You are viewing the version of the document as on 2024-12-18.

PDCOB 11.6 Data retention

Obligations on firms under general privacy laws

PDCOB 11.6.1G

1Firms are reminded of the need to comply with data protection legislation, including in relation to pensions dashboard self-asserted data.

PDCOB 11.6.2R

1Without prejudice to the application of the GDPR where data has been obtained by the firm from data export, a firm:

  1. (1)

    must obtain a customer’s express consent to store that data; and

  2. (2)

    where consent is obtained, is permitted to store that data for 30 days from the date the customer consented in accordance with (1) above, after which period it must be deleted.

PDCOB 11.6.3R

1A firm is not permitted to store data obtained from data export where:

  1. (1)

    the customer does not expressly consent; or

  2. (2)

    the customer elected to export the data to themselves only.