This Policy applies to all members, former members, employers, advisers, and beneficiaries of the workplace pension scheme (the Scheme) and Smart Retire. It also applies to visitors to our websites and other individuals who contact us or interact with us through our websites.
If you would like further information on our pension products you can visit: https://www.smartpension.co.uk/.
For information specific to members, please visit: https://www.member.smart.co/.
Platform as a Service (PaaS)
If you would like further information about our platform as a service, please visit: https://www.smart.co/.
In this Policy, the ‘Data Protection Laws’ means the General Data Protection Regulation (the GDPR) together with all other applicable legislation relating to privacy or data protection in force from time to time. You should share this Policy with your family and dependants where you have provided us with personal information about them (and where it is reasonable to do so).
As defined by the GDPR, a Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
Smart and the Trustee are both Controllers for the purposes of the Data Protection Laws.
This Policy explains how Smart, the Trustee and the Scheme uses and protects the personal information that they hold about you.
Smart, registered in the Information Commissioner’s Office (ICO) registration number ZA070575 provides the platform (the Smart Platform), propositions and services for members and employers, and provides Data Protection Officer (DPO) duties on behalf of the Scheme, including the delivery of your rights in relation to your personal information.
The Trustee is responsible for governance in relation to the Scheme. The Trustee’s ICO registration number is ZA135972.
Smart Governance Limited (SGL) provides pensions administration services to EC2 Master Limited as Trustee of the Smart Pension Master Trust. SGL acts as a processor of the Trustee for the purposes of the Data Protection Laws. SGL is a wholly owned subsidiary of Smart. SGL’s ICO registration number is ZA655267.
The Smart Technology Holdings Limited ICO registration number is ZB048532. The Smart Platform Limited ICO reference number is ZB281891.
Contact details for Smart and the Trustee are set out at the end of this Policy.
Personal information broadly means information that identifies (or which could, with other information that we hold or are likely to hold, identify) a living individual. This includes any information provided to us by or on behalf of you, the Scheme's employers or third parties including government agencies including HM Revenue & Customs in relation to your membership of the Scheme.
We collect and process the information about you that you provide:
We also collect and process information about you that is provided to us by the Scheme's employers or by HM Revenue & Customs. We may hold and process any or all the following personal information about you:
Some of the Trustee’s information comes directly from you. The Trustee may also get information directly from your employer or their representative/adviser.
In addition, Smart, which runs the Scheme on the Trustee’s behalf, may have got information from you, and passed it to the Trustee. Sometimes the Trustee gets information from other sources: for example, another scheme if you have transferred benefits from that scheme; government departments such as HMRC and DWP; and publicly accessible sources (e.g., the electoral roll) if the Trustee has lost touch with you and is trying to find you.
Sometimes the Trustee will obtain your personal data from trustees of other pension schemes who are considering making a ‘bulk transfer’ of assets and liabilities from those other schemes into the Scheme. Before that kind of transfer could happen, the Trustee would need to evaluate, negotiate, and prepare for it.
This would include testing that the personal data coming across is sufficient for the transfer to happen properly in accordance with the rules of the Scheme, checking for inaccuracies in the personal data, and checking whether there are missing parts to the personal data. This testing would be necessary for the legitimate interests of the Trustee in deciding whether to give effect to the transfer.
The Trustee has carefully balanced its legitimate interests against your own rights and freedoms under data protection laws. The categories of personal data shared with the Trustee for this testing are as described in the section “Information the Trustee holds”. If the transfer doesn’t proceed after completion of the testing, the Trustee will securely return or destroy your personal data, unless a copy must be retained to defend legal claims or for other reasons in relation to legal claims.
Personal data in beneficiary nominee forms will come from you as the member. Personal data about members’ dependants, other beneficiary nominees, and death-in-service nominees, will also come from you or your representative. If we ask you for other information in future (for example, about your health), the Trustee will explain whether you have a choice about providing it and any consequences if you don’t do so.
Smart may receive personal data about you when you contact Smart by doing any of the following:
Smart works with several third parties from whom we may receive information about you, including:
The Trustee must by law provide benefits in line with the Scheme’s governing documents and must also meet other legal requirements when looking after the Scheme.
The Trustee will use your personal data to comply with these legal obligations, to establish and defend its legal rights, and to prevent and detect crimes such as money laundering and fraud. The Trustee may need to share your personal data with other people for this reason, such as courts, law-enforcement agencies, and providers of anti-money laundering services.
The Trustee also has a legitimate interest in properly looking after the Scheme. This includes paying benefits as they fall due; buying insurance contracts; direct-debit instruction checks; communicating with you; and ensuring that correct levels of contributions are paid, that benefits are correctly calculated, and that the expected standards of Scheme governance are met (including standards set out in The Pensions Regulator guidance).
The Trustee holds your personal information because we need it to administer the Scheme. Without your personal information, we cannot provide you and your dependants with the correct benefits, at the right time. For example, we may need this information to verify your membership of the Scheme, to calculate your benefits or to assess whether you are entitled to a specific benefit or how the tax rules apply to you.
We may use unique identifier information, such as your National Insurance number, passport number, pension or member reference number and employee number (where applicable) for the purposes of sending communications to you and verifying your identity.
In some instances, we may need to hold and process information relating to your physical or mental health, for example if you are applying for a pension on grounds of ill-health. We will ask for your explicit consent to this, unless there is an alternative legal basis for processing this information under the Data Protection Laws. Once you have given your consent, you can withdraw it at any time by writing to us using the contact details below.
Smart holds your personal information in connection with its role as provider of the Scheme, for example, it may need this information to process your queries, verify your identity or carry out business processes. Smart may also provide you with information in relation to other products and services available on the Smart Platform which you have asked for or which we think may be of interest to you.
Data Protection Laws require us to meet certain conditions before we are allowed to use your personal information in the way described in this Policy.
Smart and the Trustee rely on a condition that allows us to use your personal information to comply with our legal obligations in relation to the Scheme.
We will keep the amount of personal information collected and the extent of any processing to a minimum.
We will only process 'sensitive' or 'special categories' of personal information under the Data Protection Laws (e.g., information about your health) where you have explicitly consented to this or where there is an alternative legal basis for processing this information under the Data Protection Laws (e.g., it is required by law). This may mean that you will be asked to sign consent forms in the future. If you don't consent to our processing this information when asked to do so, it may mean that we are unable to pay benefits to you or your dependants. Once you have given your consent, you can withdraw it at any time by writing to us using the contact details below.
We will only process information about criminal convictions if these relate to money owed to the Scheme's employers in circumstances where they are entitled to be reimbursed from your benefits and either you consent to this, or the processing is necessary for the exercise of a legal claim.
We may use your personal information for a number of purposes relating to the administration of the Scheme, including the following:
In addition, Smart may use your information:
The Trustee will not use your personal data for marketing purposes.
However, Smart will request your consent for marketing purposes and to collect your preferences by which channels of communication you would like to be contacted by Smart.
If we have received your express consent to do so and you have agreed to receive marketing from us, we may send you marketing communications. You can stop receiving marketing messages from us at any time.
You can do this by:
Employers and advisers
Smart will rely on its existing commercial relationship with our employer customers, to provide limited communications in respect of similar products or services (known as the 'soft-opt-in' under Data Protection Laws).
Our customers are provided with the opportunity to opt out (unsubscribe) on each communication.
We will hold your personal information on our systems for as long as is necessary for the Scheme to provide benefits to you or your dependants.
So, for example, if your pension is paid from the Scheme when you retire, we will hold your information for the rest of your life, until your pension ceases on your death. If a pension is payable to any of your dependants after your death, we will then continue to hold your information until their pensions cease. We will then continue to hold your information for an indefinite period after all benefits payable to you and your dependants have ceased in case there are any further queries about your membership of the Scheme.
If you cease to be a member of the Scheme (e.g., because you transfer your benefits to another pension arrangement), we will hold your information while you are a member and then for an indefinite period after you cease to be a member, in case any further queries arise about your membership of the Scheme.
Where appropriate for the purposes of administering the Scheme and providing other products and services on the Smart Platform we may share your information with:
The entities listed above may also share personal data with their own business suppliers, for example in relation to the operation of IT systems or where they outsource part of their services.
Smart may also share personal data with third party service providers to process your information on our behalf. These third parties will be required to strictly comply with the instructions of Smart.
Some of these entities may also be controllers under the Data Protection Laws. However, in the first instance you should contact Smart and the Trustee using the contact details below if you have any queries about how they use your personal information.
Please note that some of the Scheme's former service providers may continue to hold information about you for their own record keeping purposes once they have ceased to be involved with the Scheme.
The data that we collect from you may be transferred outside the UK or the EEA where the Scheme's service providers host data outside the UK or the EEA. This will be governed by the Data Protection Laws.
Further, if you live or work outside of the UK or the EEA, we may need to transfer your personal data outside of the UK or the EEA to respond to any queries that you may have. Where this applies, we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy.
The Schrems II decision of the European Court of Justice (ECJ) in July 2020, found that the Privacy Shield is no longer a valid way to transfer personal data outside of the EEA. However, Standard Contractual Clauses (SCCs) are still valid.
In accordance with ICO guidance, Smart has undertaken a review of our contractual arrangements to ensure that SCCs are in place where personal data may be processed in the United States. If we become aware that a supplier relies solely on the Privacy Shield, then we will work with them to ensure that SCCs are in place, or there is an alternative legal basis for the transfer.
In the meantime, Smart will continue to monitor its international transfers and react promptly as regulatory guidance and advice is updated.
The following section explains your rights. The various rights are not absolute, and each is subject to certain exceptions or qualifications. Please note that we may be unable to delete or remove your data whilst we still need this to administer the Scheme.
1. Right to be informed
2. Right of access
You have the right to obtain a copy of your information (if we’re processing it), and certain other information (similar to that provided in this information notice) about how it is used. This is so you’re aware and can check that we are using your information in accordance with data protection law. We can refuse to provide information where to do so may reveal personal data about another person or would otherwise negatively impact another person’s rights.
3. Right to rectification
You can ask us to take reasonable measures to correct your information if it’s inaccurate or incomplete. E.g., if we have the wrong date of birth or name for you.
4. Right to erasure
This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, e.g., where we need to use the information, in defence of a legal claim.
5. Right to restrict processing
You have rights to ‘block’ or suppress further use of your information when we are assessing a request for rectification or as an alternative to erasure. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
6. Right to data portability
You have rights to obtain and reuse certain personal data for your own purposes across different organisations. E.g., if you decide to move services, this enables you to move, copy or transfer your information easily between different service providers (or directly to yourself) safely and securely, without affecting its usability. This only applies to your information that you have provided that is being processed with your consent (if relevant) or to perform a contract that you are a party to, which is being processed by automated means. We do not expect this right to be relevant in the context of the services that we provide.
7. Right to object
You have the right to object to certain types of processing, on grounds relating to your situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by us or by a third party such as the Trustee. We will be allowed to continue to process the information if we can demonstrate “compelling legitimate grounds for the processing which override [your] interests, rights and freedoms” or we need this for the establishment, exercise, or defence of legal claims.
We will use strict procedures and security features to safeguard against the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
All our employees and any third parties we engage to process data are obliged to respect the confidentiality of such data provided to us and as required under applicable data protection or other legislation.
Smart became ISO/IEC 27001 certified on 12 October 2021. The scope of this Information Security Management System (ISMS) is information security arrangements associated with the provision of pension and retirement technology services by Smart.
If you are not happy with the way in which your personal information is held or processed, please contact us using the details below. You also have the right to complain about data protection matters to the ICO.
The ICO is the UK's independent body set up to uphold information rights. You can find out more about the ICO on its website. The ICO can be contacted by calling 0303 123 1113.
We keep this Policy under regular review and may change it at any time. We will tell you about any significant changes. Any changes we may make to this Policy in the future will be posted on this page. Please check frequently to see any update or changes to this Policy. This Policy is current as of 30 November 2021.
Our Data Protection Officer is Joanne Zhang. If you have any queries about this Policy, or wish to exercise any of the rights above, please contact [email protected] or complete this form.
If you have any other questions about the Scheme, please visit https://www.smartpension.co.uk/contact-us to find out the best way of contacting us for your question.
If you have any security related issues about our website, please contact [email protected].