Running a pension fund is inevitably connected with the collection and handling of the personal data of employees who participate in the fund as members. Personal data flows in both directions between the pension fund and the employer relating to new joiners, employees who are leaving, retirees and current employees, among others.
This personal data is likely to include:
As the above makes clear, the data held by a pension fund is personal data relating not only to a member (or ex-member) but also to individuals other than the member, for example the member’s spouse, children or dependants. The data may also be a combination of personal data and special category data (such as data about the member’s physical or mental health or sexual orientation).
Some of the above information will be provided by the member directly through the member participation form they complete. However, other data may be obtained from their employer.
At a minimum, the administrative committees of pension funds should already have conducted a data audit to identify what personal data is held in relation to the fund, the source of this data and the individuals or entities it is shared with. They should also have issued members and beneficiaries with privacy notices. Further, they should have a data protection policy and a procedure for dealing with potential data breaches in place. The administrative committee should also ensure that they have compliant contracts in place with all their data processors and have arrangements with any joint controllers.
But what happens with the data sharing that inevitably takes place between a pension fund and an employer? In our opinion, taking into consideration how pension funds and Cypriot employers are ‘connected’ and the extent to which personal data is shared between them, in most cases each of them should be considered a data controller. It is therefore important to have a data sharing agreement in place between them.
A data sharing agreement should include clauses that will guide the administrative committee and employers on how to ensure compliance with GDPR and with any Guidelines issued by the Cyprus Commissioner for the Protection of Personal Data. It should define the categories of data shared and the purposes for which the personal data is processed as well as the principles and procedures that the parties must adhere to and the responsibilities the parties have towards each other.