we rely on your consent as our legal basis for processing your Personal Information, you have the right to withdraw that consent.

  • Right to lodge a complaint

You may have the right to lodge a complaint with the relevant supervisory or regulatory authority in your jurisdiction if you have a concern about any aspect of our privacy practices.

If you wish to exercise any of the above rights or request review of a decision or denial, please contact us by completing this form.

Depending on your country, you may also have some or all the following rights:

  • Right to Opt in or out of Sale or Sharing for Cross-Context Advertising

If you visit one of our websites, we may disclose your internet or other electronic network activity information, biographical identifiers, geolocation data, and professional information (to the extent it can be derived from your activity on our website) to website analytic and advertising providers for cross-context behavioral or targeted advertising purposes utilizing advertising cookies.  Under some laws, you may have the right to opt in or out of these types of disclosures.  To make your selection(s) or to view the names of specific third parties with whom we have sold or shared your information, please click on the “Manage Cookies” link at the bottom of our webpage. If you would like to opt out of the sale or sharing of your information, ensure the toggles for “Advertising” and “Analytics” trackers are set to “No” or, where available, enable the Do Not Sell or Share My Personal Information toggle.

You may also implement a browser setting or extension to communicate your selling and sharing preferences automatically to the websites you visit.  Our websites process such “opt-out preference signals” in a frictionless manner by recognizing the Global Privacy Control (GPC). If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available here.

  • Rights in relation to automated decision making and profiling

To the extent we engage in the automated processing of your Personal Information, we will provide you in advance with any notices, including regarding your rights, that are required under law.  Decisions regarding insurance premiums, coverage limits and eligibility, however, may be determined by insurance carriers using automated means, including through one of our websites or applications interacting with such insurers’ systems.  In those instances, we encourage you to review the applicable insurers’ privacy notices to obtain additional information regarding their automated decision-making practices, as well as any right to opt out of such processing or challenge a prediction, recommendation or decision that has impacted you.

  • Direct Marketing and Do Not Track Signals

You may have a right to request and obtain a notice once a year about the Personal Information we disclosed to other businesses for their own direct marketing purposes, where permitted by law.  If applicable, such a notice will include a list of the categories of Personal Information that were disclosed (if any) and the names and addresses of all third parties to whom the Personal Information was disclosed (if any).  The notice will cover the preceding calendar year.  You may contact us as provided below if you would like to learn if this right applies to you and, if so, exercise that right.

Please note that some of these rights may be limited where we have an overriding legitimate interest or legal, regulatory, or contractual obligation to continue to process the Personal Information, or where the Personal Information may be exempt from disclosure or erasure under applicable law.  Some of these rights can be exercised only in certain circumstances or may otherwise be limited by data protection legislation in your jurisdiction.

Cross-border transfers

As a global company operating across more than 80 countries, there are circumstances in which we will have to transfer Personal Information out of the country, province, or territory in which it was collected for the purposes outlined in this Privacy Notice. Specifically, we may transfer data to offer, administer, and manage the Services provided to you, and to enhance the efficiency of our business operations. We will make every effort to ensure that these transfers adhere to all relevant data protection legislation, and that the rights and freedoms of individuals under such laws are appropriately safeguarded.

Where the need for such a transfer arises, we will take steps to ensure that there are appropriate safeguards in place to protect Personal Information such as an impact assessment, adequacy decision by the appropriate supervisory authority, the use of approved binding corporate rules or standard contractual clauses, or your consent.

For information regarding how MMC’s EU (European Union) Binding Corporate Rules (EU BCRs) operate, click here.  For a list of entities that have agreed to be bound by the EU BCRs, click here.

For information regarding how MMC’s UK Binding Corporate Rules (UK BCRs) operate, click here.  For a list of entities that have agreed to be bound by the UK BCRs, click here.

Retention of your information

Our products, services, and regulatory obligations are complex, and thus our retention periods for Personal Information vary.  We consider the following obligations when setting retention periods for Personal Information and the records we maintain:

  • the need to retain information to accomplish the business purposes or contractual obligations for which it was collected;
  • our duties to effectuate our clients’ instructions with respect to Personal Information we process on their behalf;
  • our duties to comply with mandatory legal and regulatory record-keeping requirements;
  • our backup and disaster recovery procedures; and
  • other legal impacts such as the applicable statute of limitations periods.

Based on the factors above, we may retain Personal Information beyond the period for which we provide services to you. When we no longer need to retain Personal Information, our company policies require that we either de-identify or aggregate the information (in which case we may further retain and use the de-identified or aggregated information for analytics purposes) or securely destroy it.

Questions or concerns

To submit questions or requests regarding this Privacy Notice or Marsh’s privacy practices, please email us at privacy@mmc.com.   If you would prefer to contact us by post or by phone, please contact your local Data Protection Officer. You can obtain the contact information for your local Data Protection Officer by contacting us at privacy@mmc.com.