MEDEFEND-MARSH DATA PROTECTION POLICY
Marsh Insurance Brokers (Malaysia) Sdn Bhd ("MARSH", "our," "us" and "we") has created this MEDEFEND-MARSH Data Protection Policy in order to communicate our commitment to the privacy of information provided to us by our employer clients and their employees through the MEDEFEND-MARSH platform. We understand the nature of the information entrusted to us and acknowledge that maintenance of the privacy of such information is of the highest importance to our clients and their employees. The following discloses our information gathering and dissemination practices in relation to the services we provide through or in connection with the MEDEFEND-MARSH website that you have accessed ().
Marsh safeguards your Personal Data (as defined in paragraph 2 below) in accordance with the Personal Data Protection Act (2010) (“The Act"). You are requested and invited to read this MEDEFEND-MARSH Data Protection Policy so that you know and understand the purposes for which we collect, use and disclose your Personal Data. This MEDEFEND-MARSH Data Protection Policy supplements but does not supersede nor replace any other consents which you may have previously provided to our employer client or directly to us in respect of your Personal Data, including any consents provided to us through the MEDEFEND-MARSH Personal Information Collection Statement at PICS , and your consents herein are additional to any rights which we may have at law to collect, use or disclose your Personal Data except that the consent provided by you through acceptance of this MEDEFEND-MARSH Data Protection Policy and/or the PICS supersedes any previous election in respect of any specific matter.
For the avoidance of doubt, this MEDEFEND-MARSH Data Protection Policy forms a part of the terms and conditions governing your relationship with us, written or implied, (“Terms and Conditions”) and should be read in conjunction with those Terms and Conditions.
1. Your consent is important
When you make use of our Website and the Services, you may be required to provide us with your Personal Data. In doing so, you agree and consent to MARSH as well as other entities whose ultimate parent company is Marsh McLennan. (“Marsh Group”), our subsidiaries, business partners, respective agents, authorised service providers and relevant third parties collecting, using and/or disclosing your Personal Data in accordance with this MEDEFEND-MARSH Data Protection Policy.
You have the choice, at any time, not to provide your Personal Data or to withdraw your consent to Marsh’s collection, use and/or disclosure of your Personal Data. You are not obliged to provide your Personal Data to us. You should note, however that failure to provide certain Personal Data or a withdrawal of your consent for us to process your Personal Data may result in Marsh being unable to provide you with effective and continuous products and services you wish to receive from us. It is likely that in such a scenario, we may not be in a position to provide, or to continue to provide our products or services to you or administer any contractual relationship which may be in place between us.
You should also be aware of your duty of disclosure that applies in relation to insurance policies. Your duty of disclosure requires you to disclose all material information relating to the risk under consideration. This duty continues until the insurance has been concluded and ‘resurrects’ in the event of any amendment to the risk during the policy period or extension/renewal. You may also be subject to specific ongoing disclosure conditions or warranties according to the terms of your policy, which effectively extend the duty of disclosure post inception of the policy. The information you may need to disclose may in some cases be Personal Data. Please read the Terms and Conditions for more detail about this duty of disclosure. There are severe consequences for failing to comply with your duty of disclosure, including the avoidance of your policy from its commencement and the obligation to return claims already paid.
Notwithstanding the generality of the foregoing and for avoidance of doubt, upon the termination or expiry of your contractual relationship (written or implied) with us (howsoever caused), we may still continue using or disclosing your personal data as may be necessary, required, authorised or permitted for compliance with applicable law or as may be requested by the relevant regulatory bodies, government agencies, statutory boards, administrative bodies, authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes to which we may be subject, whether situated locally or overseas.
2. What types of Personal Data do we collect?
In this MEDEFEND-MARSH Data Protection Policy, “Personal Data” refers to any data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time.
Examples of such Personal Data you may provide to us may include (depending on the nature of your interaction with us), without limitation, the name, identity card number (Malaysia NRIC) or passport number (and/or copies thereof), contact information and, family history.
3. How do we collect your Personal Data?
Generally, we obtain your Personal Data from you, your employer or from third parties in various ways:
- when clients and prospective clients engage us or inquire about our Services, we ask them to provide us with company contact information, some examples of which are the company's name, address, contact person phone number and designation, number of employees and industry classification;
- when your employer decides to use our Services to enable you to join and manage your employee benefits, your employer provides us with information which includes, but is not limited to, your name, address, ID card number (Malaysia NRIC), title, salary, commencement of employment and information regarding your employment;
- we may obtain personal data about you from insurance companies or agents, for example if you make a claim that is covered by two policies;
- we may occasionally obtain personal data about you from government agencies, for example if they request information about you;
- we may obtain personal data about you from medical personnel in connection with your policy and/or any claims;
- we may receive personal data about you from credit reporting agencies in connection with arranging financial products and services for you; we may obtain personal data about you from courts or public records from time to time, for example in connection with any legal proceedings you are involved in;
- when you provide any data in connection with the PICS;
- when you provide any data required for the use of the Services (whether the Services are provided by Marsh or a third party service provider);
- when you request that we contact you, be included in an email or other mailing list; or when you respond to our request for additional Personal Data;
- when you contact any Marsh entities through various methods such as completing application forms, emails and letters, telephone calls and conversations you have with our staff. If you contact us or we contact you using telephone, we may monitor or record the phone call for quality assurance, training and security purposes; and
- when you submit your Personal Data to us for any other reason.
If you do not wish us to collect, use or disclose your personal data in order to use our Services, please send an email to email@example.com
Cookie and related technologies
Information on Cookies
An IP address is a number that is automatically assigned to your computer when you signed up with an Internet Service Provider. When you visit our Website, your IP address is automatically logged in our server. We use your IP address to help diagnose problems with our server, and to administer our website. From your IP address, we may identify the general geographic area from which you are accessing our Website however; we will not be able to pinpoint the exact geographic location from which you are accessing our Website. Generally we do not link your IP address to anything that can enable us to identify you unless it is required by applicable laws and regulations.
Our Services require users to choose a username and password in order to activate their account and these will be the login credentials to access the Website. You agree to maintain the confidentiality of your username and password and agreed to notify us immediately should you become aware of any unauthorised use of your username, password, account or information on the Website. You are responsible for the security of your username and password and Marsh accepts no responsibility howsoever arising and will not be liable for any and all activities that occur under your account to the extent that they result from your failure to comply with this paragraph.
Service Activity Logging
All transactions conducted through the Website will be monitored and recorded for the purposes of logging Website usage, diagnosing problems, enhancing features and functionality of the Services, the purposes described elsewhere in this MEDEFEND-MARSH Data Protection Policy, and for other legitimate business purposes.
Third party sites
Our Website may contain links to other web sites which are not maintained by or under the control of Marsh. This MEDEFEND-MARSH Data Protection Policy only applies to the web sites of Marsh. When visiting these third party web sites, you should read their privacy policies which will apply to your use of such third party web sites. Should you decide to leave the Website to access such third party web sites, you agree to do so at your own risk.
4. What is the purpose of processing your Personal Data?
Generally, Marsh collects, uses, discloses and/or processes Personal Data for the following purposes:
- allowing us to process your enrolment, provide you with updated details of your employee benefits, to assist you in applying for further benefits or products and to allow us to process those applications;
- providing the Services, and other products, services and benefits to you, including administering and processing payment instructions, insurance policies, insurance claims and medical claims, security and underwriting checks;
- conducting identity and/or credit checks and/or debt collection;
- verifying the eligibility information of you, your spouse, partner, children or other immediate family member, for insurance, financial or wealth management products and services or any other products provided in connection with the Services;
- using company contact information to provide information to clients and prospective clients (paper and electronic) in relation to our Services and to maintain a record of inquiries regarding our Services;
- aggregating employee information from multiple employer clients to monitor Website usage, assist us to develop our Services and to analyse performance. Examples of analyses performed include, but are not limited to: number of employees enrolled in plans provided by a particular insurance carrier, average number of employees employed by our clients and average number of benefit plans sponsored by our clients. When used to perform such analyses, information provided by an employer customer or its employees is never disclosed in a level of detail sufficient to permit the identification of any individual employer customer or individual employee record;
- conducting research and analysis in relation to products and services provided by or through Marsh Group, including analytics performed on insurance claims (and claims data) and analytics to determine which products and services may be of interest to you;
- performing a policy review or needs analysis;
- subject to your consent, contacting you for the purposes of marketing or providing you with promotional materials relating to (a) insurance or financial services or related wealth management products arranged by Marsh, the entities within Marsh Group or partnering insurance companies or financial institutions; or (b) other products and services provided by Marsh or the entities within Marsh Group (as described in paragraph 5 below);
- subject to your consent, disclosing your information to (a) other entities within the Marsh Group so that they may contact you with respect to their products and services; and (b) selected business partners so that they can contact in relation to insurance services (as described in paragraph 5 below);
- organising promotional events and corporate social responsibility projects (including but not limited to taking pictures and recording your video/audio feedback and testimony in relation thereto);
- conducting market research, understanding and determining customer location, preferences and demographics for us to review, develop and improve our products, services and also develop special offers and marketing programmes;
- from time to time, we may provide your information to our client service agencies for research and analysis purposes so that we can monitor and improve our Services. We, or our agents and sub-contractors may contact you by post, e-mail or telephone to ask you for your feedback and comments on our Services;
- subject to your consent, providing cross-referrals to other members of the Marsh Group;
- sharing such data with sub-contractors or service providers of Marsh in relation to our Services;
- managing the administrative and business operations of Marsh and complying with internal policies and procedures, including but not related to transferring (through secured means) and populating databases in secured sites outside our premises as part of our data backup programmes;
- matching any Personal Data held which relates to you for any of the purposes listed herein;
- matching Personal Data with other data collected for other purposes and from other sources (including third parties) in connection with the provision or offering of products and services, whether by Marsh or other third parties;
- subject to your consent, contacting you regarding details of products or services which we send to our employer clients or their employees generally, or which we have identified may be of interest to you (including but not limited to cross selling);
- communicating with you, including resolving complaints and handling requests and enquiries;
- providing media announcements and responses;
- meeting or complying with any applicable laws, regulations, regulatory policies, directives, rules, codes of practice or guidelines of any jurisdiction, judgments, orders, directions or requests issued by any court, legal or regulatory bodies which Marsh or any member of the Marsh Group may be subject to, whether local or overseas (including but not limited to disclosures to regulatory bodies, rules and regulations relating to anti-money laundering and countering the financing of terrorism, and conducting audit checks, surveillance and investigation);
- obtaining legal services, seeking legal advice and engaging in dispute resolution;
- any other purposes as set out in the PICS; and
- purposes which are reasonably related to the aforesaid.
5. Direct marketing
Provided you give your consent (which includes an indication of no objection), we may use your Personal Data (including your name, address, email address and telephone number) to contact you with news, offers and information on insurance, financial, wealth management or related products and services that may be of interest to you. We may also use other Personal Data about you (such as your age, gender and income group) to customise our direct marketing and to ensure you receive information about products and services that are likely to be most suitable for you.
Provided you give your consent (which includes an indication of no objection), we may also provide your Personal Data (including your name, address, email address and telephone number) to (a) other entities within the Marsh Group so that they may contact you with respect to their insurance and financial products and services; and (b) selected business partners within the financial and insurance sector, so that they can contact you with news, offers and information on insurance, financial, wealth management or related products and services that may be of interest to you. We may also provide other Personal Data about you (such as your age, gender and income group) to enable them to customise their direct marketing and to ensure you receive information about products and services that are likely to be most suitable for you. We may provide your Personal Data to these third parties for gain.
We cannot use or provide your Personal Data for direct marketing purposes without your consent (which includes an indication of no objection). You can opt out of direct marketing, free of charge, at any time. You may do so by providing notice to us via one of the following response channels:
a) by email to firstname.lastname@example.org or
b) by post to:
Data Privacy Officer
Marsh (Singapore) Pte Ltd
8 Marina View,
#09-02 Asia Square Tower 1
Please be aware that once we receive confirmation that you wish to withdraw your consent for marketing or promotional materials/communication, we will require a reasonable period of time to process your withdrawal request. During this period of time you may still receive marketing or promotional materials/communications. Please note that even if you withdraw your consent for the receipt of direct marketing materials, we may still contact you for other purposes in relation to the facilities or services that you hold or have subscribed to with Marsh.
6. To whom do we disclose your Personal Data?
Personal Data held by us shall be kept confidential. However, in order to provide you with effective and continuous products and services, and for the purposes listed above (where applicable), your Personal Data may be disclosed to the following parties, who may be located within or outside Malaysia:
- insurance and re-insurance companies;
- insurance brokers and agents;
- claims investigation companies;
- entities within Marsh Group including our head office and any of its branches, representatives offices, subsidiaries, related corporations and affiliates;
- agents, contractors or third party service providers who provide administrative and operational services to Marsh, such as courier services, telecommunications, information technology, payment, printing, redemption, payroll, processing, training, survey, market research, storage, archival or other services to Marsh;
- when you apply for any benefits and/or products offered through the Website, we will pass your personal details and those of your beneficiary, where applicable, to the provider of those benefits and/or products. Thereafter, the provider may correspond with you directly. Information we have gathered from your employer and you may also be used by us to communicate with you on any matter relating to your benefits and the provision of our Services in general;
- vendors and other third party administrators and/or service providers in connection with services, promotions and events offered by Marsh, including without limitation, bankers, lawyers, healthcare providers and accountants;
- any business partner, investor, assignee or transferee (actual or prospective) to facilitate business asset transactions (which may extend to any merger, acquisition or asset sale);
- credit reference agencies;
- debt collection agencies;
- partnering financial institutions;
- our business partners for the purpose of contacting you with information about insurance, financial, wealth management or related products and services;
- our professional advisers such as financial advisors, auditors and lawyers;
- industry associations and federations;
- medical bill review companies;
- relevant courts, regulatory bodies, government agencies, statutory boards, administrative bodies, industry bodies, authorities or law enforcement agencies located anywhere in the world, in order to comply with any laws, rules, guidelines and regulations or schemes to which Marsh or any member of the Marsh Group may be subject, whether situated locally or overseas;
- external business, referral and charity partners in relation to the marketing and promotion of products and corporate promotional events; and
- any other party to whom you authorise us to disclose your Personal Data to.
In connection with the purposes set out in this MEDEFEND-MARSH Data Protection Policy, your Personal Data may be transferred outside Malaysia. That means your Personal Data may not be protected to the same or a similar level as it would in Malaysia. However, we will take all reasonable measures to ensure that your Personal Data is processed and stored securely, regardless of the country in which it is processed or stored.
7. How do we protect your data?
The security of Personal Data is our priority. Marsh takes all practicable physical, technical and organisational measures to ensure the security and confidentiality of Personal Data. We protect your information in a highly secure data centre, adhering to strict computer security standards. We have put in place, privacy protection control systems designed to ensure that our customers' information remain safe, secure and private. For more information on our security measures, please write to us to seek our security statement.
Employee access is only limited to authorised employees who are fully trained in handling your information. These authorised personnel are required to ensure the confidentiality of your information and to respect your privacy at all times. Employees who have access to your information will be subjected to disciplinary action should they fail to observe this MEDEFEND-MARSH Data Protection Policy and other guidelines, codes or policies which we may issue to them from time to time.
If we disclose any of your Personal Data to our authorised agents or service providers, we will require them to appropriately safeguard the Personal Data provided to them.
When disclosing Personal Data to persons both within and outside Malaysia, we shall:
- require that such recipients are subject to duties of confidentiality in relation to your Personal Data;
- require that such recipients abide by the requirements of the Ordinance; and
- prohibit such recipients from using your Personal Data for any purpose other than for the purpose for which Marsh originally collected your Personal Information.
Your employer has provided us with your business e-mail address in order for us to communicate your benefit offering and our Services. E-mail messages sent over the Internet cannot be guaranteed to be completely secure as they may be subject to possible interception or loss. If you do not want to be contacted on your business e-mail address, please send an email to email@example.com
8. How long may we retain your Personal Data?
We will only retain Personal Data for as long as necessary to fulfil the purpose(s) for which it was collected (and any related purposes) or to comply with legal, regulatory and internal requirements
9. Changes to this MEDEFEND-MARSH Data Protection Policy
Please note that we may update this MEDEFEND-MARSH Data Protection Policy from time to time to ensure that this MEDEFEND-MARSH Data Protection Policy is consistent with our future developments, industry trends and/or any changes in legal or regulatory requirements. If there are material changes to any of the content of this MEDEFEND-MASRH Data Protection Policy, we will notify you by posting a notice of such changes on our Website or by sending you a notification directly. Any revised version of this MEDEFEND-MASRH Data Protection Policy will take effect immediately upon publishing it on the Website. Do periodically review this MEDEFEND-MARSH Data Protection Policy to stay informed on how we are protecting and managing your information.
Subject to your rights at law, you agree to be bound by the prevailing terms of this MEDEFEND-MARSH Data Protection Policy.
10. Access and correction of your Personal Data
You should ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with products and services you have requested / applied for or you not being able to use such product and/or service. In some circumstances, the provision of inaccurate or incomplete information may amount to a breach of your duty of disclosure, which may result in more serious consequences, such as avoidance of your insurance policy and recovery of claims already paid under it.
We are committed to ensuring that the Personal Data we hold about you is accurate, complete, and up-to-date. If there are any changes to your Personal Data or if you believe that the Personal Data we have about you is inaccurate, incomplete, misleading or not up-to-date, please contact us so that we may take steps to update your Personal Data.
You have the right to access your Personal Data. If you would like to request access to your Personal Data, please send us a request in writing to the email address or postal address below. Please note that depending on the information requested we may charge a reasonable fee. We may also take steps to verify your identity before fulfilling your request for access to your Personal Data.
11. How can you contact us?
Requests for access and correction or for information regarding policies and practices and kinds of Personal Information held by Marsh should be directed to any one of the following response channels:
a) by email to firstname.lastname@example.org or
b) by post to:
Data Privacy Officer
Marsh (Singapore) Pte Ltd
8 Marina View,
#09-02 Asia Square Tower 1