A. Who are we?
- We are the LifeSight Foundation. We are a pension provider. We process the pension scheme that your employer or former employer has awarded you.
- We administer (process) your (personal) data so that you, your surviving relatives or your former partner can receive a pension, as arranged in your pension scheme. We are responsible for processing within the meaning of the General Data Protection Regulation (GDPR). The GDPR is a privacy law that applies throughout the European Union (EU). The GDPR ensures that the protection of personal data is regulated in the same way in all EU countries and that the same rules apply in each Member State. The GDPR provides, among other things, for strengthening and extending the privacy rights of individuals.
B. Scope of this privacy statement
In this privacy statement we explain how we collect, use and share personal data with other parties to execute your pension scheme. In this statement you can read more about how we collect these personal data, among others through the employer’s and member’s portal and the mobile app MijnLifeSight. You can also read more about how we receive personal data from other sources.
D. Changes to this privacy statement
If we change this privacy statement, we will inform you about the changes through our website. We will inform you well in advance if the changes in this statement have a major influence on you or on the processing of your personal data. This will enable you to exercise your rights in good time, such as the right to access the processing of your personal data.
E. Why do we collect personal data about you?
Personal data are data that relate to you, either directly or indirectly. We collect or process this personal data for a specific purpose, namely for the execution of the pension scheme that your employer or former employer has awarded to you. We also do this in order to respond to your questions, complaints or requests or to provide you with pension support. And we also do this in order to meet our legal obligations.
F. What personal data do we collect and how do we collect it?
We receive personal data directly from you and from various other sources. Because we are a pension provider, we have a link to the Municipal Personal Records Database (BRP1). This gives us access to personal data such as your name, your Citizen Service Number (BSN), your partner relationship and your place of birth. We also receive personal data from your employer, such as your email address, your salary and your part-time percentage. We also receive personal data from SUAG (fitness for work status database)2. In addition, you may voluntarily provide other personal data to us if you become a member of a pension scheme we execute or if you contact us. Such as your telephone number or your private email address. We also register the IP address of your computer when you visit our website or when you use the mobile app MijnLifeSight. This is all data that directly or indirectly tells us something about you. Below is an overview of the data we possess or may possess:
Delivered by employer, BRP or SUAG
1. Name (first name/first names, prefix to surname);
2. Citizen Service Number (BSN);
3. Date of birth;
6. Date (start and end) and type of relationship (marriage or registered partnership);
7. Data of any partner or former partner (name, BSN, date of birth and gender);
8. Address (street name, house number (+ extension), postal code, town, country);
9. Date of death;
10. Employee number (personnel number);
11. Cost centre (if applicable);
12. Start date of employment contract;
14. Bonus (if applicable);
15. Part-time percentage (if applicable);
16. Average part-time percentage for the period prior to the date of membership (if applicable);
17. Partner’s and orphan’s pensions for the period prior to the date of membership (if applicable);
18. Partner’s and orphan’s pensions insured elsewhere (if applicable);
19. (work) email addresses;
20. Preferred language of communication (Dutch or English);
21. Chronically ill at the start of membership (yes/no) and, if so, the date of onset of the illness3;
22. Degree of disability (if applicable)4;
23. Percentage of continuation of non-contributory pension accrual from previous pension scheme (if applicable);
24. Participation in voluntarily ANW shortfall pension (if applicable);
25. Waiver agreement net pension (if applicable).
2 SUAG: Fitness for work status database
Delivered by you
26. Contact details (email address, preferred language for communication, method of communication);
27. Correspondence address (street, house number, postcode, town, country);
28. Date (start and end) and type of relationship (marriage abroad or cohabitation);
29. Data of any partner (name, BSN, date of birth and gender);
30. Request for value transfer;
31. Expenses at retirement age;
32. Pension accrued elsewhere;
33. Employee own funds;
34. Resided and worked abroad;
35. Choice supplementary contribution amount (if applicable);
36. Choice retirement age;
37. Choice expected income;
38. Choice preparing for a variable pension;
39. Choice investments;
40. Choice participation in ANW shortfall pension (if applicable);
41. Data on risk profile with regard to your pension investments (by answering questions);
42. IP address of your computer when you visit our website and when you use our mobile app MijnLifeSight;
43. Questions you ask the service desk by email;
44. Information you voluntary provide to the service desk by email;
45. Information you provide when you use our mobile app MijnLifeSight.
Data processing minimisation
We may not have more personal data than is strictly necessary for the proper execution of your pension scheme. The law stipulates that the personal data we process must be adequate, relevant and limited to that which is necessary.
We make every effort to ensure that data in our pension administration are correct and continue to be correct. For this we have, among other things, a link to the Municipal Personal Records Database. We assume the accuracy of the data in the Municipal Personal Records Database. In addition, the employer can submit changes online. We are not (always) able to check the correctness of the data entered by the employer and by yourself.
3 For the sake of completeness, we note that chronic illness and the degree of disability are considered as health data and therefore fall under the special categories of personal data for which special processing requirements apply. For this we refer to the General Data Protection Regulation (Implementation) Act (Uitvoeringswet Algemene verordening gegevensbescherming).
G. Our rights and obligations regarding your personal data
Special personal data
Some of the data we process is covered by the special categories of personal data or sensitive personal data. Such as chronic illness or any degree of occupational disability. Under the General Data Protection Regulation (Implementation) Act, we are authorised, as a pension provider, to process these data.
Because we have your personal data at our disposal for executing your pension scheme and the pension benefit payments are connected to your lifespan, we store your data for as long as is necessary for the purposes for which we process your data. We will address this further in paragraph j below.
Integrity and confidentiality
We handle your personal data carefully. By carefully we mean that your data are well protected and remain confidential. We devote considerable attention to safeguarding our systems and personal data. We will address this further in paragraph j below. Has something unexpectedly gone wrong? Then we will take action immediately. We resolve data leaks as quickly as possible and we register them. We also report them to the regulator and to you, if necessary. And we adapt our procedures and/or systems, insofar as necessary
What else do we do?
- We create a register in which we keep track of what personal data we have, which parties provided us with these data and the parties to which we provide these data.
- When setting up the processing, we adhere to the principles of ‘privacy by design’ and ‘privacy by default’.
Privacy by design means that we as an organisation pay attention to privacy-enhancing measures, also known as privacy-enhancing technologies (PET), during the development of products and services (such as information systems). In this way we can technically enforce careful and responsible handling of personal data. Privacy by default means that we take technical and organisational measures to ensure that we, as standard practice, only process personal data that are necessary for the specific purpose we want to achieve. This is why we implement a policy of data minimisation: we process as little personal data as possible. In paragraph f we already pointed out that we are also legally obliged to minimise data processing.
- We make agreements with all processors with whom we work to ensure they also comply with the GDPR
- If requested, we will cooperate with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
H. Legal basis for processing your personal data
According to the GDPR, we must have a legal basis for processing your personal data. This legal basis follows from the pension scheme you have under your employment contract with your employer or former employer. The execution of this pension scheme has been placed with us by your employer or former employer. When executing the scheme, we must comply with the obligations in accordance with the Pensions Act (Pensioenwet). The pension administration agreement between your employer or former employer and us and the obligations stipulated in the Pensions Act constitute the legal basis upon which we process your personal data.
I. With whom do we share your personal data?
LifeSight shares your personal data with other parties if this is necessary for the execution of the pension scheme and/or to comply with legal obligations.
Cooperation partners and business service providers
In order to execute the pension scheme, we share your personal data with the following cooperation partners:
- Athora Netherlands N.V., which provides administration services for LifeSight;
- InAdmin RiskCo, which provides pension administration services for LifeSight;
- eBenefits B.V., which manages the employer and participant portals for LifeSight.
In addition, when necessary for the provision of services, LifeSight may use the following categories of business service providers that may need to process personal data in the course of their work:
- Accounting firms;
- Postal and printing companies;
- ICT service providers;
- Law firms;
- (Pension) consultants.
All partners who have access to your personal data as part of their services do so on behalf of LifeSight for specifically defined purposes and in accordance with our instructions and this privacy statement. LifeSight makes agreements with them about how they will handle your data, with whom they may share your data and how they must secure your data. In principle, LifeSight uses business service providers based in the Netherlands.
We share your personal data with the following insurers:
- elipsLife, which insures death and disability risks within the pension scheme;
- Zwitserleven, our partner for purchasing pension in the benefits phase.
If these insurers process your personal data, they do so as independent data controllers.
LifeSight is sometimes obliged to provide personal data to authorised (government) agencies, such as:
- Regulators such as the Dutch Central Bank, the Netherlands Authority for the Financial Markets and the Netherlands Authority for the Protection of
- Personal Data;
- UWV benefits agency;
- Dutch Tax authority;
- Central Bureau of Statistics;
- Investigation agency FIU;
- National Pension Register;
- Complaints bodies KiFid and Ombudsman for Pensions.
If these bodies process your personal data, they do so as independent data controllers.
Other pension providers
LifeSight exchanges personal data with other pension providers if this is necessary for value transfers of pension entitlements or for purchase of a pension benefit on the retirement date.
J. Security and retention obligation
We have already discussed the security and the storage of your personal data above. When processing your personal data, we look after your interests and ensure that there is appropriate security and confidentiality to prevent any unauthorised access to or unauthorised use of your personal data and the equipment used for processing. We do this by implementing appropriate technical and organisational measures to protect your personal data against loss, misuse, unauthorised access, disclosure and modification. These measures ensure that we can continuously guarantee the integrity and confidentiality of your personal data. We will store your personal data for as long as this is in your interests or those of your survivors, in order to comply with the legal retention obligations and for such a period as is practicable for us and our partners. Where we see reason to keep your personal data for a longer period, for example to resolve an outstanding claim, investigation or complaint, we will keep your personal data for such longer period until the claim, investigation or complaint has been settled. We have made further agreements with our partners about our retention policy
K. Cross-border traffic of personal data to countries outside the European Union
When transferring personal data from the European Union to controllers, processors or other recipients in third countries, this should not be at the expense of the level of protection that individuals in the European Union enjoy in accordance with the GDPR. Transfer of personal data by us to third countries may in any case only take place in full compliance with the GDPR.
L. Your rights
Under the GDPR you have various rights, such as
• Right of access;
• Right to rectification and supplementation;
• Right to erasure;
• Right to restriction;
• Right to transferability;
• Right to object.
We will now briefly discuss these rights for the sake of completeness, although some rights have already been discussed.
Right of access
You have the right to view the data we have about you. This privacy statement contains the data we process. Please contact the service desk if you would like more information.
Right to rectification and supplementation
You have the right to have the data we have about you modified by us (rectified) or to supplement it. We do note, however, that the data from the Municipal Personal Records Database and the data provided by your employer or SUAG cannot be modified by us. You can only do this yourself through the Municipal Personal Records Database, your employer or SUAG. You can modify other data yourself through the member’s portal.
Right to erasure (right to be forgotten)
This right means that in a number of cases we are obliged to delete personal data if you request this. Please contact the service desk for this. The right to erasure does not always apply. You can invoke this right only in certain situations and after weighing your interests against the interests of a possible partner and/or our interests.
Right to restriction
The right to restriction of processing applies in situations that meet one of the following criteria: the data may be incorrect or no longer required or you object to the processing. Please contact the service desk for this.
Right to transferability (data portability)
This right means that you have the right to receive the personal data of you that we have. You can also ask for your data to be transferred directly to another organisation.
Right to object
This right only applies if we process your personal data on the basis of a task carried out in the general interest or on the basis of a legitimate interest.
Further rules for exercising your rights
If you want:
- access to your personal data;
- to check, correct, update, withhold or restrict your data; or
- a copy of your data in our system in a structured, standard and machine-readable form,
you can use the contact details at the end of this privacy statement. Please state in your request which personal data you wish to view or modify, which personal data you wish to remove from our database or otherwise let us know which restrictions you wish to make to your personal data.
You also have the right to protest against the processing of your personal data as described above in the Legal Basis for processing of your personal data on the understanding that certain data are not processed by us directly and cannot be changed by us for this reason. Please contact the service desk for this.
You are obliged to contact us before you submit a complaint to the Dutch Data Protection Authority.
Please contact us if you have any questions or comments about this privacy statement or if you wish to exercise your aforementioned rights. Our contact details are:
P.O. Box 802, 3500 AV Utrecht, The Netherlands
Phone number: +31 (0) 20 208 5106
Email service desk: firstname.lastname@example.org