1. Purpose
Looking after the personal data we hold for you as a member of the Scheme is hugely important to us. We want you to be confident that your data is safe and secure with us, understand how we use it, and who we share it with.
We are committed to doing the right thing when it comes to how we collect, use and protect your personal data. That's why we've developed this Data Protection Notice, which does all of the following:
a) sets out the types of personal data held by Tesco Stores Limited on behalf of the Trustees
b) explains why we hold and how we use your personal data
c) explains when and why we will share your personal data within the Tesco Group and with other organisations
d) explains the rights and choices you have when it comes to your personal data
It is the responsibility of Data Controllers to explain their data processing activities to affected individuals. This Data Protection Notice provides information regarding the data processing activities of both the Trustees and the Scheme Actuary, as both entities are Data Controllers.
The Trustees and the Scheme Actuary will sometimes decide jointly about how your personal data is used. If you want to exercise your rights under applicable data protection law about that joint use, you can contact the Trustees (see section 4.12 below). Sometimes the Scheme Actuary has to use your personal data for its own reasons, eg compliance with regulations which aren’t relevant to the Trustees. A copy of the Scheme Actuary’s privacy notice about this is available here.
2. Scope
This policy applies to all deferred and pensioner members of the Scheme. It applies regardless of whether or not you still work for Tesco.
Where applicable, we also collect information about members' ex-spouses (in a divorce settlement), dependants or next of kin. Before providing us with any such information, you should provide a copy of the information in this notice to those individuals.
3. Definitions
This section sets out the definitions of key words and phrases that will be referred to throughout the policy.
Data Controllers
Data Controllers
Care organisations that decide how personal data will be processed. The Data Controllers for this Data Protection Notice are the Trustees of the Tesco PLC Pension Scheme and the Scheme Actuary (see definition below).
Data Processors
Data Processors
Organisations that process personal data on the instructions of Data Controllers.
Information Commissioner's Office (ICO)
Information Commissioner's Office (ICO)
The UK's independent body, set up to uphold information rights in the public interest. In 2026 the ICO will change its name to the Information Commission. in this notice ICO means the same as Information Commission.
Personal Data
Personal Data
The term we use to describe your personal information. Further details of the personal data that we hold are contained in section 4.4 below. Personal data may be available in different formats, eg electronic or paper.
Scheme Actuary
Scheme Actuary
The Pensions Act 1995 requires certain valuations and advice to be provided by a scheme actuary. This is an individual actuary (who will be an employee of Willis Towers Watson), appointed by the Trustees (the "Scheme Actuary"). The name of the Scheme Actuary for the Tesco PLC Pension Scheme will be set out in the Scheme's annual report, which can be obtained from the Trustees (see section 4.11 below for their contact details).
Some of the advice that Willis Towers Watson provide to the Trustees is provided by the Scheme Actuary, while other advice may be provided by other individuals who work for Willis Towers Watson.
Service providers
Some of the advice that Willis Towers Watson provide to the Trustees is provided by the Scheme Actuary, while other advice may be provided by other individuals who work for Willis Towers Watson.
Service providers
Organisations appointed by:
a) the Trustees, to help them fulfil their duties - such as printers (for member communications), tracing agencies (for locating missing addresses), other IT and data storage providers' software, software support providers and providers of support relating to benefit reports etc
b) Tesco Stores Limited, to support the administration of the Scheme (eg, Aquila Heywood, which provides the administration IT system, and Tesco's shared service centre in Bengaluru - for pension data processing).
4. Policy Requirements
4.1 Identifying Purpose
We use your information for the following purposes:
a) communicating with you in relation to your pension and benefits (including disclosures to service providers for printing and other communication services), handling requests for transfers and allocation of death benefits, dealing with complaints, and making disclosures at your request, such as providing retirement quotations, or to help financial advisors appointed to help you with decisions under the Scheme from time to time
b) for general administration of the Scheme by the Trustee and its service providers, including:
- to record and pay benefits
- for actuarial valuations completed by the Scheme Actuary
- for checks, communications and disclosures of information in response to legal and other regulatory requests (including disclosures to HMRC for reconciliation or tax purposes)
- for reviews we or our administrators conduct for statistical and reference purposes
- for other administrative activities that may become necessary from time to time, like member tracing (should we happen to lose contact with you) and to prevent fraud (which require disclosures to tracing agencies)
c) when we disclose information to other members of the Tesco Group and their service providers, such as for administration and audit purposes; in relation to corporate and financial transactions initiated by the Group; to enable you to receive an annual benefit report
d) when we disclose information to Tesco Stores Limited and trustees of other pension and death benefit arrangements for Tesco employees (such as the Tesco Retirement Savings Plan and the excepted life policy), where information you have provided to us is relevant to the administration of those other schemes, eg to calculate benefits under those schemes, or where we share Expression of Wish forms because they may inform how those benefits will be paid
e) if we undertake activities to help us manage the liabilities of the Scheme, which may involve disclosures to insurers, administrators and financial advisors
4.2 Basis for processing Personal Data
Our use of your information as described above is permitted by applicable data protection law because it is:
a) necessary for our legitimate interests in pursuing the purposes set out in (a), (b) and (e) above, and for the Tesco Group's legitimate interests (and those of its other pension and death benefit arrangements) in pursuing the purposes set out in (c) and (d) above
b) in some cases, necessary to meet our legal or regulatory responsibilities, such as disclosures referred to in (b) above in response to legal and other regulatory requests; or
c) in limited circumstances, processed with your consent which we obtain from you from time to time, such as when you ask us to make disclosures (eg to IFAs or new pension providers) or allocate benefits (eg in the context of a divorce), or where the Scheme Rules require you to provide information which we cannot otherwise process without your consent. For example, if you apply for ill health early retirement, or if your ex-spouse, dependents or next of kin share their own health data with us, consent can be relevant to this
d) sometimes there may be reasons of substantial public interest which enable us to use sensitive information about you, such as your health or criminal convictions data where that is necessary to run the Scheme in a sensible way.
4.3 Sources of Personal Data
Personal data can be sourced:
4.3 Sources of Personal Data
Personal data can be sourced:
- Directly - ie personal data we receive directly from you, or
- Indirectly - ie personal data we collect from Tesco Group, or receive from third parties such as tracing agencies if we have lost contact with you. We might also obtain it from government departments such as HMRC and DWP and from public sources (eg the electoral roll) if we have lost contact with you. It can also be obtained from the Scheme Actuary by the Trustees. We might obtain your personal data from your independent financial advisor, solicitor, personal representative, doctor, family members or people helping with your affairs.
4.4 Personal Data we collect and how we collect it
We collect personal data directly and indirectly as described above. We then retain personal data including: contact details, gender, name (including former names and alternative names), age, date of birth, national insurance number and details of your pension entitlement. Additionally, we retain details of your bank/payment details (if your pension is in payment), copies of communications/ correspondence and certain sensitive information, such as medical/health records and details of your relationships, if applicable. We process electronic pension identifiers (this is data unique to users of dashboards searching for their pensions). We retain copies of your identity documents such as passports or birth certificates, where appropriate.
4.5 How and why we use Personal Data
We collect and use personal data about you throughout your membership of the Scheme in order to:
- Maintain our relationship with you
- Make sure we can calculate and pay your pension at the right time
- Comply with applicable laws
This may involve, amongst other things, the following:
- Administering payroll for your pension
- In order for the Trustees and the Scheme Actuary to comply with their legal and regulatory obligations or good practice; eg, in relation to taxation and submitting reports to the Pensions Regulator.
- For research, statistical or analytical purposes; eg producing reports that tell us:
o At what age members die
o The pension options members select (although before we use it for this purpose, we’d usually anonymise your data so it doesn’t identify you).
4.6 Sharing your Personal Data
We may share your personal data with third parties. Where any instances of sharing data will include sensitive information that is not legally required to be shared, we will obtain consent from you prior to doing so. We may share your data with the following parties:
- Service providers, such as suppliers that provide us with IT support or professional service companies to give us advice (such as law firms, auditors, accountants and consultants)
- Government, public and regulatory bodies, eg the Pensions Ombudsman and the Pensions Regulator, law enforcement agencies, eg the police, or as otherwise permitted or obliged by law, eg to Courts
- The organisations and people we mention in sections 4.1 and 4.5
- Dashboard providers, Money and Pensions Service, and integrated service providers who help us plug into the dashboards
4.7 Collection, Use, Disclosure and Storage of Personal Data outside the UK to countries and territories which need safeguards and mechanisms for transfers to happen
The use and disclosure of your information for the purposes described above may involve transferring your information outside of the UK and European Economic Area (eg, to Tesco's shared service centre in Bengaluru).
Transfers from the UK to Europe and the wider European Economic Area, and to some other countries deemed to provide adequate protections by law, do not at the moment require additional steps and safeguards. In other cases, we will ensure that the transferred information is protected by a data transfer agreement in the appropriate standard contractual clauses (SCC) form approved for this purpose by the UK Secretary of State. This includes the UK’s addendum to the SCC. Alternatively, we might make transfers using the UK’s International Data Transfer Agreement and so might our service providers.
4.8 How we protect your Personal Data
We know how important it is to protect and manage your personal data and have the following measures in place to do this:
We know how important it is to protect and manage your personal data and have the following measures in place to do this:
- We use computer safeguards such as firewalls and data encryption, and we enforce physical access controls to our buildings and files to keep this data safe. We only authorise access to colleagues who need it to carry out their job responsibilities. We protect the security of your information while it is being transmitted by encrypting it
- We enforce physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personal data. We will ask for proof of identity before we share your personal data with you.
4.9 How long your Personal Data is retained
We need to store Personal Data about you. Eg, we'll need to keep your bank details so we can pay your pension, and your address so we can contact you.
We will keep your information in accordance with the Trustees’ Data Retention Policy, which is modified or amended from time to time and is available on request. Documents subject to legal or regulatory hold are retained as long as the legal or regulatory hold remains in place.
The criteria we apply (which is set out in that Policy) is as follows:
We will keep your personal data only for as long as is necessary. This means we will keep it:
- For as long as we need to in order to meet the requirements of UK pensions law; and
- For the member’s lifetime, or for as long as they have an entitlement under the Scheme before transferring out (whichever trigger applies) and then for a period after that, so that we have a record of when they stopped having that entitlement in case of queries from dependants or next of kin, or from the member who transferred out of the Scheme.
Specifically, we will keep Personal Data for the following lengths of time:
- for members who have built up benefits in the Scheme (we call these “deferred members”), their Personal Data will be kept until they reach age 120
- for individuals receiving a pension, their Personal Data will be kept so that we can manage the Scheme and pay out the benefits
- for individuals who don’t have any more benefits owed to them under the Scheme and aren’t covered above (eg, an individual who has transferred out), their Personal Data, which is critical for the purposes of addressing queries, complaints and claims, will be kept until they reach age 120; and all other data (which isn’t needed to answer queries, complaints or for claims) will be deleted 6 years after the date when the individuals’ benefits from the Scheme have been fully paid out.
It's really important that we hold accurate Personal Data for you, and that you notify us of any changes to your data so it can be updated as soon as it changes. This would include things like:
- Address
- Name (we'll need proof of this such as marriage, civil partnership, or deed poll certificate)
- Bank details, if your pension is already in payment.
4.11 Enquiries
If you have any questions regarding the processing of your personal data by either of the Data Controllers (Trustees of the Tesco PLC Pension Scheme or the Scheme Actuary) please contact:
Head of Pension Operations
Shire Park
Kestrel Way
Welwyn Garden City
Hertfordshire
AL7 1GA
Email: Pensions.dept@tesco.com
Alternatively, you can contact:
The Data Protection Officer (Tesco Group)
c/o Group Legal
Shire Park
Kestrel Way
Welwyn Garden City
Hertfordshire
AL7 1GA
Email: DPO@tesco.com
Any complaints should be addressed to the Pensions Benefits Manager, Pensions Department at the above address. You can also lodge a complaint about our processing of your personal information with the office of the Information Commissioner (ico.org.uk).
4.12 Exercising Your Rights
You have rights of access to, and rectification or erasure of, your personal data in certain circumstances. You can also restrict or object to its processing, and request that certain of your information be transferred to you or a third party. In the near future in some circumstances you’ll have a right to complain to us if you think data protection laws aren’t complied with. You can exercise these rights by contacting us using the details set out above.
In some cases, it may be necessary to obtain additional information from you, such as in order to carry out your request for a transfer or allocation of benefits. We will notify you when your information is required for this purpose.
You also have the right to withdraw your consent to the use of your information, to the extent such use is based on your consent.
5. Policy Review and Update
The Data Protection Notice is non-contractual. It is maintained by the Trustees. They will contact you regarding any material change that is made to the Notice. You can request a printed copy of this Notice at any time.