PRIVACY POLICY / DATA PROTECTION POLICY

Objective

This policy sets out how Pay-Nex Limited uses and protects any information that you give us in the course of providing payroll and pension processing services. Pay-Nex Limited is committed to ensuring that your privacy is protected and respected.

We process information given to us by other parties. In order to do this, we enter into contracts with organisations such as accountants and employers, and it is those organisations that control the personal data and carry the responsibilities of the data controller. This policy applies to all personal information however it is collected, recorded, and used – whether on paper, in a computer storage system, or recorded on other material.

The objective of this policy is to ensure that Pay-Nex Limited complies with the UK General Data Protection Regulation (GDPR), which sets out the key principles, rights, and obligations for most processing of personal data, and the Data Protection Act 2018 (DPA), which further sets out the data protection framework in the UK.

1. GDPR

1.1 What is GDPR

GDPR codifies and unifies privacy laws, and applies to:
(a) any company doing business with a citizen of the EU;
(b) all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location.

1.2 Why does GDPR matter?

Penalties for non-compliance with the GDPR regarding the collection and use of personal data are potentially devastating. Failure to comply may attract a fine of £20 million or 4% of the company’s total annual turnover, whichever is greater. The most likely source of risk is a data incident, a whistle-blower, or a competitor.

1.3 What is data and consent

Personal data is defined as any information relating to a natural person (the data subject) that can be used to directly or indirectly identify that person.

Consent – companies must seek consent from data subjects, in a clear fashion, before handling their personal data.

1.4 Summary of the ten GDPR requirements

1. Lawful, fair, and transparent processing – this means that in processing personal data, Pay-Nex must do so:
(i) Lawfully – all processing must be based on a legitimate purpose;
(ii) Fairly – the company takes responsibility and does not process data for any purpose other than the legitimate purposes; and
(iii) Transparently – the company must inform data subjects about the processing activities carried out on their personal data.

2. Limitation of purpose, data, and storage – Pay-Nex is expected to limit the processing, collect only the data which is necessary, and not keep personal data once the processing purpose is completed. This effectively imposes the following requirements:
(i) Forbid processing of personal data outside the legitimate purpose for which the personal data was collected;
(ii) Mandate that no personal data, other than what is necessary, be requested;
(iii) Ensure that the personal data is deleted once the legitimate purpose for which it was collected is fulfilled.

3. Data Subject Rights – data subjects have the right to ask the company what information it holds about them and what the company does with this information. In addition, a data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.

4. Consent – as and when the company intends to process personal data beyond the legitimate purpose for which the data was collected, clear and explicit consent must be obtained from the data subject. Once collected, this consent must be documented, and the data subject is allowed to withdraw his or her consent at any moment. Also, for the processing of children’s data, GDPR requires explicit consent from the parents or guardians if the child is under the age of 16.

5. Personal Data Breaches – organisations must maintain a Personal Data Breach Register and, based on the severity of the breach, the regulator and data subjects should be informed within 72 hours of identifying the breach.

6. Privacy by Design – companies should incorporate organisational and technical mechanisms to protect personal data in the design of new systems and processes; that is, privacy and protection aspects are to be included by default.

7. Data Protection Impact Assessment – this needs to be conducted when a significant change is introduced in the processing of personal data.

8. Data Transfers – the controller of personal data is accountable for ensuring that personal data is protected and that GDPR requirements are respected. This means controllers have the obligation to ensure the protection and privacy of personal data.

9. Data Protection Officers – when there is significant processing of personal data, an organisation should assign a Data Protection Officer (DPO). When assigned, the DPO has the responsibility of advising the company about compliance with GDPR requirements.

10. Awareness and training – organisations must create awareness among employees about the key GDPR requirements and conduct regular training.

2. Responsibilities

Pay-Nex’s Business Director is nominated as its Data Protection Officer, responsible for monitoring and managing the systems and processes used to share information with suppliers, and for advising its management and employees on the implementation of this policy.

3. Compliance

3.1 Key Principles

The Company will, through appropriate management, strictly apply the following criteria and controls:

a) Observe fully the conditions regarding the fair collection and use of information.
b) Meet its legal obligations to specify the purposes for which information is used.
c) Collect and process appropriate information, only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
d) Ensure the quality of information collected and processed.
e) Apply checks to determine the length of time information is held.
f) Ensure that the rights of people about whom information is held can be fully exercised in accordance with the data protection legislation.
g) Take and maintain appropriate technical and organisational security measures to safeguard personal information.
h) Ensure that personal information is not transferred abroad without suitable safeguards and appropriate consents and permissions.
i) Treat people justly and fairly, whatever their age, religion, disability, gender, sexual orientation, or ethnicity, when dealing with requests for information.
j) Set out clear procedures for responding to requests for information.
k) Ensure that personal information is only processed in a manner which is lawful.

3.2 Additional applications

1. There is someone with specific responsibility for Data Protection.
2. Everyone managing and handling personal information understands that they are legally and contractually responsible for following good data protection practice.
3. Everyone managing and handling personal information is appropriately trained to do so.
4. Everyone managing and handling personal information is appropriately supervised.
5. Anybody wanting to make enquiries about handling personal information knows what to do.
6. Queries about handling personal information are promptly and courteously dealt with.
7. Methods of handling personal information are clearly described.
8. A regular review and audit is made of the way personal information is held, managed, and used.
9. Methods of handling personal information are regularly assessed and evaluated.
10. Performance of those handling personal information is regularly assessed and evaluated.

3.3 Collection and Use of Data

Pay-Nex will only collect data which is required to allow it to carry out its business. All data subjects will, at the time of collection, be notified of each purpose to which the data is put, the duration for which it will be held, and the lawful basis for the processing, and no additional data will be collected or stored by Pay-Nex.

3.4 Maintaining and Destroying Data

Pay-Nex will ensure that all personal data is stored correctly and securely during the time the data is required by the company. Once the data is no longer required, it will be returned, deleted, or destroyed.

3.5 Access Requests

Any individual has the right to access, correct, restrict, and transfer their personal information. An individual can send Pay-Nex, in its capacity as data controller, a subject access request requiring Pay-Nex to advise the individual about the personal information Pay-Nex holds about them, where the information was obtained from, and who it is shared with, and to provide them with a copy of that information. Pay-Nex will ensure it responds to all requests in accordance with the GDPR. More details regarding Pay-Nex’s obligation to respond to data access requests are contained in Appendix 1.

3.6 Reporting

All staff should report immediately to their line manager, in the first instance, any observed or suspected incident in which this policy has been breached, so that an investigation into the potential loss can be carried out and procedures can be improved.

In the event that a breach is detected, the DPO shall, within the time-frames set out in the data protection legislation, assess the seriousness of the breach and determine whether it is necessary to notify the Information Commissioner’s Office alone, or both the Information Commissioner’s Office and the impacted data subject(s).