Who are we?
(As relevant) employers and the Trustee will process your personal data and sensitive personal data as data controllers; and we will process your personal data and sensitive personal data as data controller if we are required to undertake such processing for our own independent purposes, including for the purposes of providing any specialist services to the employer or the Trustee and to the extent necessary for us to comply with our statutory role as scheme administrator, and in all other cases we will be a data processor acting on behalf of the employer and / or the Trustee.
Who is the data controller?
Who is the data controller varies depending on the purposes of the processing.
Where we are providing the Employer Services, the employer (our client) is the data controller, and we are the data processor.
Where the Trustee is providing DC Pension Services, the Trustee is the data controller. Except where we are acting in our statutory role as Scheme Administrator under the Finance Act 2004.
Where we are acting in our own rights for our own business purposes, for example for the processing of client data, we are data controller.
How we use your information
If you have a contract with us or the Trustee, please refer to the contract for more information on data protection and how we and the Trustee use your personal data. Please read the following carefully to understand how your personal data may be used and what your rights are.
Data: sources, what is collected and what do we do with it?
Data is gathered from different sources and used in different ways depending on who you are and how you interact with us. Please refer to the appropriate sub-heading below to find out more.
Visitors to our website
When you visit our website www.nowpensions.com we may collect information about your computer or other device including your IP address, operating system and browser type, for the purposes of system administration and making website and product /services improvements. This is statistical data about our users’ browsing actions and patterns and we do not use it to identify any individual. We may also collect details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access. We use this to ensure that content from our site is presented in the most effective manner for you.
We also collect information through the contact forms on our website, and also information that you post online when you contact us on social media. Information may also be collected from cookies, please refer to the cookies section below for further information.
People who call our helpline
When you telephone us or receive a telephone call from us we may record the calls for training and quality purposes. The legal basis for processing your information in this manner is legitimate interest. Certain telephone calls are received by our third-party administrator on our behalf. We may also use Calling Line Identification information and where we do, this information will be used to provide our services and offer assistance in order to improve our efficiency.
People or organisations who contact us
When you contact us or obtain services from us, we may save your details in order that we might provide you with information you have requested from us or which we feel may interest you, where you have consented to be contacted for such purposes.
From time to time we may run a competition, in which case we will be named as the promoter of the competition. Please refer to the competition terms and conditions for specific information on how we will use your personal data in relation to the specific competition you enter. Any personal information provided by you in the competition entry may be held and used by us or our agents and suppliers in order to administer the competition in accordance with the competition terms. We will ask for you consent before processing your personal data in this manner.
If we have previously had contact with you, we may get in touch from time to time to ask you to complete a survey which we will use for research purposes. Where we send surveys to you, you do not have to respond to them. You can also let us know if you would not like to be contacted in this way at our address above or whenever you communicate with us in the usual course.
Surveys may be hosted by third party service providers, please refer to any privacy information contained on the survey invite. Any personal information provided by you in the survey entry may be held and used by us or our relevant agents and suppliers in order to manage the survey. We will ask for you consent before processing your personal data in this manner. Where we state the survey you enter is anonymous, no identifiable personal data will be included in the final survey report and where applicable, we will use data in an anonymised and aggregate format.
NOW: Pensions’ services
The information required in order to provide our pensions services, may be provided through contact with our help centre, on our website www.nowpensions.com or on Gateway or the member portal at www.nowpensions.com. The information may include personal details, family details, lifestyle and social circumstances, employment details, financial details, business activities, health details.
We, and the Trustee, together with our group companies, third party administrators and services providers, process this information in order to provide our pensions services and to facilitate your access, provide resources to you, contact you about your pension scheme and to notify you about changes to our services.
Further information if you have a Pension with us
Information for Employers
If you are an employer who has signed up to the NOW: Pensions Scheme, please refer to your Participation Agreement with us and Gateway for more information on data protection. As an employer you will provide us with your personal data or personal data relating to individuals in the scheme on your behalf; and you will also provide personal data and may provide sensitive personal data relating to your employees and workers to us and the Trustee. You and the Trustee will process personal data and sensitive personal data as data controllers, we may process personal data and sensitive personal data as data controller or in certain circumstances as data processor acting on behalf of the employer and/or the Trustee.
Information for Members
If you are an employee or worker whose employer has signed up to the NOW: Pensions Scheme, please refer to the data protection notice on your member portal for more information on data protection, or alternatively you can contact our member help centre and request a member data protection factsheet. Your personal data or sensitive personal data may be provided by you or your employer to us and the Trustee. Your employer and the Trustee process your personal data and sensitive personal data as data controllers, we may process your personal data and sensitive personal data as data controller or in certain circumstances as data processor.
Information for beneficiaries
If you are a beneficiary nominated by a member under a NOW: Pensions plan, your personal data will have been provided to us by the member. Most of the time, we only hold basic contact details for you. Then, when it becomes relevant, we may request additional information from you or the member such as bank account details or source other important information to enable us to pay the entitlement to you or assess your eligibility.
Why do we use your information?
The main reasons that we and the Trustee, together with our third party administrators and service providers, process your information are for the purposes of:
|(A)||Legal and regulatory compliance||This includes where we are required to process your information based on a legal obligation, including applicable laws relating to employment, pensions, tax, establishing, exercising or defending legal claims, and reporting to regulators such as The Pensions Regulator.|
|(B)||Contract performance and management||This includes where processing of your information is necessary to perform an agreement to provide pensions services to the employer and for the benefit of its employees (including beneficiaries), including to facilitate your access, provide resources to you, contact you about the pension scheme and to notify you about changes to our services.|
|(C)||Improving our products and services||This includes where the processing is necessary to enable us to gain insight into your use of our services and information systems (including Gateway and the member portal and the NOW: Pensions website) in order to make improvements to these, so that we can enhance your experience of using our services.|
|(D)||Managing operations||This includes the normal business practices related to our day-to-day business activities, including internal administration within our corporate group, corporate governance, effective systems and process management, planning and budgeting, financial management (including for the benefit of members), resource management, mergers and acquisitions, including due diligence and audits, internal auditing, supplier management and complaints management.|
|(E)||Managing security and preventing fraud or unlawful activities||This includes for securing our IT network and systems (including Gateway) and company information, preventing fraud or other unlawful activities such as money laundering, verification and credit risk reduction, processing carried out in accordance with regulatory guidance and reporting possible criminal acts.|
|(F)||Marketing||This includes where processing of your information is necessary to provide you with carefully selected marketing about our products and services (in accordance with legal requirements and your preferences).|
Generally, we do not rely on consent as a legal basis for processing your personal data and will only use your personal data when the law allows us to. Most commonly, we will process your personal data:
- to comply with our legal obligations, including those listed in (A) above,
- for the performance of a contract with you or for your benefit or to take steps at your request prior to entering into this contract, or
- for the purposes of our and the Trustee’s respective legitimate interests in ensuring effective operational management and internal administration, network and information security, prevention of fraud and other unlawful activities, reporting of criminal acts, verification and credit risk reduction, compliance with regulatory guidance, establishment, exercise or defence of legal claims, website, product / service improvement and for direct marketing.
We may from time to time collect sensitive personal data, such as health data, from members. Further information is provided in relation to this in the data protection notices for Gateway and the member portal.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.
Where we store your personal data
We ensure that adequate safeguards are in place for all transfers of personal data outside the EEA that do not have an “adequacy decision” from the European Commission in the form of approved EU model clauses and / or EU-US Privacy Shield, as relevant.
Once we have received your information, we will use strict procedures and security features to safeguard against the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. All our employees and any third parties we engage to process data are obliged to respect the confidentiality of such data provided to us and as required under applicable data protection or other legislation.
However, where you have a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential and it is essential that you do not share your password with anyone.
Disclosure of your information
We, the Trustee, our third party administrators and service providers have access to your personal data for the purposes stated above. We share information within our corporate group, as necessary for the effective provision of pension services, and for internal administration, corporate governance and legal and regulatory compliance purposes. For further information about our corporate structure, see: https://www.nowpensions.com/about/our-governance.
The recipients of your personal data outside our group companies may include (as relevant to the services being provided) the following:
- our third party pensions administrator;
- IT providers (including suppliers of systems, software, maintenance, rectification and hosting services);
- marketing services and solutions providers;
- third party solutions that support our customer relationship management systems and complaints processes;
- from time to time, specialist consultants (but usually on an anonymised and aggregated basis) and providers of investigation services in relation to “gone away” members; and/ or
- providers of data cleanse services to improve the quality and accuracy of the data held.
Recipients of your personal data outside our group companies may also include credit reference agencies to carry out address verification or address forwarding checks. The checks are carried out in order to verify your current address or email address. Address verification is carried out electronically and will not be visible to lenders and will not affect your credit rating. For further information, please refer to the following Credit Reference Agency Information Notice: https://www.equifax.co.uk/crain.html.
Where we have appropriate consent from you, we may use your data (or permit selected third parties to use your data), to provide you with information about goods and services which may be of interest to you and we (or the third party) may contact you about these by post, telephone or by e-mail. If you do not want us to use your data in this way, or to pass your details on to third parties for marketing purposes, please unsubscribe to the relevant marketing. You can also exercise the right at any time by contacting us at firstname.lastname@example.org.
Additionally, we or the Trustee may disclose your personal information:
- if we, the Trustee or our group companies sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect our rights, property, or safety or that of our customers or others. This includes exchanging information with other companies and organisations for the purposes of verification, fraud protection and credit risk reduction.
How long do we retain your data?
We and the Trustee retain your personal data only for as long as necessary for the purpose for which this is being processed. Where the purpose for our processing your personal data is directly linked to your pension, or the provision of a pension to your employees, we may retain personal data until and following your retirement or the retirement of your employees, to the extent this is required in order to manage our and the Trustee’s obligations in respect of your pension. Otherwise, we retain personal data in accordance with statutory retention periods, or for so long as necessary for the establishment, exercise or defence of legal claims.
The following section explains your rights. The various rights are not absolute and each is subject to certain exceptions or qualifications.
|Rights||What does this mean?|
|3.||Right to rectification||You can ask us to take reasonable measures to correct your information if it is inaccurate or incomplete. E.g. if we have the wrong date of birth or name for you.|
|4.||Right to erasure||This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, e.g. where we need to use the information in defence of a legal claim.|
|5.||Right to restrict processing||You have rights to ‘block’ or suppress further use of your information when we are assessing a request for rectification or as an alternative to erasure. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.|
|6.||Right to data portability||You have rights to obtain and reuse certain personal data for your own purposes across different organisations. E.g., if you decide to move services, this enables you to move, copy or transfer your information easily between different service providers (or directly to yourself) safely and securely, without affecting its usability. This only applies to your information that you have provided that is being processed with your consent (if relevant) or to perform a contract that you are a party to, which is being processed by automated means. We do not expect this right to be relevant in the context of the services that we provide.|
|7.||Right to object||You have the right to object to certain types of processing, on grounds relating to your particular situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by us or by a third party such as the Trustee. We will be allowed to continue to process the information if we can demonstrate “compelling legitimate grounds for the processing which override [your] interests, rights and freedoms” or we need this for the establishment, exercise or defence of legal claims.
The consequences will depend on the nature and scope of your objection and how and why we are using the information. In some circumstances, this may mean that we may need to modify our processing activities or how we interact with you in a way that overcomes the objection, or change the way in which we provide services to your employer or for your benefit, or stop providing part or all of the pensions services. In others, we may be entitled to keep processing the personal data despite your objection or at least do so in a limited way, such as where we are obliged to retain information for audit purposes. (We will always need to stop direct marketing within a reasonable time if you object to this (and note that this is only relevant to individual employers).) When we respond to your request, we will write to you and tell you where this is the case.
|8.||Right to withdraw consent||We may ask for your consent to the processing of personal data. You have the right to withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.|
Third party links
Your duty to inform us of any changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
How to contact us
We have appointed a data protection officer who can be contacted at DPO@nowpensions.com if you want to make a request to exercise any of your rights above or you have any concerns about the way in which we have handled your personal data.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.