WELCOME TO DAIRY CREST PENSION TRUSTEES LIMITED

Report and Accounts 2023 Download

GDPR Full Data Privacy Notice

UK GDPR Full Data Privacy Notice

UK GDPR FULL DATA PRIVACY NOTICE

Issued by Dairy Crest Pension Trustees Limited as Trustee of the Dairy Crest Group Pension Fund (the “Fund”)

Date: May 2024

1. This Policy is designed to address the requirements of the UK General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018, as they apply to the Trustee. It was originally put in place in May 2018, when the predecessor to the GDPR took effect in the UK as an EU regulation, supplemented by the Data Protection Act 2018. This Policy was updated in February 2022 to take account of changes following the UK’s withdrawal from the European Union.

2. The Trustee holds personal data about you as a member of the Fund and may hold some personal data about your potential beneficiaries. This is needed for us to operate the Fund and comply with our legal obligations.

3. This is the Full Privacy Notice. It gives you details of how the Trustee (and anyone acting on our behalf) processes your personal data and the arrangements which are in place to protect it. This notice supplements the shorter notice you will have received. It is for information – you do not need to take any action.

HOW WE COLLECT AND USE YOUR PERSONAL DATA

Collection of personal data

4. We need certain personal data about you as a member of the Fund. This may include, for example:

• your name, address, date of birth, telephone number and email address;

• your National Insurance number;

• your service history while employed by Dairy Crest Limited (or other companies in the Dairy Crest Group or former employers in predecessor schemes and schemes which merged into the Fund), including details of your salary and other benefits, details of salary sacrifice arrangements and details of any period of absence and working hours;

• your marital status and details of any dependants and/or potential beneficiaries;

• your bank details (typically this information is only held where you are in receipt of a pension or your Fund benefits are due to come into payment shortly);

• in certain cases, information relating to your health (considered “sensitive” personal data); and

• any other personal data which may be needed to process Fund benefits in respect of you; for the proper running and administration of the Fund; and/or in connection with a request made by you to transfer your Fund benefits to another pension arrangement.

5. Some of this data is or will have been collected directly from you (for example, when filling in forms about your Fund membership, or when corresponding with us or our representatives by telephone, post, email or otherwise). If you visit the Fund’s website, it will automatically collect some data about you and your visit, including the Internet protocol address used to connect your device to the Internet and some other data such as your browser type and version and the pages on the site that you visit.

6. We may also collect some data from third parties. For example:

• some data is or will have been collected from Dairy Crest Limited, Dairy Crest Group Limited, other companies in the Dairy Crest Group and from employers, trustees and administrators of predecessor schemes and schemes which have merged into the Fund; and

• we may also occasionally obtain or have obtained data about you from other external sources (for example, the Fund administrators, Dairy Crest’s payroll provider, HM Revenue and Customs, and a receiving scheme (or an employer of that scheme) in respect of a request from you to transfer your Fund benefits to that scheme).

7. Except where we indicate that provision of information is voluntary, you are required to provide the personal data we request from time to time so that we can use it for the purposes set out below. Failure to provide it could mean we are unable to process Fund benefits. If you have any questions about our need for your information, please raise your questions with the person making the request – typically Isio Group Limited (Isio) at / , or Legal & General Assurance Society Limited (LGAS) for individuals for whom LGAS pays out pension benefits at 1 / .

Use of personal data

8. We may use your personal data for the following purposes: to fulfil our legal obligations including making sure benefits are paid correctly, to run and administer the Fund properly and efficiently and to administer the benefits provided in respect of you from the Fund.

9. We are legally entitled to process your personal data as described in this notice because we need to do so to operate the Fund. In some circumstances the processing is also justified because it is necessary for us to comply with our regulatory and legal obligations as Trustee of the Fund, or as otherwise required by law.

Keeping your personal data

10. We keep your personal data for as long as reasonably necessary for the proper running and administration of the Fund and the performance of our legal obligations and the pursuit of our legitimate interests. Our current retention policy is to keep personal data about you for so long as you are entitled or may become entitled to benefits under the Fund, and, because trustees of pension schemes can commonly face complaints or questions from members, former members, other individuals or regulatory authorities many years after a member / beneficiary has ceased to be entitled or prospectively entitled to benefits, some personal data may need to be kept indefinitely. However, we will not retain personal data for longer than is necessary having regard to the purpose for which it is held. We will keep this data retention policy subject to review and may update it from time to time to ensure it remains appropriate.

Sharing your personal data

11. It is our policy to protect your right to privacy and we will ensure that adequate technical and security measures, confidentiality obligations and compliance procedures are at all times in place to prevent inappropriate use of personal data.

12. We may share data with the Dairy Crest Group and to third parties for the above purposes, subject to the policies and procedures we have in place to keep your data safe.

13. In particular, data may be disclosed to the following third parties:

• the administrators of the Fund (the current administrators are Isio);

• the Fund actuary (the current Fund actuary is Paul McGlone) and the actuarial and investment advisers, Aon Solutions UK Limited;

• our legal and other professional advisers;

• insurance companies in certain circumstances where insurance cover for particular benefit entitlements is being considered or has been put in place (e.g. LGAS);

• any other service providers who hold or process your data on our behalf; and

• third parties to whom we are required to transfer data by law or regulatory requirements (e.g. government and regulatory authorities).

14. However, we will only disclose personal data where this is reasonably necessary for the purposes of the proper running and administration of the Fund, including the provision of benefits in respect of you from the Fund, or where otherwise required by law or regulatory requirements.

15. These disclosures may involve transferring your personal data overseas. This may include transfers to countries outside the UK, which do not have similarly strict data privacy laws. In those cases, we will ensure that our arrangements with any relevant third parties are governed by data transfer agreements, designed to ensure that your personal data is protected, on terms approved for this purpose in accordance with the GDPR. You can ask for copies of these agreements at any time (see below).

16. Aon Solutions UK Limited and the Scheme Actuary are also data controllers under the Data Protection Laws. Details of how they use your personal information is available online at: http://www.aon.com/unitedkingdom/products-and-services/human-capital-consulting/aon-hewitt-actuarial-services-privacy-statement.jsp, or you can request details by writing to Data Protection Officer, Aon Solutions UK Limited (Retirement and Investment UK), PO Box 730, Redhill, RH1 9FH. Information about how other third parties connected with the Fund process your personal data may be provided on the relevant party’s website. If you require further information or would like to be provided with details of the relevant party’s data protection contact, please contact Isio or LGAS (as applicable) at / or Legal & General | Pension Risk Transfer | Privacy policy (legalandgeneral.com) in the first instance.

Consent

17. We do not generally rely on your consent to justify processing your personal data.

18. If we need your consent (for example, in certain cases requiring sensitive personal data (e.g. medical information) to support an ill-health early retirement application), we will ask you for it separately – you are not obliged to consent and if you do consent, you can withdraw it at any time where we are relying on your consent to justify our processing (although it may be necessary to retain some or all of the information provided where we need to for the defence of legal claims). Please note that not providing or withdrawing consent could mean that we have insufficient evidence to assess your eligibility or continued eligibility for certain Fund benefits.

YOUR RIGHTS AND WHO TO CONTACT

19. Subject to the relevant legal rules, you have the right to ask us to: (1) provide you with access to your personal data; (2) correct any inaccurate personal data; (3) erase your personal data; and (4) restrict or stop processing your personal data. However, in certain circumstances we may be permitted to continue processing your personal data where this is justified. To exercise any of these rights contact Isio or LGAS (as applicable) at / , or / . Please note that a request for us to erase your personal data or to restrict / stop us processing your personal data could impact our ability to provide your Fund benefits.

20. You also have the right to lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk) if you are unhappy with the way your personal data is being processed. However, we do encourage you to contact Isio or LGAS (as applicable) at / , or / in the first instance in order to raise any queries and resolve any concerns.

21. If you have any questions about this notice, please contact Isio or LGAS (as applicable).

22. In order to enable us to comply with our legal obligations, please notify Isio or LGAS (as applicable) of any changes to your personal details (e.g. address or other contact details) as soon as possible.

MISCELLANEOUS

Expressions used in this notice

23. Where we talk about data “relating to you” or “about you” in this notice, this includes data about third parties such as your spouse, civil partner, co-habitee and/or children (if any) which you provide to us on their behalf. Where you provide such data (for example, when completing or updating an expression of wish form / death benefit nomination form), you should inform the third party that you are doing this and share a copy of this notice with them so they also understand how this data is processed.

24. This notice refers to health data as “sensitive” personal data. “Sensitive” personal data covers various categories of personal data identified by law as requiring special treatment. These categories comprise personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, health, sexual life, sexual orientation, biometric data and data relating to criminal convictions and offences or related security measures. In the context of the Fund, the only sensitive data we are likely to hold about you (if at all) is data relating to your health.

25. The “Dairy Crest Group” means Dairy Crest Group Limited2 and its associated companies.

Future changes

26. The Trustee of the Fund may change over time and your personal data will be held by any replacement trustee in the same way as it is held by the current Trustee.

Any changes we make to this notice in the future will be posted to the Trustee’s website at https://dairycrestpensiontrustees.co.uk and available on request from Isio or LGAS (as applicable) at / , or / . Please check for any changes if you are using a printed copy of this notice.

DATA PROTECTION POLICY

TRUSTEE DATA PROTECTION POLICY RELATING TO THE DAIRY CREST GROUP PENSION FUND (THE FUND)

1. INTRODUCTION AND SCOPE

1.1 This is the data protection policy (the Policy) of Dairy Crest Pension Trustees Limited in its capacity as trustee of the Fund (the Trustee).

1.2 The administration of the Fund requires Personal Data (and, occasionally, Sensitive Personal Data) in respect of members of the Fund and other individuals who are beneficiaries / potential beneficiaries of the Fund (referred to in this Policy as Data Subjects) to be Processed. The Trustee, as a data controller, is committed to protecting the privacy of these individuals.

1.3 This Policy regulates the “Processing” of “Personal Data” and “Sensitive Personal Data”. For these purposes:

1.3.1 Personal Data1 means, broadly, information that:

(a) relates to an identified or identifiable living individual; and

(b) is held either (i) on a computer or in other electronic or automatically Processable form; or (ii) in a paper filing system arranged to be accessible according to specified criteria.

1.3.2 Processing means, broadly, collecting, storing, analysing, using, disclosing, archiving, deleting or doing absolutely anything else with Personal Data (and Process, Processed and Processable should be read accordingly).

1.3.3 Sensitive Personal Data means, broadly:

(a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

(b) genetic data and biometric data Processed for the purpose of uniquely identifying a living individual;

(c) Personal Data concerning a living individual’s health, sex life or sexual orientation; and

1 Note the following points:

  • This Policy does not apply to information relating to companies and other legal persons (e.g. governmental agencies) unless it also relates to individuals.
  • Information does not have to be particularly “personal” or “private” in nature to be Personal Data. Relatively trivial information, and information relating to individuals in their professional rather than their personal capacity, can be regulated by the GDPR and therefore by this Policy.
  • Truly anonymised information is not personal data (the Data Subject must be either identified or identifiable). However this does not mean that, for example, removing the names of the Data Subjects is sufficient so that the information will not be Personal Data – if the Trustee can identify the individuals to whom the information relates, including by taking account of other information in its possession or to which it could reasonably get access, the information will be Personal Data.

(d) Personal Data relating to criminal convictions and offences or related security measures.

1.4 The Trustee has put in place this Policy to ensure and demonstrate compliance with applicable data protection laws regulating the use of personal information it holds relating to the Data Subjects. In particular, the Trustee (along with any person who Processes Personal Data for or on its behalf) is obliged to comply with the requirements and restrictions of the UK General Data Protection Regulation (GDPR) and the related Data Protection Act 2018. This Policy was originally put in place in May 2018, when the predecessor to the GDPR took effect in the UK as an EU regulation, supplemented by the Data Protection Act 2018. This Policy was updated in February 2022 and now takes account of changes following the UK’s withdrawal from the European Union.

1.5 This Policy may be supplemented by additional documents or policies from time to time to ensure the Trustee meets its obligations under the GDPR and/or any other data protection laws to the extent applicable to the Trustee.

2. COMPLIANCE WITH THIS POLICY

2.1 Where this Policy refers to the manner in which the Trustee Processes Personal Data, it is intended that any third party Processing Personal Data on behalf of or on the instruction of the Trustee will do so in accordance with this Policy. Prior to putting this Policy in place, the Trustee has liaised with third parties who Process Personal Data on behalf of the Trustee to understand how they currently hold and manage Personal Data relating to the Fund.

The Trustee has outsourced the day to day administration of the Fund to a third party administrator, currently Isio Group Limited (“Isio”).

2.2 The Trustee has entered into an agreement with Isio which, among other things, requires Isio to Process Personal Data in a manner which complies with the GDPR and the Trustee has provided Isio with a copy of this Policy.

2.3 Aon Solutions UK Limited (who provides actuarial and investment services to the Trustee) and L&G Assurance Society (with whom the Trustee has certain buy-in policies and who administers the payroll for pensioners covered by those buy-in policies) have confirmed to the Trustee that they will act as data controller in respect of any Fund Personal Data they hold from time to time.

2.4 Having considered the requirements of the GDPR and the available guidance, the Trustee has concluded that a Data Protection Officer is not required in respect of the Fund on the basis that the Trustee’s core activities do not involve the “regular and systematic monitoring” of Data Subjects or the Processing of Sensitive Personal Data on a “large scale”. While Personal Data of Fund members will be used for the purposes of operating the Fund, and, where necessary, will be kept up-to-date, the Trustee does not consider that this amounts to the “regular and systematic monitoring” envisaged by the GDPR. In addition, while the Trustee (or a person on its behalf) may be Processing health information (Sensitive Personal Data) in the circumstances set out in section 6 below, the Trustee does not consider that this amounts to Processing on a “large scale”.

2.5 The Trustee board as a whole, rather than a nominated individual or committee, will be responsible for GDPR compliance in relation to the Fund. The Trustee board has received training regarding the requirements imposed by the GDPR. The Trustee is also aware that most, if not all, of the third parties who Process Personal Data on behalf of the Trustee have appointed a Data Protection Officer.

3. PERSONAL DATA COLLECTED BY OR ON BEHALF OF THE TRUSTEE

3.1 The Personal Data which may be collected or have been collected and processed by or on behalf of the Trustee includes, for example (and where relevant):

3.1.1 members’ names, addresses, dates of birth, telephone numbers and email addresses;

3.1.2 members’ National Insurance numbers;

3.1.3 members’ service history while employed by any Fund employer, including historical details of salary and other benefits, historical details of salary sacrifice arrangements and historical details of any period of absence and working hours;

3.1.4 members’ gender, marital status and details of any dependants or potential beneficiaries as well as expression of wish forms, copies of birth, death, marriage certificates and passports;

3.1.5 benefit related information such as benefit elections, pension details, dates of retirement and any relevant matters impacting members’ benefits such as AVCs, pension sharing orders, tax protections or other adjustments, retained benefits in other pension arrangements;

3.1.6 members’ bank details (typically this information is only held where benefits under the Fund are in payment or due to come into payment shortly);

3.1.7 in certain cases, information relating to members’ health; and

3.1.8 any other personal information which may be:

(a) required to calculate the benefits provided from the Fund;

(b) necessary for the proper running and administration of the Fund; and/or

(c) required to process a benefit option, for example, in connection with a member’s request to transfer Fund benefits to another pension arrangement (in which case personal information may include information regarding the member’s employment with an employer in the receiving scheme; the member’s salary; any contributions paid to the receiving scheme; and/or information relevant to the member’s residency status).

3.2 Some of this information is or has been collected directly from Fund members (for example, by them filling in forms in relation to their membership of the Fund, or corresponding with the Trustee or a representative of the Trustee by telephone, post, email or otherwise). In addition, if members visit the Fund’s website, it will automatically collect some information, including the Internet protocol address used to connect the member’s device to the Internet and some other information such as browser type and version and the pages on the site that they visit.

3.3 The Trustee (or others on its behalf) may also collect (or have collected) some information from other sources. For example:

  • some information is or has been collected from Dairy Crest Limited, Dairy Crest Group Limited, other companies in the Dairy Crest group and from employers, trustees and administrators of predecessor schemes and schemes which have merged into the Fund; and
  • the Trustee may also occasionally obtain (or have obtained) data from third party sources (for example, the Fund administrators, Dairy Crest’s payroll provider, HM Revenue and Customs and a receiving scheme (or an employer of that scheme) in respect of a request from you to transfer your Fund benefits to that scheme).

3.4 The Trustee of the Fund may change over time and Personal Data will be held by any replacement trustee/s in the same way as it is held by the current Trustee in accordance with this Policy.

4. TRANSPARENCY

4.1 Except as provided in section 4.2, Fund members were provided with the information set out in Annex 1 to this Policy, to the extent they did not already have it, as soon as practicable after this Policy originally took effect.

4.2 The Trustee has determined that Data Subjects need not be provided with the information in Annex 1 in the following circumstances:

4.2.1 if the Trustee, or a person on its behalf, is Processing the relevant Personal Data in order to investigate an alleged or actual crime, regulatory breach or disciplinary issue and to provide the information would prejudice the investigation; or

4.2.2 if the relevant Personal Data are not obtained by the Trustee directly from the Data Subject but from a third party (e.g. from the Fund member, being the spouse or parent of the Data Subject), where the Trustee will generally take the view that to contact and inform the Data Subject would be impossible or would require effort disproportionate to the value to the Data Subject of being informed2.

2 The Trustee notes that where it (or any person on its behalf) receives from a Fund member Personal Data relating to his or her spouse, civil partner, co-habitee, child(ren) or any other dependant / potential beneficiary of the Fund, it will generally take the view that as long as the Trustee has asked the member to pass the relevant information on to said person, it would involve disproportionate effort (and, may in some cases conflict with the Trustee’s duties) for the Trustee to contact said person directly and provide him or her with the information set out in Annex 1. Furthermore, the Trustee will publish the information on the Fund’s website, such that it is publicly available to such Data Subjects in any event.

4.3 The information in Annex 1 should be provided in writing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. A copy of the high level notice issued to members as soon as reasonably practicable after this Policy originally took effect and the fuller notice published on the Fund’s website (and to be made available in hard copy on request) is included at Annex 2.

5. FAIRNESS, LEGITIMACY AND PROPORTIONALITY

5.1 The Trustee will only Process Personal Data fairly and for specified and explicit purposes.

5.2 In particular, the Trustee will generally only Process Personal Data if:

5.2.1 the Processing is Necessary for the purposes of the legitimate interests that the Trustee, and the other persons with which it co-operates in fulfilling its role as Trustee, pursue (and by Necessary we mean that those purposes could not reasonably be achieved without the relevant Processing) and

5.2.2 either the Processing does not prejudice the privacy of the affected Data Subjects or, if there is some prejudice, it is sufficiently trivial or minor that it does not override the need to pursue those legitimate interests (where the above conditions are satisfied, the “Legitimate Interests Condition” shall be met); or

5.2.3 the Processing is Necessary so that the Trustee can comply with its legal obligations.

5.3 The Trustee has considered the requirements above and concluded that the Processing of Personal Data it currently undertakes (as at the date of this Policy) is for one or both of the following purposes:

5.3.1 the Processing is required in order to administer the Fund on an ongoing basis and, where possible in due course, ultimately, through securing Fund benefits with an insurance company (which may involve considering or implementing risk mitigation options in relation to the Fund such as liability management exercises and buy-ins and buy-outs); and

5.3.2 the Processing is Necessary so that the Trustee can comply with its regulatory and legal obligations to which it is subject as trustee of the Fund and where otherwise required by law.

5.4 The Trustee will not Process Personal Data which are irrelevant or inadequate or go beyond what is necessary given the purposes of the Processing.

5.5 Having collected Personal Data for a particular purpose, the Trustee will not then Process those Personal Data in a way which is incompatible with that purpose unless it first obtains the Data Subject’s Consent.

6. SENSITIVE PERSONAL DATA

6.1 In practice the Trustee expects that the only Sensitive Personal Data likely to be collected (by the Trustee or on its behalf) in relation to any Data Subjects is health data, where this is necessary for the Trustee and the Fund administrators to process, review or otherwise administer benefits under the Fund (for example, assessing eligibility (or continued eligibility, as applicable) for retirement on the grounds of ill-health or a serious ill-health lump sum). In such cases, the Trustee will need to see evidence from a registered medical practitioner regarding the particular Data Subject’s health in order to assess whether the individual meets the criteria under the Fund rules and/or legislation.

6.2 Under Articles 6 and 9 of the GDPR, the Trustee may only process Sensitive Personal Data where:

6.2.1 a lawful basis under Article 6 GDPR applies; and

6.2.2 the Processing satisfies a condition under Article 9.

6.3 The Trustee considers that its Processing of Sensitive Personal Data is necessary for the purposes of its legitimate interests under Article 6(1)(f) GDPR.

6.4 The Trustee has been advised that its Processing of Sensitive Personal Data satisfies Article 9.2(b) and/or Article 9.2(f) GDPR because it is necessary for the purposes of carrying out its obligations and giving effect to specific rights of members in the field of employment, social security and social protection law and/or for the purposes of establishing, exercising, or defending a legal claim. For the purposes of Article 9.2(b) GDPR, this Processing is also authorised by the Data Protection Act 2018 as processing of special categories of data in the field of “employment, social security or social protection law“. By relying on these conditions to process Sensitive Personal Data, the explicit consent of the Data Subject is not required.

6.5 However, there may be circumstances in which the Trustee decides to base its Processing of particular Sensitive Personal Data on the member’s explicit consent. Where this is the case, the Trustee will comply with the requirements of section 6.6 below. In particular, the relevant Data Subject will be informed that his or her explicit Consent is needed to the Processing for the purposes described above and that such Personal Data may be Transferred to the Trustee’s legal and professional advisers, the Fund administrators and/or the Fund actuary accordingly. The Data Subject will be informed that he / she may withdraw his / her Consent to the Processing of such Sensitive Personal Data at any time. However, he / she will be made aware that if Consent is not given / is withdrawn, the Trustee may have insufficient evidence to assess the Data Subject’s eligibility or continued eligibility for benefits under the Fund.

6.6 For the purposes of this Policy, Consent means a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or a clear affirmative action (such as ticking a box), signifies agreement to the Processing of his or her Personal Data. Mere failure to respond does not amount to Consent. The Trustee notes that:

6.6.1 Consent can be withdrawn at any time. The Trustee does not rely on Consent where Processing is not genuinely optional from the perspective of the Data Subject.

6.6.2 If the Trustee wishes to obtain the Consent (including the explicit Consent) of a Data Subject for the purposes of this Policy, it will:

(a) request the Consent in an intelligible and easily accessible form, using clear and plain language;

(b) make sure that the Data Subject understands, when he or she Consents, that he or she is free to withhold the requested Consent without suffering any adverse consequence, and that the Consent can be withdrawn at any time, with information as to a straightforward way in which the Data Subject can withdraw the Consent;

(c) if the Consent is obtained in written form, and the relevant document also concerns other matters, make sure that the Consent is clearly distinguishable from the other matters; and

(d) make sure that the Trustee has an appropriate record of the Consent having been given.

6.6.3 Where explicit Consent is required, the Trustee will need to explain in specific terms the nature of the Processing to be carried out and the Personal Data to be Processed, as well as providing all the information set out in Annex 1, and the Data Subject will then need to make an explicit written statement (or expressly agree to an explicit statement provided by the Trustee) agreeing that the Processing can go ahead.

6.7 A copy of the form currently used to request explicit Consent from individuals in connection with retirement on the grounds of ill-health or a serious ill-health lump sum is attached at Annex 3. The circumstances in which explicit Consent is required and the form of consent request at Annex 3 shall be reviewed from time to time and updated where necessary.

7. ACCURACY AND CURRENCY

Where the Trustee Processes Personal Data, or allows Personal Data to be Processed on its behalf, it will take every reasonable step to ensure that those Personal Data are accurate and, where relevant, up to date, and to correct inaccurate Personal Data without delay.

8. RETENTION AND DESTRUCTION

The Trustee will retain Personal Data for such period as is reasonably necessary for the proper running and administration of the Fund and the performance of the Trustee’s legal obligations and the pursuit of the Legitimate Interests Condition. The Trustee’s current retention policy is that Personal Data will be retained by the Fund for so long as the Data Subject is entitled or may become entitled to benefits under the Fund, and, because trustees of pension schemes can commonly face complaints or questions from members, former members, other individuals or regulatory authorities many years after a member / beneficiary has ceased to be entitled or prospectively entitled to benefits, some Personal Data may need to be kept indefinitely. However, the Trustee will not retain Personal Data for longer than is Necessary having regard to the purpose for which it is held.

9. DATA SECURITY

9.1 The Trustee will have technical and organisational security measures in place to protect all Personal Data that it Processes.

9.2 The Trustee will take reasonable steps to achieve data minimisation. For example, anonymising Personal Data where appropriate in Trustee minutes, reports on member activity and where Transferring this to service providers, to the extent reasonably possible.

9.3 Where the Trustee outsources the Processing of Personal Data to any third party service provider it will have regard to the matters listed in section 12 below.

10. DATA BREACHES AND NOTIFICATION

10.1 The Trustee is obliged to report certain breaches of security affecting Personal Data to competent data protection authorities, and in some circumstances it is obliged to inform affected Data Subjects. Any trustee director or service provider who becomes aware of or suspects such a breach in connection with the Fund must inform Zedra Inside Pensions immediately so that Zedra Inside Pensions can disseminate the information to the Trustee board and/or otherwise deal with the request in accordance with the protocol agreed from time to time.

11. AUTOMATED DECISION-TAKING TECHNIQUES (INCLUDING PROFILING)

The Trustee will not use Processing Systems (as defined in section 14.1) to take decisions producing legal effects concerning living individuals, or otherwise significantly affecting them, based solely on automated Processing of Personal Data, unless the Trustee has considered the proposed Processing System in a particular case and concluded that it meets the requirements of the GDPR and other applicable laws.

12. DISCLOSURE AND INTERNATIONAL PERSONAL DATA TRANSFER

12.1 The Trustee may share Personal Data with Dairy Crest Limited, Dairy Crest Group Limited or another company in the Dairy Crest group, their advisers and with third parties for the purposes described in section 5 above. In particular, information may be disclosed to the following third parties:

12.1.1 the administrators of the Fund;

12.1.2 the Fund actuary and investment advisers;

12.1.3 the Trustee’s legal and other professional advisers;

12.1.4 insurance companies in certain circumstances where insurance cover for particular benefit entitlements is being considered or has been put in place;

12.1.5 any other service providers who hold or Process Personal Data on the Trustee’s behalf;

12.1.6 third parties to whom the Trustee is required to transfer data by law or regulatory requirements (e.g. government and regulatory authorities).

12.2 The key service providers who Process Personal Data on the Trustee’s behalf are the Fund administrators – the current administrators are Isio Group Limited.

12.3 Where the Trustee outsources the Processing of Personal Data to any third party service provider it will:

12.3.1 ask for confirmation that the provider has appropriate technical and organisational security arrangements in place to protect Personal Data;

12.3.2 ensure that the arrangement is governed by a written agreement imposing obligations on the service provider as described in Annex 4 to this Policy; and

12.3.3 take reasonable steps (for example by exercising audit rights and/or making enquiries of the service provider) to ensure that the security measures required of the service provider are in place in practice over time during the life of the relevant Processing arrangement.

12.4 These disclosures may involve Transferring Personal Data outside the UK. The Trustee will only Transfer Personal Data outside the UK:

12.4.1 where the Transfer is to a country or other territory which has been assessed as ensuring an adequate level of protection for Personal Data in accordance with the GDPR. (The Trustee notes that transfers of Personal Data (subject to limited exceptions which should not be relevant to the Personal Data Processed by the Trustee) from the UK to the European Economic Area currently remain permitted without further arrangements or safeguards needing to be established following the UK’s withdrawal from the European Union);

12.4.2 where the Transfer is governed by a data transfer agreement, designed to ensure that the Personal Data is protected, in accordance with the GDPR; or

12.4.3 where the Trustee has approved the Transfer on the basis that it is compliant with the GDPR and other applicable laws.

12.5 For the purposes of this Policy, a Transfer is any transfer of Personal Data. This includes arrangements through which a person outside the UK has remote access to Personal Data stored within the UK.

13. DATA SUBJECTS’ RIGHTS

13.1 Data Subjects have the right:

13.1.1 to be provided with a copy of any Personal Data that the Trustee holds about them, with certain related information;

13.1.2 to require the Trustee, without undue delay, to update or correct any inaccurate Personal Data, or complete any incomplete Personal Data, concerning them;

13.1.3 to require the Trustee to stop processing their Personal Data for direct marketing Purposes (not applicable here); and

13.1.4 to object to the processing of their Personal Data more generally.

13.2 Data Subjects may also have the right, in certain circumstances:

13.2.1 to require the Trustee, without undue delay, to delete their Personal Data;

13.2.2 to “restrict” the Trustee’s Processing of their Personal Data, so that it can only continue subject to very tight restrictions; and

13.2.3 to require Personal Data which they have provided to the Trustee, and which are Processed based on their Consent or the performance of a contract with them, to be “ported” to them or a replacement service provider.

13.3 If any trustee director or service provider receives a communication from any Data Subject in which he or she seeks to exercise any of these rights, that communication should be passed to Zedra Inside Pensions as soon as is reasonably practicable so that Zedra Inside Pensions can disseminate the information to the Trustee board and/or otherwise deal with the request in accordance with any protocol in place from time to time.

14. DESIGN AND ASSESSMENT OF PROCESSING ARRANGEMENTS

14.1 Generally speaking it is not envisaged that there will be significant changes to the technological arrangements or processing systems in place in relation to Fund Personal Data. However, where a new information technology system or other arrangement involving the Processing of Personal Data (a Processing System) is to be implemented on behalf of the Trustee or a significant change is to be made to an existing Processing System, the person with overall responsibility for that Processing System should follow the approach set out in Annex 5 (as amended or updated from time to time).

15. CO-OPERATION WITH DATA PROTECTION AUTHORITIES

The Trustee is obliged to co-operate with the Information Commissioner’s Office. Any communication received from the Information Commissioner’s Office or other competent data protection authority should be passed to Zedra Inside Pensions (to arrange dissemination to the Trustee board) as soon as is reasonably practicable.

16. CHANGES TO THIS POLICY

The Trustee reserves the right to review and change this Policy at any time and intends to review the Policy annually.

Original date of Policy: May 2018

Last update to Policy: May 2024

ANNEX 1 INFORMATION TO BE PROVIDED TO DATA SUBJECTS (SEE SECTION 4)

The information referred to in section 4.1 of this Policy is:

1. the identity and contact details of the Trustee controlling the Processing of the relevant Personal Data (i.e. in its capacity as data controller);

2. where relevant, the contact details of the Trustee’s Data Protection Officer;

3. the purposes for which the Trustee intends to Process the Personal Data;

4. the legal basis for the Processing (for example, the Legitimate Interests Condition – generally, see section 5);

5. where the Processing is justified on the basis of the Legitimate Interests Condition, the relevant legitimate interests pursued by the Trustee or another person which the Trustee relies upon to justify the Processing;

6. where the Trustee is not collecting the Personal Data directly from the Data Subject but from a third party, the categories of Personal Data collected and the sources from which they are collected (including, if relevant, the fact that Personal Data are obtained from publicly accessible sources);

7. any intended recipients or categories of recipient of the Personal Data (this means recipients outside the Trustee, such as third party service providers);

8. where applicable (see also section 12.4), the fact that the Trustee intends to Transfer the Personal Data to a country or territory outside the UK, together with information as to:

8.1 whether the relevant country has been determined to ensure an adequate level of protection for Personal Data; and

8.2 where this is not the case, and if the Trustee justifies Transferring the Personal Data to that country or territory on the basis that it has put in place adequate safeguards to protect the Transferred Personal Data (for example, an appropriate data transfer agreement), the nature of those safeguards and that a copy can be obtained from the Trustee;

9. the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period (see also section 8);

10. the existence of the legal right to request from the Trustee access to and rectification or erasure of Personal Data or restriction of Processing concerning the Data Subjects or to object to Processing as well as the right to data portability (see also section 13), and that these rights can be exercised by contacting the Trustee;

11. that the Data Subjects can, if they so wish, lodge a complaint about the Trustee’s Processing of his or her Personal Data with the relevant national or regional data protection authority;

12. where the Trustee is collecting the Personal Data directly from the Data Subjects, whether provision of the requested Personal Data is a statutory or contractual requirement, or a requirement Necessary to enter into a contract, and whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide it; and

13. detailed information about any automated decision-taking techniques that may be used, if applicable (see section 11).