Bulk Purchase Annuity privacy notice

This notice describes how we collect, store, use and share personal data.  It also explains the rights you have in relation to the personal data that we hold about you. It applies to personal data provided to us, directly and indirectly, both by you or by others on your behalf. This privacy notice applies if you are a member of a pension scheme (“scheme”) and the trustees of the scheme (“trustees”) have chosen to secure pension benefits with us, in the form of a bulk purchase annuity, or ‘buy-in’.  

A bulk purchase annuity is an insurance agreement between defined benefit pension schemes and insurers. It is an investment of the pension scheme, providing guaranteed cashflows from the insurer to the scheme, matching all or part of the scheme’s pension promises to members.

This type of policy supports the security of pension scheme members’ benefits and reduces risk to companies supporting the pension scheme. It is also known as a ‘buy-in’, which is a form of bulk purchase annuity.

If your pension scheme has purchased a buy-in policy with Royal London, you will continue to receive your pension benefits in the usual way from your pension scheme. There will be no change to the way in which your pension scheme benefits are administered and you should continue to contact your scheme administrator in the usual manner, including if you have any questions about the scheme’s bulk annuity policy.

Throughout this notice, when we say ‘we’ or ‘us’ we’re referring to the Royal London Mutual Insurance Society Limited, a company registered in England and Wales, and authorised by the FCA. (registration number: 99064, registered office: 80 Fenchurch Street, London, EC3M 4BY).

Personal data is defined under the UK General Data Protection Regulation (UK GDPR) as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In essence, personal data is your personal information. Please see section 4 below for the type of personal data that we collect. We collect and process personal data primarily in order to administer an insurance policy held by your pension scheme. Section 5 of this privacy notice tells you what you can expect us to do with your personal data as an independent data controller.

We may process the following personal data about you, as provided to us by your pension scheme’s trustees:

  • Information about you - such as your name, age, gender, date of birth, country of residence and postcode.
  • Special category data - this is personal data that needs more protection because it is sensitive.  Where it is relevant to the trustee’s policy, we may process information relating to your medical history and health.
  • Employment details such as pensionable pay, length of service and occupation.
  • Benefit information – for example, details about the amount and timing of your benefits due from the pension scheme.
  • Family & beneficiaries’ information – for example, your marital status, dependants or other nominated beneficiaries, including their date of birth and gender. Their personal data will be processed in accordance with this Privacy Notice.
  • Telephone calls or example, voice recording if you contact us (although please note, as described in section 1, you should continue to contact your pension scheme administrator with any enquiries in the usual manner).

We use the personal data provided to us by your pension scheme’s trustees for a number of reasons: 

  • Administering any arrangements between us and your pension scheme trustees in relation to the buy-in, including making and receiving payments in respect of your pension benefits.
  • Assessing, developing and managing our products, systems, prices, our business and brand. This includes understanding and inferring your socio-demographic group – for example, where you sit within the UK’s social and income groups.
  • Preventing fraud and financial crime.
  • Fulfilling any other legal or regulatory obligations.
  • Monitoring the use of our websites – for further information, please see our Cookie Policy.

Additionally, we may use any personal data that you provide through optional financial tools and calculators, which are available on our website.

Most of the personal data we receive comes directly from your pension scheme trustees, or companies appointed by the pension scheme trustees to manage the scheme on their behalf (for example, your pension scheme administrator).

We may also obtain personal data about you from:

  • Trusted third-party companies that support the management of the bulk annuity product, such as tracing providers (who confirm limited personal or marital information), or sanctions checking providers, to prevent financial crime.
  • ‘Third party’ cookies - collect information on how visitors use our website.  Our Cookie policy can give you more information.

As you’d expect, our employees will access your records for the purposes mentioned above.  However, only those employees who need access to that information are given it. For example, our administration staff need access to your policy details to support management of the policy internally, and our pricing and reporting teams will need access to a subset of your information to perform their analysis.  We regularly check who has access to our systems.

We may also share your personal data with these third parties:

  • Trustees – we’ll need to share information with your pension scheme’s trustees (often via your pension scheme’s administrator) so that they can meet their legal obligations in running the pension scheme.
  • Our service providers, e.g.  those who perform some underwriting activities for us, offsite storage, confidential waste disposal companies and approved IT specialists who support our technology.
  • Our professional advisers: including auditors, consultants and legal advisers.
  • Identity authentication, law enforcement and fraud prevention agencies.
  • Legal and Regulatory bodies e.g. HM Revenue & Customs, The Financial Conduct Authority, Information Commissioner`s Office and the UK Financial Services Compensation Scheme.
  • Companies within the Royal London Group.
  • Our Reinsurers, to the extent we use any, who require data including policy details, medical and suspected fraud and other financial crime data.
  • In the event Royal London was to merge or sell any part of its business or assets, it will be necessary to pass your personal data to the prospective buyer/party.

Please note that any third parties will only process your personal data on our instructions and where they have agreed to treat the data confidentially and to keep it secure.

We sometimes use third parties located in other countries to provide support services.  As a result, your personal data may be processed in countries outside the European Economic Area (EEA). 

These services will be carried out by experienced and reputable organisations on terms which safeguard the security of your information and comply with the European data protection requirements.  Some countries have been assessed by the European Commission (EC) as being ‘adequate’, including the UK, which means their legal system offers a level of protection for personal data which is equal to the EC’s protection.   Where the country hasn’t been assessed as adequate, the method we have chosen to safeguard your information is ‘standard contractual clauses’ within the legal agreement to safeguard the processing of your personal data.

The European Commission and the UK have recognised ‘standard contractual clauses’ as offering adequate safeguards to protect your rights and we’ll use these where required ensuring adequate protection for your personal data as prescribed by the GDPR. You can access and read the European Commission approved standard contractual clauses (opens in a new window).

We use ‘standard contractual’ clauses for the below activities, to help us provide:

  • IT support and technology development
  • Reassurance services with our global reassurance
  • Services with other providers/suppliers, research partners and administrators

We will always ensure your personal data is provided with adequate protection and all transfers of personal information outside the EEA are done lawfully.

We have put in place security measures designed to prevent your personal data and special categories of personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We use Transport Layer Security (TLS) to encrypt and protect email traffic with our suppliers and other parties transferring data as part of the management of the bulk annuity policy, as well as other approved Secure File Sharing Platforms. We also use the Clearswift Managed Email Security Service to protect our outgoing email traffic.  However, if your email service doesn’t support TLS or if you do not wish to use our Clearswift Managed Email Security Service, we may not be able to communicate with you by email, and any emails we do send or receive will not be protected by encryption, and could be intercepted. We may also change our Email Security Service provider at any time without notice and without changing the provision in this notice.  

Once we receive your information, we use strict procedures and security features to protect it from unauthorised access. 

In the event of a potential data security breach, we will notify your pension scheme trustees and Information Commissioner’s Office if we are legally required to do so, or if there is a risk to your rights and freedoms as a result of the breach.

We will retain your personal data for as long as it is considered necessary for the purpose for which it was collected, and to comply with our legal and regulatory requirements. This will involve retaining your personal data for a reasonable period of time after the benefits payable in relation to you, to the pension scheme’s trustees, have ended.

This period will be compliant with any specific legal, regulatory, contractual requirements or technical reasons.

Automated Decisions

Automated decisions are where a computer makes a decision about you without a person being involved.  This includes profiling pension scheme members, which means we make assumptions about you to help us price our products fairly.

Crime Prevention

We will undertake checks for the prevention and detection of crime as we are required by law to do so. These checks use solely automated means to make decisions about you.  This may result in stopping payments made to the trustees in respect of your pension scheme’s benefits.  Please see section 13 “What are my rights?” for further information.

Your rights are outlined below. The easiest way to exercise any of your rights would be to contact our Data Protection Officer at the contact details provided.  We will provide a response within one month, if not sooner.  There is normally no charge for exercising any of your rights. We may ask you for proof of identity when you request to exercise some of these rights to ensure we are dealing with the correct individual.
 
Access to your personal data

You have the right to find out what personal data we hold about you, in many circumstances. Please see section 15 below for our contact details.

Correcting or adding to your personal data

Your pension scheme trustees are responsible for providing your personal data to us and ensuring that any of your details provided to us (usually via your pension scheme administrator, or another party appointed to manage the scheme) are correct, accurate and complete. You should contact your pension scheme administrator in the usual way to correct or add any information.

Withdrawing your consent

If you have provided consent for us to use your personal data  and is  stated to be a legal ground in this privacy notice, you have the right to withdraw it at any time.  If you withdraw consent, then we are not allowed to use your personal data going forward.  However, it would not invalidate processing that was carried out before you withdrew consent.

Transferring your personal data to another organisation (Data portability)

In some circumstances, you can ask us to send an electronic copy of the personal data you have provided to us, either to you or to another organisation.

Objecting to the use of your personal data for legitimate interests

You also have the right to object to any processing done under legitimate interests.  We will re-assess the balance between our interests and yours, considering your particular circumstances.  If we have a compelling reason, we may still continue to use your personal data if that interest is not deemed to be outweighed by your privacy rights. However, we will inform you of that decision and reasoning for continuation of processing.

Objecting to automated decision making

You have a right to object if we have made an automated decision, including profiling, which has legal and significant effect against you. You may also have the right to challenge the decision and ask for a human review.  These rights do not apply if we are authorised by the law to make such decisions and appropriate safeguards are in place to protect your rights.

Restricting the use of your personal data

If you are uncertain about the accuracy or our use of your personal data, you can ask us to stop using your personal data until your query is resolved.  We will let you know the outcome before we take any further action in relation to this personal data. 

Right to Erasure

You can ask us to delete your personal data in some circumstances, however, it is likely that we will need to retain it in order to correctly manage the bulk purchase annuity policy held by your scheme’s trustees and perform the necessary activities set out in this privacy notice. If that is the case, we will inform you of that decision and reasoning for continuation of processing. 

We would ask that you speak to your pension scheme trustees or scheme administrator in the first instance, if you have any concerns regarding erasure of your data.

If you are dissatisfied with how we are using your personal data, you have the right to complain to the Information Commissioner.  We would encourage you to contact us first so we can deal with your concerns.

The Information Commissioner`s office can be contacted by

  • Visiting their website www.ico.org.uk
  • Phone on 0303 123 1113
  • Write to Information Commissioner`s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Making sure that we keep you up to date with privacy information is a continuous responsibility and we keep this notice under review.  We will update our notice as changes are required.

This privacy notice was last updated on 29 July 2024.

If you have any questions or comments regarding this privacy notice, or if you are unhappy about the way Royal London uses your personal data, please contact us using these details:

Post: Data Protection Officer, Royal London, Royal London House, Alderley Park, Congleton Road, Nether Alderley, Macclesfield, SK10 4EL.

Email: GDPR@Royallondon.com