This privacy notice explains how Railpen Limited collects and processes your information.
This privacy notice explains how Railpen Limited, with its registered address at 100 Liverpool Street, London EC2M 2AT and its group companies (“Railpen”, “we”, “our” or “us”) collects and processes your information that we receive in the following ways:
- information we receive as a result of the services that we offer;
- information we receive through our websites; and
- information we receive when we engage in business-to-business activities with you.
There are separate privacy notices which explain the personal information which we collect and process when administrating the pension schemes we are responsible for. These can be found at: member.railwayspensions.co.uk and btppensions.co.uk.
Railpen is a controller of your personal data for the purposes of applicable data protection legislation. This privacy notice describes what personal data we collect about you, the basis upon which we process it, with whom it is shared, how it is stored and certain other important information relating to the protection of your personal data.
Information we collect from or about you
We may collect and process the following types of personal data about you depending on the services we have been engaged to provide and your relationship with Railpen:
- Information that you provide to us. This includes information about you that you provide to us such as by filing in forms or by communicating with us whether by phone, email of otherwise. The nature of our relationship with you will determine the kind of personal data we might ask for, though such information may include (by way of a non-exhaustive list):
- basic personal data (such as name and job title; email address; phone number, address (including city and postcode); date of birth; occupation and job title; ID documentation).
- Information that we collect or generate about you. This includes (by way of non-exhaustive list):
- files that we may produce as a record of our relationship with you, including contact history; and/or
- any personal data that you provide during telephone and email communications with us which we may monitor and record in order to resolve complaints, improve our service and in order to comply with our legal and regulatory requirements.
- Information we obtain from other sources. This includes (by way of non-exhaustive list):
- information from publicly available sources (including third party agencies such as fraud prevention agencies; law enforcement agencies; public databases; registers and records (such as Companies House); other publicly accessible sources); and/or
- information obtained from sanctions checking and background screening providers.
How we use your data
We collect and process your personal data for the following reasons:
- to allow you to use and access our services;
- to set up / on-board prospective users of our services;
- to communicate with you about new products and services, and other information which we believe you may find interesting;
- to undertake market research;
- to fulfil our obligations under any contracts we have entered into with you, and exercise our rights under them;
- to keep our records up to date;
- to monitor our IT systems in order to protect against cyber threats or malicious activity including abuse and misuse;
- to administer or maintain IT and communications systems in order to uphold standards of service;
- for the ongoing review and improvement of the information provided on our websites to ensure they are user friendly and to prevent any potential disruptions or cyber-attacks;
- to comply with our legal obligations, any relevant industry or professional rules and regulations or any applicable voluntary codes;
- to maintain compliance with internal policies and procedures;
- for the management and administration of our business; and/or
- to comply with court orders and/or in connection with legal proceedings or disputes.
What is our lawful basis for processing your personal data
Under applicable data protection legislation, we must have a legal basis to process your personal data and this will be:
- to comply with our legal and regulatory obligations;
- to establish, exercise or defend our legal rights or for the purpose of legal proceedings;
- where we have obtained your consent;
- to perform our contractual obligations; or
- for our legitimate business interests, such as:
- to allow us to manage and administer our business;
- to communicate with you about our services and other information related to our business;
- to improve and maintain our websites and IT and communication systems; and/or
- to maintain compliance with internal policies and procedures.
We may ask you to consent to us processing your personal data in some circumstances. If we are processing your data on the basis of your consent, you can withdraw your consent at any time by contacting Railpen’s Data Protection Officer (details set out in the “How to contact us” section below).
Disclosure of your information to third parties
From time to time, we may need to share your information with third parties. The types of third parties we may need to share some of your information with include:
- companies that provide services to us, such as IT and communication providers, including providers of cloud services and cyber security services;
- our business partners who are contractually obliged to comply with appropriate data protection obligations;
- our professional advisors (for example, our accountants; legal advisors; background screening providers; credit reference agencies);
- third parties in order to verify your identity as well as to prevent and detect fraud; and/or
- if we sell any part of our business or our assets, in which case we may need to disclose your personal data to the prospective buyer for due diligence purposes.
Your personal data will also be disclosed to third parties:
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or any lawful request from any legal or regulatory authority; and/or
- to respond to any claims, and to establish, exercise or defend our legal rights.
Most third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal data for the specific purposes identified by us.
Transferring information outside the UK
In certain circumstances, your personal data may be transferred outside of the UK.
If we transfer personal data outside of the UK (for example to one or more of our service providers), we will take appropriate measures to ensure that your personal data is adequately protected in a manner which is consistent with this privacy notice and in accordance with data protection law. This can be done in a number of ways, for instance:
- the country that we send your personal data to might be approved by the UK Government as having adequate level of protection; or
- the recipient might have signed up to a contract based on “model contractual clauses” approved by the Information Commissioner’s Office, obliging them to protect your personal data.
In other circumstances the law may permit us to otherwise transfer your personal data outside the UK. In all cases, however, we will ensure that any transfer of your personal data is compliant with applicable data protection legislation.
You can obtain more details of the protection given to your personal data when it is transferred outside the UK (including a copy of the model contractual clauses which we have entered into with recipients of your personal data) by contacting us in accordance with the “How to contact us” section below.
How long do we retain your information
How long we hold your personal data for will vary. The retention period will be determined by various criteria including:
- the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
- legal obligations – laws or regulation may set a minimum period for which we have to keep your personal data.
When we no longer need your personal data, we will ensure that it is securely destroyed.
You have a number of legal rights in relation to the personal data that we hold about you. These rights include:
- the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;
- the right to withdraw your consent to our processing of your personal data at any time. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason (other than consent) for doing so;
- the right to receive your personal data (in a structured, commonly used and machine-readable format) and to request that we transfer your data to another service provider or data controller where technically feasible. This right applies where your data is being processed on the basis of your consent or in line with a contract to which you are party;
- the right to request that we rectify your personal data if it is inaccurate or incomplete;
- the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data, but we are legally entitled to retain it;
- the right to object to, and the right to request that we restrict, our processing of your personal data in certain circumstances. Again, there may be circumstances where you object to or ask us to restrict, our processing of your personal data but we are legally entitled to continue processing your personal data and/or to refuse that request; and
- the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.
You can exercise your rights by contacting our Data Protection Officer using the details set out in the “How to contact us” section below.
You can find out more information about your rights by contacting the Information Commissioner’s Office, or by searching their website at ico.org.uk.
We are committed to ensuring that your information is secure. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Our websites may contain links to other websites. Our privacy notice applies only to our websites, so if you click on a link to another website, you should exercise caution and look at the privacy notice applicable to the website in question.
How to contact us
If you wish to exercise any of your rights or have concerns about the processing of your personal data or wish to raise any issues in relation to data protection, including in relation to the use of it by Railpen, please contact the Data Protection Officer at:
Data Protection Officer
If you are unhappy with how your personal information is being handled, you also have the right to make a complaint to the Information Commissioner’s Office (www.ico.org.uk), an independent body set up to uphold information rights, which will investigate your complaint.
Changes to this privacy notice
We may update this privacy notice from time to time by updating this page. Please check this page periodically to see any changes or updates to this privacy notice.
This privacy notice was last updated in September 2021.