INDIVIDUAL EMPLOYERS AND THEIR CONTACTS AND THOSE OF THIRD PARTIES ACTING ON BEHALF OF AN EMPLOYER
This section of this data protection notice is aimed at providing general information to employers and specific privacy information to individuals who are:
- employers (e.g. sole traders); or
- the representative or contact point for an employer or other relevant third party.
Employers will provide personal data and may provide sensitive personal data relating to their employees and workers. Employers may engage third parties to act on their behalf, such as a financial adviser or payroll bureau.
Identity of the data controllers / responsible entities
Employers and the Trustee will process your and members’ personal data and sensitive personal data as data controllers; and we will process personal data and sensitive personal data as data controller if we are required to undertake such processing for our own independent purposes, including for the purposes of providing any specialist services to an employer or the Trustee and to the extent necessary for us to comply with our statutory role as scheme administrator, and in all other cases we will be a data processor acting on behalf of the employer and/or the Trustee. Further details are set out in our Participation Agreement with the employer.
What information is processed (e.g. collected, used, disclosed, stored)?
We collect a range of personal data, either:
- directly from you when you enter information via the employer portal (and this may be combined with other information collected when you complete a form on our website, or a paper form)
- from third parties acting on behalf of the employer such as payroll bureaus
- from information that you post online when you contact us on social media, or
- from third parties from time to time.
The information provided by you will include personal data and may include sensitive personal data relating to:
- you (where you are an individual employer, such as where you are a sole trader, or the representative or contact point for an employer or other relevant third party); or
- your employees and workers, or those of the organisation that you represent and / or in relation to which you are providing services.
Information will be provided by you to us regularly whilst the employer’s pension scheme remains with us, and whilst the relevant employees or workers remain in employment with the employer and remains an active member of our pension scheme. Additionally, you / your employer will provide us with your personal data in order for us to manage the pension scheme on behalf of the employer. For example, we may have your personal and contact details as representative(s) of an employer under the Participation Agreement.
You may also provide us with the contact details of other individuals who may be managing the administrative aspects of the pension scheme on your behalf. Where you are providing personal data relating to someone else, you / the employer is responsible for obtaining and maintaining the necessary consent of such individuals or satisfy an alternative legal basis to enable us to process their personal data on the employer’s behalf.
We process (e.g. collect, use, disclose, store) the following information for the purposes explained below:
(see “Why do we use your information?”)
|Your contact details including name, business address, telephone and e-mail address||(A), (B), (D), (E) and (F)|
|Your identification details, including (where relevant) a copy of your ID||(A), (B), (D) and (E)|
|Job title / role details||(A), (B) and (D)|
|Bank account details||(B), (D) and (E)|
|Information about your use of our information systems (including the employer portal and the NOW: Pensions website)||(C) and (F)|
Why do we use your information?
The main reasons that we, together with our third party administrators and service providers, process your information are for the purposes of:
|(A)||Legal and regulatory compliance||This includes where we are required to process your information based on a legal obligation, including applicable laws relating to employment, pensions, tax, establishing, exercising or defending legal claims, and reporting to regulators such as The Pensions Regulator.|
|(B)||Contract performance and management||This includes where processing of your information is necessary to perform the Participation Agreement to provide pensions services to the employer and / or its employees, including to facilitate your access, provide resources to you, contact you about your pension scheme and to notify you about changes to our services.|
|(C)||Improving our products / services||This includes where the processing is necessary to enable us to gain insight into your use of our services and information systems (including the employer portal and the NOW: Pensions website) in order to make improvements to these, so that we can enhance your experience of using our services.|
|(D)||Managing operations||This includes the normal business practices related to our day-to-day business activities, including internal administration within our corporate group, corporate governance, effective systems and process management, planning and budgeting, financial management (including for the benefit of members), resource management, mergers and acquisitions, including due diligence and audits, internal auditing, supplier management and complaints management.|
|(E)||Managing security and preventing fraud or unlawful activities||This includes for securing our IT network and systems (including the employer portal) and company information, preventing fraud or other unlawful activities such as money laundering, verification and credit risk reduction, processing carried out in accordance with regulatory guidance and reporting possible criminal acts.|
|(F)||Marketing||This includes where processing of your information is necessary to provide you with carefully selected marketing about our products and services (in accordance with legal requirements and your preferences).|
NOW: Pensions relies on the following legal basis to process your information:
- to comply with our legal obligations, including those listed in (A) above
- for the performance of a contract with you (where you are an individual employer) or to take steps at your request prior to entering into this contract, or
- for the purposes of our and the Trustee’s respective legitimate interests in ensuring effective operational management and internal administration, network and information security, prevention of fraud and other unlawful activities, reporting of criminal acts, verification and credit risk reduction, compliance with regulatory guidance, establishment, exercise or defence of legal claims, product / service improvement and for direct marketing.
Do we disclose personal and sensitive data outside the European Economic Area?
We ensure that adequate safeguards are in place for all transfers of personal data outside the EEA that do not have an “adequacy decision” from the European Commission in the form of approved EU model clauses and / or EU-US Privacy Shield, as relevant.
Do we disclose personal and sensitive data to others within or outside of our group companies?
We, the Trustee, our third party administrators and service providers have access to your personal and sensitive personal data for the purposes stated above. We share information within our corporate group, as necessary for the effective provision of pension services, and for internal administration, corporate governance and legal and regulatory compliance purposes. For further information about our corporate structure, see Our Governance.
The recipients of your personal data outside our group companies may include (as relevant to the services being provided) our third party pensions administrator, IT providers (including suppliers of systems, software, maintenance and hosting services), marketing services and solutions providers and third party solutions that support our customer relationship management systems and complaints processes and, from time to time, specialist consultants (but usually on an anonymised and aggregated basis) and providers of investigation services in relation to “gone away” members.
Additionally, we or the Trustee may disclose your personal information:
- if we, the Trustee or our group companies, sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- in order to enforce other agreements you may have with us;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect our rights, property or our safety or the safety of our customers or others. This includes exchanging information with other companies and organisations for the purposes of verification, fraud protection and credit risk reduction.
How long do we retain your data?
We and the Trustee retain your personal data only for as long as necessary for the purpose for which this is being processed. As the purpose for our processing your personal data is directly linked to your pension, or the provision of a pension to your employees, we may retain personal data until and following your retirement or the retirement of your employees, to the extent this is required in order to manage our and the Trustees obligations in respect of your pension. Otherwise, we retain personal data in accordance with statutory retention periods, or for so long as necessary for the establishment, exercise or defence of legal claims.
How do we protect personal and sensitive data?
We take appropriate steps to protect the data provided to us both online and off-line. We use up to date storage and security techniques to protect your personal and sensitive personal data from unauthorised access, improper use or disclosure, unauthorised modification or destruction or accidental loss. All our employees and any third parties we engage to process data are obliged to respect the confidentiality of such data provided to us and as required under applicable data protection or other legislation.
How can you contact us?
For customer service queries please go to: www.nowpensions.com.
We have appointed a data protection officer who can be contacted at DPO@nowpensions.com if you want to make a request to exercise any of your rights above or you have any concerns about the way in which we have handled your personal data.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Last Updated: October 2019