PDCOB 11.1 Application
1This chapter applies to a firm which chooses to offer or provide data export.
You are viewing the version of the document as on 2024-12-10.
Timeline guidance1This chapter applies to a firm which chooses to offer or provide data export.
2A firm is not permitted to offer or provide data export, apart from:
data export to the customer; or
data export to itself.
2A firm must not permit another person to offer or provide data export from the firm’s pensions dashboard platform.
1A firm which chooses to offer data export to the firm must also offer data export to the customer.
2 Data export will involve a firm processing personal data. Accordingly, firms processing such data are data controllers or data processors and are obliged to comply with data protection legislation and, in particular, to adhere to the data protection principles.
1A firm must not provide data export to the customer or to itself unless the customer has actively elected to select that specific type of data export.
1A firm must not require the customer to agree to data export as a condition of using the qualifying pensions dashboard service.
1The information exported to the firm by data export must include the customer’s pensions dashboard view data, subject to PDCOB 11.3.4R.
1When providing data export to the customer, the firm must not export the customer’s full pension reference.
1Where a firm exports a partial pension reference in accordance with PDCOB 11.3.4R, it must make a record of the rationale for the approach taken.
1For the purposes of PDCOB 11.3.4R, a firm may choose how many and which digits to omit or obscure.
1A firm should transfer the pensions dashboard view data securely to the customer or itself (as applicable). Firms are reminded of their obligation to comply with the principle of integrity and confidentiality in article 5(1)(f) of the General data protection regulation.
1In good time before the customer elects to receive data export, a firm must provide the customer with appropriate information to help the customer make an informed choice as to whether or not to agree to data export. This information must include:
the name of the person who is the data controller;
the nature of the processing which will take place to export the data; and
the purpose for which the data will be processed.
1Before the customer agrees to data export, a firm must clearly and prominently display a warning to the customer about the risks of data export to the customer, including that:
their data is valuable;
it is important that they keep their data safe; and
if the data export is being facilitated by download, the customer should avoid downloading the data on a shared device.
1A firm must ensure that pensions dashboard view data exported to a customer is in a format which is accessible to a member of the general population.
1A firm should consider whether the format of data export engages any accessibility obligations, such as under the Equality Act 2010.
1The information exported by data export to the customer must include:
subject to PDCOB 11.3.4R, the customer’s pensions dashboard view data; and
any display explanations and contextual information which is required by PDCOB 5 and other legislation, such as the Dashboard Regulations.
1The information provided by data export to the customer must be prominently accompanied by:
the warning at PDCOB 5.5.1R(1);
a signpost to the ScamSmart campaign - such as a link to ScamSmart - Avoid investment and pension scams | FCA;
a message that the customer’s pensions dashboard view data is sensitive and valuable, and the customer should seek to keep their data safe;
a message that, if the customer is asked to share their data with a third party, the customer should think carefully about whether a third party needs to see the data, check whether the third party is who they say they are and, if they claim to be authorised or exempt, should use the Financial Services Register to check; and
signposts to impartial guidance available from MoneyHelper.
1In good time before the customer elects to data export to the firm, a firm must provide the customer with appropriate information to help the customer make an informed choice as to whether or not to agree to data export to the firm. This information must include:
the name of the persons who will be the data controllers both before and after the data is exported;
the nature of the processing which will take place to export the data and once the data is exported; and
the purpose for which the data will be processed both during data export to the firm and once the data has been exported.
1The information exported to the firm by data export must include the customer’s pensions dashboard view data, subject to PDCOB 11.3.4R.
1Depending on the nature of the post-view services which the firm is offering, a firm should consider whether it is appropriate to include any display explanations or contextual information required by PDCOB 5 and other legislation such as the Dashboard Regulations.
1Once the customer’s data has been exported to the firm, the firm must only process that data to deliver post-view services and to which the customer has consented.
1 Firms are reminded of the need to comply with data protection legislation, including in relation to pensions dashboard self-asserted data.
1Without prejudice to the application of the GDPR where data has been obtained by the firm from data export, a firm:
must obtain a customer’s express consent to store that data; and
where consent is obtained, is permitted to store that data for 30 days from the date the customer consented in accordance with (1) above, after which period it must be deleted.
1A firm is not permitted to store data obtained from data export where: