APayroll Privacy Notice

APositive Limited (company number 16817993)

This document sets out our policy on the management of personal information which we have about individuals.  Those individuals include our client organisation or their employees, members of staff or workers and we process their personal data as a processor for our client organisation (who are the data controller) when providing payroll services to them. As such, you should also refer to their privacy notice and any other information or documentation relating to their use of your personal data which they may have issued to you.

1. Our privacy assurance to you

Your privacy has always been important to us.  As our client, or an employee, member of staff, or worker engaged by our client, we respect your right to be aware of who has information about you, what they are doing with it and why, and who else they are sharing it with.  We have adopted a privacy compliance culture that cements this relationship with you.  Its foundation is the Data Protection Act 2018 and the UK GDPR (as that term is defined in the Data Protection Act 2018) – together the Data Protection Legislation.

2. Overview

This privacy notice explains how we manage personal information.  In particular it explains, in relation to that personal information:

  • the kinds of personal information we collect and hold;
  • how we collect the personal information;
  • the purposes for which we collect, hold, use and disclose the personal information;
  • the lawful basis we rely upon when undertaking that processing;
  • whether we are likely to transfer the personal information to third parties outside of the UK or European Economic Area (EEA);
  • what rights an individual has in respect of the personal information about that individual that we hold; and
  • how an individual may complain to us, how we may deal with the complaint, and how an individual may complain to the Information Commissioner’s Office if they are unsatisfied with how we have dealt with their complaint.

3. Categories of persons whose personal information we collect and process

We collect and process personal information from individuals who are clients or their employees, members of staff, workers, contractors or consultants (“Associates”).  

4. The kinds of personal information we collect and process

We collect and hold the following types of personal data when providing payroll services to our client:

  • identification information, such as the individual’s name, address, date of birth, and national insurance number;
  • employment information, such as employment status, remuneration, salary, hourly rates, working hours and hours worked, tax codes, benefits/deductions from salary (including pension contributions and other forms of salary sacrifice), and holiday accruals;
  • financial information, such as bank account details and payment history;
  • other personal data as required by our client (your employer or customer) for payroll processing.

We may also process special category personal data but only where necessary and as instructed by our client and in accordance with the law.

5. How we collect personal information

We collect personal information from our client organisation (your employer or customer).

6. The purposes for which we collect and process personal information

We act as a data processor when providing payroll services on behalf of our client (the data controller). We do not determine the purposes or lawful bases for processing personal data; these are set by the controller in accordance with the Data Protection Legislation. Our processing is carried out strictly under the controller’s documented instructions and governed by a written agreement which is compliant with Article 28 UK GDPR. We implement appropriate technical and organisational measures to ensure the security and confidentiality of personal data and assist the controller in meeting its obligations, including responding to data subject rights requests and reporting personal data breaches.

We do not send marketing communications to employees, staff, workers, or consultants of our clients. Marketing communications are only sent to client contacts or individuals who have separately and independently requested information from us.

7. How we protect the personal information which we collect and process

We take all reasonable steps to ensure that an individual’s personal information which we hold is protected from misuse, interference or loss and from unauthorised access, modification or disclosure. We do this by having physical, electronic and procedural safeguards which protect the personal information we hold.  For example, the personal information is stored in secure office premises or in secure archiving facilities and logins, passwords and multi-factor authentication are required to access electronic databases.  Our staff are required to maintain the confidentiality of personal information and access to personal information is restricted to persons who require access to perform their duties. We regularly review our security policies and procedures and train staff in respect of their personal data and security obligations to ensure your data is safe.

8. Disclosure of personal information to third parties

To provide our facilities in the most cost-effective and efficient way, we may utilise the services of others and we may share personal information with those parties. The parties we currently share personal information with are set out below. This list is subject to change via this privacy notice and it is recommended that you check this privacy notice regularly for updates.

  • APositive Pty Ltd (Australian company number ACN 162 372 741).
  • VA Platinum Pty Ltd (Philippines company number ABN 37 150 301 447) indirectly as a sub-processor of APositive.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use personal information in the same way as set out in this privacy notice.

We require all third parties to respect the security of personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions. All sub-processors are bound by contractual obligations to protect your personal data.

9. International Transfers

We share your personal information with another company in our group, APositive Pty Ltd (see above), and they share your personal information with their sub-processor VA Platinum Pty Ltd (see also above). This will involve transferring personal information outside the UK to Australia and the Philippines.

Whenever we transfer personal information out of the UK to countries which have laws that do not provide the same level of data protection as the UK law, we always ensure that a similar degree of protection is afforded to it using specific standard contractual terms approved for use in the UK which give the transferred personal information the same protection as it has in the UK, namely the International Data Transfer Agreement. To obtain a copy of these contractual safeguards, please contact us at the details set out below.

10. Data Retention

We will only retain personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including to provide payroll services to our client and for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of personal information, the purposes for which we process personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Typically, payroll records are retained for six years after the end of the tax year to which they relate, in line with HMRC requirements. We may retain data for longer if required to resolve disputes, enforce agreements, or where we reasonably believe there is a prospect of litigation.

11. Individuals’ legal rights

Individuals have rights under UK data protection law, including the right to access, correct, erase, restrict, object to processing, and request portability of their personal data. As a payroll provider, we act as a data processor on behalf of our client (your employer). This means we do not determine the purposes or lawful bases for processing and cannot respond directly to rights requests unless instructed by your employer. If you wish to exercise your rights, please contact your employer (the data controller). We will assist them in responding to any rights requests in accordance with our contractual and legal obligations.

12. How to contact us

An individual may contact our data protection officer at mark.wood@apositive.com.au  

13. How an individual may complain and how we will deal with the complaint

Individuals have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. The ICO will expect you to have done this before reviewing your complaint. Complaints can be made using the contact details above.

14. Definitions

In this privacy notice:  “client” means a person (such as a company, sole trader or partnership) to whom we provide payroll services; and “we”, “us” and “our” means APositive Limited (company number 16817993). Words which are defined in the Data Protection Legislation have the same meaning in this privacy notice.
