Introduction
This Privacy Notice describes how Mercer Mettl (collectively, "Mettl", the "Company", or "Us"), collects, uses, accesses, shares, retains, transfers and otherwise processes information relating to identified or identifiable individuals (Personal Data), and the rights you may have regarding your Personal Data.
We believe that it is important for you to understand how we process Personal Data and encourage you to take a moment to familiarize yourself with our privacy practices outlined below.
Mettl is operated and provided by the Marsh & McLennan Companies Inc. ("Marsh") group and is administered through Induslynk Training Services Private Limited, with its registered office at 1201-02, Tower 2, One World Centre, Jupiter Mills, Centre, Senapati Bapat Marg, Elphinstone Road, Mumbai, Mumbai City, Maharashtra, India, 400013 and operating from 8th Floor, Good Earth Business Bay, Sector 58, Gurgaon, India 122101.
Mettl operates a proprietary platform (the "Platform") through which Mettl provides or procures the provision of assessments, interviews & simulations, tests, or personality evaluations (each an "Assessment").
Please note that in some instances we act on behalf of and under the instructions of clients, or other partners who act as controllers. Please refer to their respective privacy policies for more information regarding the processing of your Personal Data in these contexts.
Identity of Controller
You may have been asked by a third party to complete an Assessment on the Mettl Platform. That third party is our client and may be your employer, potential employer, educational institute or another related party that has requested you to complete an Assessment.
As described below, Mettl collects Personal Data through any Assessments that you take or your interaction with the Platform. Mettl generally acts as a Processor of your Personal Data and follows the instructions of our client, who acts as the third party Controller of your data. In most cases, this Controller is your employer, educational institute, or other entity who has requested your participation in an Assessment and provided your Personal Data to us.
Mettl may also act as a Controller as necessary to conduct our business, including to verify your identity, respond to your queries, communicate with you and when we de-identify and aggregate Personal Data for use in analytics for the purpose of benchmarking data and improving our products and services.
If you want further information about whether we act as a Controller or Processor of your Personal Data, please contact us at privacy@mmc.com.
What Personal Data Do We Collect
To create an account and/or to register you on our Platform, we require the collection of your first name and email address. Often, the Controller (i. e. , our client) provides us with this data and may also request that we collect additional categories of Personal Data from you. When acting as a Processor, we collect such Personal Data only upon the instruction of the Controller.
As Controller, acting independently, or Processor, as instructed by the client, we may collect the following categories of Personal Data where appropriate to fulfil our intended business purposes:
| Category | Examples |
|---|---|
| Biographical identifiers | Name, date of birth, age, place of birth, gender. |
| Contact information | Home address, telephone number, personal email address. |
| Professional or employment-related information | Employer or group, relationship to our company, job title, business contact details, employee ID. |
| Protected Classifications | Race, citizenship, physical or mental health or disability, gender, gender identity, pregnancy or childbirth and related medical conditions. |
| Biometric and physical data | Facial scans and facial monitoring via photo or video as part of proctoring options. |
| Data concerning your physical environment | Photo, audio or video of your specific localized area as part of proctoring options. The specific data collected regarding your physical environment will vary based on what is visible to the proctoring cameras. |
| Inferred Information | Profile reflecting a person's preferences, characteristics, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes. |
| Internet or other similar network activity | Browsing and search history, interaction with a website, application, or advertisement, data from cookies or web beacons, login credentials, domain names, and interactions with our emails, including when you read and respond to emails, ISP (Internet Service Provider), browser details, other website activity, online identifiers (including IP address or device ID). |
| Any other voluntarily-provided information | General survey information, including information voluntarily provided in response to ‘free-text’ comment boxes. |
Our surveys may offer you the opportunity to provide written comments or elaborate about certain responses. We request that you do not provide information that may personally identify you or others when writing in the comment section. It is your responsibility to refrain from posting or sharing such information.
Mettl strives to adhere to the concept of data minimization and seeks to collect only the Personal Data that is strictly necessary for the provision of services to you or to our client. However, we are unable to control the information requested by our clients or the information you voluntarily provide.
How We Collect Personal Data
We may collect Personal Data from the following sources:
Information Provided by You, Your Representatives or Third Parties
Directly from you, for example when you visit the Platform, create an account, complete an Assessment, or otherwise provide us with Personal Data.
Your representatives, including your employer, potential employer educational institute, association, or third party requesting your engagement with a Platform or Assessments.
If you supply us with Personal Data about other people (e. g. , colleagues, managers, family members, beneficiaries, or dependents), you represent that you have the authority to provide this information and that you have shared this Privacy Notice where appropriate. We do not knowingly collect or process Personal Data directly about minors.
Collection by Automated Means
We use cookies and related tracking technologies ("Cookies") on our company-owned websites. If available based on your jurisdiction, website users can opt-out of our use of certain Cookies using the Manage Cookies link at the bottom of the website and find out more about how we use Cookies by selecting the Cookie Notice link.
Interactions with Third Parties
External Links
Our websites may include links to websites that are operated by organizations other than the Company. If you access another organization’s website using a hyperlink on our website, the other organization may collect information from you. The Company is not responsible for the content or privacy practices of linked websites or their use of your Personal Data. If you leave a Company website via such a link (you can tell where you are by checking the URL in the location bar on your browser), you should refer to that website’s privacy policies, terms of use, and other notices to determine how the other organization will handle any Personal Data they collect from you.
Collection by Third Parties
If you interact with a third party on the Platform, that third party may collect and process Personal Data about you, including through Cookies. In those instances, and for any other arrangement where we receive information from your employer, association or other third party, we encourage you to read the third party’s privacy policy to learn more about how your information will be used and disclosed by them.
How We Use the Personal Data We Collect
As a Processor, we use Personal Data as instructed by our client, the Controller (often your employer, potential employer, educational institute, or other entity requiring or requesting you to take an Assessment) for the purposes of providing services to that Controller. If you have any questions or concerns about the legal basis under which your Personal Data is being processed, please contact your relevant Controller.
As a Controller, we use Personal Data as necessary to conduct our business, including to verify your identity, respond to your queries, communicate with you, establish an online account, or carry out our contractual obligations. Specifically, we may use your Personal Data in the following ways:
| Purpose | Description of Use | Legal Basis |
|---|---|---|
| To conduct our business | We use Personal Data as necessary to conduct our business, including to verify your identity, respond to your queries, communicate with you, process transactions, establish an online account, or carry out our contractual obligations. | Consent (which you can refuse or withdraw), Contract performance and, where applicable, legitimate interests (to enable us to perform our obligations and provide our services to you and our clients). |
| To provide you with marketing material where permissible under applicable law | We may use your contact details to send you information about products, services, and insights we think might be of interest to you. These communications may be sent by email, text, post, or phone in accordance with your marketing preferences and applicable global laws, including those relating to data protection and electronic communication. As a result, the basis on which we contact you will vary depending on who you are, our relationship with you, and where you are located. Please note that we do not generally use contact details of individual Assessment takers for the purpose of sending marketing materials, except where those individual participants have requested or opted-in to such marketing. Regardless of the basis on which we share our marketing communications with you, we will comply with local law and provide an option for you to unsubscribe at any time in which case we will stop sending you our marketing communications. You can also change your marketing preferences by contacting us at privacy@mmc.com or using a 'Contact Us' form on one of our websites. Please note that, even if you opt-out of receiving marketing communications, we may still send you communications in connection with the services we provide to you. | Consent (which you can refuse or withdraw), legal obligation, and, where applicable, legitimate interest (to keep you updated with news in relation to our products and services). |
| For research, data analytics and development purposes | We may use your de-identified Personal Data together with information from other clients or individuals to create insights, reports, and to conduct other analytics to better understand and improve the quality of our offering; market our advice, products, and services; and evaluate the effectiveness of our marketing activities, websites, and overall service. De-identified Personal Data is not associated with any particular client or individual. | Where applicable, legitimate interests (to allow us to improve our services). |
| To log and monitor certain activities and maintain network security and performance, and protect against cyber attacks | We log and monitor communications and transactions to ensure service quality, compliance with procedures and legal requirements, and to combat fraud. We also use Personal Data as necessary to maintain network security, monitor website performance, and protect our systems against cyber-attacks. | Legal obligation, and, where applicable, legitimate interests (to ensure the quality and legality of our services). |
| To maintain the Platform, our websites and ensure website content is relevant | We use Personal Data as necessary to maintain our websites (including the Platform) and ensure that content from our websites is presented in the most effective manner for you and for your device. | Contract performance and, where applicable, legitimate interests (to allow us to provide you and our clients with content and services). |
| To reorganise or make changes to our business | As necessary if we: (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organisation. | Legal obligation or, where applicable, legitimate interests (to allow us to change our business). |
| In connection with legal or regulatory obligations | We use Personal Data to comply with our regulatory disclosure requirements or as part of dialogue with our regulators as applicable. | Legal obligation. |
| For Fraud, Anti-Money Laundering and Sanctions Screenings | When establishing or maintaining client relationships for the provision of certain services we use Personal Data for the purposes of carrying out fraud, anti-money laundering or sanctions checks. | Legal obligations. |
Most of our studies are conducted with data that has been aggregated and/or de-identified.
We may also use the Personal Data we collect and receive as otherwise described to you at the point of collection.
Profiling and Automated Decision Making
Depending on the Assessment you take, Mettl Assessments are designed to assess a variety of characteristics about you, including cognitive, behavioral, or emotional characteristics or your grasp on specific hard skills, such as coding. Using the information you provide as part of the Assessment, We create a report analyzing the Assessment results that is provided to our client. Under many global regulations, this may constitute profiling.
These ultimate reports analyze the Personal Data that you provide via the Assessment and may incorporate de-identified benchmarking or normative data. We provide these reports as part of our service to our clients. These reports do not in any way constitute a decision taken by Mettl. These reports are factual points provided to our clients based on responses provided by you, and our clients are instructed that each report should be one element in any decision made about you.
While Mettl does incorporate elements of artificial intelligence (AI) into its platform, there are no automated decisions made about you. For example, Mettl has implemented proctoring mechanisms that incorporate AI models to assist in the efficient proctoring of our assessments. However, these AI models do not make any decisions about you and all AI output is reviewed by a human.
Marketing
We may use your Personal Data to send you information about products, services and insights we think might be of interest to you. These communications may be sent by email, text, post, or phone in accordance with your marketing preferences and applicable global laws, including those relating to data protection and electronic communication. As a result, the basis on which we contact you will vary depending on who you are, our relationship with you, and where you are located. For example, if you have an existing or recent business relationship with us or if you have completed a form on one of our websites, including in connection with downloading a report or registering for event or webinar, we will use your preferred work contact details to provide you with information that we think might be of interest. Where necessary, we rely on consent for marketing communications. If we are relying on your consent, you will have the option to refuse or withdraw it.
Regardless of the basis on which we share our marketing communications with you, we will provide an option for you to unsubscribe at any time in which case we will stop sending you our marketing communications. You can also change your marketing preferences by contacting us using the contact details in this notice.
Please note that, even if you opt out of receiving marketing communications, we may still send you communications in connection with the services we provide to you.
Right to Opt in or out of Sale or Sharing for Cross-Context Advertising
If you visit one of our websites, we may disclose your internet or other electronic network activity information, biographical identifiers, geolocation data, and professional information (to the extent it can be derived from your activity on our website) to website analytic and advertising providers for cross-context behavioral or targeted advertising purposes utilizing advertising cookies. Under some laws in jurisdictions such as the United States, this activity may be considered a sale or sharing of information, and you may have the right to opt in or out of these types of disclosures. To opt-in or out of our selling or sharing your Personal Data on our websites or to view the names of specific third parties with whom we have sold or shared your information, please click on the 'Manage Cookies' link at the bottom of our webpage. If you would like to opt out of the sale or sharing of your information, ensure the toggles for 'Advertising' and 'Analytics' trackers are set to 'No' or, where available, enable the Do Not Sell or Share My Personal Data toggle.
You may also implement a browser setting or extension to communicate your selling and sharing preferences automatically to the websites you visit. Our websites process such 'opt-out preference signals' in a frictionless manner by recognizing the Global Privacy Control (GPC). If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available.
Direct Marketing and Do Not Track Signals
In certain jurisdictions, you may have a right to request and obtain a notice once a year about the Personal Data we disclosed to other businesses for their own direct marketing purposes, where permitted by law. If applicable, such a notice will include a list of the categories of Personal Data that were disclosed (if any) and the names and addresses of all third parties to whom the Personal Data was disclosed (if any). The notice will cover the preceding calendar year. You may contact us as provided below if you would like to learn if this right applies to you and, if so, exercise that right.
Please note that some of these rights may be limited where we have an overriding legitimate interest or legal, regulatory, or contractual obligation to continue to process the Personal Data, or where the Personal Data may be exempt from disclosure or erasure under to applicable law. Some of these rights can be exercised only in certain circumstances or may otherwise be limited by data protection legislation in your jurisdiction.
Who We Disclose Personal Data To
We may disclose Personal Data to the following categories of third parties:
| Categories of third parties | Purpose for Disclosure |
|---|---|
| Our clients, which may be your employer, potential employer, educational institute, or another third party who has requested you participate in an Assessment. | To provide services to our clients as described above. |
| Affiliates | Assist in providing the services and enable them to provide services to you or contact you regarding additional products and services. |
| Third party assessment providers | To provide services to our clients. Specifically, where our client has requested you to participate in specific third party assessments, you may be redirected to their proprietary websites from our Platform. All information about how these third parties process your data will be contained within a separate privacy notice on the website to which you are redirected. |
| Agents or third-party service providers | Perform functions or services for us or on our behalf. Such third parties are contractually restricted from using Personal Data for purposes other than providing services for us or on our behalf. |
| Marketing partners, including affiliates and third parties engaged by us or our clients in connection with the services. | As permitted by law to provide you with information about our products, services, events, or insights. |
| Potential partners or successor entities | In the context of mergers, acquisitions, bankruptcies, asset sales or other transactions where a third party assumes control of all or part of our assets. |
| Website analytics and advertising companies | To improve our services, for general operations and business needs, and to help us to improve user experiences on our websites and personalize content, measure the performance and use of content on our websites, and derive insights about the audiences who visit our websites and review content. |
| Anti-fraud databases, supervisory or regulatory authorities, law enforcement and other third parties | As necessary to prevent fraud, communicate with supervisory or regulatory authorities, protect, enforce and defend the legal rights, safety, and security of our Company, our affiliates and business partners, and users of any website; respond to claims of suspected or actual illegal activity; respond to an audit or inquiry, or investigate a complaint or security threat; or comply with applicable law, regulation, legal process, or governmental request. |
We may also disclose de-identified information for commercially legitimate and lawful business purposes. Where we have de-identified information, we will maintain and use it without attempting to re-identify the data other than as permitted under law.
Steps We Take to Protect Personal Data
Our company strives to comply with all applicable cybersecurity and data protection laws. With these goals in mind, Marsh McLennan has a dedicated Chief Information Security Officer (CISO) and a Global Chief Privacy Officer (GCPO). The CISO is responsible for managing a Global Information Security team and a comprehensive cybersecurity program. As part of our cybersecurity program, we have implemented commercially reasonable physical, administrative, and technical safeguards to protect your Personal Data from unauthorized access, use, alteration, and deletion.
The GCPO leads and oversees a Privacy Center of Excellence and a Data Protection Officer Network responsible for implementing our comprehensive global privacy program. The Data Protection Officer Network connects our Data Protection Officers across the world and seeks to implement our privacy program consistently and thoroughly wherever we process data. You can find the name and contact information for the Data Protection Officer in your jurisdiction by emailing us at privacy@mmc.com.
Your Data Protection Rights
Where we act as a Processor, we process Personal Data based on the instructions of our corporate clients who act as the Controller of that information, and you should contact them to exercise any rights you may have under applicable privacy laws.
Where we act as the Controller, we are primarily responsible for deciding how your Personal Data is processed. In such case, you may have some or all the rights listed below, depending on the jurisdiction and our reason for processing your information.
Please note that we may need to use your Personal Data to verify your identity prior to fulfilling any of the below rights:
Right to Information
You have the right to information concerning the processing of your Personal Data. This Privacy Notice provides such information.
Right of Access
You may ask us to provide you with further details on how we make use of your Personal Data, the sources, the categories or specific pieces of Personal Data we have collected, the categories of third parties to whom we have disclosed the information, and to request a copy of the Personal Data that we hold about you.
Right to Correction
You may ask us to update any inaccuracies in the Personal Data we hold. If we disclose your Personal Data to others, we will tell them about the correction where possible.
Right to Deletion
You may ask us to delete any unnecessary or excessive data processed in non-compliance with the law, where we no longer have lawful grounds to process it.
Right to Anonymization
You have the right to request that your Personal Data be anonymized, blocked, or deleted if it is unnecessary, excessive, or not lawfully processed.
Right to Revoke Consent
If we rely on your consent as our legal basis for processing your Personal Data, you have the right to withdraw that consent.
Right to Block
You have the right to block the processing of Personal Data that is unnecessary, excessive, or processed in non-compliance with the law. Blocking is the temporary suspension of processing of Personal Data.
Right to Oppose Processing
You have the right to oppose the processing of your Personal Data in circumstances where it was collected without your consent and in non-compliance with the law.
Right to Data Portability
You may have the right, where it is technically feasible, to ask that we transfer to a third party of your choice a copy of Personal Data we have obtained from you, in a structured, commonly used, and machine-readable format.
Right not to be Subject to Automated Decision-Making
You have the right to request the review of decisions made solely on automated processing of your Personal Data affecting your interests, , including decisions intended to define your personal, professional, consumer, and credit profile.
Right to Obtain Confirmation of the Existence of Processing
You have the right to request that we confirm whether we are processing your Personal Data.
If you wish to exercise any of the above rights or request review of a decision or denial, please contact us using the applicable contact information:
Cross Border Transfers
As a global company operating across more than 80 countries, there are circumstances in which we will have to transfer Personal Data out of the country, province, or territory in which it was collected for the purposes outlined in this Privacy Notice. Specifically, we may transfer data to offer, administer, and manage the Services provided to you, and to enhance the efficiency of our business operations. We will make every effort to ensure that these transfers adhere to all relevant data protection legislation, and that the rights and freedoms of individuals under such laws are appropriately safeguarded.
Where the need for such a transfer arises, we will take steps to ensure that there are appropriate safeguards in place to protect Personal Data such as an impact assessment, adequacy decision by the appropriate supervisory authority, the use of approved binding corporate rules or standard contractual clauses, or your consent.
For information regarding how Marsh & McLennan Companies’ EU (European Union) Binding Corporate Rules (EU BCRs) operate, click here. For a list of entities that have agreed to be bound by the EU BCRs, click here.
For information regarding how Marsh & McLennan Companies’ UK Binding Corporate Rules (UK BCRs) operate, click here. For a list of entities that have agreed to be bound by the UK BCRs, click here.
Retention of Your Personal Data
Our products, services, and regulatory obligations are complex, and thus our retention periods for Personal Data vary. We consider the following obligations when setting retention periods for Personal Data and the records we maintain:
the need to retain information to accomplish the business purposes or contractual obligations for which it was collected;
our duties to effectuate our clients’ instructions with respect to Personal Data we process on their behalf;
our duties to comply with mandatory legal and regulatory record-keeping requirements;
our backup and disaster recovery procedures; and
other legal impacts such as the applicable statute of limitations periods.
Based on the factors above, we may retain Personal Data beyond the period for which we provide services to you. When we no longer need to retain Personal Data, our company policies require that we follow the instructions of our third-party Controller and/or de-identify or aggregate the information such that it is no longer considered Personal Data.
Questions or Concerns
To submit questions or requests regarding this Privacy Notice or our privacy practices, please email us at privacy@mmc.com.
If you would prefer to contact us by post, please write to your local Mercer office and mark the correspondence as for the attention of the Data Protection Officer, courtesy of the Privacy Center of Excellence. If you prefer to contact us by phone, please call your local Mercer office and they will provide you with further details of your local Data Protection Office. You can find the contact information for your local Mercer office on our website, here: Mercer office locations
