General Terms and Conditions
Agreed terms
1. Interpretation and definitions
1.1 Definitions:
Business Day: a day other than a Saturday, Sunday or public holiday in England, when banks in London are open for business.
Charges: the charges payable by the Client for the supply of the Services by the Supplier, as set out in the Contract Details.
Confidential Information means:
(a) the existence or terms of this Contract (including the prices and charges);
(b) any information regarding the performance of the Services; or
(c) any information that may come to a party’s knowledge in the course of carrying out this Contract as to the operations, business dealings or financial affairs of the other party.
Contract: the contract between the Client and the Supplier for the supply of the Services in accordance with the Contract Details, these Conditions and any Schedules.
Control: has the meaning given in section 1124 of the Corporation Tax Act 2010, and the expression change of control shall be construed accordingly.
Client Materials: all materials, data, applicable documentation supplied by the Client to the Supplier, including all payroll data and holiday calculations.
Deliverables: all documents, developed by the Supplier or its agents, subcontractors and personnel as part of or in relation to the Services in any form, including without limitation computer programs, data, reports and specifications (including drafts) and the Key Deliverables set out in the Contract Details.
Conditions means these general terms and conditions.
HMRC means Her Majesty’s Revenue and Customs.
Intellectual Property Rights: patents, rights to inventions, copyright and related rights, trademarks, business names and domain names, rights in get-up, goodwill and the right to sue for passing off, rights in designs, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
PAYE means pay as you earn.
Services: the services, including without limitation any Deliverables, to be provided by the Supplier pursuant to the Contract, as described in Schedule 1.
Services Start Date: the day on which the Supplier is to start provision of the Services, as set out in the Contract Details.
Supplier IPRs: all Intellectual Property Rights subsisting in the Deliverables excluding any Client Materials incorporated in them.
1.2 Interpretation:
(a) In this Agreement, unless the context requires otherwise:
(i) The singular includes the plural and vice versa;
(ii) a reference to a person includes a reference to an individual, a body corporate, an association or a partnership;
(iii) the headings are for ease of reference only and shall not affect its interpretation;
(iv) the words “include”, “including” and “in particular” are to be construed without limitation to the generality of the preceding words;
(v) a reference to any statute or statutory provision includes any subordinate legislation made under it, any provision which it has modified or re-enacted, and any provision which subsequently supersedes or re-enacts it (with or without modification);
(vi) a reference to any agreement, code, licence or other document is to such agreement, code, licence or other document as amended, supplemented, novated or replaced from time to time (and includes all subsidiary agreements entered into under it); and
2. Commencement and term
The Contract shall commence on the date when it has been signed by both parties and shall continue, unless terminated earlier in accordance with its terms, until either party gives to the other not less than three months’ written notice to terminate.
3. Supply of services
3.1 The Supplier shall supply the Services to the Client from the Services Start Date in accordance with the Contract.
3.2 In supplying the Services, the Supplier shall:
(a) perform the Services with reasonable care and skill;
(b) perform the Services in accordance with the service description set out in Schedule 1;
(c) ensure that the Deliverables, and all goods, materials, standards and techniques used in providing the Services are of satisfactory quality and are fit for purpose;
(d) comply with all applicable laws, statutes, regulations and codes from time to time in force provided that the Supplier shall not be liable under the Contract if, as a result of such compliance, it is in breach of any of its obligations under the Contract;
(e) observe all reasonable health and safety rules and regulations and security requirements that apply at any of the Client’s premises and have been communicated to the Supplier, provided that the Supplier shall not be liable under the Contract if, as a result of such observation, it is in breach of any of its obligations under the Contract; and
(f) take reasonable care of all Client Materials in its possession and make them available for collection by the Client on reasonable notice and request, always provided that the Supplier may destroy the Client Materials if the Client fails to collect the Client Materials within a reasonable period after termination of the Contract.
3.3 Other than the warranties in clause 3.2, the Supplier makes no express warranties in respect of the Services and excludes all implied warranties, terms or conditions from this Contract.
4. Client’s obligations
4.1 The Client shall:
(a) co-operate with the Supplier in all matters relating to the Services;
(b) if applicable, provide, for the Supplier, its agents, subcontractors, consultants and employees, in a timely manner and at no charge, access to the Client’s premises, office accommodation, data and other facilities as reasonably required by the Supplier;
(c) provide, in a timely manner, such information as the Supplier may reasonably require, and ensure that it is accurate and complete in all material respects;
(d) check all reports submitted by the Supplier and the Supplier will not accept liability for any overpayment or underpayment of wages or salaries resulting from an error in processing the Client’s payroll; and
(e) provide the Supplier with accurate and up to date Client Material on the dates as advised by the Supplier;
(f) supply all relevant information within the agreed time relating to:
i. relevant tax information;
ii. new starter and leaver information;
iii. holiday pay details;
iv. holiday calculations;
v. time sheets where relevant to include all hours for payment for the relevant period to be paid;
vi. wage/salary information;
vii. any changes to personal data e.g. change of name, address;
viii. all documentation and information relating to any Statutory payments, attachments of earnings or court orders;
ix. relevant pension information.
(g) check all reports to ensure the accuracy of the data processed by the Supplier. Any errors should immediately be notified to the Supplier.
(h) confirm the appointment of the Supplier as its agent for the purpose of processing the Client’s payroll and dealing with any third parties such as HMRC, to whom the Supplier will provide real time information as required, provided always that the Supplier, in acting as such agent, shall not incur (without prejudice to any other provisions of its terms and conditions), any liability to any employee of the Client or any other third parties in any capacity whatsoever whether as agent or principal.
4.2 If the Supplier’s performance of its obligations under the Contract is prevented or delayed by any act or omission of the Client, its agents, subcontractors, consultants or employees, the Supplier shall:
(a) not be liable for any costs, charges or losses sustained or incurred by the Client that arise directly or indirectly from such prevention or delay;
(b) be entitled to payment of the Charges despite any such prevention or delay; and
(c) be entitled to recover any additional costs, charges or losses the Supplier sustains or incurs that arise directly or indirectly from such prevention or delay.
5. Data protection
The parties shall comply with their data protection obligations as set out in Schedule 2 (Data Protection).
6. Intellectual property
6.1 The Supplier and its licensors shall retain ownership of all Supplier IPRs. The Client and its licensors shall retain ownership of all Intellectual Property Rights in the Client Materials.
6.2 The Supplier grants the Client, or shall procure the direct grant to the Client of, a fully paid-up, worldwide, non-exclusive, royalty-free, licence to copy the Supplier IPRs for the purpose of receiving and using the Services and the Deliverables in the Client’s business during the term of the Contract.
6.3 The Client grants the Supplier a fully paid-up, worldwide, non-exclusive, royalty-free, non-transferable licence to copy and modify the Client Materials for the term of the Contract for the purpose of providing the Services to the Client in accordance with the Contract.
7. Charges and payment
7.1 In consideration for the provision of the Services, the Client shall pay the Supplier the Charges in accordance with this clause 7.
7.2 All amounts payable by the Client exclude amounts in respect of value added tax (VAT), which the Client shall additionally be liable to pay to the Supplier at the prevailing rate (if applicable), subject to receipt of a valid VAT invoice.
7.3 The Supplier shall submit invoices for the Charges plus VAT, if applicable, to the Client as detailed in the payment terms of the Contract Details. Each invoice shall include all reasonable supporting information required by the Client.
7.4 The Client shall pay each invoice due and submitted to it by the Supplier, within 30 days of receipt, to a bank account specified in the Contract Details by the Supplier.
7.5 The Supplier shall have the right to increase the charges made to the Client for the Service on at least an annual basis or as determined by the Supplier where necessary to reflect market rates or other relevant factors.
7.6 If the Client fails to make any payment due to the Supplier under the Contract by the due date for payment, then, without limiting the Supplier’s remedies under clause 9 (Termination):
(a) the Client shall pay interest on the overdue sum from the due date until payment of the overdue sum, whether before or after judgment. Interest under this clause will accrue each day at 4% a year above the Bank of England’s base rate from time to time, but at 4% a year for any period when that base rate is below 0%.
(b) the Supplier may suspend all Services until payment has been made in full.
7.7 All amounts due under the Contract from the Client to the Supplier shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).
8. Indemnity and limitation of liability
Indemnity
8.1 Each party (Indemnifying Party) indemnifies the other party (Indemnified Party) against any loss, expense, liability or proceeding resulting from:
(a) death or personal injury; or
(b) fraud or fraudulent misrepresentation;
only if, and to the extent that the loss, expense, liability or proceeding is directly or naturally caused by the Indemnifying Party’s negligence, intentional misconduct or breach of this Contract.
8.2 Indirect or consequential losses excluded. To the extent the law permits and notwithstanding any other term of this Contract, neither party shall be liable to the other party for indirect or consequential loss or damage of any kind, loss of business revenue, loss of profits, failure to realise expected profits or savings, overhead costs, loss of reputation and goodwill, loss of value in any intellectual property, damages for business interruption, damages or liquidated sums payable pursuant to other agreements or for lost opportunities (including opportunities to enter into or complete arrangements with third parties) and commercial or economic loss of any kind arising out of or in any way connected with this Contract.
Cap on liability
8.3 The Supplier has obtained insurance cover in respect of its own legal liability for individual claims not exceeding £45,000 per claim in aggregate to the purchase price of the Services giving rise to the liability, for the avoidance of doubt, the maximum extent of the liability by the Supplier to the Client will not exceed one month’s fees charged by the Supplier to the Client. The limits and exclusions in this clause reflect the insurance cover the Supplier has been able to arrange, and the Client is responsible for making its own arrangements for the insurance of any excess loss.
Reduction in liability
The Supplier’s liability to the Client for loss or damage of any kind, whether claimed under an indemnity in this Contract or otherwise, arising from or relating to this Contract or its subject matter, is reduced to the extent that the Client or a third-party causes or contributes to the loss or damage.
Exclusion of liability
(a) The Supplier accepts no liability for a Client’s PAYE employer scheme and its employees or any of the Client’s payments to HMRC.
(b) The Supplier shall not be liable for any outcome, including but not limited to any penalties, surcharge or additional tax liabilities, that may arise from incorrect or incomplete information provided by the Client, or by the Client’s failure to supply appropriate information or its failure to act on the Supplier’s advice or respond promptly to communication from the Supplier or the tax authority.
(c) The Supplier shall not be liable or responsible to the terms and conditions included in the Client’s contract or statement of employment with the Client’s employees.
(d) If the Client fails to provide Client Material to the Supplier which would result in a delay in the submission to HMRC of statutory returns by any due date, the Supplier will not be responsible for any penalties or interest charges.
(e) The Supplier will not accept any responsibility or accept any liability for errors which may occur during the payroll processing service to the Client, and/or after the end of a payroll provider service to the Client with respect to carrying out their payroll processing service pertaining to year end FPS submissions and its relevant forms, together with any communication with HMRC on the Client’s behalf.
(f) The Supplier shall not accept any liability for any errors that have occurred prior to the Supplier having been appointed as agent for the purposes of HMRC.
(g) The Supplier will not accept any responsibility for any liability which may arise due to the Client’s unfamiliarity with or lack of understanding of how the PAYE system works in terms of their own employment arrangements. The Supplier will not be held responsible for any additional Tax or National Insurance liability incurred as a consequence of the Client’s failure to follow advice given by the Supplier, or if the Client receives information from the Supplier where the Supplier has no direct control over such failure.
(h) The Supplier will not be responsible for any penalties or interest charges imposed by HMRC to the Client for its failure to make Income Tax and/or National Insurance contributions liability payments by their due dates where such liabilities and deadlines have been advised to the Client, either by the Supplier or HMRC. The Supplier will not bear any responsibility for any penalties imposed by HMRC that may arise as a result of employment arrangements which existed prior to the Supplier being appointed. The Supplier will not bear any responsibility for any penalties or interest charged for any previous late filing declarations where these were incurred before the date on which the Client appointed the Supplier.
9. Termination
9.1 Without affecting any other right or remedy available to it, either party to the Contract may terminate it with immediate effect by giving written notice to the other party if:
(a) the other party commits a material breach of any term of the Contract which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 7 days after being notified in writing to do so;
(b) the other party takes any step or action in connection with its entering administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), applying to court for or obtaining a moratorium under Part A1 of the Insolvency Act 1986, being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business;
(c) the other party suspends, or threatens to suspend, or ceases or threatens to cease to carry on all or a substantial part of its business; or
(d) the other party’s financial position deteriorates to such an extent that in the terminating party’s reasonable opinion the other party’s capability to adequately fulfil its obligations under the Contract has been placed in jeopardy.
9.2 Without affecting any other right or remedy available to it, the Supplier may terminate the Contract with immediate effect by giving written notice to the Client if the Client fails to pay any amount due under the Contract on the due date for payment.
9.3 On termination of the Contract for whatever reason:
(a) the Client shall immediately pay to the Supplier all of the Supplier’s outstanding unpaid invoices and interest and, in respect of Services supplied, but for which no invoice has been submitted, the Supplier may submit an invoice, which shall be payable immediately on receipt;
(b) any provision of the Contract that expressly or by implication is intended to come into or continue in force on or after termination or expiry of the Contract shall remain in full force and effect; and
(c) termination or expiry of the Contract shall not affect any of the rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of the Contract which existed at or before the date of termination or expiry.
10. General
10.1 Force majeure. Neither party shall be in breach of the Contract nor liable for delay in performing, or failure to perform, any of its obligations under the Contract if such delay or failure results from events, circumstances or causes beyond its reasonable control.
10.2 Assignment and other dealings.
(a) The Client shall not assign, transfer, charge, subcontract, declare a trust over or deal in any other manner with any or all of its rights and obligations under the Contract without the Supplier’s prior written consent.
(b) The Supplier may at any time assign, transfer, charge, subcontract, declare a trust over or deal in any other manner with any or all of its rights under the Contract.
10.3 Confidentiality.
(a) No disclosure of Confidential Information
During the term of this Contract and for a period of five (5) years after its termination, Confidential Information received by one party from another party may not be disclosed by the recipient to any other person except:
i. to the recipient’s employees, professional advisers and agents solely for the purpose of the performance of this Agreement or to make or defend any claim under this Contract;
ii. with the consent of the discloser;
iii. if required by law.
(b) Information in the public domain
The provisions of clause 10.3(a) do not apply to information which:
i. the recipient can show by written evidence was known to it prior to being obtained from the discloser and was not subject to obligations of confidentiality to the discloser or a third party;
ii. is or becomes public knowledge through no action of the recipient; or
iii. is disclosed to the recipient by a third party with a legal right to do so.
(c) Employee, agents and contractors
The parties must inform their employees, agents and contractors of the provisions of clause 10.3(a) and must ensure that those persons comply with that clause to the same extent that the Parties are required to comply with it.
10.4 Entire agreement.
(a) The Contract constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
(b) Each party acknowledges that in entering into the Contract it does not rely on and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in the Contract.
10.5 Variation. No variation of the Contract shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
10.6 Waiver.
(a) A waiver of any right or remedy under the Contract or by law is only effective if given in writing and shall not be deemed a waiver of any subsequent right or remedy.
(b) A failure or delay by a party to exercise any right or remedy provided under the Contract or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under the Contract or by law shall prevent or restrict the further exercise of that or any other right or remedy.
10.7 Severance. If any provision or part-provision of the Contract is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause 10.7 shall not affect the validity and enforceability of the rest of the Contract.
10.8 Notices.
(a) Any notice given to a party under or in connection with the Contract shall be in writing and shall be:
(i) delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
(ii) sent by email to the address provided for in the Contract Details.
(b) Any notice shall be deemed to have been received:
(i) if delivered by hand, at the time the notice is left at the proper address;
(ii) if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting; or
(iii) if sent by email, at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 10.8(b)(iii), business hours means 9.00am to 5.00pm Monday to Friday on a day that is not a public holiday in the place of receipt.
(c) This clause 10.8 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
10.9 Third party rights. The Contract does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Contract.
10.10 Governing law. The Contract, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation, shall be governed by, and construed in accordance with the law of England and Wales.
10.11 Jurisdiction. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Contract or its subject matter or formation.
10.12 Relationship of the parties. The parties are independent contracting parties and nothing in this Contract makes either party the agent or representative of the other for any purpose whatsoever.
Schedule 1 Services
The Supplier agrees to provide the following Services to the Client:
1) Payroll runs in monthly cycles. If an employee starts or ends their employment during any payroll cycle their first or last payment will be processed to or from the date advised by the Client.
2) Agree deadlines for all payroll input data to be received for each pay date. The Supplier requires all input data to be received by this deadline. After the deadline the Supplier will process the wages for the forthcoming pay date as per the previous pay date instruction. Any instructions received after the deadline where the Client requires another payroll to be processed will result in the Client being invoiced for a further pay run.
3) Process payrolls at the rate agreed with the Client and as detailed in the Contract Details. The Client will be invoiced in accordance with the payment terms provided for in the Contract Details and the charge will be calculated in accordance with their employee numbers, the frequency of their pay runs and any additional sums which have been previously agreed between both parties. If a Client requires additional services, these will be quoted for and a rate agreed prior to the commencement of any work relating to these additional services.
4) If the Client implements changes in employment arrangements with any of its employees at a time later than the agreed cut off dates and times, and where these changes result in a significant amount of extra work, the Supplier reserves the right to charge an additional fee to cover the cost of the additional work.
5) In the sole opinion of the Supplier, where a Client’s circumstances result in a considerable increase in work for the Supplier subject to notification by the Supplier to the Client, the Supplier reserves the right to make an additional charge for the increased work.
6) Should a dispute arise between the Client and one of its employees, the Supplier will act on the Client’s instructions. The Supplier will not withhold any information from the employee if that employee has a statutory right to that information.
7) The Supplier reserves the right to inform an employer if their intended course of action in any dispute contravenes any employee’s statutory rights and will refuse to carry out such instructions if this is the case.
8) The Supplier shall not be responsible for any inaccurate and incomplete Client Material, including the holiday calculations.
9) The Supplier will only provide a payroll processing service subject to the regulations as directed by HMRC at the relevant time. This includes employee employment regulations and rules governing director PAYE status.
10) The Supplier will not enter into discussions with any of its Client employees. Any such queries will only be discussed with the Client director or nominated payroll administrator.
11) The Supplier will contact HMRC to de-register the Client’s PAYE scheme at the end of the Client’s final employment of staff, only at the request of the Client in writing either by letter or email. The Supplier will not cancel a Client’s PAYE scheme without this instruction and will not accept any consequences arising from the Client’s failure to notify the Supplier of its closing instructions.
12) Check that the Client has submitted all data due to be processed for each relevant pay period.
13) The Client shall be required, in order for the Services to be performed, to upload all payroll data to the e-PayWindow portal to ensure the security of their employee data. If data is emailed, security of such data shall be at the Client’s own risk. The Supplier shall contact the Client by telephone or by any other reasonable means if data has not been received from the Client by the agreed time and will seek to ensure that all relevant data is received after having requested that the Client submits the said data.
14) The Client’s data will be transferred to the Supplier by no later than 25th day of the month in respect of monthly paid employees if the payment date falls at the end of each calendar month. In the event of a difference in the pay date, the deadline will change as agreed between the parties.
15) Process the Client’s data via their payroll system.
16) All payroll reports will be sent securely to the Client via the Supplier’s e-PayWindow portal.
17) Any queries from the Client arising from the processed data and reports will be dealt with in a timely manner.
18) Comply with HMRC’s RTI reporting requirements on behalf of the Client.
19) All tax year-end processing will be returned electronically to HMRC and the P60s will be sent to the Client and its employees by the due date set by HMRC. The Supplier will treat all employee data received from the Client in strict confidence, with full reference to applicable data protection legislation from time to time.
20) Respond to queries from the Client, HMRC or any third parties which are relevant to the processing and administration of the Client’s payroll.
21) Process the Client’s pension in accordance with the rules of their pension scheme and the legislation on auto enrolment.
22) Ensure that there is a compliant audit trail for the Client’s pension scheme, but the Client accepts that the onus for compliance rests with the Client.
Payroll and auto-enrolment processing
1) Payroll
The Supplier shall:
1. Receive payroll information from the Client on a monthly basis and input all data required to calculate the net pay for all employees.
2. Production of payslips on a monthly basis.
3. If applicable, preparation of submission for payment to the employees’ bank accounts or any other payment method.
4. Calculate the PAYE, including all statutory deduction,
5. Receive New Starter sheets and add any new employees to the Client’s payroll.
6. Terminate any leavers via the Client’s payroll.
7. Process P45s and submit to relevant employees, and HMRC.
8.
9. Respond to any general queries relating to payroll processing on the same day if the query is received before noon, or the following working day if the query is received after noon. Any queries on holiday pay or statutory payments will be responded to within 2 working days.
2) Auto Enrolment
The Supplier shall:
1. Complete and check and set up the Client’s pension scheme in the payroll software by their Staging Date.
2. Transfer existing information relating to the Client’s pension scheme if the Client has already staged.
3. Assist in the completion of the Declaration of Compliance, or in the re-Declaration of Compliance
4. Process pensions within payroll or independent of payroll where relevant.
5. Assess employees on an ongoing basis.
6. Process opt-outs and opt-ins.
7. Provide pension provider feeds.
8. Upload pension provider feeds.
9. Manage re-enrolment.
10. If applicable, provide pension documentation to employees.
3) Reporting
The Supplier shall:
After processing each payroll period, provide reports to the Client in a pre-agreed format by 5pm on the working day following the payroll processing day.
Schedule 2 Data Protection Policy
1) Objective
This policy sets out how much Pay-Nex Limited uses and protects any information that you give us for the provision of processing payrolls and pensions. Pay-Nex Limited is committed to ensuring that your privacy is protected. Pay-Nex Limited is committed to protecting and respecting your privacy.
We process information given to us by other parties. In order to do this, we enter into contracts with organisations such as accountants and employers and it is those organisations that control the personal data and have responsibilities as the data controller. This policy applies to all personal information however it is collected, recorded and used – whether on paper, in a computer storage system or recorded on other material.
The object of this policy is to ensure Pay-Nex Limited complies with the UK General Data Protection Regulation (GDPR) which sets out the key principles, rights and obligations for most processing of personal data, and the Data Protection Act 2018 (DPA) which further sets out the data protection framework in the UK.
2) GDPR
2.1 What is GDPR
GDPR codifies and unifies privacy laws, and applies to:
(a) any company doing business with a citizen of the EU;
(b) all companies processing the personal data of subjects residing in the EU, regardless of the company's location.
2.2 Why does GDPR matter?
Penalties for non-compliance with the GDPR regarding the collection and use of personal data are potentially devastating. Failure to comply may attract a penalty of €20 million or 4% of the total company annual turnover, whichever is greater. The most likely source of risk is a data incident, a whistle-blower or a competitor.
2.3 What is data and consent?
Personal data is defined as any information related to a natural person that can be used to directly or indirectly identify that person, called data subjects.
Consent – companies must seek consent from Data Subjects to handle their personal data in a clear fashion.
2.4 Summary of the 10 GDPR requirements
(a) Lawful, fair and transparent processing – this means that in processing personal data, Pay-Nex must do so:
(i) Lawfully – means all processing should be based on a legitimate purpose;
(ii) Fairly – means companies take responsibility and do not process data for any purpose other than the legitimate purposes; and
(iii) Transparently – means that companies must inform data subjects about the processing activities on their personal data.
(b) Limitation of purpose, data and storage – Pay-Nex is expected to limit the processing, collect only the data which is necessary, and not keep personal data once the processing purpose is completed. This would effectively bring the following requirements:
i. Forbid processing of personal data outside the legitimate purpose for which the personal data was collected;
ii. Mandate that no personal data, other than what is necessary, be requested;
iii. Ensure that the personal data is deleted once the legitimate purpose for which it was collected is fulfilled.
(c) Data Subject Rights – the Data Subjects have been assigned the right to ask the company what information it has about them, and what the company does with this information. In addition, a data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.
(d) Consent – as and when the company has the intent to process personal data beyond the legitimate process for which the data was collected, a clear and explicit consent must be asked from the data subject. Once collected, this consent must be documented, and the data subject is allowed to withdraw his consent at any moment.
Also, for the processing of children's data, GDPR requires explicit consent from the parents or guardians if the child is under the age of 16.
2.5 Personal Data Breaches – organisations must maintain a Personal Data Breach Register and, based on the severity, the regulator and data subjects should be informed within 72 hours of identifying the breach.
2.6 Privacy by Design – companies should incorporate organisational and technical mechanisms to protect personal data in the design of new systems and processes; that is, privacy and protection aspects should be included by default.
2.7 Data Protection Impact Assessment – this needs to be conducted when a significant change is introduced in the processing of personal data.
2.8 Data Transfers – the controller of personal data has the accountability to ensure that personal data is protected and GDPR requirements respected. This means controllers have the obligation to ensure the protection and privacy of personal data.
2.9 Data Protection Officers – when there is significant processing of personal data an organisation should assign a Data Protection Officer (DPO). When assigned, that DPO would have the responsibility of advising the company about compliance with GDPR requirements.
2.10 Awareness and training – organisations must create awareness among employees about the key GDPR requirements and conduct regular training.
3 Responsibilities
Pay-Nex's Business Director is nominated as its data protection officer, responsible for monitoring and managing the systems and processes used to share information with suppliers and for advising its management and employees on the implementation of this policy.
4 Compliance
4.1 Key Principles
The Company will apply, through appropriate management, strict application of these criteria and controls:
a) Observe fully, conditions regarding the fair collection and use of information.
b) Meet its legal obligations to specify the purposes for which information is used.
c) Collect and process appropriate information, only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
d) Ensure the quality of information collected and processed.
e) Apply checks to determine the length of time information is held.
f) Ensure that the rights of people about whom information is held, can be fully exercised in accordance with the data protection legislation.
g) Take and maintain appropriate technical and organisational security measures to safeguard personal information.
h) Ensure that personal information is not transferred abroad without suitable safeguards and appropriate consents and permissions.
i) Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.
j) Set out clear procedures for responding to requests for information.
k) Ensure that personal information is only processed in a manner which is lawful.
4.2 Additional applications
a) There is someone with specific responsibility for Data Protection.
b) Everyone managing and handling personal information understands that they are legally and contractually responsible for following good data protection practice.
c) Everyone managing and handling personal information is appropriately trained to do so.
d) Everyone managing and handling personal information is appropriately supervised.
e) Anybody wanting to make enquiries about handling personal information knows what to do.
f) Queries about handling personal information are promptly and courteously dealt with.
g) Methods of handling personal information are clearly described.
h) A regular review and audit is made of the way personal information is held, managed and used.
i) Methods of handling personal information are regularly assessed and evaluated.
j) Performance of those handling personal information is regularly assessed and evaluated.
4.3 Collection and Use of Data
Pay-Nex will only collect data which is required to allow it to carry out its business. All data subjects will, at the time of collection, be notified of each purpose to which the data is put, the duration it will be held for, and the lawfulness of processing, and no additional data will be collected or stored by Pay-Nex.
4.4 Maintaining and Destroying Data
Pay-Nex will ensure that all personal data will be stored correctly and securely during the time the data is required by the company. Once the data is no longer required the data will be returned, deleted or destroyed.
4.5 Access Requests
Any individual has the right to access, correct, restrict, and transfer their personal information. An individual can send Pay-Nex, in its capacity as data controller, a subject access request requiring Pay-Nex to advise the individual about the personal information Pay-Nex holds about them, where the information was obtained from, and who it is shared with, and to provide them with a copy of that information. Pay-Nex will ensure it responds to all requests in accordance with the GDPR. More details regarding Pay-Nex's obligation to respond to data access requests are contained in Appendix 1.
4.6 Reporting
All staff should report immediately to their line manager in the first instance any observed or suspected incidents where this policy has been breached, so that an investigation into the potential loss can be carried out and procedures can be improved. In the event that a breach is detected, the DPO shall, within the time-frames set out in the data protection legislation, assess the seriousness of the breach and determine whether it is necessary to notify the Information Commissioner's Office or the Information Commissioner's Office and the impacted data subject(s).
Appendix 1
Requests for Information
Data Subjects (individuals about whom data is held on record) can request access to, rectification, deletion, transfer, and confirmation of the personal information processed by Pay-Nex, outside of normal business processes.
Upon receipt of such a request, Pay-Nex will take reasonable steps to confirm the identity of the Data Subject, and Pay-Nex shall, without undue delay, and in any case within 30 days, respond to the request.
Such information will be provided free of charge, unless the requests are manifestly unfounded, excessive or repetitive, in which case Pay-Nex shall be entitled to:
a) Charge a reasonable fee, considering the administrative costs of providing the information or communication or taking the action requested; or
b) Refuse to act on the request.
Data access requests should be passed for handling to Pay-Nex's Director, who will ensure that they are processed fairly in accordance with the Data Protection Legislation.
Responses to data access requests shall be concise, transparent, intelligible and in an easily accessible form, using clear and plain language, considering the specific characteristics of the data subject (e.g., a vulnerable customer or minor). The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.