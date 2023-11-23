Articles 13 and 14 of the GDPR require trustees, as data controllers, to provide comprehensive information to members about the processing of their personal data, including: the categories of personal data processed; the purposes of processing; the lawful basis for each purpose of processing; the categories of recipients of personal data; and information about retention, individuals' rights and international transfers of personal data. This is usually presented by way of a privacy notice. Trustees need to be aware of recent enforcement decisions regarding privacy notices, e.g. the Irish Data Protection Commission's findings in respect of WhatsApp's privacy notice [1] and the Information Commissioner's Office's monetary penalty notice against TikTok [2]. In summary, the regulators expect privacy notices to provide information in considerably more detail and granularity. For example:

There needs to be a link between the categories of personal data processed and the processing activity performed on them. Each processing activity should be ascribed a lawful basis, and trustees should avoid ascribing multiple lawful bases to a single processing activity. In practice, a tabular format may be more suitable for presenting this information at this level of granularity.

If legitimate interests are being relied on as the lawful basis, the specific legitimate interests pursued should be set out. If legal obligation is being relied on as the lawful basis, the specific law or regulation imposing that obligation should be cited.

Categories of recipients should be as specific as possible, and additional information should be provided about retention periods, including the criteria used to determine them.

Further detail about international transfers should be provided, including the specific transfer mechanism relied on. There is also an expectation that the countries to which personal data is transferred are listed.

Trustees should therefore consider whether their privacy notices need to be updated to take account of these requirements. In addition, trustees should consider whether the purposes of processing set out in these notices remain accurate and comprehensive. We are, for example, seeing a number of trustees interested in undertaking (or instructing service providers to undertake) more detailed analysis of personal data, including by using AI technologies or by sharing data with third parties to facilitate bank transfers or insurance solutions. These use cases may not have been contemplated in 2018 and may need to be added to privacy notices. Similarly, they will need to be added to records of processing activities (ROPAs), which data controllers (including trustees) are required to maintain and keep up to date under Article 30 of the GDPR.

Finally, privacy notices need to be "accessible". This is particularly important in the pensions sector, as a number of members may be vulnerable or may not have the technical expertise or equipment to access online notices. Trustees should therefore consider providing updated notices as part of the hard-copy newsletters sent to members.