BAC UK Privacy Notice
Who is this Privacy Notice Provided For?
- What personal data do we process
- Where the personal data has been obtained
- The reasons why and lawful basis to process your personal data
- How long do we store your personal data?
- Who has access to your personal data?
- International transfers
- Your rights
- Contact details
Who is this Privacy Notice Provided For?
You should read this privacy notice if you are a member of a pension scheme and the trustees of your scheme have purchased an insurance policy from Blumont Annuity Company UK Ltd (“BAC UK”) under which we have an obligation to pay specified benefits to the trustees in respect of you.
About BAC UK
BAC UK is an insurance company established in the UK under company registration number 14130490.
Address: Blumont Annuity Company UK Ltd, Level 26, One Canada Square, Canary Wharf, London, E14 5AB.
Email address: DPO@blumontannuity.co.uk
We are a controller of personal data under UK data protection law. This privacy notice explains how we collect, use and look after your personal data. This privacy notice also tells you about your rights as a data subject.
If we are provided with the personal data of any individuals connected to you for any reason relating to your membership of a pension scheme insured by BAC UK (such as dependants and next of kin), this privacy notice will be relevant for those individuals and you should provide it to them or otherwise advise them of its content.
About this Privacy Notice
This privacy notice contains information about:
- The personal data that we process as a controller;
- Where the personal data has been obtained;
- The reasons why we process your personal data and the lawful bases we use to do so;
- The security measures that we have in place to keep your personal data secure;
- The length of time we store your personal data for;
- The organisations, or categories of organisation, with whom we might share your personal data;
- Details on international transfers of your personal data; and
- The rights you have under UK data protection law in relation to our processing of your personal data.
1. What personal data do we process
The categories of personal data we process include the following:
Scheme member personal information: Personal data relating to each individual insured under a policy, which may include:
- Name;
- Address (email and postal which may include postcodes);
- Date of birth and age;
- Gender;
- National Insurance Number;
- Policy number and other reference numbers;
- Marital status, dependants and next of kin;
- Retirement age;
- Retirement date; and
- Any further information necessary for our administration of the scheme.
Scheme member financial information: Financial information relating to each individual insured under a policy, which may include:
- Details about payments to and from your accounts;
- Financial position, status and history;
- Bank details;
- National Insurance Number;
- Tax code; and
- Any further information necessary for our administration of the scheme.
Scheme member employment information: Personal data relating to the employment that is relevant to the benefits payable to each individual insured under a policy, which may include:
- Employer (or former employer) name and length of employment;
- Job title, job codes, job location, and length of service; and
- Pension benefits.
Sensitive personal data: This may include, for example, medical information to the extent necessary to determine eligibility for any ill-health benefits.
Additional personal data may be sent to us from the trustees of your scheme which they believe is necessary to enable us to service your needs.
2. Where the personal data has been obtained
Personal data will usually be obtained from the trustees of your scheme.
There will be instances where we collect personal data from other sources. The sources include:
- Tracing agencies and mortality screening companies
We engage tracing agencies to check whether we hold the correct contact information for an individual insured under a policy with us.
We engage mortality screening companies to check whether an individual insured under an insurance policy is alive.
- Financial sanctions screening companies
We engage financial screening companies to ensure that we follow laws and regulations when making payments under a policy to individuals. We will not be able to make payments to an individual who appears on a financial sanctions list and/or is subject to a sanctions programme as determined by a government or law enforcement agency.
- Other sources
In specific cases, we may also receive personal data from other organisations or companies, including employers or former employers, regulatory bodies and statutory bodies (e.g. the Pension Protection Fund).
3. The reasons why and lawful basis to process your personal data
Types of personal data | Why we need it | Lawful basis for processing |
| Administering policies and fulfilling our obligations
We process personal data in order to fulfil our contractual or legal obligations under our policies and ensure that we are paying the right amounts under those policies.
| Legitimate interests pursued by us or by a third party.
It is in our interest to ensure that we fulfil our contractual obligations and ensure that we are paying the right amounts under each of our policies.
We may process sensitive personal data, for example, where we have a substantial public interest to do so such as preventing or detecting unlawful acts or if we have your explicit consent. |
| Managing our risks
We process personal data to manage the risks to our business that are associated with the policies we have issued. | Legitimate interests pursued by us or by a third party
It is in our interest to manage the risks to our business associated with our policies. We need to manage our risks to operate our business. |
| Meeting legal obligations and supporting legal and regulatory compliance
Fulfilling our legal and regulatory obligations and supporting legal and regulatory compliance in relation to administering our policies, managing our customers, and operating our business. This will include a range of activities involving the processing of personal data such as producing and issuing required regulatory documentation, conducting KYC, AML and sanctions checks.
We process personal data to identify and support customers with vulnerable characteristics as required by the FCA to meet our obligations under the FCA’s Consumer Duty. | Compliance with a legal obligation to which we are subject
We need to ensure that we operate in accordance with relevant laws in the UK, including meeting our legal obligations in relation to customers with vulnerable characteristics.
Legitimate interests pursued by us or by a third party
Our processing activities are also undertaken to support wider legal and regulatory compliance, for example, processing to support compliance with the FCA’s Consumer Duty more broadly.
We may process sensitive personal data, for example, where we have a substantial public interest to do so such as preventing or detecting unlawful acts or if we have your explicit consent. |
| Operating our business
We may process personal data by providing it (or, depending on the circumstances, anonymising it to provide) to third parties who collate such data from a wide variety of sources and publish reports on how long people in the UK live and other demographic trends. We use this information in connection with the performance of our business. | Legitimate interests pursued by us or by a third party
It is in our interest to estimate how long people in the UK are likely to live as accurately as possible and to understand other demographic trends. This helps us to understand our liabilities in respect of our current and future obligations under the policies we have issued. |
| Preparing to issue individual policies
In preparation for issuing individual policies the trustees of your scheme will provide us with all of the relevant information that they hold about you, which will include personal data. | Legitimate interests pursued by us or by a third party.
It is in our interest, as well as yours and the trustees of your scheme, to ensure that we can issue you with an individual policy that accurately reflects the benefits purchased by the trustees of your scheme. |
| Establishment, exercise or defence of legal claims
We store personal data in case we need it to exercise our legal rights, and to defend ourselves against potential legal claims that might be brought against us under the terms of any of our policies, and/or laws and regulations. | Legitimate interests pursued by us or by a third party
It is in our interest to ensure that we are able to exercise our legal rights and defend ourselves against potential legal claims. |
4. How long do we store your personal data?
We will only keep your personal data for so long as it is necessary for our purposes of processing and, in any event, only for as long as our internal rules and policies allow; for example, in order for us to fulfil our business purposes of processing or legal and regulatory obligations.
The period for which we store personal data concerning individuals insured under a policy will generally depend upon how that policy terminates. A policy normally terminates as a result of the trustees who purchased it asking us to issue an individual pension annuity policy to each of the individuals insured under the policy. Following termination of a policy in these circumstances, we will keep required personal data relating to individuals insured under the policy for as long as necessary and will process it in accordance with this privacy notice.
There are only limited circumstances in which a policy could terminate other than those set out above. However, if a policy does terminate in other circumstances, we will keep personal data relating to individuals insured under the policy for so long as it is necessary to operate our business, fulfil our legal and regulatory obligations or establish, exercise or defend legal claims.
5. Who has access to your personal data?
We share personal data with a variety of other companies to operate our business. However, we only share the personal data necessary for the relevant companies to provide their services to us. We have detailed the types of companies with whom we currently share personal data below.
The companies fall into two categories: (i) processors with whom we share personal data and (ii) controllers with whom we share personal data.
(i) Processors with whom we share personal data
For these companies, we determine the purposes for which the personal data we pass to them is processed and they may not process that personal data other than in accordance with our written instructions. They include:
A. Third Party Administrators, the Scheme Actuary and actuarial team
We use a specialist third party pension administration company to help us administer the benefits insured under our policies. This enables us to meet our obligations in accordance with the terms of those policies. To enable them to do this, we need to provide them with all personal data that is relevant for this purpose.
The Scheme Actuary (who may also act as a controller) uses your personal data to advise the trustees on the financial management of the scheme. This advice helps to ensure the trustees are able to meet their obligations to pay member’s benefits.
B. Tracing agencies, mortality screening companies and financial sanctions screening companies
We may use third party providers in order to process personal data to determine the following:
- Whether an individual insured under a policy is alive and that the individual’s address remains current; and
- Whether an individual appears on a list of financial sanctions targets or is subject to a sanctions programme.
C. IT service providers
We have an IT infrastructure and core software provider. This means that personal data we process is stored on the provider’s IT systems.
D. Other service providers to our business
Other companies who process personal data on our behalf include those who provide day-to-day operational business services such as emails, archiving, document scanning and copying, document destruction and printing.
(ii) Controllers with whom we share personal data
These companies are separately responsible for their processing activities. To understand how the other controllers process your personal data, you should refer to their privacy notices. Controllers with whom we share personal data include:
A. Reinsurers
We provide information about the liabilities insured under our policies to reinsurers with whom we reinsure some of the risks to which we are exposed under those policies. The main risk is that individuals whose benefits we insure live longer than we anticipated. You can request a list of reinsurers to whom we disclose personal data using the contact details contained in this privacy notice.
B. Professional advisers
We sometimes must share personal data with our professional advisers (including accountants, lawyers and actuaries) where it is necessary for the purposes of their advice.
C. Regulators, law enforcement and auditors
We may also share personal data with other third parties, for example, when we are under a duty to do so to comply with a legal or regulatory obligation. We may share personal data with regulators, law enforcement agencies or other third parties.
Where personal data is transferred to and processed in a country outside of the UK, we take steps to provide appropriate safeguards to protect your personal data, including by entering into approved standard contractual clauses obliging recipients to protect your personal data and only transferring personal data to the extent that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured.
If you want further information on the specific mechanisms used by us when transferring your personal data outside of the UK, please contact us using the contact details contained in this privacy notice.
In certain circumstances, you have the following rights under data protection law:
- The right to access personal data relating to you (known as making a Subject Access Request);
- The right to correct any mistakes in your personal data;
- The right to require us to delete your personal data;
- The right to restrict our processing of your personal data;
- The right to object to us processing your personal data, including for marketing purposes;
- The right to have your personal data provided to another controller; and
- In cases in which consent is relied upon to process your personal data, you have the right to withdraw your consent at any time.
How to exercise your rights
If you wish to exercise any of your rights, please contact us using the contact details in this privacy notice.
You may want to contact us to:
- Ask any questions you have in relation to the information contained in this privacy notice;
- Exercise any of your rights under data protection laws;
- Request a printed copy of this privacy notice;
- Request a version of this privacy notice printed in large print or braille;
- Request an audio version of this privacy notice; or
- Make a complaint (see below).
To contact us, you can:
- Call us on 0207 7076 6802; or
- Email our Data Protection Officer at DPO@blumontannuity.co.uk; or
- Write to us at the following address: BAC UK Data Protection Officer, Level 26, One Canada Square, Canary Wharf, London, E14 5AB.
How to make a complaint
If you believe there is a problem or have a concern relating to how we process your personal data or the contents of this privacy notice, please contact us in the first instance. We hope that we will be able to address any problem or concern to your satisfaction. However, you also have the right to make a complaint to the Information Commissioner’s Office (“ICO”). The process for making a complaint to the Information Commissioner’s Office is set out here: https://ico.org.uk/make-a-complaint
The ICO’s contact details are as follows:
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113
Website: https://ico.org.uk
