Canadian Privacy Notice (Marsh and Mercer) 

Effective Date: November 2024

Marsh Canada Limited (“Marsh”), Mercer (Canada) Limited (“Mercer”) and other Canadian affiliates of Marsh and Mercer are all affiliates of Marsh & McLennan Companies, Inc. (“MMC”). This Privacy Notice is issued on behalf of the Canadian Marsh and Mercer affiliates within the MMC group, so when we mention “MMC”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant company in the MMC group responsible for processing the information.

We believe strongly in protecting the privacy and the confidentiality of the information that identifies or relates to an identifiable individual (“personal information” or “personal data”) that we collect, use, disclose, store, and transmit (“process”) while providing insurance and risk advisory services, wealth, health and career consulting and other services or solutions (the “Services”).  This Privacy Notice is intended to inform you of the ways in which we collect, use, and disclose personal information, and sets forth your rights. 

This Privacy Notice is subject to change at any time. If we make changes to this Privacy Notice, we will update the “Effective Date” at the top of this page and post it on our websites, portals, applications or tools where applicable (“Sites”). 

Our contractual commitments to clients will supersede any terms in this Privacy Notice. In some instances our Services may be subject to additional privacy notices or related disclosure. In the event of a conflict or inconsistency between this Privacy Notice and any service-specific privacy notice or related disclosure, the latter shall prevail. 

The types of personal information we collect will vary depending on the nature of our relationship with our clients, such as the type of product or service we provide and the type of Site being accessed. Our goal is to limit the personal information that we collect to that which will allow us to fulfill our intended business purposes. Failure to provide us with information may prohibit us from delivering requested services.

Generally, we may collect and process the following types of personal information about individuals and, if required for the services provided, their dependents or beneficiaries under an employer, association, group or benefit program sponsor:

  • Individual Contact and Demographic Information (which may include Family Members)
    Name, address and/or proof of address, email address, telephone number, gender, marital status, family details, date and place of birth, employment information – employer, job title, employee ID, employment grade, employee performance, salary and remuneration arrangements and employment history, and/or the individual’s relationship to the policyholder, insured, beneficiary or claimant.
  • Business Contact Information
    Employer, job title, business address, email and phone numbers.
  • Identification Details
    Identification numbers issued by government bodies or agencies (e.g., social security or national insurance number, passport number, tax identification number, ID number, or driver’s license number), and/or insurance provider (e.g., policy number or claim number).
  • Pension and Benefits Information
    Benefit elections, pension entitlement information (including pension amounts, contributions, and nature and details of current and historic pension arrangements), date of retirement and any relevant matters impacting your benefits such as voluntary contributions, pension sharing orders, tax protections or other adjustments, number of dependents or beneficiaries, details of power of attorney.
  • Financial Information
    Payment card number and related data, bank account number and account details, income and other financial information.
  • Insurable Risk Information
    The information necessary for us to secure insurance products/quotes, provide risk consulting services, and/or offer guidance on other financial products and services.  This information may include, to the extent relevant to the risk being insured:
    o   Criminal records data – criminal convictions, including driving offenses;
    o   Vehicle information - vehicle identification number and other vehicle details;
    o   Health data - current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking), medical history, psychometric test results, previous health insurance information;
    o   Policy information - historical information about the insurance quotes individuals receive and the policies they obtain;
    o   Education information – information about current and/or previous education;
    o   Claims information - information about current and/or previous claims, including health data; and
    o   Other Special Categories of Personal Information - Racial or ethnic origin, political opinions or affiliation, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and/or data concerning an individual’s sex life or sexual orientation.
  • Credit and Anti-fraud Data
    Credit history and credit score, individual information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies.
  • Marketing Data
    Whether or not an individual has consented to receive marketing from us and/or from third parties; interaction with our Sites, marketing communications, articles, and social media.
  • Event and Survey Information
    Information related to MMC-sponsored events that you have attended and product or service-related surveys you have completed.
  • Site-Related Information
    Information related to the operation of and use of a Site and information collected through cookie or other tracking technologies, which may include log-in credentials, IP addresses, domain names, browser versions and operating system, traffic data, the resources you access, and other Site-related information.

Information Provided by You, Your Representatives or Third Parties

We may collect information from you, your representatives, your employer, association, group or benefit program/plan sponsor, and/or third parties that have roles in delivering services to our clients. 

You might provide personal information when you visit a Site; apply or request a quote for insurance coverage; enroll in an association, group, or employer benefits program; communicate with us or our service providers through email, chat and instant messenger; speak to one of our representatives by phone or in a call centre; enroll in events, or marketing or business development activities, or send mail to our office.  In addition, we may collect information from vetting and data validation agencies and other professional advisory service providers in connection with our marketing or business development activities. 

Third parties, including insurance companies, recordkeepers, plan administrators and service providers, brokers or agents, credit agencies, financial institutions, and government agencies or persons acting on behalf of such parties, may disclose your personal information to us.  Your employer or program/plan sponsor or someone acting on their behalf, or claimants, may also provide us with information about you in connection with our services.  In the event we receive from and process your personal information in accordance with instructions from our clients and other third parties, we encourage you to review such third party’s privacy notice to understand the full scope of how your personal information will be handled.      

If you supply us with personal information about other people, you represent that you have the authority to provide this information on their behalf and have obtained their consent where necessary.  In these instances, you further represent that the individuals to whom this information relates have been informed of the information in this Privacy Notice and understand the reason(s) for obtaining the information, the manner in which this information will be used and disclosed, and have consented to such use and disclosure.

Collection by Automated Means

We use cookies on our company-branded websites. If available, Site users can opt-out of our use of certain cookies using our Cookie Management Tool linked at the bottom of the site. To find out more about how we use cookies, please see our Cookie Notices for Marsh and Mercer.

Collection by Third Parties

If you conduct a transaction through us, a third party (e.g., a service provider or insurer) may collect and process credit card or other personal information about you, including through the use of website cookies, in connection with such transaction. In those instances, we will identify the third party to you and we encourage you to read the third party’s privacy policy to learn more about how your information will be used and disclosed by them.    

We may use the personal information received from you or your broker, insurance carrier, employer or association, group or benefit program/plan sponsor to:

  • Verify your identity;
  • Register and service your online account;
  • Communicate with you and conduct our business;
  • Process a reinsurance transaction, enrollment or provide a service requested by you directly, or by a third party, including the following:
    o   The procurement of reinsurance (new and renewals);
    o   Reinsurance policy administration;
    o   Claims processing;
    o   Consulting and related risk control services; and/or
    o   General risk modeling, benchmarking and/or other analytics services;
  • Allow you to manage the services requested by you, or through a third party;
  • Where permissible by and in accordance with local law, market our services to you or market the services of our affiliates and third parties engaged by us or our clients in connection with the services; 
  • Analyze, administer, develop, and improve our products and services and evaluate the overall effectiveness of our marketing activities, Sites, and overall service;
  • Maintain network security and performance and protect against cyber-attacks;
  • Comply with and enforce applicable laws, industry standards, and our own policies;
  • Prevent and detect fraud and other legal or policy violations;
  • For research and development purposes (including but not limited to performing benchmarking and analytics that support our client services);
  • De-identify information; and/or
  • As otherwise described to you at the point of collection, for our legitimate business purposes, or pursuant to your consent.

We may also process de-identified information that is not reasonably likely to identify you for commercially legitimate and lawful business purposes. 

We may need to disclose your personal information in order to deliver the insurance and consulting products or services requested by you or your employer, or association, group or benefit sponsor, and/or to administer our Sites.  We may disclose this information: 

  • to insurers, third-party agents/brokers and/or other service providers
  • with your employer, association, group or benefit program sponsor
  • with affiliates
  • with agents or third-party service providers
  • with marketing partners
  • to successor entities
  • to anti-fraud databases, supervisory or regulatory authorities and law enforcement agencies

Our company has a dedicated Chief Information Security Officer (CISO) who is responsible for managing a Global Information Security team and a comprehensive cybersecurity program.  As part of such program, we have implemented commercially reasonable physical, administrative, and technical safeguards in an effort to protect your personal information from unauthorized access, use, alteration and deletion. These safeguards may vary depending on the sensitivity, format, location, amount, distribution and storage of the personal information, and include measures designed to keep personal information protected from unauthorized access. 

Our cybersecurity program has policies and procedures for risk assessments to identify and assess cyber risks, as well as technical controls and processes to detect, respond to and recover from cybersecurity events.  

As effective as our cybersecurity program is, no security system is impenetrable. We cannot guarantee the security of our systems, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the internet.

You may have some or all of the following rights in relation to the personal information we collect about or from you, depending on the jurisdiction and our reason for processing your information:

  • Right of access
    You may ask us to confirm whether we are processing your personal information, the sources, the categories of persons who have access to the information within our company, and the retention period.  You may also have a right to receive a copy of personal information, where technically feasible.
  • Right to correct/rectify
    If the personal information we hold about you is inaccurate or incomplete, you may be entitled to request to have it corrected, taking into account the nature of the personal information and the purposes of the processing of your personal information.
  • Right to withdraw consent
    If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you may have the right to withdraw that consent. If you withdraw your consent, we may not be able to carry out your instructions or perform the contract we have or are trying to enter into with you.

If you wish to exercise any of the above rights or opt out of marketing communications, please complete this form.

For your protection, we will need to validate the identity of anyone making a request relating to your personal information.  We will respond to your request within a period of time required under law unless it is reasonably necessary for us to extend our response time.

There are circumstances in which we will transfer your personal information out of the country, province or territory in which it was collected for the purposes of carrying out the services we provide to you.  Where the need for such a transfer arises, we will take steps to ensure that there are appropriate safeguards in place to protect your personal information such as an impact assessment, appropriate contractual protections, or an adequacy decision by the appropriate supervisory authority.  

Calls and Text Messages

In some instances, your employer or association, group or benefit program sponsor may request services that require us to contact you via telephone calls or text.  By accepting the terms of this Privacy Notice and providing us with your contact information, you consent to receive automated calls and texts, as well as emails and/or standard mail, from us including but not limited to information regarding your policy, account, benefits, relationship with us, and other products or services offered through us and/or your employer or program sponsor. Consent is not a condition of any purchase or to obtain a quote.  Message and data rates may apply.  If you wish to withdraw your consent in the future, follow the prompts described in the call or text or contact us as described below. 

Minors

We do not knowingly collect personal information directly from children under 14.  If we learn that we have collected any personal information from a child under the age of 14 without verifiable parental consent, we will delete that information from our files as quickly as possible.  If you believe that we may have collected information from a child under 14, please contact us at the email address provided below.

External Links

Our Sites may include links to websites that are operated by third-party organizations.  If you access another organization’s website using a hyperlink on our Site, the other organization may collect information from you.  We are not responsible for the content or privacy practices of linked websites or their use of your information.  If you leave an MMC Site via such a link (you can tell where you are by checking the URL in the location bar on your browser), you should refer to that website's privacy policies, terms of use, and other notices to determine how they will handle any information they collect from you.

To submit questions or requests regarding this Privacy Notice or our privacy practices, please email us as specified below:

For Marsh: privacypolicyinquiries@marsh.com 

For Mercer: privacycoordinator@dos5.net

If you would prefer to contact us by post, please contact our privacy office using the following contact details: 

Chief Compliance Officer
Marsh & Mercer, Canada
120 Bremner Blvd, Suite 800
Toronto, Ontario M5J 0A8

If we are unable to resolve an enquiry or a complaint, individuals may have a right to contact the applicable supervisory or regulatory authority.  For more information about how to contact your supervisory or regulatory authority, please email us at privacypolicyinquiries@marsh.com for Marsh, or privacycoordinator@dos5.net for Mercer.