Following a clear mandate from senior management, Mercer | Mettl, in 2018, constituted a dedicated cross-functional compliance team and defined the roadmap to GDPR compliance.

What is GDPR?

The General Data Protection Regulation (GDPR), which came into effect from May 25, 2018, empowers European Union (EU) residents by placing them in control of their personal information and upholding strict protocols for organizations that collect and process this information.

The GDPR lays down seven core principles. They are: 

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The Data We Collect

GDPR defines Data Controllers as an entity that determines the purposes for which and the means by which personal data is processed. Data Controllers decide 'why' and 'how' the personal data should be processed. The data processor processes personal data only on behalf of the Controller.

Mercer | Mettl is a data processor and processes data for its clients who are data controllers. The data controllers specify the kind of data required from the data subject, i.e., the assessment taker. Mercer | Mettl acts as a mediator between the data controller and the data subject by collecting the specified data before or during the assessment and then processing it as per Data Controller's instructions.

This data can be of three types:

A. Personal Information (PI): That can identify a person. For instance, email id, mobile number, ID card number, and photo, etc.

B. Non-Personal Information (non PI): Such as the first name, last name, and test scores, etc.

C. Sensitive Personal Information (SPI): Such as biometrics, genetic data, sexual orientation, race, and ethnicity, etc.

Explicit Consent from Data Subjects

Our clients (Data Controllers) may require additional information to be collected from assessment takers, and it is the Controllers who define what this information could be (PI, SPI). To ensure that assessment takers are made aware of why such information is being collected, there is a provision of configuring and enabling 'explicit consent' which can be obtained from candidates before administering an assessment.

Moreover, our privacy policy clearly states 'what,’ 'why' and 'how' candidate personal data is processed.

Data Subject Rights

Mercer | Mettl has implemented processes to acknowledge and respect Data Subject Rights. A data subject can email us at ‘’ and request to exercise Data Subject Rights. Since Mercer | Mettl is a Data Processor processing data at the behest of Data Controllers, it is the Controllers (our Clients) who determine if the candidate's Data Subject Right request is valid and actionable.

Data Subject Rights consist of:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights related to automated decision-making and profiling

Data Management

  1. Data Storage and Security: Mercer | Mettl is a cloud-based SaaS platform and is hosted on AWS. All the data in transit and at rest is secured using industry-standard mechanisms.
  2. Data retention: Given Mercer | Mettl’s wide-ranging engagement with clients across diverse industries and verticals, such as education, government agencies, and corporate entities, we understand and appreciate the need to provide flexibility to Data Controllers to define data retention periods for their candidates. Such provisions are agreed and defined in the contract between the Client (Data Controller) and Mercer | Mettl (Data Processor). The time-frames can be specified in the contract based on the client’s specific requirements. The client can choose to have the data deleted from our cloud-based servers as desired. After the termination or expiry of the contract, the client can place a request to remove all data by writing to us at ‘’. We validate the request and, if needed, seek confirmation from the client before processing the request.
  3. Data Breach Management:  We continually monitor and upgrade our systems and processes to maintain the highest standards of data management and privacy practices. In an unlikely event of a data breach, we intend to notify our clients (Data Controllers) immediately and no later than 24 hours after becoming aware of such a breach.

Our commitment to world-class standards

Mercer | Mettl is not only General Data Protection Regulation (GDPR) compliant, but also ISO 27001:2013 and 9001:2015 certified. The company also conducts internal and external assessments for Privacy regulations (Web). Mercer | Mettl is committed to aligning itself with global best practices in data compliance and is dedicated to infosec and data privacy. To that end, the company has a dedicated head of information security and data privacy.

Siddhartha Gupta-1

Asset 32-8

We, at Mercer | Mettl, see GDPR as an opportunity to reinforce our values of transparency and customer focus. These values are driving us to build robust systems, ensuring our customers data privacy and their trust.

Siddhartha Gupta
Chief Executive Officer

Asset 32-8



What is personal data or Personally Identifiable Information (PII)?
Any data identifying with a living, distinguished or identifiable individual constitutes personal data. It can be anything from a name, a photograph, an email address, bank details, medicinal data or an IP address.
What are the mandatory fields required by Mercer | Mettl to administer a test-taker?
As a default setting, Mercer | Mettl only requires the first name (non PI) and email ID (PI) as mandatory fields to administer a test-taker’s assessment. If needed, these two parameters can be obfuscated by the data controller or the data subject. For instance, a test-taker named Elrich Bachman, with an email id ‘’ can be provided with the first name as ‘abcde’ and email ID as ‘’ by the data controller while mapping at the controller’s end.
What is the difference between a data controller and processor?

A controller is the entity that decides the reasons, conditions and methods for processing of personal data, while the processor is an entity which actually stores and processes personal data on behalf of the controller. Both Controllers and Processors of information need to comply with the GDPR.

What will happen if a business is not GDPR compliant?
GDPR with its objective to expand the data privacy rights of individuals in various imperative ways, subjects both data controllers and processors that fail to comply with the GDPR requirements to potentially hefty fines.
Can data of an EU data subject be transferred outside the EU?
Yes. GDPR stipulates that if appropriate safeguards are in place, then the data can be transferred outside of the EU.
Does Mercer | Mettl take explicit consent from test takers?

Mercer | Mettl has provision to obtain Explicit Consent from test takers(Data Subjects) submitting their personal information on the platform.

The ‘Explicit Consent’ is both configurable and customizable i.e.

  • A client(Data Controller) can enable Explicit Consent to be shown to all test takers in it’s account AND
  • The client can also customize the wording/language of Explicit Consent as per its need.

Mercer | Mettl keeps a record of ALL explicit consents received on its platform for auditing purpose.

What if the client wants to request data deletion?
The data subject can request via an email sent to for data deletion.
Where can I get more information on GDPR?
You can write to us at to get more information regarding GDPR.