Privacy Policy

Privacy Notice

1. Introduction

Brightwell¹ are registered at One America Square, 17 Crosswall, London, England, EC3N 2LB (we, us, our) and are the data controllers for any relevant Data Protection Regulations, including EU GDPR, UK GDPR and DPA 2018.  

This Privacy Notice (Notice) sets out the basis on which we will process any personal data we collect from you, or that you or third parties provide to us.   

Please read this Notice carefully so that you understand your rights in relation to your personal data, and how we will collect, use, and process your personal data.  

In a situation where you provide us with your personal data to share with a third party who will provide a service to you directly, they are the data controller of that personal data and you are strongly advised to review their own privacy notice for details as to how they handle your personal data.  

We are committed to protecting and respecting your privacy and this Notice explains our policy in relation to:  

• what information we collect about you, 
• how we use your information, 
• who we share your information with, 
• where and how long we will keep your data, 
• how we keep your information safe, 
• your rights regarding the personal information you provide to us, 
• technical information that we collect about you (including via the use of cookies on our website), and 
• who you can contact if you have questions or complaints about how we process your personal data. 

2. What types of information do we collect about you? 

We hold the following information about you: 

• personal details such as your name, gender, age, date of birth, email address, postal address, telephone or mobile number and identifiers such as national insurance number, 
• marriage, partnerships and marital history, details of family and dependants, 
• employment details such as pensionable pay, length of service, employment and career history, recruitment and termination details, attendance record, health and safety records, security records, job title and job responsibilities, financial details such as income, salary, assets and investments, bank account details to process pension payments, voluntary deduction choices, benefits, grants and insurance details, 
• information on your trade union membership, (if relevant),  
• details in relation to your physical and mental health, (if relevant) and 
• technical information and other information about your visits to our website and the Pensions Portal. When using the online pensions portal, we may also obtain certain information which enables members to manage their membership by contacting us online, by phone, email, post or any other engagement or correspondence that you or your employer may have with us. 

If you provide us with information about someone else, for example your family members and dependants, we will assume that you have their permission to do so. We will process their personal data in accordance with this Notice. Please let them know you have provided their information to us and encourage them to read this Notice. 

3. How do we use your information 

We will use your personal information for the purposes of administering and managing your pension. We may receive information from third parties who collect your personal data and pass it on to us. For example, a claim organisation contacts us on your behalf. Where this is the case, the third party is responsible for obtaining the relevant consents from you to ensure you are happy with the ways in which your personal data will be used.  

More information on the purposes for which we process your data and the legal bases for this processing can be found in section 14 of this Notice – ‘Additional Information’. 

4. Who we share your personal data with 

We do not sell, rent, or lease your personal information. We share your information with selected recipients as set out in this Notice. This includes sharing information with those who may have a legal or regulatory right to request such information. Please see section 14.2 for more information about who your personal data is shared with. 

5. Where do we store your personal data 

The information that we collect from you will be transferred to and stored at/processed in the UK/EEA. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Notice. 

We will only transfer your information outside of the UK/EEA where we have your consent and there are adequate measures in place to provide appropriate safeguards such as Model Clauses (Standard Contractual Clauses (SCCs) produced by the EU Commission) and other appropriate safeguards such as (Code of Conduct and Certification). Please see section 14.5 for more information about Transfer Mechanisms. 

6. Keeping your information safe 

The transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted through this website or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organisational measures to safeguard your personal data against loss, theft and unauthorised use, access, or modification.  

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping such password confidential. Please do not share your password with anyone. 

7. How long will we keep your personal data 

Pension benefits are paid over a long period and your right to benefits payable is based on information that may date back many years. We will decide to delete some of the data held in relation to you after 6 years.  

However, your personal information may be held for longer where:  

1. it is required by law or a court order, 
2. it is needed to establish, exercise, defend or pursue legal claims, 
3. we consider it is necessary to ensure benefits are paid correctly,  
4. to deal with any queries relating to your benefits as they may arise after that time, and 
5. to protect the rights of another natural or legal person. 

After the retention periods have elapsed, we will store your information in an aggregated and anonymised format. 

8. Your rights regarding the personal information you provide to us 

You have certain rights in relation to the personal information we hold about you, which we detail below. Some of these only apply in certain circumstances as set out below. We also set out how to exercise those rights. Please note that we will require you to verify your identity before we respond to any of your requests. We must respond to a request by you to exercise those rights without undue delay and at least within one calendar month (although this may be extended by a further two months in certain circumstances). To exercise any of your rights, please complete the Data Subject Rights Request Form.  

Name of Rights	Right Description
Right of information	You have the right to know the personal information we hold about you, how we use it, who we share it with and how long we keep your personal data.
Right of access	You have the right to know whether we process your personal information, and if we do, to access information we hold about you, how we use it and who we share it with.  If you require more than one copy of information, we hold about you, it is free of charge, unless we deem it necessary to charge you an administration fee. We may not provide you with certain personal information if providing it would interfere with a person’s rights and freedom (e.g., where providing the personal information would reveal information about another person) or where another exemption applies. Please See “how long will we keep your personal data”.
Right to rectification	The accuracy of the information we hold about you is important to us. Under the DPA 2018 and EU GDPR, you have the right to access the information we hold about you and have any inaccuracies corrected. Where you request correction, please explain in detail why you believe the personal data we hold about you to be inaccurate or incomplete so that we can assess whether a correction is required. Please note that whilst we assess whether the personal data, we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data.
Right to erasure	This is also known as the “right to be forgotten”. Please see section 15.3 for more information about the circumstances in which you may request that we erase the personal data we hold about you.
Right to data portability	You have the right to receive a subset of the personal data we collect from you in a structured, commonly used, and machine-readable format and a right to request that we transfer such personal data to another third party. Please section 15.1 for more information on the data we hold.  If you wish for us to transfer the personal data to another third party, please ensure you detail that third party and note that we can only do so where it is technically feasible. We are not responsible for the security of the personal data or it’s processing once received by the third party. We also may not provide you with certain data if providing it would interfere with right and freedom of another person (e.g. where providing the personal data we hold about you would reveal information about another person or our trade secrets or intellectual property).
Restriction of processing to storage only	You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the personal data, we may use it again if there are valid grounds under data protection laws for us to do so (e.g. for the defence of legal claims or to protect to right and freedom of another person. Please See “how long will we keep your personal data”.   Please see section 15.4 for more information on the circumstances in which you may request that we stop processing and just store the personal data we hold about you.
Make a complaint	You have a right to lodge a complaint with relevant data protection supervisory authorities. In the UK, it is the Information Commissioner’s Office (ICO).

9. Third Parties 

We may share your personal data with a third party where it is necessary  

1. for the performance of the services, you have requested  
2. for us to comply with our legal obligations or  
3. for our legitimate business interest. 

10. Technical information (including cookies) that we collect about you 

When you visit our website, we collect technical information about your computer, such as your internet protocol address (which is a number that can uniquely identify a specific computer on the internet), time zone setting, your login information, browser type and version, browser plug-in types and versions, operating systems and platforms. 

We use cookies to collect information about your browsing activities over time following your use of our services. This allows us to recognise and count the number of users and to see how users navigate on our website when they are using it. This helps us to improve the services we provide to you and the way our website works.  

11. Complaints 

If you wish to make a complaint about how we process your personal data, please contact us using the contact details below and we will endeavour to deal with your request as soon as possible. This does not interfere with your right to raise a complaint with a relevant data protection supervisory authority. 

12. Changes to our Privacy Notice 

We keep this notice under regular review and may change it from time to time. When we make changes, the date at the bottom of this notice will be updated accordingly. Any amendment to this notice will be applied as of that date. We encourage you to check this from time to time for any updates or changes. 

13. Contact 

If you have any questions, comments, or requests regarding any aspect of this Notice, please do not hesitate to contact us as soon as possible at: 

• By email: dpqueries@brightwellpensions.com 
• By post: The Data Governance Officer,  

                One America Square,  
                17 Crosswall,  
                 London  
                 EC3N 2LB 

14. Additional Information 

14.1 Legal Bases of Processing 

Category of Personal Data	Purpose for Processing	Legal Basis of Processing
Personal details such as your name, gender, age, date of birth, email address, postal address, telephone or mobile number and identifiers such as national insurance number	In relation to any correspondence for the purpose of administration of the Scheme  To notify you about our services and changes to our services  To conduct member satisfaction surveys For internal record keeping  To verify your identity, to prevent and detect fraud and to comply with our legal and regulatory obligations	Performance of a contract as required.   Legitimate interest to run an effective business
Personal details and family, lifestyle and social circumstances such as details about current marriage and partnerships and marital history, details of family and dependents	To carry out our obligations arising from any agreement that we have with, or concerning you and to provide you with the information, benefits and services that you request from us  Risk management including credit risk analysis and the insurance of longevity risks and related demographic risks	Performance of a contract as required.   Legitimate interests to run an effective business
Personal details and employment details such as pensionable pay, length of service, employment and career history, recruitment and termination details, attendance record, health and safety records, security records, job title and job responsibilities, financial details such as income, salary, assets and investments, bank account details to process pension payments, benefits, grants and insurance details	Processing of data to calculate and pay benefits.  To comply with any present or future law, rule, regulation, guidance, or directive, and complying with any industry or professional rules and regulations or any applicable voluntary codes  To comply with requests made by local and foreign regulators, governments, and law enforcement authorities, and complying with any subpoena or court process, or in connection with any litigation	Performance of a contract as required.   Legitimate interests to run an effective business
Personal details and pension entitlement	To comply with and carry out your instructions in relation to your benefits and investment choices including in relation to additional voluntary contributions and voluntary deductions, (e.g. charities and trade unions) where applicable	Performance of a contract  Legitimate interests to run an effective business
Personal details and details in relation to your physical and mental health	Compliance with our legal obligations  Necessary for carrying out our legal obligations in the field of social security law	Legitimate interests to run an effective business Explicit consent
Technical information and other information about your visits to our website/Pensions Portal	To improve the services, we provide to you and the way our website and Pensions Portal works	Legitimate interest to ensure our website and Pensions Portal is operating effectively
Voice recordings of calls made to or from Brightwell	For training and quality purposes to improve the services we provide to you.	Performance of a contract   Legitimate interests to run an effective business

14.2 Who Do We Share Your Personal Data With 

Who do we share your personal data with

Our affiliate companies to manage and administer the Scheme and your pension.  IT Services providers, including but not limited to identification & verification services, cloud-based voice, contact centre, risk software, member communications, satisfaction surveys, member feedback and google analytics  Cloud and other data storage providers, to store the personal data you provide and for disaster recovery services, as well as for the performance of any contract we enter into with you.  External printing and office support providers, such as postal and scanning services.   Payment providers including banks, located in the UK and, if you are not resident in the UK and are in receipt of a pension, the country of your residence.  Insurance companies and their affiliates with member data being retained within EEA.  External providers of additional voluntary contribution funds only if you have chosen to make such contributions.  Annuity provider, to provide annuity quotes for members who hold residual additional voluntary contributions.  UK trade unions you are a member of, if you have chosen to make contributions to a trade union from your pension receipts. Other voluntary deduction societies, only if you have chosen to make such deductions directly from your pension receipts.  Legal and other professional advisers located in UK / EEA, to provide us with legal and other professional services (who in certain circumstances will also be ‘data controllers’).  Actuarial administration and consultancy services providers located in UK / EEA (who in certain circumstances will also be ‘data controllers’)   The Pensions Advisory Service and the Pensions Ombudsman, to deal with complaints and resolve disputes.   HMRC to account for payments made to you and other government agencies when requested for example but not limited to court production orders, fraud investigations.  Financial Advisers if you have given us authority to share data to enable them to provide you with financial advice.  Independent audit bodies for the purpose of financial and organisational reporting, and maintenance of certifications and standards.  Member or beneficiary tracing services

We will share your information with law enforcement agencies, public authorities or other organisations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to

Comply with a legal obligation, process, or request.  Enforce our terms and conditions and other agreements, including investigation of any potential violation thereof.  Detect, prevent, investigate, or otherwise address security, fraud or technical issues; or  Protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law (exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).

We will also disclose your information to third parties

If we sell any business or assets, in which case we will disclose your data to the prospective buyer of such business or assets; or If we or a significant number of our assets are acquired by a third party, in which case information held by us about our users will be one of the transferred assets.

14.3 Your Right to Erasure 

You may request that we erase the personal data we hold about you in the following circumstances

You believe that it is no longer necessary for us to hold the personal data we hold about you.  We are processing the personal data we hold about you based on your consent (please contact us via our contact details above, and you wish to withdraw your consent and there is no other ground under which we can process the personal data.  We are processing the personal data we hold about you based on our legitimate interest (please contact us via our contact details above), and you object to such processing. Please provide us with details as to your reasoning via our contact details above so that we can assess whether there is an overriding interest for us to retain such personal data; or  You believe the personal data we hold about you is being unlawfully processed by us.   Also note that you may exercise your right to restrict our processing the data whilst we consider your request as described below.    Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for us to erase your personal data. Please note, however, that we may retain the personal data if there are valid grounds under law for us to do so (e.g., for the defence of legal claims or freedom of expression) but we will let you know if that is the case. Where you have requested that we erase your personal data that we have made public and there are grounds for erasure, we will use reasonable steps try to tell others that are displaying the data or providing links to the data to erase the personal data too.

14.4 Restriction of Processing to Storage Only

You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the personal data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. for the defence of legal claims or to protect the rights and freedom of another person).

You may request we stop processing and just store the personal data we hold if  You believe the personal data is not accurate for the period it takes for us to verify your claim.  We wish to erase the personal data as the processing we are doing is unlawful, but you want us to retain the personal data for storage but not further process it.  We wish to erase the personal data as it is no longer necessary for our purposes, but you require it to be stored for the establishment, exercise, or defence of legal claims; or  You have objected to us processing personal data we hold about you based on our legitimate interest (please contact us via our contact details above), and you wish us to stop processing the personal data whilst we determine whether there is an overriding interest in us retaining such personal data.   You may object where:  We are processing the data we hold about you based on our legitimate interest or public interest (please contact us via our contact details above and you object to such processing. Please provide us with detail as to your reasoning so that we can assess whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims. Also note that you may exercise your right to request that we stop processing the data whilst we make the assessment on an overriding interest by ticking the box for that purpose on the Data Subject Rights Form.  We are processing the data based on historical/scientific research or statistics and you have a particular reason to object. Your right would not apply where we have been tasked with and it is necessary for us to undertake such processing in the public interest.

14.5 Transfer Mechanism  

• Model Clauses: The personal data that we collect from you will be transferred to, stored at and/or processed by the relevant recipient under a written agreement incorporating the EU Commission’s model clauses for the transfer of personal data to third countries (the “Model Clauses”), pursuant to Decision 2010/87/EU. A copy of these Model Clauses is available upon request.  

• Please see section “Contact” of this Privacy Notice on how to request a copy. 

---

Cookies

1. Type of Cookies

1. The site brightwellpensions.com uses cookies to make the user’s browsing experience easier and more intuitive: cookies are small strings of text used to store some information that may concern the user, his preferences or the Internet access device (computer, tablet or mobile phone) and are mainly used to adapt the operation of the site to the user’s expectations, offering a more personalised browsing experience and remembering choices made previously.
2. A cookie consists of a small set of data transferred to the user’s browser from a web server and can only be read by the server that made the transfer. It is not executable code and does not transmit viruses.
3. Cookies do not record any personal information and any identifiable data will not be stored. If you wish, you can prevent the saving of some or all cookies. However, in this case the use of the site and the services offered may be compromised. To proceed without changing the options relating to cookies, simply continue browsing.

Below are the types of cookies that the site uses:

2. Technical cookies

1. This website uses small text files called ‘cookies’ which are placed on your computer or device whenever you visit our website. This allows the site to remember who you are and serves several purposes. Below is a list of the cookies used on this website:

Purpose	Name	Description
Strictly Necessary	ASP.NET_SessionId	Our cookie ensures that you are logged in securely and only you see your information for the duration of your visit.
Security	__AntiXsrfToken	Used as a security measure against hackers to stop cross site scripting.
Security	AuthCode	Used as a security token during login and registration.
Site Appearance	ComplianceCookie	Used to indicate that you have read this notice.
Analytical	_ga; _gat (Google Analytics)	We use Google Analytics to help us understand how users use our web site. This allows us to improve the quality and content on our site for our visitors. The aggregated statistical data cover items such as total visits or page views, and referrers to our web site. Click here to learn more about Google Analytics and deleting or rejecting the Google cookies.

2. The settings to manage or disable cookies may vary depending on the internet browser used. In any case, the user can manage or request the general deactivation or deletion of cookies by changing the settings of his Internet browser. This deactivation may slow down or prevent access to some parts of the site.
3. The use of technical cookies allows the safe and efficient use of the site.
4. The cookies that are inserted in the browser and retransmitted through Google Analytics or through the statistics service of bloggers or similar are technical only if used for site optimisation purposes directly by the owner of the site, which can collect information in aggregate form on the number of users and how they visit the site. Under these conditions, the same rules apply to analytics cookies, in terms of information and consent, provided for technical cookies.
5. From the point of view of duration, temporary session cookies can be distinguished that are deleted

---