You are viewing the version of the document as on 2024-12-18.

PDCOB 11.1 Application

PDCOB 11.1.1 R

This chapter applies to a firm which chooses to offer or provide data export.

PDCOB 11.2 Permitted data export functionality

PDCOB 11.2.1 R

A firm is not permitted to offer or provide data export, apart from:

  (1) data export to the customer; or

  (2) data export to itself.

PDCOB 11.2.2 R

A firm must not permit another person to offer or provide data export from the firm’s pensions dashboard platform.

PDCOB 11.2.3 R

A firm which chooses to offer data export to the firm must also offer data export to the customer.

PDCOB 11.2.4 G

Data export will involve a firm processing personal data. Accordingly, firms processing such data are data controllers or data processors and are obliged to comply with data protection legislation and, in particular, to adhere to the data protection principles.

PDCOB 11.3 Restrictions on providing data export

PDCOB 11.3.1 R

A firm must not provide data export to the customer or to itself unless the customer has actively elected to select that specific type of data export.

PDCOB 11.3.2 R

A firm must not require the customer to agree to data export as a condition of using the qualifying pensions dashboard service.

Restrictions on the content, format and manner of data export

PDCOB 11.3.3 R

The information exported to the firm by data export must include the customer’s pensions dashboard view data, subject to PDCOB 11.3.4R.

PDCOB 11.3.4 R

When providing data export to the customer, the firm must not export the customer’s full pension reference.

PDCOB 11.3.5 R

Where a firm exports a partial pension reference in accordance with PDCOB 11.3.4R, it must make a record of the rationale for the approach taken.

PDCOB 11.3.6 G

For the purposes of PDCOB 11.3.4R, a firm may choose how many and which digits to omit or obscure.

PDCOB 11.3.7 G

A firm should transfer the pensions dashboard view data securely to the customer or itself (as applicable). Firms are reminded of their obligation to comply with the principle of integrity and confidentiality in article 5(1)(f) of the General data protection regulation.

PDCOB 11.4 Restrictions on providing data export to the customer

Specific disclosures prior to the provision of data export to the customer

PDCOB 11.4.1 R

In good time before the customer elects to receive data export, a firm must provide the customer with appropriate information to help the customer make an informed choice as to whether or not to agree to data export. This information must include:

  (1) the name of the person who is the data controller;

  (2) the nature of the processing which will take place to export the data; and

  (3) the purpose for which the data will be processed.

PDCOB 11.4.2 R

Before the customer agrees to data export, a firm must clearly and prominently display a warning to the customer about the risks of data export to the customer, including that:

  (1) their data is valuable;

  (2) it is important that they keep their data safe; and

  (3) if the data export is being facilitated by download, the customer should avoid downloading the data on a shared device.

Restrictions on the content, format and manner of data export to the customer

PDCOB 11.4.3 R

A firm must ensure that pensions dashboard view data exported to a customer is in a format which is accessible to a member of the general population.

PDCOB 11.4.4 G

A firm should consider whether the format of data export engages any accessibility obligations, such as under the Equality Act 2010.

PDCOB 11.4.5 R

The information exported by data export to the customer must include:

  (1) subject to PDCOB 11.3.4R, the customer’s pensions dashboard view data; and

  (2) any display explanations and contextual information which is required by PDCOB 5 and other legislation, such as the Dashboard Regulations.

Specific disclosures when providing information by data export to the customer

PDCOB 11.4.6 R

The information provided by data export to the customer must be prominently accompanied by:

  (1) the warning at PDCOB 5.5.1R(1);

  (2) a signpost to the ScamSmart campaign - such as a link to ScamSmart - Avoid investment and pension scams | FCA;

  (3) a message that the customer’s pensions dashboard view data is sensitive and valuable, and the customer should seek to keep their data safe;

  (4) a message that, if the customer is asked to share their data with a third party, the customer should think carefully about whether a third party needs to see the data, check whether the third party is who they say they are and, if they claim to be authorised or exempt, should use the Financial Services Register to check; and

  (5) signposts to impartial guidance available from MoneyHelper.

PDCOB 11.5 Data export to the firm

Specific disclosures prior to the provision of data export to the firm

PDCOB 11.5.1 R

In good time before the customer elects to data export to the firm, a firm must provide the customer with appropriate information to help the customer make an informed choice as to whether or not to agree to data export to the firm. This information must include:

  (1) the name of the persons who will be the data controllers both before and after the data is exported;

  (2) the nature of the processing which will take place to export the data and once the data is exported; and

  (3) the purpose for which the data will be processed both during data export to the firm and once the data has been exported.

PDCOB 11.5.2 R

Once the data is exported to the firm, the firm must not share the data with any other entities.

Restrictions on the content, format and manner of data export to the firm

PDCOB 11.5.3 R

The information exported to the firm by data export must include the customer’s pensions dashboard view data, subject to PDCOB 11.3.4R.

PDCOB 11.5.4 G

Depending on the nature of the post-view services which the firm is offering, a firm should consider whether it is appropriate to include any display explanations or contextual information required by PDCOB 5 and other legislation such as the Dashboard Regulations.

PDCOB 11.5.5 R

Once the customer’s data has been exported to the firm, the firm must only process that data to deliver post-view services and to which the customer has consented.

PDCOB 11.6 Data retention

Obligations on firms under general privacy laws

PDCOB 11.6.1 G

Firms are reminded of the need to comply with data protection legislation, including in relation to pensions dashboard self-asserted data.

PDCOB 11.6.2 R

Without prejudice to the application of the GDPR where data has been obtained by the firm from data export, a firm:

  (1) must obtain a customer’s express consent to store that data; and

  (2) where consent is obtained, is permitted to store that data for 30 days from the date the customer consented in accordance with (1) above, after which period it must be deleted.

PDCOB 11.6.3 R

A firm is not permitted to store data obtained from data export where:

  (1) the customer does not expressly consent; or

  (2) the customer elected to export the data to themselves only.