Thank you for using Biznus Payroll Limited (BPL). Your privacy is extremely important to us and how we manage your personal data is something we take very seriously.
This policy explains the “what, how and why” of the information we collect when you join our team, become our client, or when you are considering using our services. It also explains the specific ways we use and disclose that information.
This policy applies to all Data Subjects whose data is processed by Biznus Payroll Limited (BPL).
Employees and prospective employees
The Biznus Payroll Data Protection Officer is responsible for ensuring that existing employees are fully informed about their rights under GDPR and their employers’ obligations, and that potential new employees (Data Subjects) who may be employed by BPL have sight of this policy so that they know how GDPR affects them prior to collecting and processing their data.
Clients and prospective clients
This policy shall be provided to existing clients in compliance with GDPR. It shall also be put in front of any potential clients before transfer of any data pertaining to payroll, pension or any other potential outsourced services between BPL and the client wishing to outsource these administrative services. It is the responsibility of the client (existing and potential), as data controllers, to ensure that this policy is available to the data subjects (their employees/workers) when collecting data for processing or initial set up.
The Personal Data we collect
Personal Data means any information that may be used to identify an individual, including, but not limited to, a first or last name, a home address or other physical address and an email address or other contact information, whether at work or at home.
The Personal Data we collect from you may be used for the following purposes:
- Fully managed payroll outsourcing service on behalf of the client
- Management of workplace pension scheme
- Internal personal records of the staff of BPL
- Submissions to HMRC, DWP, TPR and other regulatory authorities deemed as lawful and correct
- Email/correspondence to inform and advise clients and potential new businesses of specific payroll duties, legislation changes and any other changes in the services we provide
- Email marketing to clients and potential new businesses to promote additional services that BPL may develop in relation to its core business
Why do we collect, process and store this data
As an employer, we are the Data Controller and it is necessary to collect and retain information relating to our employees for personal records, pay and pension processing and health and safety.
As a Payroll Bureau managing the outsourced payroll and pension requirements of our clients, we are the Data Processor. It is necessary to hold relevant information in relation to the employees of our clients for whom we provide a payroll and pension service. The client is the Data Controller. BPL will act on behalf of our clients as Data Processor and use the employers’ data so that it can:
- Set up PAYE and Pension Scheme
- Process and calculate pay
- Process and calculate pension calculations
- Add new and maintain employee data held within payroll software systems
- Report to the HMRC liabilities and perform RTI submissions
- Process Attachment of Earnings Orders
- Keep employee and employer records up to date including pension information
- Set up and provide payslips to client employees and our staff
- Provide payroll and pension support to clients
- Liaise and make available employee data under legislation such as Child Maintenance Service, Court Orders and any other legal or regulatory requirements
- Make BACS and Autopay transactions to pay employee wages
- Provide a response to Regulatory Bodies eg DWP, HMRC, Child Maintenance Service and TPR requests for information
- Anti-Money Laundering ID verification
How we meet our GDPR obligations
The Personal and Special Categories of Personal Data we collect and process are necessary to comply with our legal requirements as Data Controller for our employees, and also in the performance of our contract with our clients as Data Processor in providing a managed outsourced payroll, pension and associated administrative functions service.
We will ensure that all personal data is lawfully processed, only collected for specified, explicit and legitimate purposes and that we only collect and process adequate data to fulfil our legal and contractual responsibilities. We will make every endeavour to ensure the accuracy of the personal data we collect and process, that we retain the personal data only for the appropriate and legal periods and that all personal data will be managed securely. Personal data not retained will be appropriately destroyed or returned to the client in the manner detailed within the Standard Terms and Conditions.
How we obtain personal data
As the employer, we obtain our employees’ and prospective employees’ personal data from them as part of the new starter process. It is the responsibility of our staff to inform us of any changes as they occur.
As the data processor for our clients, we obtain the bulk of the data subject information from the client at the commencement of our contractual relationship. Additional information necessary to process employee payroll, pensions and administrative services such as hours worked, pay rates, holiday and sickness is provided to BPL in the manner agreed with the client in the Standard Terms and Conditions. It is the responsibility of the data controller to ensure that all personal data provided is accurate, appropriate and lawful under the GDPR.
Consent must be freely given, specific, informed, unambiguous and verifiable. Consent can also be withdrawn by the Data Subject.
In accordance with the GDPR, as our Client you are the Data Controller. It is your responsibility to collect and forward, in a secure manner, the personal data of those individuals you wish BPL to process as the Data Processor in the management of your outsourced services.
It is important that all Data Subjects know their Rights under the GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to Data portability
- The right to object
- Rights in relation to automated decision making and profiling
More information on the Individual Rights of a Data Subject can be found on https://ico.org.uk/your-data-matters/
Should a Data Subject wish to exercise any of their Rights within the GDPR, they should, in the first instance, contact their respective Data Controller’s Data Protection Officer.
The types of Personal Data
We will use the data you collect as our Client to manage your payroll or service as agreed in our Standard Terms and Conditions. We collect most of the necessary personal data during the initial contractual process, in which you detail your instructions on our New Company Details Form.
The Personal Data we may use include:
- Name, postal address and email address
- NI number
- HMRC information
- Bank account details
- Pension details
- Proof of identity (namely Passport Number)
- Leave records
- Contract of employment and HR details
- Next of kin details
- Date of birth
- Marital status
- Previous employment history
- Student loan information
- Client details (name, address, date of birth, NI number, passport number/driving licence number, position in organisation, telephone numbers, email and other contact details)
Sharing Personal Data
Subject to the applicable data protection law, we may share your Personal Data with:
- Subcontractors and other persons who help us provide our products and services
- Courts, to comply with legal requirements, and for the administration of justice
- Companies and other persons providing services to us
- Our legal and other professional advisors, including our auditors
- Fraud prevention agencies, credit reference agencies, and debt collection agencies when we open your account and periodically during your account or service management
- Other organisations who use shared databases for income verification and affordability checks to manage/collect arrears
- Government bodies and agencies in the UK and overseas (eg HMRC) who may in turn share it with relevant overseas tax authorities and with regulators
- In an emergency or otherwise to protect your vital interests
- To any other parties connected with your account eg guarantors and other people named on the application including joint account holders who will see your transactions
- When we restructure or sell our business or its assets or have a merger or re-organisation
- Market research organisations who help improve our products and services
- Payment systems if we issue cards to your client account
- Anyone else where we have your consent or where the law requires it.
Retention of data
The following criteria are used to determine the data retention period of personal data that may be processed for the purposes of the legitimate interest of BPL:
- Retention in case of queries. We will retain your information as long as necessary to deal with your queries.
- Retention in case of claims. We will retain your information for as long as you might legally bring claims against BPL.
- Retention in accordance with legal and regulatory requirements. We will retain your information after your client file has been closed or has otherwise come to an end based on our legal and regulatory requirements.
Your personal data may be transferred outside the UK and European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an ‘international framework’ of protection.
Identity verification and fraud prevention checks
The personal data we have collected from you at the commencement of our contract, or at any stage, will be shared with fraud prevention agencies, which will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment in the future. We may also search and use our internal records for these purposes. We will advise you prior to entering any such contractual obligation.
Credit reference checks
BPL does not currently undertake credit reference checks. However, should this change in the future we would request your specific consent to provide the necessary information to the appropriate credit reference agency. You would be kept fully informed throughout the process and of the outcome.
Subject to applicable laws, we will seek the monitoring and recording of your calls, emails, text messages, social media messages and other communications in relation to your dealings with us. We will do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications systems and procedures, to check for obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on your account where necessary for these reasons and this is justified by our legitimate interests or our legal obligations.
Automated decision making involves processing your personal data without human intervention to evaluate your personal situation such as economic position, personal preferences, interests or behaviours. This is not a process that BPL currently undertakes, either as a Data Controller or as a Data Processor. Should BPL consider it an appropriate business tool at some point in the future, we will undertake an appropriate process in accordance with the GDPR.
Data anonymisation and aggregation
Appropriate personal data may be converted into statistical or aggregated data which cannot be used to identify any individuals, and then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above.
Data Protection Officer
Tel: 01373 228300
Biznus Payroll Limited, 2nd Floor Office Suite, The Welsh Mill, Park Hill Drive, Frome, BA11 2LE
This document is dated 17th May 2018 and will be reviewed regularly.