img1
CANDIDATE PRIVACY NOTICE
California Candidates: Please review the California Resident Candidate Notice.


This Privacy Notice applies to all candidates to Marsh McLennan and its businesses (Marsh, Mercer, Oliver Wyman Group, Guy Carpenter) or one of our affiliated companies (collectively, “the Company”).

The Company will process your personal information in accordance with this Privacy Notice when you apply for roles or visit or use our global recruitment website (the “Site”).

The Company believes strongly in protecting the privacy of candidates. This Privacy Notice is intended to inform you of the ways in which the Company collects personal information, the uses to which that information will be put, and the ways in which we will protect any personal information you choose to provide us. Generally, personal information is information that can be associated with you as an individual. 
 
What Data Do We Collect ? 
In jurisdictions where such collection is lawful, we may collect the following personal information about you (“Candidate Data"): 
Category                                                                           
Examplesxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                                                           
Biographical information
name, date of birth, place of birth, language proficiencies, and information you make publicly available through job search or career networking sites, search engines, public databases, your company or social media profile;
Contact information
title, home address, telephone number(s), personal email address;
Identification information
social security number or other government issued identification number, driver’s license number, passport information, bank account details, income tax declaration, income tax number;
Individual demographic attributes
age, race, citizenship, physical or mental disability, sex (including gender, gender identity, pregnancy or childbirth and related medical conditions), sexual orientation, union membership, veteran or military status, (each only to the extent you choose to disclose these details, or they are required under applicable employment laws);
Professional Information  
job history and CV, work status (e.g., full-time/part-time), references, skills, education, professional qualifications, job preferences (such as willingness to relocate and salary expectations);
Screening information
aptitude assessments or information necessary to complete background checks, drug and/or alcohol tests, medical check report, health declaration, salary, remuneration package, and other screens permitted by law;
Internet or other similar network activity 
Audio, video, or visual information
teleconference or videoconference recordings of interviews, photographs, voicemails, closed-circuit monitoring if you come on our premises, and recruiting event recordings and pictures;
Expenses and travel information
including details of travel that you undertake and reimbursable expenses you incur in connection with the interview process;
Employment verification information
immigration status and other work authorization information that would allow us to verify your employment eligibility; if you have a disability and would like the Company to consider an accommodation, you may provide that information during the recruiting process as well;
assessments of references, interviewers, and recruiters;
Other information you choose to provide during the application process
information regarding partners and dependents; emergency contact details, disclosure statements, restrictive covenants, and your feedback or survey responses where you choose to identify yourself.

In certain cases, and only in jurisdictions where such collection is lawful, we ask you for sensitive personal information (as defined under local laws, “Sensitive Candidate Data”) for purposes of complying with applicable laws, to promote and assess our efforts to accomplish diverse hiring, to sponsor your residency application and/or where relevant for a position.  Such Sensitive Candidate Data could include citizenship, racial or ethnic origin, gender, sexual orientation, health information, and criminal records. See “What Data Do We Collect?” above for further detail.

In most cases, provision of this information is voluntary, though there are some exceptions (such as when the information is required to meet a legal obligation, for fraud prevention or for security reasons). For candidates we extend an offer to, further Sensitive Candidate Data may be required (e.g., national identifier, driver’s license, bank account data.)

The Company processes Sensitive Candidate Data in accordance with this Privacy Notice as necessary for carrying out the Company’s obligations.

For the purpose of compliance with applicable laws, you consent to the Company processing Sensitive Candidate Data in accordance with this Privacy Notice. If the Company intends to collect Sensitive Candidate Data from third parties, you will be provided notice and the opportunity to exercise your legal right where applicable.   
 
What are our Sources of Candidate Data? 
We collect the above Candidate Data directly from you, from individuals you identify to serve as referees and/or from external recruiters or others who recommend you for a role with our organization.  We also collect Candidate Data from career platforms via which you may share your data with us, or at job fairs and events in which you participate and choose to engage with us.


We also collect Candidate Data via automated means on the Site using cookies, pixels, web beacons, and other online tracking technologies (collectively, “Cookies”).  Please review Cookie Notice for further information about Cookies.  You can also find a link to manage your cookie preferences in the footer of our page at any time.

In addition, in the course of ensuring network security and consistent service for all users, the Company employs software programs to do such things as monitor network traffic, identify unauthorized access or access to non-public information, detect computer viruses and other software that might damage the Company’s computers or the network, and monitor and fine-tune the performance of the Company network and the Site. During such monitoring, these programs may detect additional information from your computer such as your IP address, addresses from network packets, and other technical information. Any such information is used only for the purpose of maintaining the security and performance of the Company’s networks and computer systems.
 
How Do We Use the Data We Collect? 
The Company processes Candidate Data for the following purposes:
Purpose of Processing  
Lawful basis of processing
Identifying and evaluating candidates for Company roles
Legitimate Interest – hiring appropriate talent to perform our functions
Record-keeping related to hiring processes
Legitimate Interest – to administer the hiring process, to conduct interviews and contact candidates
Analysing the hiring process and outcomes
Legitimate Interest – to ensure hiring process is working effectively
Conducting background and criminal checks, where permitted by law
Legal Obligation – required in relation to applicable regulated posts
Communicating with candidates in the context of current and future applications
Consent

In addition, Candidate Data may be used to comply with the Company’s legal, regulatory and corporate governance requirements. If a candidate is hired, Candidate Data may be used in connection with their employment, consistent with the Company’s employment data protection policies.   

In addition to using Candidate Data for the position for which you have applied, if at the time of your application there are no suitable positions for your skill set, the Company may retain your Candidate Data to consider you for other positions.  This data will be kept for a reasonable period and/or as otherwise required or allowed by applicable law or to otherwise fulfil a legal obligation. In those circumstances, you may be contacted in the future with details on other positions that match your expressed skills and background and to update your information. If you do not want to be considered for other positions or would like to have your Candidate Data removed, you may contact the Company as specified in this Privacy Notice.


Who Do We Share Your Data With? 
We will share Candidate Data as follows: 
Affiliates
To assist in evaluating you and to enable them to contact you regarding roles that you have expressed an interest in.  
Agents and Service Providers
We sometimes contract with other companies and individuals to perform functions or services for us or on our behalf, such as hosting the Site, conducting background checks or screening candidates. They may have access to Candidate Data, including your CV, needed to perform their functions, but are contractually restricted from using it for purposes other than providing services for the Company or on our behalf.  
Business Transfers
As we continue to develop our business, we might sell or buy assets. In such transactions, user information generally is one of the transferred business assets. Also, if either the Company itself or any of the Company’s assets were acquired (including through bankruptcy proceedings), Candidate Data may be one of the transferred assets.  
Legal Matters
The Company may preserve, and has the right to disclose any information about you or your use of this Site without your prior permission if the Company has a compelling reason to deem such action necessary to: (a) protect and defend the rights, property, or safety of the Company or its affiliates, other users of this Site, or the public; (b) enforce the terms and conditions that apply to use of this Site; (c) respond to claims that any content violates the rights of third parties; (d) respond to claims of suspected or actual illegal activity; (e) respond to an audit or investigate a complaint or security threat; or (f) comply with applicable law, regulation, legal process, or governmental requests.  
Online third-party providers
Depending on whether you choose to accept or reject certain Cookies deployed on the Site, your data may be shared with online analytics, AdTech, and other third-party providers.

If you are hired as an employee of the Company, this information may be transferred into an employee record.  

What Steps Do We Take to Protect Your Information? 
Our company has a dedicated Chief Information Security Officer who is responsible for managing a Global Information Security team and a comprehensive cybersecurity program.  As part of such program, we have implemented appropriate physical, administrative, and technical safeguards in an effort to protect your Candidate Data from unauthorized access, use, alteration and deletion. These safeguards may vary depending on the sensitivity, format, location, amount, distribution and storage of the Candidate Data, and include measures designed to keep Candidate Data protected from unauthorized access. 

Our cybersecurity program has policies and procedures for risk assessments to identify and assess cyber risks, as well as technical controls and processes to detect, respond to and recover from cybersecurity events. 

As effective as our cybersecurity program is, no security system is impenetrable. We cannot guarantee the security of our systems, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet. 

Data Retention 
Our retention periods for Candidate Data vary based on the nature of the information and applicable laws.  We retain Candidate Data in accordance with our records retention schedules and only as long as reasonably necessary for our business purposes and legal obligations.   We consider the following obligations when setting retention periods for Candidate Data we maintain. The need to:
  • retain information to consider you for additional employment opportunities in the future;
  • accomplish the purposes for which it was collected;
  • comply with mandatory legal and regulatory record-keeping requirements;
  • Maintain our backup and disaster recovery procedures;
  • Meet other legal requirements such as applicable statute of limitations periods.
When we no longer need to retain Candidate Data, our Company policies require that we either de-identify or aggregate the information (in which case we may further retain and use the de-identified or aggregated information for analytics purposes) or securely destroy it.

Accessing, Correcting and Deleting Your Candidate Data 
All Candidates: You may access and correct Candidate Data you have submitted on the Site using your log in credentials to access your profile.  Alternatively, you can email database.delete@mmc.com at any time with the subject line, “Delete from Database”, and we will remove your Candidate Data from our records.  

Candidates in Jurisdictions with Formal Data Subject Rights:  Candidates in some jurisdictions may, where permitted by applicable law and subject to certain conditions, be able to submit a formal “Data Subject Request”. We will comply with such requests as required under applicable law:
(a) Subject Access: You can ask us to provide you with further details on how we make use of your Candidate Data, the sources, categories of persons who have access to the information within our company, and to request a copy of the Candidate Data that we hold about you.
(b) Rectification: You can ask us to update any inaccuracies in the Candidate Data that we hold.
(c) Erasure: You can ask us to erase your Candidate Data that we no longer have lawful grounds to process.
(d) Withdrawal of consent: You can withdraw your consent to processing so that we stop that particular processing.
(e) Restriction: You can restrict how we use information whilst a complaint is being investigated.
(f) Portability: You can ask us to transmit the Candidate Data that you have provided to us to a third party.
(g) Raise a complaint: You can raise a complaint about our processing with the data protection regulator in your jurisdiction (for example in the UK, the Information Commissioner's Office).
To exercise any of these rights, please contact us at hrdataprivacy@mmc.com.
California residents should review the California Candidate Privacy Notice for information about how to submit their requests.
You are generally not required to pay any charge for exercising your rights.
Your jurisdiction may provide for different rights under the applicable data protection laws.
If you are unaware that your data has been added by a third party and you do not agree with this Privacy Notice, then please inform the Company immediately and your data will be removed from our systems. 

Applicability of This Privacy Notice to International Users 
There are circumstances in which we will have to transfer Candidate Data out of the country, province or territory in which it was collected for the purposes outlined above. These countries, provinces or territories do not always afford an equivalent level of privacy protection and in such circumstances, we take specific steps, in accordance with data protection law, to provide an adequate level of protection for Candidate Data.  Where the need for such a transfer arises, we will take steps to ensure that there are appropriate safeguards in place to protect your Candidate Data , such as an impact assessment, adequacy decision by the appropriate supervisory authority, the use of approved binding corporate rules or standard contractual clauses, or your consent.  If you have questions regarding the specific mechanism, if any, under which your Candidate Data is transferred to another country, if applicable, you may contact us at Privacy@mmc.com.

Binding Corporate Rules
Marsh McLennan's EU Binding Corporate Rules (“EU BCR”) are a means of transferring personal data internationally within the Company group in compliance with applicable data protection legislation in the European Economic Area. The Information Commissioner’s Office (“ICO”), the local Supervisory Authority in the United Kingdom, formally approved them on October 6, 2017.  Following Brexit our new lead Supervisory Authority for the EU BCR is the Irish Data Protection Commission.  Our EU BCR consist of both Controller and Processor Standards.  For further information regarding how our EU BCR operate, click here.

Marsh McLennan’s UK Binding Corporate Rules (“UK BCR”) are a means of transferring personal data internationally within the Company group in compliance with applicable data protection legislation in the UK. Our UK BCRs are supervised by the ICO and consist of both Controller and Processor Standards. For further information regarding how our UK BCR operate, click here.
 
Changes to Privacy Notice 
This Privacy Notice is subject to change at any time. If we make changes to this Privacy Notice, we will update the date at the bottom of this page and post it on the Site.  Where required by local law, we will also notify you of any changes we make to this Privacy Notice and the notice provisions in the terms of our engagement.  To the extent permitted by law, any changes we make to this Privacy Notice become effective immediately when we post the revised Privacy Notice on the Site.  We recommend that you review this Privacy Notice regularly for changes. 
 
Questions or Concerns? 
If you have any questions, concerns, or complaints about this Privacy Notice, or our privacy practices in general, email us at Privacy@mmc.com with a subject line of “Candidate Privacy query” and your state/country of residency or write to us at:
 
Marsh & McLennan Companies 
Corporate Communications 
Attn: Global Chief Privacy Officer 
1166 Avenue of Americas 
New York, New York 10036-2774 
USA 


You may also contact the data protection officer responsible for your jurisdiction by emailing Privacy@mmc.com. In your email, please identify the relevant country.

Last updated: November 14, 2023