- 29 Sep 2017
On 25 May 2016, the General Data Protection Regulation (“GDPR”) entered into force. After a transitional period of two years, these new European rules will also apply in Belgium. In our 4 May 2016 newsletter, we covered the ten things you need to know as an employer about the GDPR, followed by several newsflashes, including some on important positions of the Privacy Commission and the Article 29 Working Party concerning the practical implementation of the GDPR. With regard to the general framework of the GDPR, we refer you to our website (www.gdprbelgium.be).
In this newsletter, we focus on some specific points of interest for employers and sectoral organisers (both referred to here as “organisers”) and also for pension funds (IORPs) in the context of data processing while implementing pension plans.
After all, a pension plan cannot be managed and executed without processing the personal data of the plan members and their beneficiaries. Think, for instance, of the calculation of the vested pension rights, the preparation of the annual benefit statements, and the payment of the retirement or death benefits.
The GDPR is applicable in all European companies, institutions and organisations and has been drafted in general terms, which sometimes makes it difficult to apply these new rules to this specific context of pension plans and pension funds. Indeed, there is no one-to-one relationship. Instead, we start from a three-party relationship between the organiser, the pension institution (pension fund or insurer) and the plan members. In addition, not only the plan members that enjoy the pension promise but also their beneficiaries are to be considered as “data subjects” within the meaning of the GDPR. Even though the latter are in fact third parties with regard to the pension promise, their personal data will also be processed, which makes them data subjects in the sense of the GDPR.
Furthermore, we do not need to start from scratch. Over the past few years, organisers and pension funds have taken numerous measures in the context of the secure processing of personal data. It is important to take this into account as much as possible, and by doing so avoid both an additional administrative burden for the pension funds and over-engineering.
In this newsletter, we focus on a couple of the specific themes that have a particular relevance for the application of the GDPR in the context of occupational pensions. In this respect, some questions will remain unanswered as a common position of the pensions sector is still to be reached. We also briefly explain which documents should be reviewed in order to be GDPR-proof in time.
We hope you enjoy the read.