Milliman Personal Data Privacy Policy – Milliman GmbH, Austria

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Austrian affiliate’s (Milliman GmbH) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman GmbH are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman GmbH are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman GmbH may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman GmbH’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman GmbH and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Austria, such authority is the “Österreichische Datenschutzbehörde” (https://www.dsb.gv.at/).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman GmbH Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris. We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman BVBA, Belgium

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Belgian affiliate’s (Milliman BVBA) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman BVBA are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman BVBA are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman BVBA may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman BVBA’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman BVBA and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Belgium, such authority is the “Autorité de protection des données (APD)” (Homepage | Autorité de protection des données<br>Gegevensbeschermingsautoriteit (dataprotectionauthority.be)).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman BVBA Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing Milliman’s and the Brazilian affiliate’s (Milliman Consultoria Atuarial LTDA) use and protection of personal data that individuals and clients residing within the territory of Brazil share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the Brazilian General Protection Data Law (LGPD), the Brazilian Internet Law, the Brazilian Consumers Right Law, and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Consultoria Atuarial LTDA are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Consultoria Atuarial LTDA are both responsible for the compliance with applicable data protection laws and therefore fully liable for any Personal Data under the terms of the LGPD and applicable laws of the land on privacy.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with clients and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Item I of Art. 10 of the LGDP).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Item I of Art. 10 of LGPD). Milliman may rely on your consent (Item I of Art. 10 of LGPD) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman’s legitimate interest (Item I of Art. 10 of LGPD), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes. Data from public resources are those available in public platforms that are structured to permit automated processing and that are available to any person without any registration requirement.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect this information from our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Consultoria Atuarial LTDA and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., for purposes of centralization of Milliman’s administrative, contract management, Client Relationship Management (CRM), IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events. We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that it and its affiliates will process Personal Data in compliance with this Privacy Policy, the laws of the LGPD and laws of the land on privacy, and for implementing technical measures to prevent leakage of Personal Data.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the LGPD and the laws of the land on personal data protection. Those can be made available at Milliman’s premises by contacting us at [email protected].

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Sensitive Personal Data

Milliman’s policy is to process Sensitive Personal Data in conformity with the LGPD and with your prior and explicit consent. Processing will be limited and directly related to the purposes for which it was accessed, stored and used. The legal basis for the processing of Sensitive Personal Data is set out by Art. 11 to 13 of the LGPD.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to this Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Information to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Privacy Shield

Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the LGPD and the laws of the land on privacy and, in the case of data transfers to the United States, the EU-U.S. Privacy Shield Framework (or the Swiss-U.S. Privacy Shield Framework, as the case may be), as administered by the U.S. Department of Commerce. If there is any conflict between the terms of this Privacy Policy and the Privacy Shield Principles and the LGPD, the LGPD shall govern. To learn more about the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and to view Milliman’s certification, please visit: https://www.privacyshield.gov/list.

Milliman’s accountability for Personal Data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Milliman remains responsible and liable under the Privacy Shield Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the Brazilian territory.

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a Privacy Shield-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the Brazilian territory may be exercised under the conditions set forth in the LGPD by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

You have a number of rights under the LGPD in relation to your Personal Data, namely:

1. the right of access pursuant to Art. 18, I and II of the LGPD: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 18, III of the LGPD: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 18, VI of the LGPD: the right to obtain from us the erasure of your Personal Data delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18, IV of the LGPD: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 18, IX of the LGPD: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on point our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 18, V of the LGPD: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority pursuant to Paragraph 1 of Art. 18 of the LGPD: you have the right to appeal to the competent data protection supervisory authority - in Brazil it is called the National Authority for the Protection of Data (ANPD). Please note that any processing of your Personal Data prior to the deletion of your account with us or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above by sending a request to Brazil’s Data Protection Officer (DPO), Joao Longo, at [email protected]. We will endeavor to respond to any such request as soon as possible, and in any event within the legal deadline.

How to Contact Us

You may contact the DPO regarding this policy at [email protected].

If you live in the Brazilian territory and you have a complaint regarding the handling of your Personal Data in accordance with the LGPD and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://go.adr.org/privacyshield.html), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data under the LGPD and the laws of the land and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration through the Privacy Shield Panel when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman Limited, Cyprus

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Cypriot affiliate’s (Milliman Limited) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Limited are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Limited are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Limited may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Limited’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Limited and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Cyprus, such authority is the “Office of the Commissioner for Personal Data Protection (Γραφείο Επιτρόπου Δεδομένων Προσωπικού Χαρακτήρα)” (Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (dataprotection.gov.cy)).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Limited Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman SARL, France

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the French affiliate’s (Milliman SARL) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman SARL are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman SARL are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman SARL may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman SARL’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman SARL and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed;
4. the right to restriction of processing pursuant to Art. 18 GDPR: (iyou have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in France, such authority is the “Commission Nationale de l’Informatique et des Libertés” (www.cnil.fr).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman SARLData Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman SAS, France

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the French affiliate’s (Milliman SAS) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman SAS are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman SAS are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman SAS may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman SAS’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman SAS and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in France, such authority is the “Commission Nationale de l’Informatique et des Libertés” (www.cnil.fr).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman SAS Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Germany

Last updated September 2023

The Switzerland privacy policy is available here.

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the German affiliate’s (Milliman GmbH) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman GmbH are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman GmbH are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman GmbH may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman GmbH’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman GmbH and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Germany, such authority is the “Bundesbeauftragte für Datenschutz und Informationsfreiheit” (www.datenschutzkonferenz-online.de) and “Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen” ([email protected]).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or t: Milliman GmbH Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris. We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Data Privacy Policy - India

Last updated July 2020

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Indian affiliates’ (Milliman India Private Ltd and Milliman Advisors LLP) use and protection of personal data that individuals and clients residing within India share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the (Indian) Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Indian data privacy laws”), and other data protection and privacy laws, as applicable.

Milliman, Inc. and the Milliman Indian affiliates are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and the Milliman Indian affiliates are each responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with clients and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (including as provided under Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (including as provided under Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. The Milliman Indian affiliates may also use professional contact details of their clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is the Milliman Indian affiliates’ legitimate interest (including as provided under Art. 6 (1) letter (f) GDPR), unless data protection and privacy law require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect this information from our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman’s Indian affiliates and Milliman, Inc., or other entities controlled by or under common control with Milliman, Inc., for purposes of centralization of Milliman’s administrative, contract management, Client Relationship Management (CRM), IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events. We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that it and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR (adequacy decision or Model Clauses of the European Commission). Those can be made available at Milliman’s premises, by contacting us at [email protected].

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to this Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Rights

You have the following rights under the Indian data privacy laws in relation to your Personal Data, namely:

1. the right of access: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected]. We will endeavor to respond to any such request as soon as possible, and in any event within the legal deadline.

How to Contact Us

If you have any complaint regarding the handling of your Personal Data, you may contact Milliman’s Data Protection Officer at [email protected].

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Milliman Personal Data Privacy Policy – Milliman Ltd, Ireland

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Irish affiliate’s (Milliman Ltd) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Ltd are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Ltd are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Ltd may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Ltd’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Ltd and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Ireland, such authority is the “Data Protection Commissioner” (www.dataprotection.ie).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Ltd Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman Limited, Isle of Man

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Manx affiliate’s (Milliman Limited) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the Manx Data Protection Act of 2018 and its secondary legislation including the Data Protection (Application of the GDPR) Order 2018 (GDPR Order) and the Data Protection (Application of the LED) Order 2018 (LED Order) as amended from time to time, the GDPR and LED Implementing Regulations 2018 and the Data Protection (Application of GDPR)(Amendment) Order 2019 (together the “Legislation”) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Limited are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Limited are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) of the GDPR Order).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) of the GDPR Order). Milliman may rely on your consent (Art. 6 (1) letter (a) of the GDPR Order) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Limited may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Limited’s legitimate interest (Art. 6 (1) letter (f) of the GDPR Order), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Limited and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the Legislation, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

You have a number of rights under the Legislation in relation to your Personal Data, namely:

1. the right of access pursuant to Art. 15  of the GDPR Order, Art. 14 of the LED Order and Art. 43 of the Implementing Regulations: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 of the GDPR Order, Art. 16 of the LED Order and Art. 45 (1) (a) and (b) of the Implementing Regulations: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 of the GDPR Order, Art. 16 of the LED Order and Art. 45 (1) (c) of the Implementing Regulations: the right to obtain from us the erasure of your Personal Data without delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 (1) of the GDPR Order and Art. 16 of the LED Order and Art. 45 (3) of the Implementing Regulations: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art.21 (1) (2) of the GDPR Order: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including decisions based on automated processing, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 (1) of the GDPR Order: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent or on a contract and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 of the GDPR Order) and Art. 45 (7) (a) of the Implementing Regulations: you have the right to appeal to the competent data protection supervisory authority - in the Isle of Man, such authority is the “Information Commissioner” (www.inforights.im).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Limited Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman S.R.L., Italy

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Italian affiliate’s (Milliman S.R.L.) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman S.R.L. are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman S.R.L. are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman S.R.L. may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman S.R.L.’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman S.R.L. and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Italy, such authority is the “Garante per la Protezione dei Dati Personali” (www.garanteprivacy.it).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman S.R.L. Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Data Privacy Policy - Japan

Last updated June 2020

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing Milliman’s and the Japan affiliate’s (Milliman Japan) use and protection of personal data that individuals and clients residing within Japan share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU-U.S. Privacy Shield, the EU General Data Protection Regulation (GDPR), and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Japan are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Japan are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with clients and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Japan may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Japan’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy law require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect this information from our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Japan and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., for purposes of centralization of Milliman’s administrative, contract management, Client Relationship Management (CRM), IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events. We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR (adequacy decision or Model Clauses of the European Commission). Those can be made available at Milliman’s premises, by contacting us at [email protected].

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Information to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Privacy Shield

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-U.S. Privacy Shield Framework (or the Swiss-U.S. Privacy Shield Framework, as the case may be), as administered by the U.S. Department of Commerce. If there is any conflict between the terms of this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and to view Milliman’s certification, please visit: https://www.privacyshield.gov/list. Milliman’s accountability for Personal Data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Milliman remains responsible and liable under the Privacy Shield Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage.

Rights

You have a number of rights under the GDPR in relation to your Personal Data, namely:

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed;
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on point our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected]. We will endeavor to respond to any such request as soon as possible, and in any event within the legal deadline.

How to Contact Us

Milliman’s Data Protection Officer can be contacted at [email protected].

Data Privacy Policy - Korea

Last updated June 2020

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Korean affiliate’s (Milliman Korea) use and protection of personal data that individuals and clients residing within South Korea share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the Korean Personal Information Protection Act (KPIPA), and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Korea are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Korea are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with clients and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 15(1)(vi) of KPIPA).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 15(1)(vi) of KPIPA). Milliman may rely on your consent (Art. 15(1)(i) of KPIPA) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Korea may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Korea’s legitimate interest (Art. 15(1)(vi) of KPIPA), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect this information from our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

No automated decision-making, including profiling, is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Korea and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., for purposes of centralization of Milliman’s administrative, contract management, Client Relationship Management (CRM), IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events. We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that it and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the KPIPA. Those can be made available at Milliman’s premises, by contacting us at [email protected].

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to this Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Information to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Rights

You have a number of rights under the KPIPA and the Korean Credit Information Use and Protection Act (KCIUPA) in relation to your Personal Data and credit information, namely:

1. the right of access pursuant to Art. 35 of KPIPA: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification and erasure pursuant to Art. 36 of KPIPA: you have the right to request rectification or erasure of Personal Data concerning you.
3. the right to suspension of processing pursuant to Art. 37 of KPIPA: you have the right to request suspension of processing your Personal Data. Nonetheless, such request may be denied if (a) a special provision exists in law or processing of your Personal Data is required to comply with other legal obligations; (b) there is a concern that such request might cause bodily harm or damage the life of a third party or if it could violate a third party’s property rights or other benefits; (c) a public institution cannot perform its task as prescribed in other law without processing your Personal Data; or (d) it is impossible to perform the agreed upon task without processing your Personal Data, assuming that you have not explicitly expressed your intent to terminate the contract.
4. the right to withdrawal of consent pursuant to Art. 39-7 of KPIPA: you have the right to withdraw your consent to collect, use, and provide Personal Data at any time. Said provision becomes effective as of August 5, 2020.
5. the right to transfer credit information pursuant to Art. 33-2 of KCIUPA (effective August 5, 2020): if Personal Data includes credit information, the owner of credit information has the right to request transfer of its personal credit information to (a) the owner of credit information; (b) personal credit information management company; (c) credit information provider/user prescribed by a Presidential Decree; (d) personal credit rating company; (e) other entity prescribed by a Presidential Decree.
   
   If Personal Data includes credit information, the scope of transferable personal credit information is determined by a Presidential Decree considering: (a) information directly collected from the owner of credit information by the credit information provider/user; (b) information directly provided to the credit information provider/user by the owner of credit information; and (c) information created in transactions between the credit information provider/user and the owner of credit information.
   
   If Personal Data includes credit information, transferable personal credit information shall not be information newly generated or processed by credit information provider/user.
   
   Upon receipt of transfer request of personal credit information, the credit information provider/user shall, without delay, transfer personal credit information through a secured and credible data processing unit, despite other applicable laws such as Act on Real Name Financial Transactions and Confidentiality, Framework Act on National Taxes, Framework Act on Local Taxes, KPIPA, etc.
   
   The credit information provider/user that transferred personal credit information may not need to notify the owner of credit information.
   
   The credit information provider/user may deny or suspend credit information owner’s transfer request for reasons prescribed by a Presidential Decree, such as when the identity of the credit information owner cannot be verified.
6. the right to appeal to a competent data protection supervisory authority (Art. 62 of KPIPA): anyone who suffers infringement on the rights or interests involving his/her Personal Data in the course of processing Personal Data by a controller may report such infringement to the Minister of the Interior and Safety.
   
   The Minister of the Interior and Safety may designate a specialized institution to efficiently receive and handle the claim reports, as prescribed by Presidential Decree. In such cases, such specialized institution shall establish and operate a personal information infringement call center, namely, Privacy Call Center.

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected]. We will endeavor to respond to any such request as soon as possible, and in any event within the legal deadline.

How to Contact Us

If you have any questions or feedback relating to your Personal Data or about this Privacy Policy, please contact Milliman’s Data Protection Officer at [email protected].

Milliman Personal Data Privacy Policy – Milliman S.A., Luxembourg

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Luxembourg affiliate’s (Milliman S.A.) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman S.A. are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman S.A. are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman S.A. may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman S.A.’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman S.A. and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Luxembourg, such authority is the “National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD)” (National Data Protection Commission - Luxembourg (public.lu)) .

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman S.A.Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Netherlands, Milliman B.V.

______________________________________________________________________________________________________________

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Dutch affiliate’s (Milliman B.V.) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman B.V. are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman B.V. are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman B.V. may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman B.V. legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman B.V.and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Netherlands, such authority is the “Autoriteit Persoonsgegevens” (www.autoriteitpersoonsgegevens.nl).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman B.V. Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Netherlands, Milliman Financial Strategies B.V.

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Dutch affiliate’s (Milliman Financial Strategies B.V.) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Financial Strategies B.V.  are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Financial Strategies B.V.  are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Financial Strategies B.V may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Financial Strategies B.V ’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Financial Strategies B.V and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in the Netherlands, such authority is the “Autoriteit Persoonsgegevens”. (www.autoriteitpersoonsgegevens.nl).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Financial Strategies B.V. Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Netherlands, Milliman Pensioenen B.V.

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Dutch affiliate’s (Milliman Pensioenen B.V.) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Pensioenen B.V. are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Pensioenen B.V. are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Pensioenen B.V. may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Pensioenen B.V.’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Pensioenen B.V.and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in the Netherlands, such authority is the “Autoriteit Persoonsgegevens” (www.autoriteitpersoonsgegevens.nl).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Pensioenen B.V. Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris. We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman Sp. Z.o.o., Poland

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Polish affiliate’s (Milliman Sp. Z.o.o.) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Sp. Z.o.o are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Sp. Z.o.o are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Sp. Z.o.o.  may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Sp. Z.o.o. ’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Sp. Z.o.o. and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Poland, such authority is the “Office of Personal Data Protection” (www.uodo.gov.pl/).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Sp. Z.o.o. Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Romania

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Romanian affiliate’s (Milliman S.R.L.) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman S.R.L. are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman S.R.L. are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman S.R.L. may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman S.R.L.’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman S.R.L. and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Romania, such authority is the “National Supervisory Authority for Personal Data Processing (Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal)” (Home page (dataprotection.ro)).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman S.R.L. Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Data Privacy Policy - Singapore

______________________________________________________________________________________________________________

Last updated June 2020

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing Milliman's and the Singapore affiliate’s (Milliman Private Limited) collection, use, disclosure, processing and protection of Personal Data (as defined below) that individuals and clients residing within Singapore share with us, hereafter “you.” Milliman is committed to handling Personal Data in accordance with this Privacy Policy, Singapore's Personal Data Protection Act (Act 26 of 2012) (“PDPA”), and other data protection and privacy laws, as applicable.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

In this Privacy Policy, "Personal Data" means any data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. By providing any Personal Data in the course of interacting with us, including via this website, in connection with Milliman’s marketing activities or contract administration, you agree and consent to the collection, use, disclosure and processing of your Personal Data for the purposes and in the manner set out in this Privacy Policy. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may, to the extent permitted by law or with your consent, collect, use, disclose, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with clients and the administration of the website;.

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest.

Furthermore, where permitted by applicable data protection and privacy laws, Milliman may also collect, use, disclose, store or otherwise process (i) your Personal Data for the sending of marketing communications; and (ii) professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect this information from our marketing emails, texts and/or SMS, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with products and services you have requested.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Private Limited and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., for purposes of centralization of Milliman’s administrative, contract management, Client Relationship Management (CRM), IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events. We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the PDPA and/or any other applicable data protection and privacy laws. Those can be made available at Milliman’s premises, by contacting us at [email protected].

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to this Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Information to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Rights

Depending on the applicable law, you have a number of rights under the PDPA or such other applicable data protection and privacy laws in relation to your Personal Data, including:

1. the right to make an access or a correction request: If you wish to make (a) a request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a request to correct or update any of your personal data which we hold about you, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below. Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.
2. the right to withdraw your consent: The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you in writing. You may withdraw consent and request us to stop using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.
   
   If you withdraw your consent to any or all use of your Personal Data, depending on the nature of your request, Milliman may not be in a position to continue to provide its products and services to you, or administer any contractual relationship in place, which in turn may also result in the termination of any agreements with Milliman, and your being in breach of your contractual obligations or undertakings. Milliman's legal rights and remedies in such event are expressly reserved.

Please note that withdrawing consent does not affect our right to continue to collect, use and disclose Personal Data where such collection, use and disclosure without consent is permitted or required under applicable laws, and any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights, by sending us a request to [email protected]. We will endeavor to respond to any such request as soon as possible, and in any event within the legal deadline.

How to Contact Us

If you:

1. have any questions or feedback relating to your Personal Data or about this Privacy Policy;
2. would like to withdraw your consent to any use of your Personal Data as set out in this Privacy Policy; or
3. would like to obtain access and make correction to your Personal Data records,

please contact Milliman’s Data Protection Officer at [email protected].

Please note that if your Personal Data has been provided to us by a third party (e.g. your employer), you should contact that organisation or individual to make such queries, complaints, and access and correction requests to Milliman on your behalf.

This Privacy Policy shall be governed in all respects by the laws of Singapore.

Milliman Personal Information Privacy Policy – Milliman (Pty) Limited, South Africa

______________________________________________________________________________________________________________

Last updated June 2023

Where Milliman is Acting as a Responsible Party

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the South Africa affiliate ("Milliman (Pty) Limited") use and protection of personal data that individuals and clients share with us (“Personal Information”), hereafter “you”. Milliman is committed to handling Personal Information in accordance with this Privacy Policy, the Protection of Personal Information Act, 2013 ("POPIA") and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman (Pty) Limited are joint-responsible parties with respect to the processing of Personal Information described in this Privacy Policy. This means that Milliman, Inc. and Milliman (Pty) Limited are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Information is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Information

The Personal Information we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Information of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Information is Milliman’s legitimate interest (Section 11(1)(d) and (f) of POPIA).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Information is Milliman’s legitimate interest (Section 11(1) d and (f) of POPIA). Milliman may rely on your consent (Section 11(1)(a) of POPIA) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman (Pty) Limited may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organising contests. For those activities, the legal basis for the processing of Personal Information is Milliman (Pty) Limited’s legitimate interest (Section 11(1)(f) of POPIA), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Information about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organisation, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Information for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Information for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Information of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Information by Milliman.

You should also ensure that all Personal Information submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Information collected from you.

Affiliates and Authorised Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Information may be shared between Milliman (Pty) Limited and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Information with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Information to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Information in compliance with this Privacy Policy.

Milliman also may share Personal Information with authorised third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Information with a third party, Milliman requires that those third parties agree to process Personal Information based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Information are subject to appropriate safeguards that are compliant with POPIA.

Other Disclosures

Milliman may also disclose Personal Information and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Information in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Information on a secure server that is password protected and shielded from unauthorised access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Information. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to, Personal Information held or processed by Milliman. If Milliman forwards Personal Information to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Information once the purpose of the collection and processing of such Personal Information has been fulfilled and the adequate duration for documentation and backup storage of such Personal Information has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Information for any other purpose for which we still have legal grounds for processing such Personal Information (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Information (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Information from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Information without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Information.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Information.

We do not disclose your Personal Information to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Information Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Information should you have decided to disclose your Personal Information to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Information that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Rights

You have a number of rights under POPIA in relation to your Personal Information, namely:

1. the right of access pursuant to section 23(1) of POPIA: you have the right to obtain from us confirmation as to whether or not Personal Information concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Information and the manner in which, and the purposes for which we process your Personal Information, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to section 24 of POPIA: you have the right to obtain from us the rectification of inaccurate Personal Information concerning you, and the right to have incomplete Personal Information completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to section 24 of POPIA: you have the right to obtain from us the erasure of your Personal Information without undue delay where (a) your Personal Information is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Information has been unlawfully processed.
4. the right to restriction of processing pursuant to section 11(2)(b) of POPIA: you have the right to obtain from us the restriction of processing of your Personal Information where (a) the accuracy of such Personal Information is contested by you (for such period as will enable us to verify the accuracy of your Personal Information); (b) the processing of your Personal Information is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Information for the purposes of the processing, but require such Personal Information for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Information on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to section 11(3) of POPIA: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Information, which is based on point our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Information unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Information or direct marketing purposes at any time, without giving reason.
6. the right to institute civil proceedingsregarding any alleged interference with the protection of your Personal Information as provided in section 99 POPIA.
7. the right to complain to the Information Regulator in terms of section 74 of POPIA: you have the right to complain to the competent data protection supervisory authority - in South Africa such authority is the Information Regulator .

Please note that any processing of your Personal Information prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman’s Pty Limited Global Data Privacy Director, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

Milliman Personal Data Privacy Policy – Milliman Consultants and Actuaries S.L., Spain

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Spanish affiliate’s (Milliman Consultants and Actuaries S.L.) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Consultants and Actuaries S.L. are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Consultants and Actuaries S.L. are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Consultants and Actuaries S.L. may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Consultants and Actuaries S.L.’s legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Consultants and Actuaries S.L. and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR): you have the right to appeal to the competent data protection supervisory authority - in Spain, such authority is the “Agencia Española de Protección de Datos” (Agencia Española de Protección de Datos | AEPD)

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Consultants and Actuaries S.L. Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Data Privacy Policy – Milliman AG, Switzerland

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Swiss affiliate’s (Milliman AG) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the New Federal Act on Data Protection as amended from time to time (the “Act”) and its ordinances and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman AG are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman AG are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 31 (2) of the Act).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 31 (2) of the Act). Milliman may rely on your consent (Art. 6 (6) and (7) of the Act) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman AG may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman AG’s legitimate interest (Art. 31 (2) of the Act), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman AG and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the Act, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

You have a number of rights under the Act in relation to your Personal Data, namely:

1. the right of access pursuant to Art. 25 to 27 of the Act: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 32 (1) of the Act: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 32 (2) (c) of the Act: the right to obtain from us the erasure of your Personal Data without delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 29 and 32 (2) of the Act GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 32 (2) of the Act: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 28 of the Act: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority pursuant to Art. 32(2) of the Act: you have the right to appeal to the competent data protection supervisory authority – in Switzerland, such authority is the “Eidgenössischer Datenschutz-und Öffentlichkeitsbeauftraget” (www.edoeb.admin.ch).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman AG Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris. We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Data Privacy Policy - Milliman Aktueryal ve Stratejik Danışmanlık Limited Şirketi, Turkey

______________________________________________________________________________________________________________

Last updated June 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Turkish affiliate’s (Milliman Aktueryal ve Stratejik Danışmanlık Limited Şirketi) use and protection of Personal Data that individuals and clients residing in Turkey share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the Turkish data protection law no 6698 (the “Law”) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Aktueryal ve Stratejik Danışmanlık Limited Şirketi are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Aktueryal ve Stratejik Danışmanlık Limited Şirketi are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 5 (2) letter (f) of the Law).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 5 (2) letter (f) of the Law). Milliman may also rely on your consent (Art. 5 (1) of the Law) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Aktueryal ve Stratejik Danışmanlık Limited Şirketi may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Aktueryal ve Stratejik Danışmanlık Limited Şirketi’s legitimate interest (Art. 5 (2) letter (f) of the Law), unless data protection and privacy law require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Aktueryal ve Stratejik Danışmanlık Limited Şirketi and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events). We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman, located in and outside of Turkey. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the Law.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Information to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Rights

You have a number of rights under the Law in relation to your Personal Data, namely:

1. the right to learn whether Personal Data are processed or not, to request information if Personal Data are processed, to learn the purpose of the processing and to know the third parties to whom the Personal Data is transferred, pursuant to Art. 11 of the Law: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing. You have the right to know the third parties to whom your Personal Data is transferred in country or abroad.
2. the right to rectification pursuant to Art. 11 of the Law: you have the right to obtain from the us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete Personal Data completed, including by means of providing a supplementary statement. Where your Personal Data is transferred to third parties, you have a right to request from us the notification of the rectification of inaccurate Personal Data to third parties to whom your Personal Data have been transferred.
3. the right to erasure pursuant to Art. 11 of the Law: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed; You have right to request from us the notification of the erasure of your Personal Data to third parties to whom your Personal Data have been transferred.
4. the right to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems pursuant to Art. 11 of the Law.
5. the right to request compensation for the damage arising from the unlawful processing of your Personal Data pursuant to Art. 11 of the Law before the competent data protection supervisory authority - in Turkey, such authority is the Data Protection Board “Kişisel Verileri Koruma Kurumu” or “KVKK” (www.kvkk.gov.tr).

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Global Data Privacy Officer 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

How to Contact Us

Milliman can be contacted at [email protected].Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

Data Privacy Policy – DIFC, UAE

Last updated April 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the way in which Milliman Limited, an affiliate of Milliman located in the Dubai International Financial Centre, United Arab Emirates ("DIFC") uses and protects Personal Data that individuals share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, DIFC Data Protection Law No. 5 of 2020 (the "DP Law") and other data privacy legislation, as applicable.

Milliman, Inc. and Milliman Limited are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Limited are both responsible for the compliance with the DP Law and other applicable data privacy legislation.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to: (i) the website; (ii) each web page; and (iii) the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with you. All processing (i.e., use) of your personal information is justified by a "lawful basis" for processing. In most cases, processing will be justified on the basis that:

• the processing is necessary for the performance of a contract to which you are a party, or to take steps (at your request) to enter into a contract (e.g., where you request certain services as an individual client, or where we help advise your employer or service provider on fulfilling an obligation to you under a contract);
• the processing is necessary for us to comply with a relevant legal obligation (e.g., where we are required to collect certain information about our clients for tax or accounting purposes, or where we are required to make disclosures to courts or regulators); or
• the processing is necessary for the performance of a task carried out in the public interest (e.g., background checks for anti-money laundering and terrorist financing purposes); or
• the processing is in our legitimate interests, subject to due consideration for your interests and fundamental rights (this is the basis we rely upon for the majority of our processing activities in connection with the provision of our services, the collection of Personal Data via our website, and also for the purposes of most client on-boarding, administration and relationship management activities).

In the context of the collection of data through this website, as well as through Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data relating to:

• visitors to our websites who request information about products or services. This may include (but is not limited to) your first name, last name, title, company, phone number, location, email address, subject of the request and message given. We collect and process this information because we have a legitimate business interest in managing our relationship with visitors and to assist with the administration of the website.
• client representatives, officers, agents and employees, business partners, parties to a contract for contract administration purposes. This may include (but is not limited to) your name, professional address, title, email and other professional contact details. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to enquiries about our products or services and to provide offers and other information about our products, services, and events that we think may be of interest to you. We collect and process this information because we have a legitimate business interest in managing our relationship with you. Milliman may also rely on your consent for the sending of marketing communications when so required by applicable data privacy legislation, in which case we will ask your consent prior to our sending the communication to you. Milliman Limited may also use the professional contact details of its clients’ employees for the purpose of sending surveys or questionnaires. In all instances, we collect and process this information because we have a legitimate business interest in managing our relationship with you and for the proper administration of our business. We may also collect and process limited Personal Data about you which is collected from public resources (such as LinkedIn) including your name, email address, telephone number, organisation, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer, you will be given the opportunity to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data from our marketing emails, or if you wish to unsubscribe from receiving marketing communications from us, you may write to us at [email protected] requesting the same.

If you provide us with Personal Data of another individual, it is your duty to make sure that those individuals have already consented to or are appropriately informed about the processing of their Personal Data by Milliman, in accordance with the terms of this Privacy Policy.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

In all instances, where the basis for processing your Personal Data is based on consent, you may withdraw your consent at any time.

Affiliates and Authorised Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Limited and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data privacy protections as may be afforded in the DIFC.

However, Milliman ensures that where we do so, for such transfers we obtain contractual commitments (such as the Standard Contractual Clauses) from them in order to protect your personal information or put in place other adequate safeguards to protect your Personal Data.

Milliman also may share Personal Data with authorised third-party agents or contractors that perform services for Milliman, located in and outside of the UAE. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

In all cases, any transfers of Personal Data out of the DIFC are subject to appropriate safeguards that are compliant with the DP Law.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data to investigate or to take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorised access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable data privacy laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or as directed by law. Milliman will delete your Personal Data once the purpose of the collection and processing has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing (such as for the purposes of complying with a legal obligation or when the processing is necessary for a legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so to ensure that such marketing communications are no longer sent to you in the future.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

This website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (all or part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your consent. Note that any information you disclose to Third Party Websites is no longer under our control and no longer subject to this Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change the terms of this Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Rights

You have a number of rights under the DP Law in relation to your Personal Data, namely:

1. the right of access: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification: you may ask us to correct inaccurate Personal Data concerning you and may ask us to update or amend any incomplete Personal Data completed. You can do this by providing a supplementary statement.
3. the right to erasure: you may ask us to delete your Personal Data delay where: (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for processing that we may rely on); (c) you object to the processing of your Personal Data and we have no overriding legitimate grounds to continue to process it; or (d) where your Personal Data has been unlawfully processed.
4. the right to restrict the processing of your Personal Data: you may ask us to restrict the processing of your Personal Data where: (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such Personal Data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; or (d) you have exercised the right to object, and verification of our overriding grounds is pending.
5. the right to object: you have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data for direct marketing purposes at any time, without giving reason.
6. the right to data portability: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller. Please note this applies only where our processing of your Personal Data is based on your consent, or the performance of a contract and the processing is carried out by automated means.
7. the right to appeal to a competent data protection supervisory authority: you have the right to appeal to the competent data protection supervisory authority - in the DIFC, such authority is the “DIFC Commissioner of Data Protection”.

Please note that any processing of your Personal Data which occurs prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to : Milliman Limited Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris. We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

Milliman Personal Data Privacy Policy – Milliman Consulting Limited, United Kingdom

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the UK affiliate’s (Milliman Consulting Limited) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (together the “UK GDPR”) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Consulting Limited are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Consulting Limited are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) of the UK GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Consulting Limited may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Consulting Limited’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between  Milliman Consulting Limited and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 of the UK GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 of the UK GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 of the UK GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 of the UK GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 of the UK GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling (Art. 22 of the UK GDPR) based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 of the UK GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 of the UK GDPR and Part 6 of the Data Protection Act): you have the right to appeal to the competent data protection supervisory authority - in the United-Kingdom, such authority is the “Information Commissioners’ Office” (www.ico.org.uk).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Consulting Limited Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman Financial Strategies Limited, United Kingdom

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the UK affiliate’s (Milliman Financial Strategies Limited) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (together the “UK GDPR”) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Financial Strategies Limited are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Financial Strategies Limited are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) of the UK GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Financial Strategies Limited may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Financial Strategies Limited’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Financial Strategies Limited and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 of the UK GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 of the UK GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 of the UK GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 of the UK GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 of the UK GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling (Art. 22 of the UK GDPR) based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 of the UK GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 of the UK GDPR and Part 6 of the Data Protection Act): you have the right to appeal to the competent data protection supervisory authority - in the United-Kingdom, such authority is the “Information Commissioners’ Office” (www.ico.org.uk).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman Financial Strategies Limited Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Milliman Personal Data Privacy Policy – Milliman LLP, United Kingdom

Last updated September 2023

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the UK affiliate’s (Milliman LLP) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the UK, share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (together the “UK GDPR”) and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman LLP are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman LLP are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with visitors and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, including for billing purposes, due diligence and conflict checks, to facilitate the communication, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR). Milliman may rely on your consent (Art. 6 (1) letter (a) of the UK GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman LLP may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman LLP’s legitimate interest (Art. 6 (1) letter (f) of the UK GDPR), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data for our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at [email protected] requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman LLP and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s General Corporate Services, including: administrative services, contract management, Client Relationship Management (CRM), IT-maintenance  and security, data privacy (management of data subjects’ request) and marketing services (cookie management, inquiry tracking via Milliman’s website form, communication regarding Milliman’s products, services, or events).

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR, as is described in the section “Transfer of Personal Data Across Borders”.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at [email protected], and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Data to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Transfers of Personal Data across National Borders

Milliman is a global company that transfers Personal Data across national borders in compliance with the laws that apply to such transfers. Milliman has put in place appropriate safeguards to ensure its data transfers are adequately protected. Milliman’s legal bases for respective data transfers are outlined in this Privacy Policy. When Personal Data is transferred from one of our entities in the European Economic Area (“EEA”), Switzerland, the Isle of Man or the United Kingdom to the United States or another country outside of the EEA, or from entities in the EEA to another country outside of the EEA, we rely on one or more of the following legal mechanisms which provide adequate safeguards for the transfers: the adequacy decisions adopted by the European Commission on the basis of Art. 45 GDPR, the European Commission-approved Standard Contractual Clauses, the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), or any other applicable transfer mechanism deemed as adequate by applicable data protection laws. You can request a copy of any standard contractual clauses relating to your Personal Data that we may have executed by contacting us using the details below. Milliman commits to cooperate with the EU data protection authorities, the Swiss Federal Data Protection Information Commissioner, the Isle of Man Information Commissioner, the UK Information Commissioner’s Office and any other relevant data protection authority, and to comply with the advice given by such authorities, with regard to Personal Data transferred from one of our entities in the EEA, Switzerland, the Isle of Man or the United Kingdom, to countries outside of the EEA. Milliman will conduct any necessary impact assessments, following the rules under applicable data protection laws and thus guaranteeing the safe transfer of your Personal Data.

Data Privacy Framework

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF), as administered by the U.S. Department of Commerce. Milliman has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Milliman has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Milliman’s certification, please visit https://www.dataprivacyframework.gov/.

Milliman’s accountability for Personal Data that it receives under the DPF Principles and subsequently transfers to a third party is described in the DPF Principles. In particular, Milliman remains responsible and liable under the DPF Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a DPF-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: [email protected]. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Rights

1. the right of access pursuant to Art. 15 of the UK GDPR: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
2. the right to rectification pursuant to Art. 16 of the UK GDPR: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. the right to erasure pursuant to Art. 17 of the UK GDPR: the right to obtain from us the erasure of your Personal Data without undue delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed.
4. the right to restriction of processing pursuant to Art. 18 of the UK GDPR: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.
5. the right to objection pursuant to Art. 21 of the UK GDPR: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on our legitimate interests, including profiling (Art. 22 of the UK GDPR) based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.
6. the right to data portability pursuant to Art. 20 of the UK GDPR: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).
7. the right to appeal to a competent data protection supervisory authority (Art. 77 of the UK GDPR and Part 6 of the Data Protection Act 2018): you have the right to appeal to the competent data protection supervisory authority - in the United-Kingdom, such authority is the “Information Commissioners’ Office” (www.ico.org.uk).

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to [email protected] or to: Milliman LLP Data Protection Officer, 14 Avenue de la Grande Armée, F-75017 Paris.  We will endeavor to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

 Milliman can be contacted at [email protected]. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ([email protected]). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the DPF Principles and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://www.adr.org/), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

California

California Consumer Privacy Policy

CCPA Business Contact Notice at Collection