
Data Subject Rights

Pension scheme members are data subjects. As data controllers, trustees carry direct legal responsibility for responding to members’ GDPR rights requests. Failure to respond correctly — within the statutory timeframe, with the required information, and through a documented process — constitutes a GDPR infringement and may result in DPC enforcement action, member complaints, or civil claims. PensionPortal.ai embeds data subject rights handling into the operational workflow of the platform, providing trustees with structured request management, automated data exports, audit trails, and response templates.
Trustee responsibility: Trustees are data controllers. PensionPortal.ai is a data processor. Rights requests from members must be directed to and responded to by the trustees. PensionPortal.ai facilitates this — it does not respond to member rights requests on trustees’ behalf.

Response Timeframes and Obligations

All rights requests must be acknowledged and responded to within one calendar month of receipt (GDPR Article 12). This period can be extended by a further two months where requests are complex or numerous — but the data subject must be informed of the extension and its reasons within the first month.
Responses must be:
  • Free of charge (Article 12(5) — unless requests are manifestly unfounded or excessive)
  • Provided in a clear, plain language format accessible to the data subject
  • In the same format as the request where feasible (e.g. electronic requests should receive electronic responses)
PensionPortal.ai tracks all rights requests with automated deadline monitoring, escalation alerts, and a complete audit trail of actions taken.

Right of Access — Article 15

A member may request confirmation of whether their personal data is being processed and, if so, access to that data along with supplementary information about the processing.
What trustees must provide:
  • Confirmation of whether processing is taking place
  • A copy of the personal data being processed
  • The purposes of processing
  • The categories of data involved
  • The recipients or categories of recipients
  • The retention period (or criteria used to determine it)
  • The existence of the member’s other rights (rectification, erasure, restriction, objection)
  • The right to lodge a complaint with the DPC
  • Where data was not collected directly from the member — information about the source
  • Whether automated decision-making is in use (Article 22)
How PensionPortal.ai supports this:
  • One-click member data export generating a complete, structured PDF of all personal data held for a named member
  • Export includes: identification data, employment history, contribution records, benefit data, communication logs, and audit trail of data access events relating to that member
  • The export can be reviewed and redacted (where third-party data is included) before release to the data subject
  • Deadline tracker with 30-day and final-day alerts
Subject Access Requests cannot be refused on the basis that the data is “too complex” or “in multiple systems.” The obligation is on the trustee (as controller) to compile the response. PensionPortal.ai consolidates member data from all modules into a single SAR export to support this.

Right to Rectification — Article 16

A member has the right to have inaccurate personal data corrected without undue delay. Where data is incomplete, the member has the right to have it completed.
Typical scenarios in the pension context:
  • Member’s name or address is incorrect on scheme records
  • Pensionable service dates are recorded incorrectly (this can materially affect benefit entitlement)
  • Contribution records show discrepancies with payslip data
  • Beneficiary or next-of-kin details are out of date
How PensionPortal.ai supports this:
  • Structured rectification request workflow: member or trustee initiates correction request, providing the current value and the correct value
  • Correction is not applied automatically — it goes through a dual-authorisation review (administrator + trustee sign-off) to ensure accuracy
  • Full audit trail: the original value, the requested value, the reviewer, and the approval date are all logged immutably
  • Where a correction affects a benefit calculation, the platform flags the affected downstream records for review
  • The member is notified of the outcome within the Article 16 timeframe

Right to Erasure — Article 17

The right to erasure (the “right to be forgotten”) allows a member to request deletion of their personal data in certain circumstances. This right is not absolute and is subject to important exceptions in the pension context.
When Article 17 applies:
  • The data is no longer necessary for the purpose for which it was collected
  • The member withdraws consent (where consent was the legal basis — rare in the pension context)
  • The member objects to processing based on legitimate interests (Article 21) and there are no overriding grounds
  • The data has been unlawfully processed
When Article 17 does NOT apply (the pension exception):
  • Article 17(3)(b) exempts erasure where processing is necessary for compliance with a legal obligation. For pension scheme data, this applies extensively:
    • Member benefit records must be retained for 6 years post-discharge (Pensions Act)
    • Revenue records must be retained for 6 years (TCA 1997, s.886)
    • IORP II data strategy obligations require ongoing data governance
Do not delete pension records in response to an erasure request without legal review. The legal hold mechanism in PensionPortal.ai prevents accidental deletion of mandatory retention data. Any erasure of records subject to a legal hold requires DPO review and documented justification.
How PensionPortal.ai handles erasure requests:
See Data Retention and Deletion for the full workflow. In summary:
  1. Request logged in rights request tracker
  2. System identifies which data elements are under legal hold
  3. Held elements are retained; non-held elements queued for deletion with DPO review
  4. Structured response generated explaining what was deleted and what was retained, with legal basis for retention
  5. All actions logged immutably

Right to Restriction — Article 18

A member can request restriction of processing in four circumstances:
  1. The member contests the accuracy of the data (restriction applies while accuracy is verified)
  2. Processing is unlawful but the member prefers restriction over erasure
  3. The trustee no longer needs the data but the member requires it for legal claims
  4. The member has objected under Article 21 and a decision is pending
During restriction, the data may be stored but not otherwise processed without the member’s consent, or for the establishment of legal claims, or to protect others’ rights.
How PensionPortal.ai supports this:
  • Restriction flag applied to member record at data field level — flagged records remain visible to authorised users but are locked against editing or use in processing workflows
  • Automated alerts when a restriction is in place and an action (e.g. benefit calculation) would normally trigger processing of restricted data
  • Restriction lifted only following documented review and member notification

Right to Data Portability — Article 20

Members have the right to receive their personal data in a structured, commonly used, machine-readable format (Article 20(1)), and to transmit that data to another controller, where the processing is based on consent or contract and carried out by automated means.
Scope in the pension context:
The right to portability applies primarily to data the member has provided to the scheme — name, contact details, nominated beneficiaries. It does not apply to data generated by the trustee through their own processing activities (e.g. actuarial calculations, scheme-generated benefit projections).
For pension transfers, the relevant mechanism is the statutory transfer value process under the Pensions Act — not GDPR portability. However, PensionPortal.ai supports clean data exports in structured JSON and CSV formats to support both GDPR portability requests and operational data transfer needs.

Right to Object — Article 21

Members may object to processing based on legitimate interests (Article 6(1)(f)) or public task (Article 6(1)(e)) grounds. If the trustee cannot demonstrate compelling legitimate grounds that override the member’s interests, processing must cease.
In the pension context:
Where processing relies on Article 6(1)(c) (legal obligation), the right to object does not apply — the processing is required by law. The right to object is most relevant where trustees rely on legitimate interests for activities such as:
  • Proactive member communication
  • Scheme analytics and profiling
  • Marketing of additional voluntary contribution products
PensionPortal.ai logs all legitimate-interests processing activities and enables trustees to manage objection requests against each processing purpose individually.

Rights Related to Automated Decision-Making — Article 22

GDPR Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing that produces a legal or similarly significant effect for them. This includes decisions affecting financial entitlements, employment terms, or other significant outcomes.
In the PensionPortal.ai context:
PensionPortal.ai uses AI and LLM-assisted tools for:
  • ORA document drafting and compliance gap analysis
  • Member data quality alerting
  • Risk flagging and governance workflow suggestions
All AI-generated outputs in PensionPortal.ai are advisory only. No benefit calculation, entitlement decision, or regulatory submission is finalised by the AI without explicit human review and trustee or administrator sign-off. This design ensures compliance with Article 22 and protects members from AI-driven errors that could affect their retirement income.
Where trustees use any automated tools that make or materially influence benefit decisions, they must:
  • Document the automated decision-making in their RoPA and DPIA
  • Provide members with meaningful information about the logic, significance, and envisaged consequences in their privacy notice
  • Ensure a mechanism for human review is available upon request

Rights Request Management in PensionPortal.ai

Centralised Request Tracker

All rights requests are logged in a centralised tracker with requestor, date received, request type, assigned handler, and deadline. No request can be lost or fall through the cracks.

Automated Deadline Monitoring

The platform calculates and tracks the Article 12 response deadline (one month from receipt). Alerts are triggered at 14 days and 7 days before the deadline. Extension procedures are documented and logged.
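
A sketch of the deadline calculation this section describes, as an added example that is not PensionPortal.ai's own code. It assumes a calendar month ends on the same day-of-month in the following month, clamped to that month's last day when no such date exists, and that an extended deadline is measured as three months from receipt; the function names and sample dates are constructed.

```python
import calendar
from datetime import date, timedelta

# Alert offsets (days before the deadline) as stated in this section.
ALERT_DAYS_BEFORE = (14, 7)


def add_calendar_months(start: date, months: int) -> date:
    """Return the same day-of-month `months` later.

    Assumption of this example: if the target month has no such day
    (e.g. 31 January + 1 month), use the last day of the target month.
    """
    index = start.year * 12 + (start.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))


def response_schedule(received: date, extended: bool = False) -> dict:
    """Compute the response deadline and alert dates for one request."""
    first_month_end = add_calendar_months(received, 1)
    # Assumption: one month plus "a further two months" = three from receipt.
    deadline = add_calendar_months(received, 3) if extended else first_month_end
    return {
        "deadline": deadline,
        # The extension and its reasons must reach the member by this date.
        "extension_notice_by": first_month_end,
        "alerts": [deadline - timedelta(days=d) for d in ALERT_DAYS_BEFORE],
    }


def request_status(received: date, today: date, extended: bool = False) -> str:
    """Classify a request as open, inside an alert window, or overdue."""
    deadline = response_schedule(received, extended)["deadline"]
    if today > deadline:
        return "overdue"
    days_left = (deadline - today).days
    for threshold in sorted(ALERT_DAYS_BEFORE):  # tightest window first
        if days_left <= threshold:
            return f"alert-{threshold}"
    return "open"
```

The end-of-month clamp is the case a naive "receipt date plus 30 days" calculation gets wrong: a request received on 31 January 2023 falls due on 28 February, two days earlier than a 30-day count would suggest.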

DPO Review Queue

Requests involving legal holds, erasure of retained data, or complex balancing assessments are automatically routed to the DPO’s review queue before the response is finalised.

Response Templates

Pre-drafted response templates for each rights type, compliant with DPC plain language guidance. Templates are customisable per scheme and include all mandatory information elements under Article 13/14.

DPC Complaints and Escalation

Where a member is dissatisfied with a trustee’s response to a rights request, they have the right to lodge a complaint with the Data Protection Commission (dataprotection.ie) or to seek a judicial remedy. Trustees should:
  • Document every rights request and their response — PensionPortal.ai’s audit trail supports this
  • Respond within the statutory timeframe, even if the response is a partial refusal with a legal explanation
  • Ensure their privacy notice accurately describes members’ rights and how to exercise them
  • Designate a named contact for data subject rights requests and publicise this in scheme communications
The DPC’s Annual Reports consistently identify failure to respond to SARs within the statutory timeframe as one of the most common grounds for complaints from Irish data subjects. Timely, complete responses are both a legal obligation and a demonstration of trustee competence.