1 Policy statement
All individuals have rights with regard to the way in which their personal data is handled. During the course of our activities we may collect, store and process personal data about our employees, customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this personal data will maintain confidence in our organisation and will provide for successful business operations. This document sets out the principles that Payescape (we, us, our), with a registered address at 18-20 Church Street, Ballymoney, BT53 6DL, must follow when processing personal data to help ensure compliance with the General Data Protection Regulation (GDPR) EU 2016/679. Data users are obliged to comply with this policy and any other documents referred to in this policy when processing personal data on our behalf. Payescape takes all breaches of this policy very seriously. Violations may result in disciplinary action, up to and including termination.
2 About this policy
The types of personal data that Payescape may be required to handle include information about current, past and prospective employees, customers, suppliers, and others that we communicate with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR. This policy, and any other documents referred to in it, sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources. This policy sets out rules on data protection and the legal conditions that must be satisfied when we collect, handle, process, transfer and store personal data. This policy does not form part of any employee’s contract of employment and may be amended at any time.
3 Definition of terms used in this policy
- 3.1 Data is information which is stored electronically, on a computer, or in certain paper-based structured filing systems.
- 3.2 Data privacy laws, for the purpose of this policy, means applicable European Union and member state data protection laws, regulations, and rules.
- 3.3 Data subjects, for the purpose of this policy, include all living individuals about whom we hold personal data. Data subjects need not be a national of, or resident in, the countries in which we operate. All data subjects have legal rights in relation to their personal data.
- 3.4 Personal data means data relating to a living individual who can be identified directly from that data, or indirectly from that data in conjunction with other information.
- 3.5 Data controllers are the people or organisations who, alone or jointly with others, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for, and must be able to demonstrate compliance with, the data protection principles. We are the data controller of all personal data used in our business for our own commercial purposes.
- 3.6 Data users are those of our employees whose work involves processing personal data. Data users must protect the personal data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
- 3.7 Data processors include any person or organisation that processes personal data on our behalf and on our instructions.
- 3.8 Processing is any activity that involves use of the personal data. It means carrying out any operation or set of operations on the personal data, including collecting, recording, organising, structuring, storing, amending, retrieving, using, consulting, disclosing by transmission, disseminating or otherwise making available, combining, restricting, erasing or destroying it.
- 3.9 Special categories of personal data include information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life, sexual orientation, biometric or genetic data.
4 Criminal data
Criminal data includes personal data relating to criminal convictions and offences. This may only be processed where permitted by law.
5 Data protection principles
As a data controller, we are responsible for, and must be able to demonstrate compliance with, the six data protection principles. These principles provide that personal data must be:
- (a) obtained and processed fairly and lawfully;
- (b) collected for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- (c) adequate, relevant and not excessive;
- (d) accurate and up-to-date;
- (e) not kept for longer than necessary; and
- (f) processed in accordance with the rights of data subjects.
The GDPR is not intended to prevent the processing of personal data, but to ensure that it is done fairly and transparently.
6 What personal data does Payescape collect?
6.1 We collect personal data relating to:
- 6.1.1 employees and applicants for employment, including an employee’s job application, records of training, documentation of performance appraisals, salary increases, expense claims, next of kin contact details and other employment records;
- 6.1.2 clients who instruct us to provide payroll services to them (user personal data);
- 6.1.3 supplier contacts, industry professionals, and other individuals who provide goods and/or services to Payescape (supplier personal data).
7 Why do we collect personal data from data subjects?
We use personal data to manage our business, including for legal, personnel, administrative and management purposes. The following explains the limited purposes for which Payescape holds and processes different types of personal data.
- 7.1 Employee personal data:
- 7.1.1 administration and management of its employees and their contracts;
- 7.1.2 administration of employee benefits and entitlements;
- 7.1.3 protection of the legitimate interests of Payescape, including investigation of acts or defaults; and
- 7.1.4 compliance with applicable laws, regulations, and rules.
- 7.2 Customer personal data:
- 7.2.1 personal data related to our clients’ employees in order that we can provide payroll services to them;
- 7.2.2 administration and management of our relationships with our customers;
- 7.2.3 customer enquiries relating to our services;
- 7.2.4 marketing, promotion and supply of goods to customers, including as described in our privacy policy set forth at www.payescape.com/privacy-policy.
- 7.3 User personal data:
- 7.3.1 supply of marketing and promotional material;
- 7.3.2 administration and improvement of our websites and related purposes, including as described in our privacy policy set forth at www.payescape.com/privacy-policy;
- 7.3.3 compliance with applicable laws, regulations, and rules; and
- 7.3.4 tracking website usage and hits.
- 7.4 Supplier personal data:
- 7.4.1 administration of the receipt of goods and services from its suppliers;
- 7.4.2 administration and management of its relationships with its suppliers; and
- 7.4.3 compliance with applicable laws, regulations, and rules.
- 7.5 Payescape may share the personal data it collects with its corporate affiliates and third parties operating on its behalf. Payescape will only share personal data with companies that are required to protect personal data in accordance with relevant data privacy laws, and subject to any appropriate security measures and directions from Payescape.
8 How do we process personal data?
Payescape processes all personal data in accordance with the data protection principles below. All Payescape personnel must follow these principles if they process personal data:
- 8.1 Processing must be fair, lawful and transparent. For personal data to be processed fairly and transparently, Payescape (as a data controller) must inform data subjects, when Payescape obtains personal data directly from them, about all of the following:
- (a) that we are the data controller in regard to their personal data, and our contact details;
- (b) the purpose or purposes for which we intend to process the personal data, and the legal basis;
- (c) the legitimate interests pursued by us or by a third party and an explanation of those interests (where processing is based on this ground);
- (d) where the processing is based on consent, their right to withdraw it at any time;
- (e) the third parties or categories of third parties, if any, to whom we will disclose the personal data;
- (f) details of any transfers out of the EEA, the safeguards we have in place and the means by which to obtain a copy of them;
- (g) the personal data retention period, or the criteria used to determine it;
- (h) the existence of the right to request access to their personal data, rectification or erasure of their personal data, restriction of or objection to processing, and the right to data portability;
- (i) the right to complain to the Information Commissioner’s Office if they are unhappy with how we are handling their personal data;
- (j) details of any automated decision-making, including profiling, and the logic involved, as well as the significance and consequences of such processing for the data subject; and
- (k) whether the provision of personal data is a statutory or contractual requirement, and the consequences of failing to provide such personal data.
Where we intend to process the personal data for a further purpose (such as for our clients in providing payroll services) other than that for which the personal data were collected, we will provide the data subject, prior to that further processing, with information on that purpose.
If we receive personal data about a data subject from other sources, we will provide the data subject with the information described in this section, as well as the categories of personal data concerned, the source from which the personal data originated and, if applicable, whether it came from publicly accessible sources.
We will provide this information to the data subject within one month of obtaining the personal data, or at the time of the first communication to the data subject (where applicable), or, if a disclosure to another recipient is envisaged, when the personal data are first disclosed. When processing personal data in the course of our business, we will ensure that these information requirements are met.
For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the GDPR. These grounds include: where the data subject has given his/her free, informed and unambiguous consent; or if necessary for the performance of a contract with the data subject; or for compliance with a legal obligation to which the data controller is subject; or for the legitimate interests of the data controller or a third party to whom the personal data is disclosed, except where those interests are overridden by the interests of the data subject.
The processing of special categories of personal data is prohibited unless one of another set of legal grounds set out in the GDPR applies, including: the data subject has given his/her explicit consent; or the personal data have been made public by the data subject; or if necessary for the establishment or defence of legal claims, or to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving his/her consent. In most cases the data subject’s explicit consent to the processing of such personal data will be required.
- 8.2 Processing for limited purposes
Personal data must generally only be processed for the specific purposes notified to the data subject when the personal data was first collected, or for any other purposes specifically permitted by data privacy laws. This means that personal data cannot be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the personal data is processed, the data subject must generally be informed of the new purpose before any processing occurs, and their consent may be required.
- 8.3 Adequate, relevant and not excessive
We will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject. Any personal data that is not necessary for that purpose should not be collected in the first place.
- 8.4 Accurate and up-to-date data
We will ensure that personal data we hold is accurate and kept up-to-date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date personal data must be corrected, destroyed or erased from our systems, as appropriate.
- 8.5 Storage limitation
We will only retain data subjects’ personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of data subjects’ personal data, the purposes for which we process data subjects’ personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. By law, we have to keep basic information about our data subjects (including contact, identity, financial and transaction data) for six years after such data subjects cease being our customers, for tax purposes.
- 8.6 Personal data must be processed in line with the rights of data subjects.
Data subjects have a number of rights under data privacy laws, as further set forth in section 9 below.
- 8.7 Personal data must be kept secure.
- 8.7.1 Appropriate security measures must be taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Data privacy laws require us to put in place procedures, technologies, and other measures to maintain the security of all personal data from the point of collection to the point of destruction. Appropriate security measures may include:
- (a) pseudonymisation and encryption of personal data;
- (b) the ability to confirm the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- (c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
- (d) a process for testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- (e) Payescape will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
- 8.7.2 Security procedures include: entry controls (e.g. strangers seen in entry-controlled areas should be reported); secure lockable desks and cupboards (e.g. desks and cupboards should be kept locked if they hold confidential information of any kind); methods of disposal (e.g. paper documents should be shredded and digital storage devices should be physically destroyed when they are no longer required); and, in relation to equipment, data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
- 8.7.3 Any data security breaches that do, or may, involve personal data must be immediately reported to the operations manager.
- 8.7.4 Where processing is to be carried out on our behalf, we shall only engage processors who provide sufficient guarantees to implement appropriate technical and organisational security measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
- 8.7.5 As a data controller, we are required to enter into a written contract with the processor (including in electronic form), which will set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects. The contract shall set out, in particular, the specific mandatory obligations of processors laid down in the GDPR, including to:
- (a) process the personal data only on documented instructions from the data controller, including with regard to non-EEA transfers;
- (b) ensure the processor’s staff are committed to confidentiality;
- (c) take all appropriate technical and organisational security measures;
- (d) sub-contract only with prior written authorisation of the data controller;
- (e) assist the data controller in complying with the rights of data subjects;
- (f) assist the data controller in complying with its security, data breach notification, data privacy impact assessment and prior consultation obligations;
- (g) delete or return all personal data to the data controller, if requested, at the end of provision of processing services; and
- (h) make available to the data controller all information necessary to demonstrate compliance with its processing obligations and allow audits, including inspections, to be conducted by the data controller, and immediately inform the data controller if an instruction infringes the GDPR, or other EU or member state law.
- 8.8 Personal data must not be transferred to people or organisations situated outside the EEA unless it will be adequately protected.
- 8.8.1 Data privacy laws impose restrictions on when personal data can be transferred outside the EEA, including to the USA. Payescape may transfer personal data it holds to a third party outside the EEA, provided that one of the following conditions applies:
- (a) the non-EEA country to which the personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms. The European Commission deems the following countries to have an adequate level of data protection: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay. The USA is deemed as providing an adequate level of protection where the USA recipient of the personal data is Privacy Shield certified.
- (b) adequate safeguards are in place, such as the model clauses; binding corporate rules (“BCR”); or an approved code of conduct or approved certification mechanism with binding and enforceable commitments of the data controller or data processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
- (c) the transfer is lawful pursuant to one of the derogations in the GDPR, such as: the data subject has given their explicit consent; the transfer is necessary for the performance of a contract; for public interest reasons; authorised by law; necessary for the defence of legal claims; or to protect the vital interests of the data subject.
- (d) where none of the above safeguards or derogations apply, a transfer to a non-EEA country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, and is necessary for the legitimate interests of the data controller which are not overridden by the rights of data subjects. The data controller must inform the data protection commissioner and the data subject of such a transfer, and the legitimate interests pursued.
- (e) Payescape will inform data subjects of any data transfers to third parties outside the EEA, the safeguards we have in place and the means by which to obtain a copy of them.
9 Rights of data subjects
- 9.1 Data subjects have the following rights under data privacy laws regarding the processing of their personal data. Notify the operations manager immediately if a data subject contacts you to:
- 9.1.1 request access to a copy of, or certain information about, any personal data we hold about them;
- 9.1.2 request any inaccurate or incomplete personal data to be rectified;
- 9.1.3 request the erasure of their personal data;
- 9.1.4 object to or request restriction of processing in specified circumstances;
- 9.1.5 request that their personal data be transferred to another data controller or provided in a format that will permit this transfer (i.e. the right to data portability);
- 9.1.6 not be subject to a decision based solely on automated processing, including profiling, which produces a legal effect or other significant effect on the data subject, except where the decision is necessary for the performance of a contract, authorised by law, or based on the data subject’s consent;
- 9.1.7 prevent the processing of their personal data for certain purposes.
10 Dealing with subject access requests
- 10.1 Data subjects may make a request for information we hold about them. This request may be made in writing or orally. When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the caller’s identity can be verified. If their identity cannot be verified, we will request the caller to put their request in writing. Data users who receive a request should forward it to the operations manager immediately, because we must respond to the request within prescribed time limits.
- 10.2 A data subject has a right of access to a copy of the personal data we hold about him/her, as well as the following information:
- 10.2.1 the purposes of the processing;
- 10.2.2 the categories of the personal data concerned;
- 10.2.3 the recipients to whom the personal data have been or will be disclosed;
- 10.2.4 the personal data retention period, or the criteria used to determine it;
- 10.2.5 the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning that data subject, or to object to such processing;
- 10.2.6 the right to lodge a complaint with the data protection commissioner;
- 10.2.7 where the personal data are not collected from the data subject, any available information as to their source;
- 10.2.8 the existence of automated decision-making, including profiling; the logic involved, and the envisaged consequences of such processing for the data subject; and
- 10.2.9 where personal data are transferred out of the EEA, the appropriate safeguards in place, of which the data subject must be informed.
- 10.2.10 We will provide a copy of the personal data (i) free of charge, but may charge a reasonable fee, based on administrative costs, for any further copies the data subject requests, and (ii) without undue delay, and at the latest within one month of receipt of the data subject’s request. This period may be extended by two further months where requests are numerous or complex. We will provide the data subject with information on action taken in response to the exercise of any of these rights.
- 10.3 Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information will be provided in a commonly used electronic form.
11 Dealing with requests for any inaccurate or incomplete personal data to be rectified
Where a data subject has requested the rectification of their personal data, we must inform recipients to whom that personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We must also inform the data subject about the recipients to whom the personal data has been disclosed, if he/she requests it.
12 Dealing with objections to or requests for erasure or restriction of processing in specified circumstances
- 12.1 Where a data subject has requested the erasure or restriction of their personal data, we must inform recipients to whom that personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We must also inform the data subject about the recipients to whom the personal data has been disclosed, if he/she requests it.
- 12.2 The following methods may be used to restrict processing of the personal data:
- 12.2.1 temporarily moving the selected personal data to another processing system;
- 12.2.2 making the selected personal data unavailable to other users; or
- 12.2.3 temporarily removing the published personal data from a website.
- 12.3 In automated filing systems, the restriction of processing should, in principle, be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
- 12.4 Where a data subject has exercised their right to restrict processing of their personal data, we are permitted to store it but not further process it. We can only continue to process the personal data where:
- 12.4.1 the data subject consents;
- 12.4.2 the processing is necessary for the exercise or defence of legal claims;
- 12.4.3 the processing is necessary for the protection of the rights of other individuals or legal persons; or
- 12.4.4 the processing is necessary for public interest reasons. We must notify the data subject before lifting the restriction.
13 Dealing with objections to processing
Where a data subject has objected to Payescape processing their personal data for one of the following purposes: (i) public interest or legitimate interest grounds (including profiling based on those grounds); (ii) direct marketing (including profiling to the extent that it is related to such marketing); or (iii) scientific, historical research or statistical purposes (unless the processing is necessary for the performance of a public interest task), we must stop processing the personal data, unless we can demonstrate compelling legitimate grounds for the processing which override the rights of the data subject, or the processing is necessary for the defence of legal claims. There are no grounds to refuse to comply with a data subject’s objection to processing for direct marketing purposes. The right to object must be explicitly brought to the attention of the data subject, at the latest at the time of first communication with them, and must be presented clearly and separately from other information.
14 Record keeping
- 14.1 Payescape shall properly demonstrate its compliance with data privacy laws. This includes maintaining accurate and detailed records of the following:
- 14.1.1 all processing activities carried out by Payescape involving personal data, including details of (i) the controller; (ii) any joint controllers, their representatives and data protection officers; (iii) purposes of the processing; (iv) categories of personal data and data subjects; (v) categories of recipients of the personal data; (vi) transfers of the personal data to countries or organisations outside the EEA and the appropriate safeguards put in place; (vii) envisaged time limits for retention of the personal data; and (viii) a description of the technical and organisational security measures in place to protect the personal data;
- 14.1.2 any consents provided by data subjects to the processing of their personal data;
- 14.1.3 all data protection related policies and procedures.
- 14.2 Employees who process personal data on behalf of Payescape shall retain adequate notes and records of all of the above in relation to such processing activities.
15 Breaches of this policy
Any actual or suspected breach of this policy should be immediately notified to the operations manager.
16 Changes to this policy
We reserve the right to change this policy at any time. Where appropriate, we will notify data users of those changes by mail or email.