At our company, privacy begins with trust.

In 2001, Merck & Co., Inc. (Kenilworth, NJ, USA), which operates as MSD outside of the U.S. and Canada, established a Privacy Office to develop and oversee a global privacy program for our operations around the world. Our program is based on four privacy values that provide the foundation for responsible engagement, interactions and use of information about people:

  • respect for individual privacy expectations,
  • building and preserving trust,
  • preventing privacy harms, and
  • compliance with the letter and spirit of privacy and data protection laws around the world.

Our privacy program is built on a platform of organizational accountability for privacy, stewardship of the data we use to operate our business, consistent global privacy practices and standards that carry on our tradition of upholding high ethical standards across our business practices, and ongoing oversight to ensure that we continue to respond to changes in privacy expectations as technology and our business continue to evolve. For more information about our program, please see the global privacy program section of our corporate responsibility report.

Our Approach to Privacy Trust

Since we believe that trust is a core privacy value and essential to our corporate mission to discover, develop and provide innovative products and services that save and improve lives around the world, our global privacy program strategy is centered on two primary goals that aim to drive trust in how we engage with people and how we access, use and transfer information about people around the world:

Consistent Global Standards

Since we established our global privacy program in 2001, we have worked to implement and uphold consistent global privacy standards to provide assurance for how we manage our privacy and data protection obligations across countries and regions and to support our certifications under the following privacy frameworks recognized by regulators:

  • US-EU Safe Harbor (2001)
  • US-Swiss Safe Harbor (2009)
  • APEC Cross Border Privacy Rules (2013)

Each of our certifications is based on our Cross Border Privacy Rules Policy


We recognize that it can be difficult and overwhelming for people to understand all of the different ways that information about them can be observed, sensed, collected, shared, used, analyzed and transferred, so we use a variety of approaches to support our goal of making our practices transparent both to people about whom we process information as well as the regulators and their agents who review our practices. Key examples include:

  • Online Privacy – our Internet Privacy Policy describes the ways in which we process information about people online;
  • Cookies – our Cookie Privacy Commitment supports our Internet and describes the ways in which our web sites and online services use cookies and other online trackers;
  • Comprehensive Privacy Notices – these are intended to provide a thorough perspective on how our privacy practices apply to specific stakeholders.;
  • Mobile App Privacy as a supplement to our Internet Privacy Policy we provide certain mobile app privacy disclosures below;
    • Protection of Social Security Numbers and other government-issued identification numbers; and
    • Contextual Notices – which we provide at the time you use or participate in our services.

For more information, please see Transparency and Privacy.

APEC Privacy Certification

On October 31, 2013, our global privacy program was certified as compliant with the requirements of the Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. We were the first healthcare company in the world, and the second multinational company, to achieve this certification. Achievement of APEC certification demonstrates to our customers, patients, and other stakeholders our strong commitment to accountable, values-based, privacy and data protection practices in every region of the world in which we operate.

Our certification by the U.S. APEC Accountability Agent, TRUSTe, applies to our business processes across our operations that transfer personal information from our affiliates in the U.S. to our affiliates in other countries. Since all of our operations globally participate in our global privacy program and adhere to a common set of privacy practice and standards, we anticipate that our affiliates in other APEC member economies will be recognized as CBPR-certified for transfers of personal information that originate in those economies after those economies are approved as participants in the APEC CBPR system.

For more information, please read our Cross Border Privacy Rules Policy.

Safe Harbor Certification

On November 5, 2001, we certified our adherence to the Safe Harbor Agreement between the European Commission and the U.S. Department of Commerce for transfers of personal information from the European Economic Area to the U.S. We have reaffirmed our adherence to the Safe Harbor annually.

On October 31, 2007, we extended our Safe Harbor standards to personal information transferred from Switzerland to the U.S. In 2009, we certified our adherence to the Safe Harbor Framework agreed upon by the Federal Data Protection and Information Commissioner of Switzerland and the U.S Department of Commerce for transfers of personal information from Switzerland to the U.S.

For more information, please read our Cross Border Privacy Rules Policy. To review our certification, please see the Safe Harbor List on the U.S. Department of Commerce Web site.




Transparency in our Privacy Program

Our privacy notices are an important part of our approach to transparency in what we do with personal information.

More information about Transparency and Privacy at our company

Questions About Privacy?

Write to us at:
Privacy Office
351 N. Sumneytown Pike
North Wales, PA 19454

Privacy Office

Or in the U.S. call:

If you are a healthcare professional in the U.S., call: