Global Privacy Program

In all that we do, we strive to be good data stewards, balancing our data needs with our responsibilities to the people and communities we serve.



Data about people—whether our employees, patients, physicians, veterinarians and other health professionals, customers, business partners, or other stakeholders—is essential to fulfilling our corporate mission and to operating our global research-intensive biopharmaceutical and animal-health businesses.

Over the past 16 years, we have developed and continually improved a comprehensive global privacy program that promotes organizational accountability for privacy, data governance and data protection across our business, and with our collaborative partners and suppliers. On March 1, 2016, we became the first company in the world to obtain regulatory approval in the European Union (EU) for Binding Corporate Rules (BCR) based in part on our existing Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) certified program.

This achievement demonstrates that organizations can rely on common internal standards and processes to govern international data transfers across both the EU and APEC regions, making it simpler to address the growing regulatory challenges in this area.

In November 2016, we self-certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, following the invalidation of the EU-U.S. and Swiss-U.S. Safe Harbor programs.

Throughout 2017, we further improved organizational accountability and governance by expanding our cross-organizational/functional governance body to guide the overall privacy program and establish a set of privacy standards and specifications tied directly to the company privacy policy and based upon new external requirements.

Our holistic approach to privacy has its origins in biomedical research ethics and the protection of participants in the research studies that we sponsor and conduct. We have adapted human subject research ethics standards for risk-benefit analysis, transparency, anonymization, coding and prior review to other activities and processes involving data about people. We also have established a set of privacy values to guide all of our privacy, data stewardship and data protection decisions. These core tenets serve as the foundational ethical framework for our comprehensive global privacy program and our compliance with the continually evolving legal and regulatory standards for privacy and data protection.


| PRIVACY DATA | 2012 | 2013 | 2014 | 2015 | 2016 |
|---|---|---|---|---|---|
| Number of countries in which we conducted privacy compliance verification and risk assessment | 137 | 137 | 137 | 137 | 137 |
| Number of concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated (1) | 68 | 212 | 151 | 143 | 227 |
| Percentage of reported concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated (2) | 23% | 26% | 18% | 96% | 98% |
| Number of privacy breaches requiring notification by our company to individuals or government authorities | 0 | 0 | 1 | 0 | 1 |
| Number of privacy breaches requiring notification by third parties working for our company to individuals or government authorities | 2 | 1 | 1 | 3 | 0 |

1. Privacy concerns include all concerns about our privacy practices escalated to our company’s Privacy Office. Substantiated concerns are those that are determined to be inconsistent with our own privacy standards or that involve loss of, theft or unauthorized access to personal data.
2. In 2015, because of the scope of lost or stolen devices known to be encrypted, we ceased inclusion of lost or stolen MSD devices in our incident metrics.

This is the corporate responsibility report of Merck & Co., Inc., Kenilworth, N.J., U.S.A., which is known as MSD outside the U.S. and Canada.