Equiniti Paymaster (1836) Limited portals – Privacy Notice
Last updated: June 2018
We understand how important your personal data is and are committed to protecting and respecting your privacy.
‘Personal Data’ means any information relating to or which identifies you. This can include items such as your name, address, phone number, identification numbers (such as an account number or your national insurance number), location data or online identifiers. Personal data can be held electronically or in certain paper records.
The General Data Protection Regulation (GDPR) and the 2018 Data Protection Act regulate the processing of personal data. The GDPR seeks to protect your rights to your personal data by setting out, amongst other things, the conditions under which the processing of personal data is lawful, the rights of data subjects and the standards that organisations that handle personal data must adopt. This Privacy Notice is issued in compliance with these regulations and seeks to explain:
- Who we are;
- All website addresses covered by this Privacy Notice;
- How we collect your personal data;
- Why we collect your personal data;
- How long we hold the personal data;
- The conditions under which we may share it with others;
- Overseas processing;
- How we keep your personal data secure;
- Your personal data rights and how to exercise them;
- Useful information; and
- Any further questions.
- 1. Who we are
Equiniti Paymaster(1836) Limited (EQP) is one company within the Equiniti Group. Our main business is pension administration services and HR administration services. Our registered address is Sutherland House, Russell Way, Crawley, West Sussex, RH10 1UH and our ICO registration number is: Z4790890.
EQP is a ‘Data Controller’ for the website portal services described in section two. This means that we are responsible for deciding how and why we hold and use personal data about you.
In this Privacy Notice, ‘we’, ‘us’ and ‘our’ will always mean EQP, as Data Controller.
- 2. All website addresses covered by this Privacy Notice
This Privacy Notice relates only to the webpages that you log into as part of our portal services listed below to enable you to access a range of products and services.
- Pension portals
- HR Solutions including the Payroll and Flexible Benefit suite of portals – HR portal services
The products and services you access each have their own privacy notices issued by the offering company. For example:
- Pension schemes are offered by Trustees’ and you will need to see the Privacy Notices of the Trustee or Corporate for details on how your personal data is managed as part of your pension administration.
- HR Services are offered by your employer and third parties who they have selected to work in partnership with. You will need to see the Privacy Notice of your employer and / or of any benefits that you select to participate in.
- 3. How we collect your personal data
We using our portal services we may collect and process the following personal data about you:
Information you provide to us
- By filling in forms on our website(s) so that we may contact you;
- By corresponding with us by phone, e-mail, live-chat, social media channels or otherwise;
- Application/registration forms/identification documentation;
- Entering competitions, promotions or surveys; and
- When you report any problem or complaints with our website, products and services.
Information we collect about you
- If you contact us via social media, we may collect details from your social media account.
Information we receive from third parties
- As part of our identity and financial crime checking procedures with credit reference agencies, fraud detection agencies and registration or stockbroking industry exchanges;
- From third parties when you have instructed or agreed for them to pass information to us or as part of their offering services to you.
Special types of data
The law and other regulations treat some types of personal information as special. We will only collect and use this information if the law allows us to do so. Special types of data are:
- Criminal convictions and offences;
- Genetic and bio-metric data;
- Health data including gender;
- Racial or ethnic origin;
- Religious or philosophical beliefs; and
- Trade union membership.
Keeping your personal data up to date
The personal data we hold may include your name, postal address, email address and phone number, date of birth, and for our HR Services your employment details, to enable us to contact you and respond to your enquiries as well as provide you with access to your chosen products and services.
It is important to us that the personal data we hold about you remains accurate and up to date at all times, but we need your help in doing this. Please let us know as soon as anything needs updating or correcting.
Other people’s personal data
The information you give us, or that we collect through your use of our services, may contain your or another person’s personal data. If you provide us with information about another person, you confirm that they have appointed you to act for them, they consent to you providing their personal data to us and any processing of their personal data and that you have informed them of our identity and the purpose for which their personal data will be processed – as set out in this Privacy Notice.
- 4. Why we collect your personal data
In the table below we demonstrate why and how we use your personal data as well as providing the legal reasons which we rely upon.
Under Data Protection legislation we must always have a legal reason for processing your personal data. One of the legal reasons is when we use your personal data for our legitimate interests, this is usually when we have a business reason. However, we must always ensure that we take your interests into consideration too, and ensure that the use is fairly balanced. We tell you below when we rely on legitimate interests and what our legitimate interests are.
Type of processing
Purpose of the processing
Lawful basis for the processing of personal data
Provision of services, including the administration and management of customer records
To manage and operate your online account with us to facilitate the provision of services, this includes retaining records of your instructions and telephone calls and keeping your online account records up to date.
To respond to any data rights that you invoke.
To complete any transaction or instructions that you provide us, and any legal obligations we have in relation to the transactions / instructions.
To keep our websites and portals secure and permit you safe access to our services.
Enforcing or obtaining a settlement of debts owed to us or in relation to investments made on your behalf.
The performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
To comply with legal requirement placed upon us, such as Data Protection legislation
Our legitimate interests, such as the proper administration of our service and business, for example:
With your consent.
Marketing our products and services - some HR Portal Services only
To allow you to participate in interactive features of our website, when you choose to do so.
You can withdraw from marketing at any time, please use the unsubscribe button in our emails or via the ‘your details’ section in the Flexible Benefits portal.
With your consent.
When we have collected your personal data as part of a transaction with us
To meet our regulatory requirements.
Improving our products and services
To identify service improvements such as when troubleshooting, undertaking data analysis, testing new products, using your personal data for research, statistical and survey purposes.
With your consent.
To comply with legal requirements placed upon us, such as the Data Protection legislation.
Our legitimate interests, such as the proper administration of our service and business, for example:
If you choose not to give personal information
We need to collect personal information required by law or under the terms of service you have elected to use. If you choose not to give us the personal data we need, it can mean that we have to cancel or decline a service that you request or have with us. So that you know what information is optional, we make it clear at the time we collect your personal data.
- 5. How long we hold your personal data for
Personal data will not be retained for longer than necessary for us to achieve the purpose for which we obtained your personal data. We will then either securely delete it or anonymise it so that it cannot be linked back to you. We review our retention periods for personal data on a regular basis.
We will retain personal data for:
- Pension portals –as long as is necessary for you to access your pension records.
- HR portals services - Access controls to our services – 3 months after the point you are no longer eligible for benefits
for the reasons noted below:
- To respond to enquiries and complaints;
- To demonstrate that your instructions were carried out properly; and
- To maintain records to meet rules and regulatory requirements that are applicable to the request you made or the service you were using.
We can keep your data for longer than stated above if we cannot delete it for legal, regulatory or technical reasons. We can also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes
For full details of our retention policies, please contact us using the contact details noted above.
- 6. The conditions under which we may share your personal data with others
The personal data we hold about you is confidential, and we will only share your personal data to enable us to deliver our product(s) or service(s), examples are as follows:
- At your request, or with your consent;
- Other Equiniti Group companies who help us deliver our products and services; for some of our HR portal services this will include Equiniti India Private Limited.
- Non-Equiniti entities, in connection with running accounts and services for you, including:
- Service suppliers to facilitate website, email, IT and administration services;
- Our professional advisors, for example, our lawyers and technology consultants, when they need it to provide advice to us;
- For Pension portals - Your Pension Trustee in accordance with any specific instruction you provide to us.
- For HR portal services - Your employer and / or their appointed providers, in accordance with any specific instructions you provide to us;
- For some HR portal services - Market Research Agencies to measure or understand the effectiveness of advertising we serve to you and others. We may do this ourselves or appoint an agency to do this on our behalf. This will include your use of social media sites;
- Credit reference agencies and fraud detection agencies as part of our identification procedures;
- Fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, can be obtain by contacting the Equiniti Data Protection Officer using the details noted below; and
- Your Official Receiver or appointed insolvency practitioner if we receive notice of your insolvency, bankruptcy or insolvency proceedings / arrangement
We will only transfer your personal information to trusted third parties who provide sufficient security guarantees and who demonstrate a commitment to compliance with applicable law and this policy. Where third parties are processing personal information on our behalf, they will be required to agree, by contractual means, to process the personal information in accordance with the applicable law. This contract will stipulate, amongst other things, that the third party and its representatives shall act only on our instructions, or as permitted by law.
We are also required to share your personal data with external third parties as follows (but not limited to):
- Regulators and supervisory authorities e.g. Information Commissioner’s Office (ICO), Credit Industry Fraud Avoidance System (Cifas) - as part of our legal obligations;
- Where the law requires or permits disclosure, or there is a duty to the public to reveal it;
- When we need to defend or exercise our legal rights or those of a third party;
- Debt collecting, debt chasing or another agent for enforcing payment of monies owed to us;
- Efforts to trace you if we lose contact with you;
- Police and other law enforcement agencies for the prevention and detection of crime and where a valid permission is applicable;
- As a result of a court order or other regulatory instruction; and
- Our insurers and insurance brokers where required for underwriting our risks and as part of ongoing risk assessments
We may transfer your personal data to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation. At all times, we take steps to ensure your privacy rights continue to be protected as per this Privacy Notice.
- Overseas Processing (applicable to some of HR Portal Services only)
Personal data will be shared with members of the Equiniti Group outside of the European Economic Area and the European Union (EU), including Equiniti India Private Limited which is based in India. For transfers to Equiniti India, we utilise Model Clauses recognised by the European Commission.
When we contact you via email, one of our service providers uses services outside of the EEA and EU. For these transfers, we utilise Model Clauses recognised by the European Commission.
If you would like to obtain a copy of the Model Clauses we use to share personal information within the Equiniti Group or our email service provider, please contact our Data Protection Officer using the details provided in this Privacy Notice.
Please note that information protection laws do vary from country to country. In particular, the law of the country in which you are resident or domiciled may offer a higher standard of protection than the laws in the United Kingdom and / or those other countries in which we store and use the personal data we collect. Our transfer of personal data to other countries could result in that personal data being available to governments and other authorities in those countries under their laws.
By using our Service, you agree to this international transfer, storing and processing.
- 8. How we keep your personal data secure
We understand how important your personal data is to you and we take its security very seriously. We safeguard your personal data across all our computer systems, networks, websites and offices as much as possible through appropriate procedures and technical security measures (including strict encryption, anonymisation and archiving techniques).
We also use secure ways of communicating with you such as when collecting your personal data or providing your account information:
- online through the use of ‘‘https’’ and other security and encryption protocols. This is indicated by a lock icon on the bottom of the web browser, or the address will include the letters https in the top left-hand corner; and
- before we discuss matters relating to your account(s) by telephone we will always ask you security questions to confirm your identity
Where we have given you (or where you have chosen) a password or unique identifier (PIN) which enables you to access certain parts of online services, you are responsible for keeping this password / PIN confidential, along with any username. We will never ask for your full password or PIN, and you must not divulge your full password to us or anyone else. We recommend that any password or PIN you set is not easily guessable, and changed frequently.
Because we cannot guarantee the confidentiality of personal data sent on the internet you should never send your login details via email.
If you ever receive a communication from us by post, email or by phone that you are concerned it is not genuine, please contact us using the contact details in Section 11.
You must immediately inform us if you become aware, or suspect, that someone else has knowledge of your account details.
If you have any concerns about the security of your own personal computers and mobile devices, we suggest you read the advice of Get Safe Online, which can be accessed at www.getsafeonline.org.
- 9. Your personal data rights and how to exercise them
You have rights in respect of the personal data that we hold about you. They include the right to request a copy of the information that we hold about you, to know about any automated decisions that are made about you and to change your marketing preferences at any time. Details about all of your rights are provided below.
Some of these rights are conditional and depend upon why we are processing your personal data. This means that we cannot always be able to respond to your request in the way that you want. For example:
- If you ask us to erase your personal data and we are processing the information because we are required to do so because of a legal requirement, we will not be able to delete your personal data; however,
- If you ask us to erase your personal data and we are processing the information because you provided us with consent (for example as part of a survey response), we will be able to consider and respond to your request.
The right to be informed about how we use your personal data.
This Privacy Notice provides you with the details on how we use and process your data.
The right of access to a copy of any personal data processed about you, together with certain additional information.
If you request to see your personal data, your initial request will be free of charge; subsequent requests may attract an administration fee. The additional information includes details of the categories and recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data.
The right to request us to rectify or update it.
This will be relevant where the personal data we hold is or has become inaccurate or incomplete, taking into account the purposes of the processing. Please explain why you consider the data inaccurate or incomplete.
The right to request us to erase your personal data in certain circumstances.
The circumstances when erasure can apply include when we no longer need it to meet a lawful basis for processing unless that basis is consent and you withdraw your consent or you object to the processing or the processing is unlawful.
However, certain exclusions apply - where the processing is necessary for compliance with a legal obligation or to establish, exercise or defend legal claims.
The right to request us to restrict processing it.
This request can be used to stop us processing your personal data: if you disagree over the accuracy of the personal data until we have verified the data; the reason for processing; or if you wish us to retain your personal data for longer than our retention period, e.g. to establish, exercise or defend a legal claim.
The right to request a copy of your information for data portability purposes.
If you have provided personal data to us under contract or because you consented to the processing and if we use the data by automated means, then you have the right to instruct us to transmit that personal data to you or another data controller in a machine-readable format.
The right to object to us processing your personal data.
You have a right to object to us processing your data where we are processing it for the purpose of legitimate interests.
You can also object to direct marketing communications from us about products, offers, competitions, or services and any profiling that we can perform in relation to direct marketing (this applies to some of our HR portal services only). You can do this at the point of data collection, through the use of any opt-out functionality on text and emails, via your preference centre or by contacting the helpline service.
You can update your marketing preferences at any time through the use of the opt-out functionality.
You have the right to withdraw your consent at any time. However, this will not affect the lawfulness of processing before the withdrawal.
If you would like to receive the marketing described above, please ensure you have indicated your preferences accordingly.
Rights related to decisions based solely on automated processing.
Where this processing produces legal effects or significantly affects you, you can object to this processing unless the processing is necessary as part of our contract, or is required by legislation.
Right to lodge a complaint with a supervisory authority.
If you wish to raise a complaint on how we have handled your personal data, please contact our Data Protection team who will investigate the matter and report back to you.
If you remain unsatisfied with our response or believe we are not processing your personal data in accordance with the law, you are able to contact the data protection authority in your country. In the UK, it is the Information Commissioner’s Office (ICO) who regulates Data Controllers compliance with data protection legislation. They can be contacted by email: firstname.lastname@example.org, post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or by telephone: 0303 123 1113.
- 10. Useful information
10.1 - Children (16 years and under) and Vulnerable Adults
We are committed to the privacy protection of children and vulnerable adults. If you are aged 16 or under‚ and we need to process your personal data you must obtain the permission of your parent/guardian before you share your personal data with us. If we are notified that you are a vulnerable adult we will liaise with your authorised representative, once we are in receipt of the appropriate permissions.
10.2 - Use of ‘cookies’
10.3 - Links to other websites
Our websites can contain links to other websites run by other organisations, or other Equiniti Group companies. When you are on another website, we encourage you to read their privacy policies as they will take precedence over this Privacy Notice.
10.4 – Social media, blogs, reviews, and similar services
Any social media posts or comments you make to us (e.g. on our own Facebook page) will be shared under the terms of the relevant social media platform (e.g. Facebook or Twitter) on which they are made and could be made public by that platform. These platforms are controlled by other organisations, and so we are not responsible for this sharing. You should review the terms and conditions and privacy policies of the social media platforms you use to ensure you understand how they will use your information, what information relating to you they will place in the public domain and how you can stop them from doing so if you are unhappy about it.
Any blog, review or other posts or comments you make about us, our products and Services on any of our blog, review or user community services will be shared with all other members of that service and the public at large.
You are responsible for ensuring that any comments you make comply with any relevant policy on acceptable use of those services
10.5 Changes to this Privacy Notice
We review our use of your personal data regularly. In doing so, we can change what personal data we collect, how we keep it and what we do with it. As a result, we can change this Privacy Notice from time to time to keep it relevant and up to date.
We will endeavour to alert you to these changes so that you can check you are happy with it before proceeding any further. Please look out for notices from us alerting you to these changes, via our websites or other timely communications. If you use our websites and see such an alert, please take a moment to ensure that you’re happy with any changes.
By continuing to use our products and services, you will be bound by this Privacy Notice.
However, we will also tell you of the changes where required by law to do so.
This policy was issued on 15.06.18. If you require copies of previous versions of the Equiniti Paymaster (1836) Limited Privacy Notices, please contact the Data Protection Officer using the contact details noted below.
- 11. Any further questions about this Privacy Notice
We hope that this Privacy Notice has been helpful in setting out how we handle your personal data and your rights to control it. If you have any questions that remain unanswered, please visit our Customer Privacy Centre or contact our Data Protection Officer:
- Online at https:\\privacy.equiniti.com where you will find general information about your rights and how Equiniti safeguards your data;
- By email at DPO@equiniti.com;
- By post at Data Protection Officer, Equiniti, Highdown House, Yeoman Way, Worthing, BN99 3HH; or
- By telephone UK: 0333 207 5962 International: +44 121 415 0196
Lines are open 8.30am to 5.30pm (UK time), Monday to Friday (excluding public holidays in England and Wales).