GENERAL DATA PROTECTION REGULATIONS (GDPR)
Currently, organisations are required to comply with the Data Protection Act 1998. This Act governs the collection, storage and use of personal data held electronically or in paper records. It provides guidelines on how companies should create, store, handle or view personal data. From 25 May 2018, this Act will be replaced by the General Data Protection Regulations (“GDPR”) which are coming into direct effect across the EU. The UK will continue to comply with these regulations following Brexit.
Spence & Partners Limited (Spence) have a policy for meeting our obligations under GDPR and we are pleased to enclose a Privacy Notice that sets out this policy for your information. In particular, we would like to draw your attention to the following key points:
- Individuals have increased rights under the GDPR in relation to their personal data which include in certain circumstances the right of access to data and rectification and erasure. We hope you understand that we need to hold your data to be able to pay your benefits and to answer any questions about your entitlement.
- Under the GDPR, members have the right to obtain access to their personal data by way of a Subject Access Request (SAR). Members will no longer be charged for making this request and a response should be received within one month of the request.
- This notification does not affect your benefits entitlement in any way. In particular, please note that if you are currently in receipt of a pension, the above information will not affect your benefits.
If you have any queries regarding the above information, please contact our Data Protection Officer, Roisin McKeever, who can be contacted on telephone number 02890412023, at the following address: Spence & Partners Limited, Linen Loft, 27-37 Adelaide Street, Belfast, BT2 8FE, or by email at firstname.lastname@example.org.
Data Privacy Notice
This statement sets out how Spence handle personal information in compliance with the General Data Protection Regulations (the “Regulations”).
We recognise that the correct and lawful processing of personal data is important and integral to our successful operations and to maintaining the trust of the people we deal with. We fully endorse and adhere to the principles set out under the Regulations.
For the purposes of this statement, the term “personal data” shall refer to personal data and sensitive personal data.
Spence may act as a Data Controller and a Data Processor in relation to the handling of the personal data and sensitive personal data of the persons/organisations we deal with.
Purpose and legal basis for processing the personal data
The personal data that Spence will hold includes but is not limited to your name, address, date of birth, National Insurance details and marital status, as well as details of your children or other beneficiaries. We will also hold details of your salary history, membership dates and any contributions to your pension scheme. In addition, we will retain medical history information that you supplied to us, as this may affect your pension entitlement.
The reason we need to hold and process this data is so that we can properly administer your benefits and pay your pension and other benefits when they come into payment.
Spence may from time to time share this data with the administrators, actuary, regulatory body or other professional advisers to the scheme, in order to manage your benefits. Spence may also share the personal data with insurers to ensure that we provide your benefits in the most cost-effective way.
Spence may share your data with the Employer in connection with their obligation to fund certain benefits under the Scheme/Plan. The Employer may use your data for the purposes of preparing annual disclosures for its audited accounts, reviewing the funding position or providing information to the members about access to the pension freedoms (either as a one-off exercise or as a business as usual offering) or other liability management exercises.
As Data Controller, Spence have a legal obligation to administer and pay your benefits from your scheme. We will therefore hold and process your data on this legal basis. Both Spence and our advisers and administrators also have our own legitimate interests for processing your data. You may object to the processing of your personal data on this basis, but your objection may be rejected by Spence if there are compelling reasons to do so.
When Spence are required to process your sensitive personal data, such as your medical records, Spence shall seek your explicit consent to do so. You may withdraw your consent to processing on this basis at any time.
Spence will hold and process your data for as long as we are legally required to do so, are responsible for the payment of benefits from the scheme, or need to do so for the protection of our legitimate interests, and in line with regulatory requirements. As pension benefits are a long-term undertaking and queries can arise many years into the future, it is not possible to give a specific period for which the data will be stored.
How does the Scheme Actuary use your data?
The Scheme Actuary is also a Data Controller and uses personal data to advise Spence on the financial management of the Fund. This advice helps to ensure Spence are able to meet their obligations to pay members’ benefits and is necessary to comply with obligations placed on them by legislation, including the Pensions Act 2004. The Scheme Actuary will not pass your personal data to any third party without the prior agreement of Spence.
Spence will fully respect your rights under the Regulations including:
- You have the right to make a subject access request free of charge, and the request can be made electronically
- You have the right to make a subject access request to verify the lawfulness of the processing we are carrying out
- We will respond to your subject access request within one month of you making it
- You can request to correct your personal data if it is inaccurate, incomplete or out of date or request the deletion of your personal data
- You may obtain a copy of your personal information from us, except in limited circumstances
- You have the right to complain to the supervisory authority whose contact details are set out below.
Complaints relating to breaches of the Regulations and/or complaints that an individual’s personal data is not being processed in line with the Data Protection Principles will be managed and processed by Spence.
All complaints of dissatisfaction will also be processed in accordance with the Spence Complaints Process and should be sent to the Compliance Officer, who can be contacted on telephone number 02890412000 or at the following address: Spence & Partners Limited, Linen Loft, 27-37 Adelaide Street, Belfast, BT2 8FE.
Without prejudice to any administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO), if you consider that the processing of your personal data infringes the principles of the Regulations. Their address is as follows: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.