Canada: Getting Ready For GDPR - Part Four - Legal Issues And Trustee Decisions (Video)

In part four of our GDPR and pensions series, our experts focus on the important decisions trustees need to make in terms of the legal grounds for processing the scheme's personal data.

Download as a podcast.

Download this article as a PDF.


As data controllers, pension scheme trustees will need to consider a range of issues and take some important decisions. The most important of these decisions is to decide what legal grounds they have for processing their scheme's personal data.


1. Trustees will need to take some important decisions

As data controllers, trustees are ultimately responsible for the processing of their scheme's personal data. They will need to take decisions on important issues such as the legal grounds for processing the scheme's personal data

2. Trustees will need to document their decision making

One of the important overriding principles set out in the GDPR is accountability. Trustees will need to demonstrate: (a) that they have complied; and (b) how they have complied. For decision making, this means keeping records of how decisions were reached.

3. Trustees will need to establish the legal grounds for processing

Processing personal data is only lawful under the GDPR if one or more of six legal grounds applies. Trustees will need to determine the legal grounds for the processing of the scheme's personal data.

4. Trustees will need to think about sensitive personal data

There is a general prohibition against the processing of personal data. There are a range of exceptions to this general prohibition, and trustees will need to determine which exceptions apply in order to continue to process sensitive personal data.


As data controllers, Trustees will need to take important decisions on a range of issues relating to data protection. For example, many trustees will need to consider:

  • what are the legal grounds for processing my scheme's personal data?
  • what is the exception that will allow me to process sensitive personal data?
  • do we need to appoint a data protection officer (DPO)?
  • how long do we keep the scheme's personal data for? Will this need to change under the GDPR?
  • if we choose not to delete some of the scheme's personal data, should we at least remove it from online and office-based systems into secure archives?
  • what should we put in the scheme's privacy notices? Who do we need to send these notices to and when do we need to send them?
  • does my scheme have a data protection policy? Does it need to be reviewed and updated? If we don't have a policy, do we need to adopt one?
  • how do we share information with employers and related third parties? Do we have an information sharing agreement? If not, do we need to adopt one?

Trustees will also need to document their decision making process and ensure that they have a written record so that they can demonstrate compliance and accountability.

This chapter of the Guide focuses on the legal grounds for processing, but also sets out some guidelines that will apply for trustees approaching any decisions on data protection.


Under the GDPR, processing of personal data is only lawful if one or more of legal grounds (also referred to as lawful bases) applies. The Information Commissioner's Office (ICO) has been clear on the importance for data controllers of determining the correct legal ground(s) for processing personal data.

"You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason."

Guide to the General Data Protection Regulation (Information Commissioner's Office)


There are six legal grounds set out in the GDPR. Most of them will not, however, apply in the context of private sector occupational pension schemes. Necessary is used repeatedly in the legal grounds, which serves as a reminder of the GDPR's principle of data minimisation.

1. Consent

Data subject has provided consent for one or more specific purposes of data processing.

2. Contract

The processing is necessary for the performance of a contract to which the data subject is party.

3. Legal obligation

The processing is necessary for compliance with a legal obligation to which the controller is subject.

4. Vital interests

The processing is necessary in order to protect the vital interests of the data subject or of another natural person.

5. Public interest

The processing is necessary for the performance of a task carried out in the public interest.

6. Legitimate interests

The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. This ground is subject to a balancing test (see 'What is the legitimate interests balancing test' below).

Which of the legal grounds will apply for private sector occupational pension schemes?

Trustees will need to review their scheme's personal data and the processing activities that take place. They may also seek professional advice before taking a decision.

It is clear, however, that trustees of private sector occupational pension schemes will not be able to rely on all of the legal grounds.

Consent is unlikely to be a practical ground for the general processing of pension scheme's personal data (although it might continue to play a role in the processing of sensitive personal data - see Exemptions for processing sensitive personal data below).

Contract-based pension providers may process on the legal ground that it is necessary for the performance of the contract, but this is unlikely to be as useful for trust-based pension arrangements.

Similarly, private-sector pension schemes will not typically be able to rely on the legal ground of carrying out tasks in the public interest or protecting vital interests.

This leaves compliance with a legal obligation and legitimate interests.


Under the GDPR, data controllers can process personal data if such processing is necessary for compliance with a legal obligation. The ICO has, in its Guide to the General Data Protection Regulation (GDPR), confirmed that this ground can apply if "you need to process the personal data to comply with a common law or statutory obligation".

Pension trustees have a wide range of common law and statutory obligations. A lot of the scheme's personal data is processed in order to comply with these obligations.

For example, the trustee's fiduciary duties are set out in trust law, which is part of the common law. When trustees exercise their powers of discretion on a member query, they are expected to do so in line with their fiduciary duties. Amongst other things, this requires the trustees to take account of all of the relevant facts. In order for the trustees to do this, they are likely to need to request, sort, file and review personal data relating to the member. The trustee's legal ground for this processing is that it is necessary for them to comply with a legal obligation.

UK legislation also requires trustees to process personal data. For example, in order to comply with a member's statutory right to request a transfer, the trustee will need to process that member's personal data. Again, this is necessary in order for them to comply with a legal obligation.

Trustees will, however, still need to consider carefully what personal data they process and why they process it. Not all processing is done in order to comply with a legal obligation. In addition, the processing may not be necessary to comply with a legal obligation. If the processing is an unreasonable and disproportionate way of achieving compliance, this legal ground will not apply.

Trustees may therefore decide to take legal advice on what processing activities are necessary for compliance with legal obligations before they decide whether or not this is an appropriate legal ground for the processing of their scheme's personal data.


Legitimate interests provides one of the most flexible legal grounds for the processing of personal data. In order to protect individuals, the GDPR therefore adds additional wording that requires data controllers consider the rights and freedoms of data subjects.


When the full text of Article 6(f) of the GDPR is taken together, it is clear that data controllers need to carry out a balancing test in order to determine whether their legitimate interests are outweighed by risks to individuals. There are three tests that trustees will need to apply in order to determine if the legitimate interests ground can apply in respect of the processing of the scheme's personal data.


1. Purpose test: Are you pursuing a legitimate interest?

For example, the payment of the correct level of pension benefits to the scheme's beneficiaries is a legitimate interest for a pension scheme trustee to pursue.

2. Necessity test: Is the processing necessary in order for you to pursue your legitimate interest?

For example, do you need to process the personal data in the way that you do in order to fulfil the purpose? Or, is there a more proportionate or reasonable way of fulfilling the purpose?

3. Balancing test: Do the individual's interests override the legitimate interest?

As a trustee, you may have determined that you are pursuing a legitimate interest (i.e. the payment of the correct level of pension benefits). You may have also determined that your processing (i.e. the storage and retrieval of bank information) is necessary to fulfil that purpose. But do the individual's interests override the legitimate interest? If you keep the bank information on a secure, password protected system, this is unlikely to be a problem. If, however, you have decided to keep the bank information in an open folder (either online or in the office), then the individual's risk of being a victim of fraud might outweigh your legitimate interests.


Legitimate interests of the trustee or other third party

Exercising discretion

Complying with the law

Paying benefits

Running the scheme

Rights and freedoms of the data subject

How secure is the data

Adverse impact of processing?

How sensitive is the data?


Trustees should consider their legitimate interests and set them out in writing. They should also consider the rights and freedoms of the data subjects and make sure that these considerations are also set out in writing. In most cases, this should be straightforward - unlike in many online and commercial situations, the interests of trustees and members are more fully aligned. Both parties want to ensure the full and correct payment of benefits to the right people at the right time.


The rights and freedoms of individuals are far less likely to be infringed if the trustee, as the data controller, takes appropriate data security measures. This might, for example, involve the trustee:

  • putting in place or reviewing their scheme's data protection policies;
  • applying industry standard data and cyber security measures; and
  • ensured that third party service providers and professional advisers also comply with the GDPR.


Under the GDPR, there is a general prohibition on processing of sensitive personal data (called special categories of personal data in the legislation).

For pension scheme trustees, the most common form of sensitive personal data will be medical information. Other forms, such as information revealing race, ethnicity, religious beliefs or trade union membership or data concerning an individual's sexual orientation may also be encountered.

In order to continue to process sensitive personal data, trustees will need to:

  • establish a legal ground for processing the personal data; and
  • determine which exemption applies to override the general prohibition


The most relevant exception conditions for trustees of occupational pension schemes are:

  • that the individual has provided explicit and valid consent;
  • that the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law; and
  • that the processing is necessary for reasons of substantial public interest as authorised by Union or Member State law.


The GDPR sets a high standard for consent, and this is even more important when sensitive personal data is involved. Explicit consent under the GDPR needs to be clear, freely given, and in writing. The ICO has stated that consent should be:

"Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.

Consent must specifically cover the controller's name, the purposes of the processing and the types of processing activity."

Guide to the General Data Protection Regulation (Information Commissioner's Office)

Consent is likely to remain as an important part of the process of gathering sensitive personal information in respect of ill-health early retirement requests, death benefit decisions and IDRPs. Trustees should, however, ensure that how they obtain and record consent complies with the GDPR and seek legal advice if in doubt. If consent cannot be used, trustees should consider whether any of the other exemptions are available.

When do the other exceptions apply?

There are two exceptions set out in the Data Protection Bill 2017 - 19 that could be useful for trustees of private sector occupational pension schemes:

  • employment, social security and social protection law; and
  • substantial public interest - occupational pension schemes.

These exceptions are currently being debated as part of the parliamentary process. There are questions as to how they would apply in practice which may be resolved as the Bill progresses. Trustees should seek legal advice as to whether they will apply in their circumstances and may have to wait for the final version of the Data Protection Bill and/or guidance from the ICO.


As outlined above, pension scheme trustees will need to consider a wide range of issues relating to data protection and take decisions. The principles set out for establishing legal grounds for processing can be applied to taking other decisions. In particular, trustees should:

1. Make sure that you understand the issues

Ensure that you fully understand the issues. This might come from training, such as reading this Guide or attending training sessions or seminars. In addition, the ICO has produced a lot of guidance that can help trustees get to grips with their legal duties as data controllers. Where appropriate, trustees should also seek additional professional advice.

2. Schedule time for decision making

Make time for discussion and decision making. Trustees will need time to consider the information and make informed decisions. Set aside plenty of time for this at trustee meetings and consider whether having a standalone meeting on data protection would be the most efficient way of dealing with the issues.

3. Document compliance - that you've complied and how you've complied

Document the decision and the decision making process. As part of the principle of accountability, trustees will need to be able to evidence both that they have complied with the law and how they have complied with the law. A record of the relevant factors and the steps taken to reach a decision will be helpful if the trustee is challenged in the future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions