Privacy policy

At Buck, we are committed to respecting your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use and disclose personal data that we receive when you visit this website, use our services, or communicate with us, both on this website and offline, as a business customer, prospective client or general contact.

It is important that you read this Privacy Policy so that you are fully aware of how and why we are using your data.

This Privacy Policy does not apply to our employee personal data or candidate recruiting practices. Please refer to other privacy notices pertaining to those activities.

About us

This Privacy Policy is issued on behalf of the Buck group of companies set out below (“Buck”, or “we“, “us” or “our“).

Buck is regulated under the General Data Protection Regulation which applies across the European Union (including in the United Kingdom). When Buck processes your personal data it is responsible as ‘controller’ of that personal data for the purposes of those laws.

Buck provides actuarial advice, pensions administration, share plan administration, investment consultancy, insurance broking and technology services through the following Buck companies:

  • Buck Consultants Limited (company number 1615055), registered office 20 Wood Street, London EC2V 7AF ;
  • Buck Consultants (Administration & Investment) Limited (company number 01034719) ), registered office 20 Wood Street, London EC2V 7AF ;
  • Buck Consultants (Healthcare) Limited (company number 172919) registered office 20 Wood Street, London EC2V 7AF ;
  • Buck Consultants Shareplan Trustees Limited (company number 926625) registered office 20 Wood Street, London EC2V 7AF ;
  • Buck Consultants (Administration & Investment) Limited London, Sucursala Iasi (company number J22/260/02.02.2016), registered office 7B-7C Palas Street, United Business Center, 3 Building C1, 5th Floor Iasi, Romania;
  • Buck Trustees (Guernsey) Limited (company number 47785) registered office is at P.O. Box 25, Regency Court, Glategny Esplanade, St Peter Port, Guernsey, GY1 3AP;
  • Buck Global Deutschland GmBH with (company number HRB 18354) its registered office Amtsgericht Aachen HRB;
  • ACS HR Solutions Nederland BV with its registered office at Capelle aan den Ussel, The Netherlands
  • Buck Global LLC whose office address is 485 Lexington Ave., 10th Floor;
  • Buck Capability Centre Private Limited (company number U74995KA2018PTC112723) whose registered address is No. 51, 3rd Cross, Brindavan L/o Horamavu, India.
  • Buck Canada HR Services Limited (company number C1185116) Suite 1700, Park Place, 666 Burrard Street, Vancouver BC V6C 2X8, Canada.
  • Concert Consulting UK Limited (company number 06328949), registered office 20 Wood Street, London EC2V 7AF.

Depending on the services that you ask us about or that you use, different companies within Buck may handle your personal data and be responsible as ‘controller’ of that personal data for the purposes of those laws. If you want further information on the specific ‘controller’ of your personal data, please contact us using the details set out below.

Contacting us

You can contact us using the contact details below about any queries you may have in relation to this Privacy Policy or your personal data, or to exercise any of your rights as described in this Privacy Policy or under data protection laws.

You can contact us as follows:

US –

UK –

Canada –

Data protection principles

Buck adheres to the following principles when processing your personal data as data controller:

  • Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimisation – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy – data must be accurate and, where necessary, kept up to date.
  • Storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.

This Privacy Policy describes the personal data that we collect, and explains how we comply with these principles.

Personal data we collect

We may collect, use, store and transfer different kinds of personal data about you as follows:

  • Identity Data – includes first name, last name, username or similar identifier, title, date of birth and gender.
  • Contact Data – includes billing address, contact address, email address and telephone numbers.
  • Marketing and Communications Data – includes your preferences in receiving marketing from us and your communication preferences.
  • Usage Data includes information about how you use our website, products and services.
  • Technical Data – includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

Aggregated data

We also collect, use and share “Aggregated Data” such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

Special Categories of Personal Data

We do not collect any “Special Categories of Personal Data” about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, data about your health, and genetic and biometric data). Nor do we collect any data about criminal convictions and offences.


This website is not intended for or directed at children under the age of 16 years and we do not knowingly collect data relating to children under this age.

How we collect your personal data

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your Identity and Contact Data by filling in a form on this website or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you request marketing to be sent to you or give us feedback or contact us.
  • As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and similar technologies.
  • Third parties or publicly available sources. We will receive personal data about you from various public sources such as your company website, and LinkedIn.

How we use your personal data

Buck will only use your personal data if we have a legal basis for doing so. The purpose for which we use and process your personal data and the legal basis on which we carry out each type of processing is explained in the table below.

Purposes for which we will process the personal data Legal Basis for the processing
To carry out our obligations arising from any contracts entered into with you (or your employer) and to supply product and provide services to you (or your employer). It is necessary for us to process your personal data in this way in order to enter into a contract with you (or your employer) and to fulfil our contractual obligations to you (or your employer).
To provide you with personal data and materials that you request from us. To update you on products and services we offer. It is in our legitimate interests to respond to your queries and provide any personal data and materials requested in order to generate and develop business. To ensure we offer an efficient service, we consider this use to be proportionate and will not be prejudicial or detrimental to you.
To personalise our services and this website to you, and to improve this website. It is in our legitimate interests to enhance your experience on our Website and to better our services. We consider this use to be proportionate and will not be prejudicial or detrimental to you.

Generally, we do not rely on consent as a legal basis for processing your personal data although we may need your consent before sending direct marketing communications to you via email or text message. Where you provide consent, you can withdraw your consent at any time and free of charge, but without affecting the lawfulness of processing based on consent before its withdrawal. You can update your details or change your privacy preferences by contacting us as provided in “Contacting us” above.


We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased [goods or services] from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a service we provide pursuant to an agreement with you or your employer.

Change of use of your personal data:

Buck will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you in a timely manner and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.

If you fail to provide personal data:

Where we need to collect personal data by law, or under the terms of a contract we have with you or your employer, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you or your employer (for example, to provide you or your employer with goods or services). In this case, we may have to cancel a product or service you or your employer has with us but we will notify you if this is the case at the time.

Disclosure of your personal data to third parties

Buck will not sell, rent, lease or otherwise share your personal data other than as outlined in this Privacy Policy or without obtaining your consent beforehand.

We will share your personal data with our Buck group companies as necessary to carry out the purposes for which the data was supplied or collected.

Personal data will also be shared with our third party service providers and business partners who assist with the running of this website and our services including hosting providers and email service providers. Our third party service providers and business partners are subject to security and confidentiality obligations and are only permitted to process your personal data for specified purposes and in accordance with our instructions.

In addition, Buck may disclose your personal data:

  • to our professional advisers including lawyers, auditors and insurers;
  • in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • if all or substantially all of Buck’ assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
  • if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation;
  • if necessary to protect the vital interests of a person; and
  • to enforce or apply our terms and conditions or to establish, exercise or defend the rights of Buck, our staff, customers or others.

International transfers

To deliver services to you, it is necessary for us to transfer your personal data outside of the European Economic Area (“EEA”) to our group companies and our service providers and business partners located outside the EEA. This includes Canada, India and the US.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. This includes Canada.
  • Where we use service providers, we may use standard contract clauses approved by the European Commission which give personal data the same protection it has in Europe.

If you want further information on the specific mechanism used by us when transferring your personal data out of the EEA, please contact us using the details set out above.

Security of your personal data

Buck uses appropriate technical and organisational security measures to protect personal data both online and offline from unauthorised use, loss, alteration or destruction. We use industry standard physical and procedural security measures to protect personal data from the point of collection to the point of destruction.

Only authorised personnel and third party service providers are permitted access to personal data, and that access is limited by need. Where data processing is carried out on our behalf by a third party, we take steps to ensure that appropriate security measures are in place to prevent unauthorised disclosure of personal data.

Despite these precautions, however, Buck cannot guarantee the security of personal data transmitted over the Internet or that unauthorised persons will not obtain access to personal data.

In the event of a data breach, Buck has put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a breach where legally required to do so.

If you have any questions about security on our Website, you can contact us as provided in “Contacting us” above.

How long we keep your personal data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

The criteria we use for retaining different types of personal data, includes the following:

  • General queries – when you make an enquiry or contact us by email or telephone, we will retain your personal data for as long as necessary to respond to your queries;
  • Direct marketing – where we hold your personal data on our database for direct marketing purposes, we will retain your data unless we have not had any active subsequent contact with you.
  • Legal and regulatory requirements – we may need to retain personal data where necessary to comply with our legal obligations, resolve disputes or enforce our terms and conditions.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this data indefinitely without further notice to you.

Your rights

Access to and updating your personal data

You have the right to access information which we hold about you (“data subject access request”).

You may also have the right to receive personal data which you have provided to us in a structured and commonly used format so that it can be transferred to another data controller (“data portability”). The right to data portability only applies where your personal data is processed by us with your consent or for the performance of a contract and when processing is carried out by automated means.

We want to make sure that your personal data is accurate and up to date. You may ask us to correct or remove information you think is inaccurate. Please keep us informed if your personal data changes during your relationship with us.

Right to object

Direct marketing

You have the right to object at any time to our processing of your personal data for direct marketing purposes.

Where we process your personal data based on our legitimate interests

You also have the right to object, on grounds relating to your particular situation, at any time to processing of your personal information which is based on our legitimate interests. Where you object on this ground, we shall no longer process your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Your other rights

You also have the following rights under data protection laws to request that we rectify your personal data which is inaccurate or incomplete.

In certain circumstances, you have the right to:

  • request the erasure of your personal data – this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it (“right to be forgotten”);
  • restrict the processing of your personal data to processing in certain circumstances.

Please note that the above rights are not absolute and we may be entitled to refuse requests, wholly or partly, where exceptions under the applicable law apply.

For example, we may refuse a request for erasure of personal data where the processing is necessary to comply with a legal obligation or necessary for the establishment, exercise or defence of legal claims. We may refuse to comply with a request for restriction if the request is manifestly unfounded or excessive.

Exercising your rights

You can exercise any of your rights as described in this Privacy Policy and under data protection laws by contacting us as provided in “Contacting us” above.

Save as described in this Privacy Policy or provided under data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.

Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


This website may, from time to time, contain links to and from the websites of our business partners, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and Buck does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.


If you have any questions or complaints regarding our Privacy Policy or practices, please contact us as provided in “Contacting Us” above.

If you are in located in the EEA, you also have the right to complain to the relevant supervisory authority in the EEA. In the UK, this is the Information Commissioner’s Office (

We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to our privacy policy

Buck reserves the right to change this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. If we make any material changes to this Privacy Policy, we will notify you by email or by means of a prominent notice on this website prior to the change becoming effective.

Updated and Effective as of 2 November 2018