Payroll GDPR Policy

Payroll General Data Protection Regulation Policy Statement

January 2023

As we provide you with payroll services, we act as a Data Processor for you and in these specific circumstances we are required to confirm the following. These terms don’t replace or alter the existing engagement letter or our GDPR policy and simply cover particular points that we have to confirm if we are to continue providing payroll services to you, not least as we hold and process personal information of your employees with whom we have no direct contract or contact.

Data Protection

We are committed to ensuring the protection of the privacy and security of any personal data which we process. Your attention is drawn to the following clause which details how we treat personal data received by us in the provision of our services during our engagement with you. By approving your proposal and engagement letter, you confirm that you have read and understood the clause and any privacy notice below.

In this clause:

‘client personal data’ means any personal data provided to us by you, or on your behalf, for the purpose of providing our services to you, pursuant to our engagement letter with you;

‘data protection legislation’ means all applicable privacy and data protection legislation and regulations including PECR, the GDPR and any applicable national laws, regulations and secondary legislation in the UK relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time;

‘controller’, ‘data subject’, ‘personal data’, ‘personal data breach’, ‘processor’, ‘process’ and ‘supervisory authority’ shall have the meanings given to them in the data protection legislation;

‘GDPR’ means the General Data Protection Regulation ((EU) 2016/679); and

‘PECR’ means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003).

We shall both comply with all applicable requirements of the data protection legislation. This clause is in addition to, and does not relieve, remove or replace, either of our obligations under the data protection legislation.

We both acknowledge that for the purposes of the data protection legislation, you are the data controller and we are the data processor. The attached schedule sets out the scope, nature and purpose of processing by us, the duration of the processing and the types of personal data and categories of data subject.

In respect of the client personal data, unless otherwise required by applicable laws or other regulatory requirements, we shall:

  1. process the client personal data only in accordance with your lawful written instructions, in order to provide you with the services pursuant to our engagement with you and in accordance with applicable data protection legislation;
  2. disclose and transfer the client personal data to our regulatory bodies or other third parties (for example HMRC or pension providers) as and to the extent necessary in order to provide you with the services pursuant to our engagement with you in relation to those services;
  3. disclose the client personal data to courts, government agencies and other third parties as and to the extent required by law;
  4. maintain written records of our processing activities performed on your behalf which shall include: (i) the categories of processing activities performed; (ii) details of any cross border data transfers outside of the European Economic Area (EEA) should this ever arise; and (iii) a general description of security measures implemented in respect of the client personal data;
  5. maintain commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of any client personal data and against accidental loss or destruction of, or damage to, such client personal data;
  6. return or delete all the client personal data upon the termination of the engagement with you pursuant to which we agreed to provide the services;
  7. ensure that only those personnel who need to have access to the client personal data are granted access to it and that all of the personnel authorised to process the client personal data are bound by a duty of confidentiality;
  8. notify you if we appoint a sub-processor (but only if you have given us your prior written consent, such consent not to be reasonably withheld or delayed) and ensure any agreement entered into with the relevant sub-processor includes similar terms as the terms set out in this clause;
  9. where we transfer the client personal data to a country or territory outside the EEA to do so in accordance with data protection legislation;
  10. notify you promptly if:
  11. we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of the client personal data; or
  12. we are served with an information or assessment notice, or receive any other material communication in respect of our processing of the client personal data from a supervisory body (for example, the Information Commissioner’s Office);
  13. notify you, without undue delay, in the event that we reasonably believe that there has been a personal data breach in respect of the client personal data;
  14. at your cost and upon receipt of your prior written notice, allow you, on an annual basis and/or in the event that we notify you of personal data breach in respect of the client personal data, reasonable access to the relevant records, files, computer or other communication systems, for the purposes of reviewing our compliance with the data protection laws.

Without prejudice to the generality of the above, you will ensure that you have all necessary appropriate consents and notices in place to enable the lawful transfer of the client personal data to us.

Should you require any further details regarding our treatment of personal data, please contact Tristan Wilcox-Jones, Director and Business Development Manager.


This Schedule includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of the GDPR.

  1. Subject matter and duration of the processing of client personal data

The subject matter and duration of the processing of the client personal data relate to the provision of payroll services. The data held is as required to meet the compliance requirements of that service to include any pension or payroll related obligations. The information is held for the duration required to meet related legal obligations.

  1. The nature and purpose of the processing of client personal data

The provision of payroll services.

  1. The types of client personal data to be processed

Sufficient to perform the payroll service such as your employees full names, addresses, dates of birth, NI numbers, rates of pay.

Special Category Personal Data: we do not believe any is being held.

  1. The categories of data subject to whom the client personal data relates

Your employees

  1. Your obligations and rights

Your obligations and rights are set out in the engagement letter between us.

Our privacy notice can be found on our website

M J Wilcox