Milliman Personal Data Privacy Policy

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the UK affiliates’ (Milliman LLP and Milliman Financial Strategies Ltd) use and protection of personal data that individuals and clients residing within the European Economic Area, the Isle of Man, Switzerland and the United Kingdom share with us ("Personal Data"”"), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU-U.S. Privacy Shield, any successor adequacy decision, the UK Data Protection Act 2018 together with its references to the EU General Data Protection Regulation (GDPR), and other data protection and privacy laws, as applicable.

Milliman, Inc. and its UK affiliates are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and its UK affiliates are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.


In some instances, Milliman may collect data through cookies. A "cookie" is a text-only string of data that Milliman sends to the cookie file of the browser on a website visitor’s computer hard disk using Milliman’s web server. Cookies are used to make websites work, or work more efficiently, as well as to provide data to the owners of the website.

Milliman’s website may use both required cookies and analytics and performance cookies.

Required cookies enable a website visitor to move from page to page within the website and to use its features. These cookies are deleted when the visitor closes his/her browser.

Analytics and performance cookies allow Milliman’s third-party agents to collect data, including the number of visitors to the website, where they have come to the website from, and the length of time they have spent on the website. Milliman uses the following third-party agents for website performance tracking, and you can learn more about their privacy policies and how to opt-out of their cookies by clicking on these links:

Google Analytics:
AI Media group:  

The majority of web browsers accept cookies and similar files, but a visitor can usually change the browser settings to prevent this. However, by doing so, some functionality of the website may be lost. Please visit to learn more about cookies and how to control them. We rely on your consent, to the extent required by law, to use non-required cookies that may contain your Personal Data. To change your cookie preferences, click here.

Third-Party Embedded Content and Do Not Track

Milliman websites may feature content (such as buttons, widgets, and other embedded features or content) embedded by third parties that rely on cookies or similar technologies. You can learn more about the privacy policies of these third-party content providers and how to opt-out of their cookies by clicking the appropriate link below:

Facebook and Instagram:
Google Inc. and YouTube:

Please note that Milliman websites currently do not respond to Do Not Track signals in browsers.

Processing of Personal Data

We may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with clients and the administration of the website. If a website visitor uses a log-in to access our website, certain criteria such as user data, transactional data, session surveillance, IP data, and pattern recognition may be collected and used by Milliman for authentication purposes. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR), consisting of the website’s management.

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 6 (1) letter (f) GDPR). Milliman may also rely on your consent (Art. 6 (1) letter (a) GDPR) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman SAS may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing games. For those activities, the legal basis for the processing of Personal Data is Milliman SAS’ legitimate interest (Art. 6 (1) letter (f) GDPR), unless data protection and privacy law require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect this information from our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

No automated decision-making is undertaken based on the Personal Data collected from you.


Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.


Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at, and Milliman will take steps to delete any such Personal Data.

Access and Corrections

As allowed or required by law and consistent with our applicable agreements, you may contact Milliman at any time at to request a copy of any Personal Data that Milliman has about you, to request that certain Personal Data be corrected, updated, or deleted, or to express any complaints or concerns about Milliman’s use of your Personal Data. It is not technologically possible to change or delete each and every instance of the data Milliman holds on its systems, and some Personal Data may remain in non-erasable forms.

Third-party Links

Milliman’ website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third Party Websites is no longer under our control and no longer subject to Milliman Personal Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Information to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman SAS and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., for purposes of centralization of Milliman’s administrative, contract management, Client Relationship Management (CRM), IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events. We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that itself and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with Applicable Data Protection Laws (adequacy decision or Model Clauses of the European Commission or any successor adequacy decision and standard contractual clauses). Those can be made available at Milliman’s premises, by contacting us at

Privacy Shield

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-U.S. Privacy Shield Framework (or the Swiss-U.S. Privacy Shield Framework and successor adequacy decision, as the case may be), as administered by the U.S. Department of Commerce. If there is any conflict between the terms of this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and to view Milliman’s certification, please visit

Milliman’s accountability for Personal Data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Milliman remains responsible and liable under the Privacy Shield Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area and the United Kingdom based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a Privacy Shield-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area, the United Kingdom or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.


You have a number of rights under Applicable Data Protection Laws in relation to your Personal Data, namely:

(i) the right of access: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.

(ii) the right to rectification: you have the right to obtain from the us the rectification of inaccurate Personal Data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(iii) the right to erasure: the right to obtain from us the erasure of your Personal Data delay where (a) your Personal Data is no longer necessary for the purpose for which it was collected/processed; (b) you wish to withdraw your consent to processing (except where we have another legal ground for the processing that we may rely on); (c) where processing is based on our legitimate interests and there are no overriding legitimate grounds for processing; (d) where your Personal Data has been unlawfully processed;

(iv) the right to restriction of processing: you have the right to obtain from us the restriction of processing of your Personal Data where (a) the accuracy of such Personal Data is contested by you (for such period as will enable us to verify the accuracy of your Personal Data); (b) the processing of your Personal Data is unlawful, but you do object to the deletion of such data and request restriction of its use instead; (c) you consider that we no longer need your Personal Data for the purposes of the processing, but require such Personal Data for the establishment, exercise or defense of legal claims; (d) you have objected to the processing of your Personal Data on grounds of “legitimate interest” as per (iii) above, pending verification by us on whether our legitimate grounds override your own.

(v) the right to objection: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data, which is based on point our legitimate interests, including profiling based on those provisions. We shall no longer process the Personal Data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You may object to the processing of your Personal Data or direct marketing purposes at any time, without giving reason.

(vi) the right to data portability: you have the right to receive Personal Data concerning you, and which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another data controller (please note this applies only where our processing of your Personal Data is based on your consent, and the processing is carried out by automated means).

(vii) the right to appeal to a competent data protection supervisory authority: you have the right to appeal to the competent data protection supervisory authority - in the UK, such authority is the Information Commissioner’s Office (

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to We will endeavor to respond to any such request as soon as possible, and in any event within the legal deadline.

How to Contact Us

Milliman’s European Data Protection Officer can be contacted at Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email ( Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you live in the European Economic Area, the United Kingdom or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the EU-U.S. or Swiss-U.S. Privacy Shield Framework and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (, which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Economic Area, the United Kingdom or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration through the Privacy Shield Panel when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).