PRIVACY NOTICE
MERCER BELONG® AND MERCER TOTAL REWARDS®
Effective Date: December 2024
This Privacy Notice describes how Mercer LLC and its subsidiaries (collectively, “Mercer”), collect, use, share, retain, transfer and otherwise process information relating to identified or identifiable individuals (Personal Information) in connection with its Mercer Belong® and Mercer Total Rewards® sites, and the rights you may have regarding your Personal Information. We believe that it is important for you to understand how we process Personal Information and encourage you to take a moment to familiarize yourself with our privacy practices outlined below.
Please note that in some instances we act on behalf of and under the instructions of clients, financial institutions, merchants, and other partners who act as data controllers. Please refer to their respective privacy policies for more information regarding the processing of your Personal Information in these contexts.
PERSONAL INFORMATION WE COLLECT
| Category |
Examples |
| Biographical identifiers |
Name, date of birth, age. |
| Contact information |
Telephone number, personal email address. |
| Identification information |
Social security number or other government issued identification number (where your employer does not provide us with an alternative employee identifier). |
| Professional or employment-related information |
Employer or group, relationship to our company, job title, business contact details, employee ID, employment grade, employee performance and training, salary and remuneration arrangements and employment history. |
| Financial Information |
Income and other financial information. |
| Benefit and Pension Information |
Benefit elections, pension entitlement information, date of retirement, beneficiaries and any relevant matters impacting your benefits such as voluntary contributions. |
| Insurable Risk Information |
Health plan selections, coverages obtained, and plan IDs. |
| Internet or other similar network activity |
Interaction with a website, application, data from cookies or web beacons, login credentials, domain names, and interactions with our emails, including when you read and respond to emails, ISP (Internet Service Provider), browser details, other website activity, online identifiers (including IP address or device ID). |
| Any other voluntarily provided information |
Information regarding partners and dependents (including minor dependents); geolocation, and your feedback or survey responses where you choose to identify yourself. |
HOW WE COLLECT PERSONAL INFORMATION
Information Provided by You, Your Representatives or Third Parties
We may collect Personal Information from the following sources:
- Directly from you, for example when you visit a website, enroll in benefits, or otherwise give us information.
- Your representatives, including your employer, or group or benefit program/plan sponsor.
- Other third parties, including insurance companies, plan administrators and service providers, brokers or agents, financial institutions, or persons acting on behalf of such parties.
We do not knowingly collect Personal Information directly from minors.
If a third party (e.g., your employer) collects your personal information, we encourage you to read the third party’s privacy policy to learn more about how your information will be used and disclosed by them.
Collection by Automated Means
We use cookies and related tracking technologies (“Cookies”) on our company-owned websites. If available based on your jurisdiction, website users can opt-out of our use of certain Cookies using the Manage Cookies link at the bottom of the website. To find out more about how we use Cookies, please see our Cookie Notice.
Collection by Third Parties
If you conduct a transaction through a third party (e.g., a service provider or insurer) they may collect and process Personal Information about you, including through Cookies, in connection with such a transaction. In those instances, we encourage you to read the third party’s privacy policy to learn more about how your information will be used and disclosed by them.
HOW WE USE THE PERSONAL INFORMATION WE COLLECT
| Purpose |
Description of Use |
Legal Basis |
| To conduct our business |
We use Personal Information as necessary to conduct our business, including to verify your identity, respond to your queries, communicate with you, establish an online account, or carry out our contractual obligations. | Contract performance and, where applicable, legitimate interests (to enable us to perform our obligations and provide our services to you). |
| For research, data analytics and development purposes |
We may analyse Personal Information together with information from other clients to create insights, reports, and other analytics to better understand and improve the quality of our offering and evaluate the effectiveness of our websites, and overall service. Please note that we may de-identify Personal Information such that it is not associated with any particular client or individual. |
Where applicable, legitimate interests (to allow us to improve our services). |
| To log and monitor certain activities and maintain network security and performance, and protect against cyber attacks |
We log and monitor communications and transactions to ensure service quality, compliance with procedures and legal requirements, and to combat fraud. We also use Personal Information as necessary to maintain network security, monitor website performance, and protect our systems against cyber attacks. | Legal obligation, and, where applicable, legitimate interests (to ensure the quality and legality of our services). |
| To maintain our websites and ensure website content is relevant |
We use Personal Information as necessary to maintain our websites and ensure that content from our websites is presented in the most effective manner for you and for your device. | Contract performance and, where applicable, legitimate interests (to allow us to provide you with content and services on the websites). |
| To reorganise or make changes to our business |
As necessary if we: (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organisation. |
Legal obligation or legitimate interests (to allow us to change our business). |
| In connection with legal or regulatory obligations |
We use Personal Information to comply with our regulatory disclosure requirements or as part of dialogue with our regulators as applicable. |
Legal obligation, and where appropriate, legitimate interests (to cooperate with law enforcement and regulatory authorities). |
We may also use the Personal Information we collect and receive as otherwise described to you at the point of collection.
External Links
Our websites may include links to websites that are operated by organizations other than Mercer. If you access another organization’s website using a hyperlink on our website, the other organization may collect information from you. Mercer is not responsible for the content or privacy practices of linked websites or their use of your Personal Information. If you leave a Mercer website via such a link (you can tell where you are by checking the URL in the location bar on your browser), you should refer to that website’s privacy policies, terms of use, and other notices to determine how the other organization will handle any Personal Information they collect from you.
WHO WE DISCLOSE PERSONAL INFORMATION TO
| Categories of third parties |
Purpose for Disclosure |
| Your employer, or benefit program sponsor (when applicable) | Assist in the administration of a group insurance program. |
| Agents or third-party service providers | Perform functions or services for us or on our behalf. Such third parties are contractually restricted from using Personal Information for purposes other than providing services for or on behalf of Mercer. |
| Potential partners or successor entities |
In the context of mergers, acquisitions, bankruptcies, asset sales or other transactions where a third party assumes control of all or part of our assets. |
| Website analytics and advertising companies |
Help us to personalize ads and content based on your interests, measure the performance of our ads and content, and derive insights about the audiences who see our ads and content. |
| Anti-fraud databases, supervisory or regulatory authorities, law enforcement and other third parties |
As necessary to prevent fraud, communicate with supervisory or regulatory authorities, protect and defend the legal rights, safety, and security of Mercer, our affiliates and business partners, and users of any website, enforce the Terms of Use of a website; respond to claims of suspected or actual illegal activity; respond to an audit or investigate a complaint or security threat; or comply with applicable law, regulation, legal process, or governmental request. |
STEPS WE TAKE TO PROTECT PERSONAL INFORMATION
Our company strives to comply with all applicable cybersecurity and data protection laws. With these goals in mind, Marsh McLennan has a dedicated Chief Information Security Officer (CISO) and a Global Chief Privacy Officer (GCPO). The CISO is responsible for managing a Global Information Security team and a comprehensive cybersecurity program. As part of our cybersecurity program, we have implemented commercially reasonable physical, administrative, and technical safeguards to protect Personal Information from unauthorized access, use, alteration, and deletion.
The GCPO leads and oversees a Privacy Center of Excellence and a Data Protection Officer Network responsible for implementing our comprehensive global privacy program. The Data Protection Officer Network connects our Data Protection Officers across the world and seeks to implement our privacy program consistently and thoroughly wherever we process data. You can request the name and contact information for the Data Protection Officer in your jurisdiction by sending an email to privacy@mmc.com.
YOUR DATA PROTECTION RIGHTS
We handle Personal Information relating to this Site to provide our services to corporate clients. As such, we act as a “service provider” or “processor” when it comes to handling your Personal Information, which means all of the Personal Information that we collect from or about you in connection with the Site is processed under the direction of our client and governed by our agreement with such client. Our collection, use, sharing, and retention of your Personal Information for use on this Site is limited to providing the services for which our client has engaged us.
Accordingly, if you are using this Site in connection with your duties of employment or by virtue of some other relationship with our client, we encourage you to review that client’s privacy notice to understand the full scope of how your Personal Information will be handled.
Further, if you wish to exercise any rights that may be available to you under certain data privacy laws (for example, the right to access, correct or delete), you should direct your request to our client, who is the party responsible for receiving, assessing, and responding to such requests.
We do not sell your Personal Information and, therefore, do not provide a mechanism for opting out of the sale or sharing of information.
CROSS-BORDER TRANSFERS
As a global company operating across more than 80 countries, there are circumstances in which we will have to transfer Personal Information out of the country, province, or territory in which it was collected for the purposes outlined in this Privacy Notice. Specifically, we may transfer data to offer, administer, and manage the Services provided to you, and to enhance the efficiency of our business operations. We will make every effort to ensure that these transfers adhere to all relevant data protection legislation, and that the rights and freedoms of individuals under such laws are appropriately safeguarded.
Where the need for such a transfer arises, we will take steps to ensure that there are appropriate safeguards in place to protect Personal Information such as an impact assessment, adequacy decision by the appropriate supervisory authority, the use of approved binding corporate rules or standard contractual clauses, or your consent.
For information regarding how Marsh & McLennan Companies’ EU (European Union) Binding Corporate Rules (EU BCRs) operate, click here. For a list of entities that have agreed to be bound by the EU BCRs, click here.
For information regarding how Marsh & McLennan Companies’ UK Binding Corporate Rules (UK BCRs) operate, click here. For a list of entities that have agreed to be bound by the UK BCRs, click here.
RETENTION OF PERSONAL INFORMATION
Our products, services, and regulatory obligations are complex, and thus our retention periods for Personal Information vary. We consider the following obligations when setting retention periods for Personal Information and the records we maintain:
- the need to retain information to accomplish the business purposes or contractual obligations for which it was collected;
- our duties to effectuate our clients’ instructions with respect to Personal Information we process on their behalf;
- our duties to comply with mandatory legal and regulatory record-keeping requirements;
- our backup and disaster recovery procedures; and
- other legal impacts such as the applicable statute of limitations periods.
Based on the factors above, we may retain Personal Information beyond the period for which we provide services to you. When we no longer need to retain Personal Information, our company policies require that we either de-identify or aggregate the information (in which case we may further retain and use the de-identified or aggregated information for analytics purposes) or securely destroy it.
QUESTIONS OR CONCERNS
To submit questions or requests regarding this Privacy Notice or Mercer’s privacy practices, please email us at privacy@mmc.com. If you would prefer to contact us by post or by phone, please contact your local Data Protection Officer at one of the following addresses:
Chief Compliance Officer
Marsh & Mercer, Canada
120 Bremner Blvd, Suite 800
Toronto, Ontario M5J 0A8
Or
Chief Privacy Officer – US/Canada
Marsh & McLennan Companies, Inc.
1166 Avenue of the Americas
New York, NY 10036