digiID PAY is committed to upholding and maintaining the most up-to-date data protection good practices.
We have a dedicated cross-functional General Data Protection Regulation (GDPR) team headed up by partner Steve South. Steve is responsible for digiID PAY’s IT and data security and compliance matters. The other team members represent the areas of HR, payroll and marketing. The team meets regularly to consider and discuss practical issues and any additional guidance which has become available.
Since GDPR came into force on 25 May 2018, we’ve reviewed all of our data for clients (current and ceased), employees, suppliers, prospects etc. to ensure that we are compliant. With this in mind, we maintain commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of the client personal data and against accidental loss or destruction of, or damage to, the client personal data.
For the purpose of this policy document, ‘client personal data’ means any personal data provided to us by our clients, or on their behalf, for the purpose of providing our services to them in accordance with the terms of our engagement with them. ‘Data protection legislation’ means all applicable privacy and data protection legislation and regulations, including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), known as PECR, the GDPR and any applicable national laws, regulations and secondary legislation in the UK relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time.
In respect of client personal data, provided that we are legally permitted to do so, we shall promptly notify clients in the event that:
a. we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of our processing of their personal data;
b. we are served with an information, enforcement or assessment notice (or any similar notice), or receive any other material communication in respect of our processing of the client personal data from a supervisory authority as defined in the data protection legislation (for example, in the UK, the Information Commissioner’s Office); or
c. we reasonably believe that there has been any incident which resulted in the accidental or unauthorised access to, or destruction, loss, unauthorised disclosure or alteration of, the client personal data.
We are independent data controllers in relation to client personal data and we only process this type of data for the following reasons:
a. in order to provide our services to our clients and perform any other obligations in accordance with our engagement with them;
b. in order to comply with our legal or regulatory obligations; and
c. where it is necessary for the purposes of our legitimate interests and those interests are not overridden by the data subjects’ own privacy rights. Our privacy notice [hyper link] contains further details as to how we may process client personal data.
For the purpose of providing our services to our clients, in accordance with the terms of our engagement, we may disclose client personal data to our regulatory bodies or other third parties (for example, our professional advisers or service providers). The third parties to whom we disclose such personal data may be located outside of the European Economic Area (EEA). We will only disclose client personal data to a third party (including a third party outside of the EEA) provided that the transfer is undertaken in compliance with the data protection legislation.
The types of client personal data we process
Full names, dates of birth, addresses, nationalities, unique taxpayer references, PAYE codes and National Insurance numbers.
The categories of data subject to whom the client personal data relates
Client employees, client customers and client suppliers.
In respect of client personal data, unless otherwise required by applicable laws or other regulatory requirements, we shall:
a. process the client personal data only in accordance with our clients’ lawful written instructions, in order to provide them with the services pursuant to our engagement with them and in accordance with applicable data protection legislation;
b. disclose and transfer the client personal data to our regulatory bodies or other third parties (for example, our professional advisers or service providers) as and to the extent necessary in order to provide our clients with the services pursuant to our engagement with them in relation to those services;
c. disclose the client personal data to courts, government agencies and other third parties as and to the extent required by law;
d. maintain written records of our processing activities performed on behalf of our clients which shall include:
i) the categories of processing activities performed;
ii) details of any cross border data transfers outside of the European Economic Area (EEA);
iii) a general description of security measures implemented in respect of the client personal data;
e. return or delete all the client personal data upon the termination of our engagement with a client pursuant to which we agreed to provide services;
f. ensure that only those staff who need to have access to the client personal data are granted access to it and that all of the staff authorised to process the client personal data are bound by a duty of confidentiality;
g. where we transfer the client personal data to a country or territory outside the EEA to do so in accordance with data protection legislation;
h. with prior written notice, allow clients, on an annual basis and/or in the event that we notify them of a personal data breach in respect of the client personal data, reasonable access to the relevant records, files, computer or other communication systems, for the purposes of reviewing our compliance with the data protection laws.
We work on the basis that our clients have all the necessary appropriate consents and notices in place to enable the lawful transfer of client personal data to us.
In common with other professional services firms, we are required by the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017 to:
a. maintain identification procedures for clients, beneficial owners of clients and persons purporting to act on behalf of clients;
b. maintain records of identification evidence and the work undertaken for the client; and
c. report, in accordance with the relevant legislation and regulations.
Should you require any further detail regarding our treatment of personal data, please contact service@digiID.com.
Copyright © 2023 digiID PAY - All Rights Reserved.