PRIVACY NOTICE

Who are we? 

Mitchells & Butlers Pension Plan (‘the Plan’) 


This is a privacy notice provided on behalf of the Trustee of the Plan (the Trustee, we or us). We collect, hold and use personal information to help us run the Plan. 


Contents of this notice 

The Trustee is a data controller in respect of the personal information that we hold in relation to the Plan. Because we use your personal information, we must provide you with certain information in order to comply with the UK General Data Protection Regulation and Data Protection Act 2018. 


This notice contains information on: 

  • the personal information we collect about you, what we do with this information and why we hold it. This is explained in more detail in section one. 
  • who else we get personal information from and who else we share personal information with. This is explained in more detail in section two. 
  • what rights you have in relation to your personal information and who to contact if you have any problems. This is set out in section three. 


Where can I get more information? 

If you require any more information or further details about how and why we process your personal information, your rights under the GDPR, or the third parties with whom we share your personal information, please contact us by email at pensions@mbplc.com or by letter to The Pensions Department, Mitchells & Butlers plc, 27 Fleet Street, Birmingham B3 1JP.


Alternatively, you can call the Pensions Department on 0121 498 5767 or access the additional information here. We also provide printed versions (including large print versions) on request. 


We may change this notice from time to time. 

Please visit this webpage or contact us in order to receive the most up to date version of this notice. 


This notice was last updated July 2022. 


Section one 

About your personal information


What information do we collect and process? 

We collect and process your personal information because you are or were a member or are or were connected to a member of the Plan. We also collect personal information if you contact us in connection with your membership of the Plan. 

We collect and process the following categories of personal information about you:

 

  • personal contact details – names, titles, addresses, telephone numbers and email addresses;
  • information about you – dates of birth, sex, marital status, dependents and next of kin; 
  • payroll information – National Insurance numbers, payroll numbers, bank account details, tax status, salary and employment information; and 
  • pension benefits – information about the pension benefits that you have accrued, investment choices and death benefit nomination forms. 


What sensitive personal information do we collect and process? 

Sensitive personal information (also classed as special category data under UK GDPR) is usually only used when it is required to help us make a decision in relation to your rights under the Plan. For example, we may request:


  • health information / medical records – we may ask you to provide health information if you request payment of a benefit that can only be paid if you meet certain medical criteria (e.g. ill health early retirement benefits). In addition to receiving this information from you, we may receive medical information from third parties such as your doctor or a third-party occupational health provider; or 
  • other sensitive personal information – we may ask you to provide other sensitive personal information (e.g. information about your personal relationships) if it is relevant to help us decide on an internal dispute resolution procedure. In addition, certain categories of sensitive personal information (e.g. race, ethnicity, religious beliefs and sexual orientation) may be revealed on formal documentation that we process in order to identify the recipients of benefits under the Plan (e.g. birth certificates, marriage certificates, driving licenses and passports). You may also decide to provide us with sensitive personal information voluntarily (e.g. when raising queries or making a complaint). 


How do we collect your personal information? 

When you joined the Plan, you and/or your employer provided personal details so that we could create your membership record. 

This information is updated whilst you are a member of the Plan, even if you have since left service with the Plan’s employers. Updated information may come from: 


  • you (e.g. if you get in touch to let us know a new address); 
  • your employer or former employer (e.g. updated salary and payroll information); and 
  • other third parties (e.g. if you contact the Plan's administrator to update your personal information or if HMRC provides us with information so that we can deduct the correct level of tax). In addition, we may request additional information in certain circumstances (e.g. if you request to transfer your benefits to another pension scheme, if you apply for ill health benefits or when you ask for your benefits to start being paid). 


Why do we process your personal information? 

We use this information to: 

  • set up your Plan membership record; 
  • manage your Plan membership; 
  • send you information that is relevant to your membership of the Plan; 
  • calculate, pay and settle any benefits that you are entitled to from the Plan; 
  • comply with our legal and regulatory duties; 
  • help manage risks and liabilities in the Plan in order to seek to be able to pay full benefits as far as possible; 
  • help the Plan’s sponsoring employers comply with their legal and regulatory duties; 
  • communicate with members and their independent financial advisers with information about the Plan; and 
  • improve our information and knowledge of pension schemes generally. 


What are our legal grounds for processing your personal information? 

The personal data that is used and processed about you is necessary for us to fulfil our responsibilities as Trustee of the Plan. If we did not collect and process your personal information then: 


  • we would not be able to manage or administer the Plan appropriately; 
  • we would not be able to pay the benefits that you are entitled to under the relevant Plan; and 
  • we would be in breach of our legal and regulatory duties. 


Additionally, your personal data is processed: 


1. In order to comply with our legal obligations 

As the Trustee of the Plan, we are under legal obligations to process your personal information in order to comply with pensions and other relevant legislation, the Plan’s rules, court rulings and Pensions Ombudsman decisions. For example:

 

  • legislation sets out certain things trustees must do (e.g. sending certain information to the Plan’s members); and 
  • the Trustee is subject to fiduciary duties under trust law to act in line with the Plan’s governing documentation. 


It is necessary for us to process your personal information in order to comply with these legal obligations.

 

2. In order to fulfil our legitimate interests 

Processing your personal information is also lawful if it is based on our ‘legitimate interests’. The Trustee has a legitimate interest in running and managing the Plan and its risks and liabilities. In addition, certain third parties may have legitimate interests which require the processing of your personal information by the Trustee (e.g. your employer may need information in order to comply with regulatory requirements).

 

What are our legal grounds for processing your sensitive personal information?

 

There are three legal grounds that allow us to process your sensitive personal information (sometimes referred to as special categories of personal data):

 

  • when we obtain explicit consent from you (e.g. when you sign one of the Plan’s forms which contains the appropriate consent wording); 
  • when processing is necessary for carrying out obligations under employment, social security or social protection law. 


This includes obligations under pensions law.


How long do we keep your personal information for?

The Plan was set up to provide benefits over a very long time. The Trustee needs to maintain records in order to properly run the Plan, to determine who should receive what level of benefits and when they should receive them, and to respond to any disputes about an individual's rights under the Plan. As a result, the Trustee will generally keep your personal information for a long period of time, i.e. until the wind up of the Plan or the death of the last beneficiary, in either case, plus 15 years (which is the longest period of time that someone can bring a claim against the Plan). Our service providers (and former service providers) may also have similar valid grounds to keep your personal information for such long periods.


Section two 

Using and sharing your personal information 


How do we keep your personal information secure? 

We use a range of measures to safeguard your personal information, in line with the requirements set out in the Data Protection Legislation. These apply to both paper and electronic records. We also require our third-party service providers to give certain assurances and agree to contractual terms in respect of data protection and the security of your personal information. 


What do we do with any personal information that is provided by third parties? 

We receive personal information from sources other than directly from you. This includes information shared by the Plan’s employer, the Plan’s administrator, its professional advisers, service providers and other relevant third parties. When we receive this information, we add it to the information we already hold about you in order to help us make sure that your details are as up to date and accurate as possible and so that we can manage your Plan membership. 


Who do we share your personal information with? 

For the purposes of administering and managing the Plan, managing its risks and liabilities, and paying benefits, the Trustee may need to share your personal information with third parties. 


This will include your employer (e.g., the payroll, finance, compliance, audit and HR teams). It will also include third parties who provide advice or services to the Trustee. These third parties may include actuaries, administrators, auditors, insurers, prospective insurers, lawyers, medical advisers, and any other such third parties as may be necessary for the operation of the Plan and to enable the Trustee to carry out its duties. 


Like most other organisations, we also make use of cloud services or other third-party platforms to help fulfil our services.


We've set out a list of the third parties with whom we share your personal information in the further information document that can be accessed here


Some of our suppliers and service providers will act as data processors on our behalf but some may also act as data controllers in respect of your personal information. In some circumstances, we may have to disclose your personal information by law, because a court or the police or other law enforcement agency has asked us for it. We may also need to pass your personal information to The Pensions Regulator or HM Revenue and Customs. 


We may also share your personal data with the Plan’s employers (and their professional advisers) to enable them to carry out activities in their legitimate interests (this is usually in connection with managing their business from a regulatory, HR or finance perspective). 


Sometimes, in order to improve our knowledge and information of pension schemes generally (so that we may improve our ability to run the Plan appropriately), we pool the personal data we hold with that of other pension schemes through third parties (for example, to obtain up to date and more accurate longevity data).


How do we process information of EU Citizens or that may involve International Data Transfers?

If you are a resident of the UK or European Economic Area (EEA), all the personal data processing is undertaken in accordance with UK and European laws and regulations such as the UK and EU General Data Protection Regulation (GDPR). While it is not our intention to transfer or process data outside the UK or EEA, it may be necessary for us to do so. Should this be the case, we will fully comply with the legal requirements, ensuring appropriate safeguards and security measures are utilised. Please contact the Pensions Department if you would like more information.


Where the country that we use to process does not have an “adequacy decision” approved by the UK or the EU Commission, then UK & EU Standard contractual clauses and data processing agreements have been or will be completed where necessary.


Section three 

Your rights and who to contact 


What rights do you have in respect of your personal information? 

In certain circumstances, you have the following rights in respect of your personal information:

 

  • the right to object to us processing your personal information. 
  • the right to request access to personal information relating to you. 
  • the right to request that we correct any mistakes in your personal information. 
  • rights in relation to automated decision taking. 
  • the right to request to restrict or prevent processing of your personal information. 
  • the right to request to have your personal information transferred to another data controller (e.g., if you decide to transfer your pension benefits to another pension scheme); and
  • the right to request to have your personal information deleted.


We've set out more information about these rights in the further information document that can be accessed here


What should you do if you have any questions or complaints? 

If you wish to exercise any of the above rights, or to review, verify, correct or question anything detailed in this policy, or are unhappy with any aspect of how we use your data, please contact us by email at pensions@mbplc.com or by letter to The Pensions Department, Mitchells & Butlers plc, 27 Fleet Street, Birmingham B3 1JP.


Alternatively, you can call the Pensions Department on 0121 498 5767. 


You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.