Updated September 2020
Who are we?
This Policy applies to all members (both active and deferred), former members, employers, advisers and beneficiaries of the workplace pension scheme (the Scheme). It also applies to visitors to our websites and other individuals who contact us or interact with us through our website at smart.co.
Data Protection Laws
In this Policy, the ‘Data Protection Laws’ means the General Data Protection Regulation (the GDPR) together with all other applicable legislation relating to privacy or data protection in force from time to time. You should share this Policy with your family and dependants where you have provided us with personal information about them (and where it is reasonable to do so).
Who is the Controller and the Processor?
As defined by the GDPR, a Controller means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data.
A Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Smart Pension and the Trustee are both Controllers for the purposes of the Data Protection Laws.
This Policy explains how Smart Pension, Smart Governance Limited (SGA) and Smart Pension Master Trust (the Trustee) of the Scheme, uses and protects the personal information that they hold about you.
Smart Pension is a Controller in respect of the Scheme data. It is registered with the Information Commissioner’s Office (ICO) registration number ZA070575 and provides the platform (the Smart Pension Platform), propositions and services for members and employers, and provides Data Protection Officer (DPO) duties on behalf of the Scheme, including the delivery of your rights in relation to your personal information.
The Trustee is responsible for governance in relation to the Scheme. The ICO registration number is ZA135972.
SGA is registered as a Controller and the ICO registration number is ZA655267. SGA is responsible for the administration and servicing of the Scheme.
Contact details for Smart Pension and the Trustee are set out at the end of this Policy.
What is personal information?
Personal information broadly means information that identifies (or which could, with other information that we hold or are likely to hold) a living individual. This includes any information provided to us by or on behalf of you, the Scheme's employers or HM Revenue & Customs (HMRC) in relation to your membership of the Scheme.
What types of personal information about you might we hold?
We collect and process the information about you that you provide:
- To calculate and pay benefits. This includes providing you with details of your benefits and options under the Scheme and dealing with any queries that you have about these.
- To carry out our obligations arising from any agreement that we have with, or concerning, you and to provide you with the information, benefits and services that you request from us.
- To notify you about services provided to members of the Scheme and any changes to those services or to enable you to access those services.
- For statistical, financial modelling, funding, accounting and reference purposes.
- For internal record keeping.
- For risk management purposes, including the insurance or management of risks or of the Scheme's benefits.
- Complying with our legal obligations, any relevant industry or professional rules and regulations or any applicable voluntary codes.
- Complying with demands or requests made by any relevant regulators, government departments and law enforcement or tax authorities or in connection with any disputes or litigation.
- In connection with any sale, merger, acquisition, disposal, reorganisation or similar change of Smart Pension Limited's business.
In addition, Smart Pension may use your information:
- To ensure that our website is as fast and efficient as possible, and compatible with your software and settings.
- To enable our sub-contractors to provide aspects of our services to you.
- To analyse and improve the services we provide.
- To allow you to use different resources and materials on our website.
- To allow you to access certain details about your benefits via Alexa skill or Google Home (please also see our Terms and Conditions).
- To personalise the way information on our website is presented to you.
- To allow you to share content and materials on our website via social media or other communication means.
- To give you information on products and services which you have asked for or which we think may be of interest to you.
- To track the use of referral links you have shared.
If we have received your express consent to do so and you have agreed to receive marketing from us, we may send you marketing communications. You can stop receiving marketing messages from us at any time.
You can do this by:
- By clicking on the 'unsubscribe' link in any email.
- By contacting us at contact firstname.lastname@example.org.
- Once you do this, we will update your profile to ensure that you do not receive further marketing messages.
- Stopping marketing messages will not stop service communications (such as pension updates).
Smart Pension will rely on its existing commercial relationship with our employer customers, to provide limited communications in respect of similar products or services (known as the 'soft-opt-in' under Data Protection Laws).
Our customers are provided with the opportunity to opt out (unsubscribe) on each and every communication.
How long do we keep your information for?
We will hold your personal information on our systems for as long as is necessary for the Scheme to provide benefits to you or your dependants.
So, for example, if your pension is paid from the Scheme when you retire, we will hold your information for the rest of your life, until your pension ceases on your death. If a pension is payable to any of your dependants after your death, we will then continue to hold your information until their pensions cease. We will then continue to hold your information for an indefinite period after all benefits payable to you and your dependants have ceased, in case there are any further queries about your membership of the Scheme.
If you cease to be a member of the Scheme (e.g. because you transfer your benefits to another pension arrangement), we will hold your information while you are a member and then for an indefinite period after you cease to be a member, in case any further queries arise about your membership of the Scheme.
Who do we share the information with?
Where appropriate for the purposes of administering the Scheme and providing other products and services on the Smart Pension Platform we may share your information with:
- The Scheme's administrator, which is currently Smart Governance Limited, company number 12295061 with a registered office at 10 Eastbourne Terrace Paddington, London, W2 6LG. The administrator uses the information to administer the Scheme, including to calculate and pay benefits.
- The Scheme's professional advisers. These organisations use the information when advising the Trustee and carrying out their professional obligations.
- The Scheme's insurers and annuity providers (and other insurers or brokers for the purpose of obtaining quotations relating to the Scheme or its benefits), investment managers, banks and other service providers.
- Any financial adviser or other organisation appointed by the Trustee or Smart Pension to advise you about your options under the Scheme or any adviser appointed by you where you have asked us to provide them with details of your benefits under the Scheme.
- Any other person who is authorised to act on your behalf.
- Companies within the Smart Pension Group and their professional advisers.
- Regulators, government departments, law enforcement authorities, tax authorities and insurance companies.
- Any relevant ombudsman, dispute resolution body or the courts.
- Persons in connection with any sale, merger, acquisition, disposal, reorganisation or similar change in the Smart Pension business.
- Third parties who provide products and services available through the Smart Pension Platform.
- Third party suppliers who provide tracing services in order to enable better accuracy of our member records.
- Pension industry bodies, such as the Pensions Policy Insititute (PPI), in order to enable research-related initiatives to provide pension data analysis, including developing better evidence of people’s savings habits, with the purposes of optimising individuals’ decison-making and improving the outcomes for members and industry stakeholders.
The entities listed above may also share personal data with their own business suppliers, for example in relation to the operation of IT systems or where they outsource part of their services.
Smart may also share personal data with third party service providers to process your information on our behalf. These third parties will be required to strictly comply with the instructions of Smart.
Some of these entities may also be Controllers under the Data Protection Laws. However, in the first instance you should contact Smart and the Trustee using the contact details below if you have any queries about how they use your personal information.
Please note that some of the Scheme's former service providers may continue to hold information about you for their own record keeping purposes once they have ceased to be involved with the fund.
Where we store your personal data
The data that we collect from you may be transferred outside the UK or the EEA where the Scheme's service providers host data outside the UK or the EEA. This will be governed by the Data Protection Laws.
Further, if you live or work outside of the UK or the EEA, we may need to transfer your personal data outside of the UK or the EEA to respond to any queries that you may have. Where this applies, we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy.
Schrems II Privacy Shield statement
The Schrems II decision of the European Court of Justice (ECJ) in July 2020, found that the Privacy Shield is no longer a valid way to transfer personal data outside of the EEA. However, Standard Contractual Clauses (SCCs) are still valid.
In accordance with ICO guidance, Smart Pension has undertaken a review of our contractual arrangements to ensure that SCCs are in place where personal data may be processed in the United States. If we become aware that a supplier relies solely on the Privacy Shield, then we will work with them to ensure that SCCs are in place, or there is an alternative legal basis for the transfer.
In the meantime Smart Pension will continue to monitor its international transfers and react promptly as regulatory guidance and advice is updated.
Your rights in relation to your personal information
The following section explains your rights. The various rights are not absolute and each is subject to certain exceptions or qualifications. Please note that we may be unable to delete or remove your data whilst we still need this to administer the Scheme.
Your rights and what they mean.
1. Right to be informed
You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this information notice.
2. Right of access
You have the right to obtain a copy of your information (if we’re processing it), and other certain other information (similar to that provided in this information notice) about how it is used. This is so you’re aware and can check that we are using your information in accordance with data protection law. We can refuse to provide information where to do so may reveal personal data about another person or would otherwise negatively impact another person’s rights.
3. Right to rectification
You can ask us to take reasonable measures to correct your information if it’s inaccurate or incomplete. For example, if we have the wrong date of birth or name for you.
4. Right to erasure
This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, for example, where we need to use the information in defence of a legal claim.
5. Right to restrict processing
You have rights to ‘block’ or suppress further use of your information when we are assessing a request for rectification or as an alternative to erasure. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
6. Right to data portability
You have rights to obtain and reuse certain personal data for your own purposes across different organisations. For example, if you decide to move services, this enables you to move, copy or transfer your information easily between different service providers (or directly to yourself) safely and securely, without affecting its usability. This only applies to your information that you have provided that is being processed with your consent (if relevant) or to perform a contract that you are a party to, which is being processed by automated means. We do not expect this right to be relevant in the context of the services that we provide.
7. Right to object
You have the right to object to certain types of processing, on grounds relating to your particular situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by us or by a third party such as the Trustee. We will be allowed to continue to process the information if we can demonstrate “compelling legitimate grounds for the processing which override [your] interests, rights and freedoms” or we need this for the establishment, exercise or defence of legal claims.
We will use strict procedures and security features to safeguard against the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
All our employees and any third parties we engage to process data are obliged to respect the confidentiality of such data provided to us and as required under applicable data protection or other legislation.
If you are not happy with the way in which your personal information is held or processed, please contact us using the details below. You also have the right to complain about data protection matters to the ICO.
Changes to this Policy
We keep this Policy under regular review and may change it at any time. We will tell you about any significant changes. Any changes we may make to this Policy in the future will be posted on this page. Please check frequently to see any update or changes to this Policy. This Policy is current on 1st October 2020.
How to contact us?
Our Data Protection Officer is Michael Mulholland. If you have any queries about this Policy, or wish to exercise any of the rights above, please contact email@example.com or complete this form.
If you have any other questions about the Scheme, please contact firstname.lastname@example.org.
If you have any security related issues about our website, please contact email@example.com.