Bulk Purchase Annuity privacy notice
This notice describes how we collect, store, use and share personal data. It also explains the rights you have in relation to the personal data that we hold about you. It applies to personal data provided to us, directly and indirectly, both by you and by others on your behalf. This privacy notice applies if you are a member of a pension scheme (“scheme”) and the trustees of the scheme (“trustees”) have chosen to secure pension benefits with us, in the form of a bulk purchase annuity, or ‘buy-in’.
1. What is a Bulk Purchase Annuity, or ‘buy-in’?
A bulk purchase annuity is an insurance agreement between defined benefit pension schemes and insurers. It is an investment of the pension scheme, providing guaranteed cashflows from the insurer to the scheme, matching all or part of the scheme’s pension promises to members.
This type of policy supports the security of pension scheme members’ benefits and reduces risk to companies supporting the pension scheme. It is also known as a ‘buy-in’, which is a form of bulk purchase annuity.
If your pension scheme has purchased a buy-in policy with Royal London, you will continue to receive your pension benefits in the usual way from your pension scheme. There will be no change to the way in which your pension scheme benefits are administered and you should continue to contact your scheme administrator in the usual manner, including if you have any questions about the scheme’s bulk annuity policy.
2. Who we are
Throughout this notice, when we say ‘we’ or ‘us’ we’re referring to the Royal London Mutual Insurance Society Limited, a company registered in England and Wales, and authorised by the FCA (registration number: 99064, registered office: 80 Fenchurch Street, London, EC3M 4BY).
3. What is personal data and why do we collect and process it?
Personal data is defined under the UK General Data Protection Regulation (UK GDPR) as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In essence, personal data is your personal information. Please see section 4 below for the type of personal data that we collect. We collect and process personal data primarily in order to administer an insurance policy held by your pension scheme. Section 5 of this privacy notice tells you what you can expect us to do with your personal data as an independent data controller.
4. What kinds of personal data do we hold about you?
We may process the following personal data about you, as provided to us by your pension scheme’s trustees:
- Information about you - such as your name, age, gender, date of birth, country of residence and postcode.
- Special category data - this is personal data that needs more protection because it is sensitive. Where it is relevant to the trustee’s policy, we may process information relating to your medical history and health.
- Employment details such as pensionable pay, length of service and occupation.
- Benefit information – for example, details about the amount and timing of your benefits due from the pension scheme.
- Family & beneficiaries’ information – for example, your marital status, dependants or other nominated beneficiaries, including their date of birth and gender. Their personal data will be processed in accordance with this Privacy Notice.
- Telephone calls – for example, voice recording if you contact us (although please note, as described in section 1, you should continue to contact your pension scheme administrator with any enquiries in the usual manner).
5. How we use your personal data
We use the personal data provided to us by your pension scheme’s trustees for a number of reasons:
- Administering any arrangements between us and your pension scheme trustees in relation to the buy-in, including making and receiving payments in respect of your pension benefits.
- Assessing, developing and managing our products, systems, prices, our business and brand. This includes understanding and inferring your socio-demographic group – for example, where you sit within the UK’s social and income groups.
- Preventing fraud and financial crime.
- Fulfilling any other legal or regulatory obligations.
- Monitoring the use of our websites – for further information, please see our Cookie Policy.
Additionally, we may use any personal data that you provide through optional financial tools and calculators, which are available on our website.
6. Where do we get your personal data from?
Most of the personal data we receive comes directly from your pension scheme trustees, or companies appointed by the pension scheme trustees to manage the scheme on their behalf (for example, your pension scheme administrator).
We may also obtain personal data about you from:
- Trusted third-party companies that support the management of the bulk annuity product, such as tracing providers (who confirm limited personal or marital information), or sanctions checking providers, to prevent financial crime.
- ‘Third party’ cookies - collect information on how visitors use our website. Our Cookie policy can give you more information.
8. What are our legal grounds for using personal data?
The UK GDPR and associated legislation set out specific grounds under which your personal data may be lawfully processed. The legal grounds for the processing of personal data by us will depend on the purpose for which the processing is being carried out.
We’ll only use your personal data when one of these grounds has been satisfied. You can see how we use your personal data and the legal grounds for processing this:
Uses of your Personal Data | Legal Grounds |
Setting up and administering the trustee’s bulk purchase annuity policy: This covers all the activities necessary to administer the policy, such as:
Completing any requests that your pension scheme trustees make: This includes:
Management of the bulk annuity policy: We may use trusted third-party companies to support the management of the bulk annuity product, such as tracing providers to confirm some limited personal or marital information. |
Necessary for the performance of a contract: The personal data that your pension scheme trustees provide may be processed when it is necessary to enter into or perform a contract. E.g. where we process your personal data to calculate the policy premium or pay cashflows to your pension scheme. |
We use your personal data & special category data, where necessary, to comply with legal obligations including:
|
Necessary for compliance with a legal obligation
Your personal data may be processed where Royal London has a legal obligation to perform such processing. |
In certain cases, and where necessary, the special category data provided may be processed for the following purposes:
|
Necessary to provide legal advice and legal proceedings: The 2018 UK Data Protection Act provides legal grounds for processing special category data (medical information) for legal advice and legal proceedings. |
The medical information you, or your medical practitioner, or GP provided to the pension scheme trustees will be used, where necessary, for assessing payment of ill-health policy benefits to your pension scheme trustees. We may also share your information with our Chief Medical Officer if we need further help to check whether HM Revenue & Customs’ rules are met in this regard. |
Necessary for an insurance product: The 2018 UK Data Protection Act also provides legal grounds for processing your special category data (medical information) in connection with an insurance or occupational pension. |
Online tools and calculators: We have tools and calculators available on our website designed to help you and / or your adviser to assess your finances. Any information you submit to these tools and calculators is optional and we explain, in detail, how it’s used.
On our website, we use ‘third party’ cookies that collect information about how visitors use our website. Please see our Cookie policy for further information. |
Consent: Your personal data may be processed when we receive your consent. The consent you provide must be freely given, informed, specific, unambiguous and given with a positive affirmative action. Your consent can be withdrawn at any time. |
Necessary for legitimate interests: We also use your personal data when we have a ‘legitimate interest’ and that interest isn’t outweighed by your privacy rights. Each activity is assessed, and your rights and freedoms are considered to ensure that we’re not being intrusive or doing anything beyond your reasonable expectation. We’ll assess the information we need, so we only use the minimum. If you want further information about processing under legitimate interests, you can contact us using the details below. You also have the right to object to any processing done under legitimate interests. We’ll re-assess the balance between our interests and yours, considering your particular circumstances. If we have a compelling reason, we may still continue to use your personal data. |
Use of your personal data | Legitimate interest(s) |
In order to make sure the trustee’s policy is priced accurately and fairly, we combine your information with that of customers across Royal London to analyse it. This includes understanding and inferring your socio-demographic group. We also combine your information with other policies to assess how much money we need to have available at any time. | To assess and develop our products, systems, prices, business and brand: We need to develop those products and services, and make sure our product prices are fair. We need to make sure we are treating pension schemes fairly and check the product is suitable for them. We need to make sure that we have enough money to pay our customers when the time comes. |
We financially assess the performance of our business, conduct risk management exercises and carry out long-term statistical modelling. We manage our network and information security (for example, developing, testing and auditing our websites and other systems, dealing with accidental events or unlawful or malicious actions). We share your personal data with Royal London Group and our service providers. | To manage our business: To help us understand our risks, provide management information and help us to manage our business. To ensure that our systems are always secure and that your data is always protected. To prevent and detect fraud, dishonesty and other crimes (for example, to prevent someone trying to steal your identity). For internal administrative, audit and statistical purposes. Your data will only be transmitted within the Group and to our service providers when appropriate safeguards, including contractual provisions, are in place. |
9. Overseas Transfers
We sometimes use third parties located in other countries to provide support services. As a result, your personal data may be processed in countries outside the European Economic Area (EEA).
These services will be carried out by experienced and reputable organisations on terms which safeguard the security of your information and comply with the European data protection requirements. Some countries have been assessed by the European Commission (EC) as being ‘adequate’, including the UK, which means their legal system offers a level of protection for personal data which is equal to the EC’s protection. Where the country hasn’t been assessed as adequate, the method we have chosen to safeguard your information is ‘standard contractual clauses’ within the legal agreement to safeguard the processing of your personal data.
The European Commission and the UK have recognised ‘standard contractual clauses’ as offering adequate safeguards to protect your rights and we’ll use these where required, ensuring adequate protection for your personal data as prescribed by the GDPR. You can access and read the European Commission approved standard contractual clauses.
We use ‘standard contractual clauses’ for the below activities, to help us provide:
- IT support and technology development
- Reassurance services with our global reassurance
- Services with other providers/suppliers, research partners and administrators
We will always ensure your personal data is provided with adequate protection and all transfers of personal information outside the EEA are done lawfully.
10. Security
We have put in place security measures designed to prevent your personal data and special categories of personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We use Transport Layer Security (TLS) to encrypt and protect email traffic with our suppliers and other parties transferring data as part of the management of the bulk annuity policy, as well as other approved Secure File Sharing Platforms. We also use the Clearswift Managed Email Security Service to protect our outgoing email traffic. However, if your email service doesn’t support TLS or if you do not wish to use our Clearswift Managed Email Security Service, we may not be able to communicate with you by email, and any emails we do send or receive will not be protected by encryption, and could be intercepted. We may also change our Email Security Service provider at any time without notice and without changing the provision in this notice.
Once we receive your information, we use strict procedures and security features to protect it from unauthorised access.
In the event of a potential data security breach, we will notify your pension scheme trustees and the Information Commissioner’s Office if we are legally required to do so, or if there is a risk to your rights and freedoms as a result of the breach.
11. How long do we keep personal data for?
We will retain your personal data for as long as it is considered necessary for the purpose for which it was collected, and to comply with our legal and regulatory requirements. This will involve retaining your personal data for a reasonable period of time after the benefits payable in relation to you, to the pension scheme’s trustees, have ended.
This period will be compliant with any specific legal, regulatory, contractual requirements or technical reasons.
12. Do we make solely automated decisions about you or profile you?
Automated Decisions
Automated decisions are where a computer makes a decision about you without a person being involved. This includes profiling pension scheme members, which means we make assumptions about you to help us price our products fairly.
Crime Prevention
We will undertake checks for the prevention and detection of crime as we are required by law to do so. These checks use solely automated means to make decisions about you. This may result in stopping payments made to the trustees in respect of your pension scheme’s benefits. Please see section 13 “What are my rights?” for further information.
13. What are my rights?
Your rights are outlined below. The easiest way to exercise any of your rights would be to contact our Data Protection Officer at the contact details provided. We will provide a response within one month, if not sooner. There is normally no charge for exercising any of your rights. We may ask you for proof of identity when you request to exercise some of these rights to ensure we are dealing with the correct individual.
Access to your personal data
You have the right to find out what personal data we hold about you, in many circumstances. Please see section 15 below for our contact details.
Correcting or adding to your personal data
Your pension scheme trustees are responsible for providing your personal data to us and ensuring that any of your details provided to us (usually via your pension scheme administrator, or another party appointed to manage the scheme) are correct, accurate and complete. You should contact your pension scheme administrator in the usual way to correct or add any information.
Withdrawing your consent
If you have provided consent for us to use your personal data and consent is stated to be a legal ground in this privacy notice, you have the right to withdraw it at any time. If you withdraw consent, then we are not allowed to use your personal data going forward. However, it would not invalidate processing that was carried out before you withdrew consent.
Transferring your personal data to another organisation (Data portability)
In some circumstances, you can ask us to send an electronic copy of the personal data you have provided to us, either to you or to another organisation.
Objecting to the use of your personal data for legitimate interests
You also have the right to object to any processing done under legitimate interests. We will re-assess the balance between our interests and yours, considering your particular circumstances. If we have a compelling reason, we may still continue to use your personal data if that interest is not deemed to be outweighed by your privacy rights. However, we will inform you of that decision and reasoning for continuation of processing.
Objecting to automated decision making
You have a right to object if we have made an automated decision, including profiling, which has legal and significant effect against you. You may also have the right to challenge the decision and ask for a human review. These rights do not apply if we are authorised by the law to make such decisions and appropriate safeguards are in place to protect your rights.
Restricting the use of your personal data
If you are uncertain about the accuracy or our use of your personal data, you can ask us to stop using your personal data until your query is resolved. We will let you know the outcome before we take any further action in relation to this personal data.
Right to Erasure
You can ask us to delete your personal data in some circumstances; however, it is likely that we will need to retain it in order to correctly manage the bulk purchase annuity policy held by your scheme’s trustees and perform the necessary activities set out in this privacy notice. If that is the case, we will inform you of that decision and reasoning for continuation of processing.
We would ask that you speak to your pension scheme trustees or scheme administrator in the first instance, if you have any concerns regarding erasure of your data.
15. Changes to our Privacy Notice
Making sure that we keep you up to date with privacy information is a continuous responsibility and we keep this notice under review. We will update our notice as changes are required.
This privacy notice was last updated on 29 July 2024.
16. Contact us
If you have any questions or comments regarding this privacy notice, or if you are unhappy about the way Royal London uses your personal data, please contact us using these details:
Post: Data Protection Officer, Royal London, Royal London House, Alderley Park, Congleton Road, Nether Alderley, Macclesfield, SK10 4EL.
Email: GDPR@Royallondon.com