This notice explains how BES Trustees plc (“BESTrustees”) uses and protects the personal information that it holds about contacts and that held in relation to clients.
BESTrustees is a "controller" for the purposes of the data protection laws. The current data protection laws are set out in the Data Protection Act 1998. These will be replaced by new data protection laws with effect from 25 May 2018. In this privacy notice, there is reference to both the current and the new data protection laws as the “Data Protection Laws”.
Personal data (or information) broadly means information that identifies (or which could, with other information that could be held, identify) a living individual. This includes any information provided to us by an individual or another party. BESTrustees may hold information for the purposes of the management of its own business and in connection with the services it provides to clients.
For client contacts, advisers to clients and third party contacts, the personal information held and processed is limited to the name and contact details.
As BESTrustees provides governance services to pension schemes and arrangements, personal information will also be held in relation to the members of clients and former clients. This information may include salary information, service and status details relevant to the provision of pensions by current and former clients. BESTrustees’ data protection policy requires each current client scheme to have its own data protection policy and privacy statement. Other than by exception and where stated, this privacy statement does not, therefore, apply to personal data held in respect of current clients.
A later section of this statement covers specific matters in relation to former clients.
Reasons for holding personal information
BESTrustees will only use the information held in connection with the legitimate purposes of BESTrustees and in the furtherance of its objectives.
The legitimate purposes of BESTrustees includes:
|Client contacts and advisers to clients||Third party contacts|
|For the furtherance of good service delivery and relationship management||The information is held to enable mutual business development activity, the invitation of individuals to vents and to advise of new services or initiatives.|
The legal basis for holding and processing personal data in connection with clients and former clients is the legitimate interest of BESTrustees which includes the discharge of obligations in connection with the fiduciary responsibilities of trustees.
BESTrustees cannot identify visitors to its website by using IP addresses.
BESTrustees will retain personal data for no longer than necessary.
Contact details for advisers, consultants and other individuals who either act for clients or with whom BESTrustees engages in business development activities will be deleted within a reasonable period of there being no on-going commercial relationship with either BESTrustees or any of its clients. Where contact details are held in relation to other third parties in similar or related industries, personal information will be deleted once notification is received that the individual is no longer employed by such a third party.
As explained above, current client data will be retained in accordance with the individual policy applicable to that client.
Processing and sharing of data
BESTrustees will not process data obtained for one purpose for any unconnected purpose unless the individual concerned has either agreed or would otherwise reasonably expect this. Personal information will, therefore, only be disclosed to third parties if there is either a legal requirement to do so or it is necessary to comply with contractual requirements to our stakeholders.
All the personal data held by BESTrustees for the management of its own business is processed in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the EEA. BESTrustees may also make use of third party providers with servers located outside the EEA. Any transfer or processing of data outside of the EEA will be protected by an adequacy decision by the European Commission or by standard data protection clauses adopted by the European Commission or, before 25 May 2018, by a self-assessment of adequacy.
Personal data will normally only be held on BESTrustees servers or suitably secured/encrypted computers, laptops, tablets or mobile devices. Any transfer of personal data will only be in an encrypted form or subject to appropriate safeguards. Separate policies have been established by BESTrustees for IT and Cyber security and hardcopy information.
Data Accuracy and Rectification
BESTrustees will take reasonable steps to ensure data for its own management purposes is kept accurate. It is however the responsibility of directors and employees to advise the relevant member of head office staff of any changes in their own personal details.
When advised of any legitimate inaccurate or incomplete personal data, BESTrustees will correct that data and, if applicable, advise relevant third parties of that correction.
Individuals have a number of rights under the Data Protection Laws in relation to the way BESTrustees processes their personal data, namely:
- to access their data;
- to have their data rectified if it is inaccurate or incomplete;
- in certain circumstances, to have their data deleted or removed;
- in certain circumstances, to restrict the processing of their data; and
- to claim compensation for damages caused by a breach of the Data Protection Laws.
If an individual wishes to exercise any of these rights, they should use the contact details set out at the end of this notice.
The aim is that a response to any request will be sent within one month from the request being received. Access to data will usually be provided free of charge, although in certain circumstances a small charge may be made where entitled to do so under the Data Protection Laws.
It should be noted that it may not be possible to delete or remove data which is needed to manage BESTrustees’ business.
Subject Access Requests and Complaints
Individuals may request to see the information that is held about them to check its accuracy.
Any complaints about how an individual’s personal data has been handled may be made by contacting the Director of Operations at the address below. Individuals also have the right to complain about data protection matters to the Information Commissioner's Office (ICO). The ICO is the UK's independent body set up to uphold information rights. More details about the ICO can be found on its website (https://ico.org.uk/). The ICO can be contacted by calling 0303 123 1113.
For any personal data held by BESTrustees for the purposes of the management of its business, the principle of portability is supported when applicable.
Changes to this privacy notice
This privacy notice is current as at 25 May 2018. This privacy notice is kept under regular review, and it may change at any time.
In respect of former clients, as well as recognising the need to retain information for pension schemes which have been wound up, the legitimate interests of BESTrustees includes the ability to refer to data in the event of litigation, claims or complaints.
In this context, in the absence of acceptable access to information, data will be held by BESTrustees for a period of at least 12 years following the end of the financial year in which the client ceased to be a client.
BESTrustees can be contacted at:
Five Kings House
1 Queen Street Place