The Council of the European Union has published a cover note containing the opinion of the European Data Protection Supervisor (EDPS) on the proposed revision of the Institutions for Occupational Retirement Provision (IORP II) Directive and the Insurance Distribution Directive. The opinion, dated 1 December 2026, focuses on ensuring that any new data processing obligations for pension providers fully comply with the General Data Protection Regulation (GDPR). This marks a procedural step in the legislative process, as the Council considers the EDPS's recommendations before finalising its position.
EDPS Opinion on Data Processing Safeguards
The EDPS opinion examines the legislative proposal's data protection implications, particularly where the revised directives would require pension institutions to collect, process, or share personal data of scheme members and beneficiaries. The EDPS recommends that the text explicitly reference GDPR principles, including data minimisation, purpose limitation, and storage limitation. It also calls for clear provisions on data subjects' rights, such as access, rectification, and erasure, and for robust security measures to prevent breaches. The opinion likely stresses that any data processing for cross-border pension services must be justified and proportionate, avoiding unnecessary data flows.
Policy Context and Trade-offs
The revision of the IORP II Directive aims to strengthen the occupational pension framework, enhance member protection, and facilitate cross-border activity. However, the EDPS's intervention highlights a tension between enabling efficient pension administration and safeguarding personal data. Stricter data protection requirements could increase compliance costs for pension providers, potentially discouraging smaller institutions from offering cross-border services. Conversely, robust safeguards build trust among scheme members, whose sensitive financial and health data may be processed. The opinion thus represents a push for stronger privacy protections, which may slow the legislative process if the Council and Parliament need to reconcile data protection with market integration goals.
Impact on Stakeholders
- Pension providers (IORPs): Will face new compliance obligations if the EDPS's recommendations are adopted, including conducting data protection impact assessments and implementing privacy-by-design measures. This could raise operational costs, particularly for smaller funds. - Scheme members and beneficiaries: Benefit from enhanced data protection, reducing risks of misuse or breaches of their personal and financial information. - National supervisory authorities: Will need to enforce the new data protection requirements, potentially requiring additional resources and coordination with data protection authorities. - EU data protection authorities: Gain a stronger role in overseeing pension data processing, aligning with GDPR enforcement structures.
Next Steps
The Council will now consider the EDPS opinion as it continues its examination of the legislative proposal. The European Parliament is also expected to adopt its position, after which trilogue negotiations will begin. The final text must balance the objectives of a more integrated occupational pension market with the fundamental right to data protection.
← Atlas › News › Economy & Taxation