Data Privacy Policy – DIFC, UAE

Last updated October 2020

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the way in which Milliman LLC, an affiliate of Milliman located in the Dubai International Financial Centre, United Arab Emirates ("DIFC") uses and protects Personal Data that individuals share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, DIFC Data Protection Law No. 5 of 2020 (the "DP Law") and other data privacy legislation, as applicable.

Milliman, Inc. and Milliman LLC are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman LLC are both responsible for the compliance with the DP Law and other applicable data privacy legislation.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to: (i) the website; (ii) each web page; and (iii) the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers, please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with you. All processing (i.e. use) of your personal information is justified by a "lawful basis" for processing. In the majority of cases, processing will be justified on the basis that:

  • the processing is necessary for the performance of a contract to which you are a party, or to take steps (at your request) to enter into a contract (e.g. where you request certain services as an individual client, or where we help advise your employer or service provider on fulfilling an obligation to you under a contract);
  • the processing is necessary for us to comply with a relevant legal obligation (e.g. where we are required to collect certain information about our clients for tax or accounting purposes, or where we are required to make disclosures to courts or regulators); or
  • the processing is necessary for the performance of a task carried out in the public interest (e.g. background checks for anti-money laundering and terrorist financing purposes); or
  • the processing is in our legitimate interests, subject to due consideration for your interests and fundamental rights (this is the basis we rely upon for the majority of the processing of personal information in connection with the provision of our services, the collection of Personal Data via our website, and also for the purposes of most client on-boarding, administration and relationship management activities).

In the context of the collection of data through this website, as well as through Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data relating to:

  • visitors to our websites who request information about products or services. This may include (but is not limited to) your first name, last name, title, company, phone number, location, email address, subject of the request and message given. We collect and process this information because we have a legitimate business interest to manage our relationship with visitors and to assist with the administration of the website.
  • client representatives, officers, agents and employees, business partners, parties to a contract for contract administration purposes. This may include (but is not limited to) your name, professional address, title, email and other professional contact details. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to enquiries about our products or services and to provide offers and other information about our products, services, and events that we think may be of interest to you. We collect and process this information because we have a legitimate business interest to manage our relationship with you. Milliman may also rely on your consent for the sending of marketing communications when so required by applicable data privacy legislation, in which case we will ask your consent prior to our sending the communication to you. Milliman LLC may also use the professional contact details of its clients’ employees for the purpose of sending surveys or questionnaires. In all instances, we collect and process this information because we have a legitimate business interest to manage our relationship with you and for the proper administration of our business. We may also collect and process limited Personal Data about you which is collected from public resources (such as LinkedIn) including your name, email address, telephone number, organisation, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer, you will be given the opportunity to unsubscribe and prevent future communications of that sort. If you do not want us to collect your Personal Data from our marketing emails, or if you wish to unsubscribe from receiving marketing communications from us, you may write to us at data.protection@milliman.com requesting the same.

If you provide us with Personal Data of another individual, it is your duty to make sure that those individuals concerned have consented to or are appropriately informed about the processing of their Personal Data by Milliman, in accordance with the terms of this Privacy Policy.

You should also ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with products and services you have requested.

No automated decision-making is undertaken based on the Personal Data collected from you.

In all instances, where the basis for processing your Personal Data is based on consent, you may withdraw your consent at any time.

Affiliates and Authorised Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman LLC and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., located in the U.S. and/or Europe, for the purposes of the centralisation of Milliman’s administrative, contract management, Client Relationship Management, IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events.

We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data privacy protections as may be afforded in the DIFC.

However, Milliman ensures that where we do so, for such transfers we obtain contractual commitments (such as the Standard Contractual Clauses) from them in order to protect your personal information, or put in place other adequate safeguards to protect your Personal Data.

Milliman also may share Personal Data with authorised third-party agents or contractors that perform services for Milliman, located in and outside of Turkey. If Milliman shares Personal Data with a third party, Milliman requires that those third parties to agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

In all cases, any transfers of Personal Data out of the DIFC are subject to appropriate safeguards that are compliant with the DP Law.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorised access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable data privacy laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or as directed by law. Milliman will delete your Personal Data once the purpose of the collection and processing has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing (such as for the purposes of complying with a legal obligation or when the processing is necessary for a legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so to ensure that such marketing communications are no longer sent to you in the future.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at data.protection@milliman.com, and Milliman will take steps to delete any such Personal Data.

Third-party Links

This website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (all or part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your consent. Note that any information you disclose to Third Party Websites is no longer under our control and no longer subject to this Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third Party Websites is strictly at your own risk.

Policy Updates

Milliman may change the terms of this Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Rights

You have a number of rights under the DP Law in relation to your Personal Data, namely:

  1. the right of access: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
  2. the right to rectification you may ask us to correct inaccurate Personal Data concerning you, and may ask us to update or amend any incomplete Personal Data completed. You can do this by providing a supplementary statement.
  3. the right to erasure: you may ask us to delete your Personal Data delay where: (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for processing that we may rely on); (c) you object to the processing of your Personal Data and we have no overriding legitimate grounds to continue to process it; or (d) where your Personal Data has been unlawfully processed.
  4. the right to restrict the processing of your Personal Data: you may ask us to restrict the processing of your Personal Data where: (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such Personal Data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; or (d) you have exercised the right to object, and verification of our overriding grounds is pending.
  5. the right to object: you have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data, which is based on our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data for direct marketing purposes at any time, without giving reason.
  6. the right to data portability: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller. Please note this applies only where our processing of your Personal Data is based on your consent, or the performance of a contract and the processing is carried out by automated means.
  7. (vii) the right to appeal to a competent data protection supervisory authority: you have the right to appeal to the competent data protection supervisory authority - in the DIFC, such authority is the “DIFC Commissioner of Data Protection”.

Please note that any processing of your Personal Data which occurs prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to data.protection@milliman.com. We will endeavour to respond to any such request as soon as possible, and in any event within 30 days.

How to Contact Us

Milliman can be contacted at data.protection@milliman.com. Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email (data.protection@milliman.com). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.