GDPR Article Crosswalk
Pension trustees are data controllers under EU Regulation 2016/679 (GDPR). They determine the purposes and means of processing member personal data, including sensitive financial data, benefit records, PPS numbers, and health information where relevant to ill-health retirement or death-in-service claims. PensionPortal.ai acts as a data processor on behalf of each trustee client. We process personal data only on the documented instructions of the trustee-controller, as governed by the Data Processing Agreement (DPA) executed at onboarding. The Irish supervisory authority for GDPR is the Data Protection Commission (DPC), which has jurisdiction over schemes established in Ireland and over data processors with their EU establishment in Ireland.

The controller vs. processor distinction matters. GDPR obligations fall primarily on the controller (the trustee). PensionPortal.ai, as processor, has its own obligations under GDPR Articles 28, 29 and 32, and also under Article 30(2) (a processor's record of the categories of processing it carries out) and Article 33(2) (notifying the controller of a personal data breach without undue delay). These are distinct from, and in addition to, the controller's obligations. This crosswalk covers both.
Dual-Role Mapping Table
The table below maps each material GDPR Article to both the trustee's obligation as controller and PensionPortal.ai's support as processor.

| GDPR Article | Requirement | Controller (Trustee) Obligation | Processor (PensionPortal.ai) Support |
|---|---|---|---|
| Article 5 | Data protection principles | Ensure all processing of member data is lawful, fair, and transparent; purpose-limited (IORP II administration only); data minimised; accurate and kept up to date; stored no longer than necessary; processed securely | Data minimisation implemented at platform design level; AES-256 encryption; immutable audit logging of all processing operations; retention periods enforced automatically |
| Article 6 | Lawful basis for processing | Document the legal basis for each processing activity. Primary basis for IORP II administration: Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public task). For ancillary processing: Article 6(1)(f) (legitimate interests) | Processing carried out only per documented controller instructions; legal basis recorded in RoPA export; no secondary use of member data |
| Article 9 | Special category data | Where processing special category data (e.g., health data for ill-health retirement), ensure an Article 9(2) condition applies — typically Article 9(2)(b) (employment, social protection law) with an explicit policy document | Special category data fields flagged and subject to additional access restrictions; audit logging of all access to special category data |
| Article 13/14 | Transparency and privacy notices | Issue a GDPR-compliant privacy notice to scheme members covering: identity of controller, purposes and legal bases, data subject rights, retention periods, third-party recipients, and DPO details (if applicable) | Privacy notice templates provided; member data inventory supports identification of all processing activities to be disclosed; data flow mapping documentation available |
| Article 17 | Right to erasure | Handle member erasure requests; apply retention exceptions where legal obligation exists (e.g., revenue records, IORP II 6-year record-keeping requirement) | Erasure workflow built into platform; legal hold mechanism prevents deletion where regulatory retention obligation applies; erasure request log for accountability |
| Article 18 | Right to restriction | Restrict processing where member contests accuracy or objects to processing | Processing restriction flag available per member record; restricted records excluded from standard processing workflows |
| Article 20 | Data portability | Where processing is based on consent or contract (Article 6(1)(a) or (b)) and carried out by automated means, provide data in a structured, commonly used, machine-readable format on request. Portability does not apply to processing carried out under Article 6(1)(c) or (e), which is the primary basis for core IORP II administration above | Structured data export in JSON/CSV format available for member records subject to portability |
| Article 21 | Right to object | Where processing is based on legitimate interests, handle and document objections | Objection log with outcome documentation; legal basis review workflow |
| Article 25 | Data protection by design and by default | Implement technical and organisational measures ensuring data protection principles are embedded from the outset — not bolted on | RBAC with principle of least privilege; data minimisation in platform data model; purpose limitation enforced by module-level access controls; privacy-by-design applied in all feature development |
| Article 28 | Processor contracts | Execute a GDPR-compliant Data Processing Agreement (DPA) with PensionPortal.ai before any personal data processing begins | Standard DPA provided at onboarding; Standard Contractual Clauses (SCCs) for any international transfers outside EEA; sub-processor list maintained and updated on 30-day notice |
| Article 30 | Records of processing activities (RoPA) | Maintain a RoPA as controller documenting all processing activities, purposes, data categories, recipients, international transfers, retention periods, and security measures | RoPA export tool generates a structured, controller-ready RoPA document based on scheme data configuration; supports trustee DPC accountability obligations |
| Article 32 | Security of processing | Implement appropriate technical and organisational measures for the risk — considering pseudonymisation, encryption, resilience, and restoration capability | AES-256 encryption at rest; TLS 1.3 in transit; MFA; WAF; independent penetration testing; geo-redundant backup; RTO 4 hours / RPO 1 hour; annual BCP test |
| Article 33 | Breach notification to DPC | Notify the DPC within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; document the reasons for any delay | As processor, must notify the trustee without undue delay after becoming aware of a breach (Article 33(2)); incident detection and alerting; 72-hour notification workflow with DPC notification template; breach register with all required Article 33(3) information |
| Article 34 | Communication of breach to data subjects | Communicate a high-risk data breach to affected data subjects without undue delay | Member notification workflow; high-risk breach classification guidance; communication templates |
| Article 35 | Data Protection Impact Assessment (DPIA) | Conduct a DPIA before processing that is likely to result in high risk to individuals’ rights and freedoms — pension data processing is likely to require a DPIA | DPIA template and methodology guidance available in platform documentation; pre-processing checklist identifies DPIA triggers; completed DPIA can be stored and versioned in the platform |
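The Article 9, 17 and 18 rows above describe three controls that interact at the record level: special category fields are only disclosed to authorised roles and every such disclosure is audited, an erasure request is refused while a legal hold or a retention obligation applies, and restricted records are skipped by routine processing. The following is an added illustrative model of that gating logic written for this page; it is not PensionPortal.ai platform code. The record fields, role names, the six-year retention constant and the sample member data are constructed assumptions, and the in-memory list stands in for an immutable audit store.

```python
"""Illustrative GDPR record-level gating: special category access, erasure
versus legal hold/retention, and Article 18 restriction. Added example,
not platform code; field names, roles and retention period are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption for this example: six-year retention after scheme exit.
RETENTION_PERIOD = timedelta(days=6 * 365)

# Fields treated as Article 9 special category data.
SPECIAL_CATEGORY_FIELDS = {"health_data", "trade_union_member"}


@dataclass
class MemberRecord:
    member_id: str
    name: str
    pps_number: str
    benefit_balance: float
    health_data: Optional[str] = None          # Article 9 field
    trade_union_member: Optional[bool] = None  # Article 9 field
    restricted: bool = False                   # Article 18 restriction flag
    scheme_exit_date: Optional[date] = None    # starts the retention clock
    legal_hold: bool = False                   # e.g. litigation or regulator request
    erased: bool = False


@dataclass
class Actor:
    user_id: str
    roles: frozenset


# Append-only audit trail (stands in for the immutable audit log).
AUDIT_LOG: list = []


def _audit(event: str, actor: Actor, member_id: str, **detail) -> None:
    AUDIT_LOG.append({"event": event, "actor": actor.user_id,
                      "member": member_id, **detail})


def export_member(record: MemberRecord, actor: Actor) -> dict:
    """Structured export. Special category fields are included only for
    the authorised role, and each such disclosure is logged separately."""
    data = {k: v for k, v in vars(record).items()
            if k not in SPECIAL_CATEGORY_FIELDS}
    if "special_category_access" in actor.roles:
        for name in SPECIAL_CATEGORY_FIELDS:
            data[name] = getattr(record, name)
        _audit("special_category_access", actor, record.member_id,
               fields=sorted(SPECIAL_CATEGORY_FIELDS))
    else:
        _audit("export", actor, record.member_id)
    return data


def retention_ends(record: MemberRecord) -> Optional[date]:
    """None while the member is active (retention has not started)."""
    if record.scheme_exit_date is None:
        return None
    return record.scheme_exit_date + RETENTION_PERIOD


def request_erasure(record: MemberRecord, actor: Actor, today: date):
    """Article 17 request. Refused, with the reason logged, while a legal
    hold or the retention period applies; otherwise identifying and
    special category content is removed and the key kept for the log."""
    end = retention_ends(record)
    if record.legal_hold:
        reason = "legal hold in place"
    elif end is None:
        reason = "active member; retention obligation continues"
    elif today < end:
        reason = f"retention period runs until {end.isoformat()}"
    else:
        reason = ""
    if reason:
        _audit("erasure_refused", actor, record.member_id, reason=reason)
        return False, reason
    record.name, record.pps_number = "", ""
    record.health_data, record.trade_union_member = None, None
    record.erased = True
    _audit("erasure_completed", actor, record.member_id)
    return True, "erased"


def standard_workflow_batch(records: list) -> list:
    """Routine processing (e.g. benefit statements) skips records that are
    restricted under Article 18 or already erased."""
    return [r.member_id for r in records if not r.restricted and not r.erased]


def demo() -> dict:
    """Constructed sample run: one leaver with a health field, one restricted
    member, one ordinary member. Returns the outcomes for inspection."""
    dpo = Actor("u-dpo", frozenset({"special_category_access"}))
    clerk = Actor("u-clerk", frozenset({"scheme_admin"}))
    rec = MemberRecord("M001", "A. Member", "1234567T", 15000.0,
                       health_data="ill-health retirement application",
                       scheme_exit_date=date(2020, 1, 1))
    clerk_view = export_member(rec, clerk)
    dpo_view = export_member(rec, dpo)
    early = request_erasure(rec, dpo, date(2024, 1, 1))   # inside retention
    late = request_erasure(rec, dpo, date(2026, 6, 1))    # retention expired
    batch = standard_workflow_batch([
        rec, MemberRecord("M002", "B", "2T", 1.0, restricted=True),
        MemberRecord("M003", "C", "3T", 1.0)])
    return {"clerk_sees_health": "health_data" in clerk_view,
            "dpo_sees_health": dpo_view.get("health_data"),
            "early": early, "late": late, "batch": batch,
            "events": [e["event"] for e in AUDIT_LOG]}


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that every decision path writes an audit entry, including refusals, so the breach and DSR registers described later in this page can be reconstructed from the log rather than from operator memory; the date arithmetic uses a fixed day count purely for illustration, and a real retention rule would be driven by the scheme's documented retention schedule.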
Data Processing Agreement
The PensionPortal.ai Data Processing Agreement (DPA) is executed as part of the standard Terms of Service. It covers all mandatory Article 28(3) requirements:

Processing Instructions
PensionPortal.ai processes personal data only on the documented instructions of the trustee-controller. Instructions are documented in the DPA and supplemented by platform configuration.
Confidentiality
All PensionPortal.ai personnel with access to member data are subject to contractual confidentiality obligations. Background checks are conducted for roles with production data access.
Sub-Processors
Sub-processor list maintained. Trustees receive 30-day advance notice of any sub-processor changes. Current sub-processors include GCP (hosting), Sentry (error monitoring), and email delivery providers (communications module only).
International Transfers
All primary processing takes place within the EU/EEA. Where sub-processors involve international transfers, Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914) are in place. Transfer Impact Assessments are available on request.
Security Measures
Technical and organisational measures are documented in the DPA Annex, aligned with Article 32 requirements. Updated when material changes occur to platform security architecture.
Assistance
PensionPortal.ai assists the controller in responding to data subject rights requests and in fulfilling its obligations under Articles 32 to 36 (security, breach notification, DPIA), to the extent that the obligation relates to processing carried out by PensionPortal.ai.
Special Category Data: Pension Scheme Considerations
Pension schemes frequently process special category personal data under GDPR Article 9. Common categories in a pension context:

- Health data: Ill-health early retirement applications; death-in-service claims; enhanced transfer values linked to health conditions
- Trade union membership: Where scheme membership is linked to employment with a union
- Biometric data: If used for member identity verification (not current platform functionality)

On the platform, special category fields are:

- Flagged at the data model level with enhanced access restrictions
- Subject to mandatory audit logging of all access
- Excluded from general data exports unless the requesting user has explicit authorised access
DPC Notifications and Record-Keeping
All interactions with the Irish DPC (including data breach notifications and Data Protection Officer (DPO) correspondence) and all data subject rights correspondence, including subject access request responses, should be logged and retained. PensionPortal.ai's compliance module includes:

- Breach register: Records all assessed incidents, whether or not they crossed the notification threshold, with documented rationale
- DSR log: Records all data subject rights requests (SAR, erasure, rectification, restriction, portability, objection), the date received, response issued, and outcome
- DPO register: If the scheme has appointed a DPO, contact details and appointment record maintained in the governance module