Privacy Notice
Data Classification: Public Data
Author: Regulatory Compliance Manager
Approval: Legal Director
Last updated February 2024
We take data protection seriously and this Privacy Notice explains how we use any personal information we collect about you.
Background
This Privacy Notice explains how we hold, collect and process your personal information in accordance with data protection laws. It explains why we collect personal information, what we collect, how we use it, who we share it with and how we protect it. It also details the rights available to you in relation to your personal information, how to exercise those rights and what to do if more information is required.
It is important that you read and retain this notice, together with any other notice we provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using that information and your rights. We shall keep this notice under regular review.
This notice applies to all personal information we collect and process in the context of providing to our end clients and recruitment business partners (“Clients”) our umbrella employment, CIS, accountancy, personal tax, payroll, employment Screening and any other services we may choose to offer from time to time (“Services”). It describes our independent privacy and data processing practices as a Data Controller (as defined by Article 4(7) of the UK GDPR) with respect to the Services provided to our Clients.
This notice does not apply to personal information provided or collected by us in respect of employees, workers or contractors being referred or otherwise by our Clients (“Worker Information”).
Any reference to “personal information” in this notice means any information relating to a living individual, from which that living individual can be identified directly or indirectly (in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person). We do not consider anonymous data, or data where the identity of the individual has been irretrievably removed, personal information.
Who are we?
PayStream Accounting Services Limited (“PAS”) is the entity which employs internal staff to provide Services to its Clients. PAS is part of the PayStream group of companies at Mansion House, Manchester Road, Altrincham, WA14 4RW, which we refer to as ‘us’ and ‘we’ in this Privacy Notice.
How do we obtain your personal information?
You may have provided personal information to us directly. Alternatively, another recruitment business or end client may provide and confirm personal information to us such as your name and contact details in order for us to offer to you our Services.
Typically, personal information is collected and stored within our internal IT system, or on our online portal(s). In some instances, personal information may also be provided to us via email, post or over the phone. We endeavour to keep safe any personal information that we collect, however it is obtained.
What personal information do we hold?
We may collect and hold a range of personal information about you which is relevant to the provision of our Services and we may need to continue to collect additional personal information throughout the period of time our Services are offered. The type and volume of data we hold is dependent on the Services and contract we hold with our Client. During our onboarding processes and in some instances throughout the engagement with our Clients, we may collect personal information about you which is relevant to the provision of the Services including but not limited to:
- Personal details, including name or job title;
- Contact details and preferences, including postal address, email address, mobile and phone numbers (these usually relate to the employment with your employer i.e. your work email address and contact details (unless you provide otherwise and where applicable);
- Information relating to the engagement (for instance, contract start and end dates and related information)
- Any disputes such as complaints or claims (where applicable);
- All incoming and outgoing calls;
- All incoming and outgoing emails that you send to us from a known email address;
- Information about the Internet Protocol (IP) address of devices used to access our website, online software and/or app, along with user information where certain actions are performed (such as when a user selects a certain option during the registration process for instance). Where you use the online software or app, certain anonymous information about the device you are using is also recorded automatically, such as the operating system, device settings, unique device identifiers and crash data (data analytics). The type of information collected depends on the type of device you are using. To learn more about what information your device makes available to us, please check the policies of your device manufacturer or software provider.
Why do we need your personal information?
There are various reasons why we need to collect, store and use your personal information. Typically, we need your personal information for us to discharge our contractual duties and for our legitimate interests.
Generally:
- Prior to Services being provided, we need personal information in order to arrange any contract we may hold with you. Where necessary, we may email you reminders to complete contractual documentation for instance.
- We need to retain your personal information securely to comply with our contractual obligations, manage the contract with our Client, provide the agreed Services and respond to queries for instance. Depending on the Services requested by our Client, we need personal information to:
- Carry out processing required to fulfil our contractual obligations;
- Supply any additional services that our Client may purchase from time to time;
- Send statements and invoices as necessary;
- Take details and manage complaints;
- Keep you informed on updates relating to any aspect of the Service(s);
- Send marketing communications (in accordance with your contact preferences).
- When the Services have been provided and our contract with our Client has terminated, we retain your personal information in our legitimate interests, in accordance with our Retention Schedule (See the “How long do we hold your personal data for?” section below).
In all cases, we only collect, store and/or process your personal data where we have a lawful basis to do so. The lawful basis for our collection and use of your personal information may vary depending on the manner and purpose for which we collected it. Most commonly, we will collect, store and/or process personal information where it is necessary for our legitimate interests in a way that you might reasonably expect to be a part of running our business and that does not significantly impact your interests, rights, and freedoms. For example:
- We may, for instance, ask you to participate in surveys, although this will be voluntary. We use surveys, reviews and marketing tools to get your feedback and make continuous improvements.
- The website and portal uses cookies to help provide you with the best experience we can. Cookies are small text files that are placed on your computer or mobile phone when you browse websites. For more information see here: https://www.paystream.co.uk/footer/cookie-policy/
Further detail regarding why we require personal information is recorded below:
| Personal Information | Primary Reason Obtained | Lawful Basis |
|---|---|---|
| Personal details, such as name, job title, address | To contact you, in respect of Services being provided. | Performance of a contract Legitimate Interests |
| Contact details and preferences, including postal address, email address, mobile, home and work phone numbers (where applicable); | So that we (and in certain circumstances, our third-party providers) can contact you in relation to the Services and in our legitimate interests. We may for instance send marketing to you. If you don’t want to receive marketing contact from us you can let us know at any time. | Performance of a contract Legitimate Interests |
| Any disputes such as investigations or complaints; | In our legitimate interests | Performance of a contract Legitimate Interests |
| All incoming and outgoing calls and all incoming and outgoing emails that you send to us from a known email address; | For quality and audit purposes and for use where necessary in dealing with queries, complaints and legal issues if they arise | Legitimate Interests |
| Cookies and information about the Internet Protocol (IP) address of devices used to access our website, online software, along with user information where certain actions are performed (such as when a user selects a certain option during the registration process for instance); and anonymous information about the device you are using, such as the operating system, device settings, unique device identifiers and crash data (data analytics). | In order for us to monitor the level of activity and service we provide and to improve the portal. See our Cookie Policy for more information around our use of cookies | Legitimate Interests |
Note, the lists provided in this section are not exhaustive. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. There may also be additional or new legal requirements for instance that we or you need to adhere to from time to time which mean we are required to obtain and process your personal information.
We may also need to process your personal information without your knowledge or consent where this is required or permitted by law, and may use your personal information in the following situations; however, these are likely to be rare:
- Where have your explicit consent
- Where we need to protect your interests (or someone else’s interests)
- Where it is needed in the public interest or for official purposes
How long do we hold your personal data for?
Personal information collected by us will be held for as long as it is required to fulfil the purpose it was collected and to protect our business and our rights.
Under some circumstances we may anonymise your personal information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.
How will we use the information about you?
We have an internal IT system which our internal staff use to make notes. If for example, we are awaiting certain information from you, we may record this activity on the system.
In certain circumstances, we may also need to share your information with others including third-party providers who provide services to us or on our behalf. We will do so where we are required by law, to assist us with administering the contract with our Client, or where it is otherwise in our legitimate interests to do so. We only permit third parties to process your personal information for specified purposes in accordance with our instructions. Where we share data externally, we do this securely so as to reduce the likelihood of any data breach and we require third parties to respect the security of your data and to treat it in accordance with the law.
The most common reasons we may disclose your personal information are outlined in the table below:
| Who may receive your personal information? | Reason | Lawful Basis |
|---|---|---|
| Approved 3rd parties: | To provide information to third parties, where you have notified us that you wish us to provide do so. We will share the required information in accordance with your instructions. | |
| Business Partners | We may pass your details on to business partners where believe there could be a benefit to you | |
| External organisations as necessary for the purposes of the detection and prevention of crime (including financial crime and fraud) and credit risk reduction; insurance and other claims | To comply with any legal obligation or duty, to enforce or apply our contract with you, terms of use or other agreements, or, to protect the rights, property, or safety of us, our subcontractors, employees, clients, customers or others. This may include, but is not limited to, sharing information with our insurance broker, insurance underwriters or other third parties who may be investigating debt, legal and/or tax issues. In the unlikely event that you owe us money, we will take steps to recover our funds which may involve sending your information to an external debt collection agency. Where you owe us money but we cannot locate you, we may send relevant information relating to you to an external tracing service. | |
| Professionals and other advisers | We may share or disclose personal information to professional advisers we engage for any reasonable purpose in connection with our business, including assistance in protecting our rights | |
| Other external bodies | In limited circumstances, we may be required by law to disclose personal information to external bodies, such as local authorities and government departments. In these cases, we will only disclose the minimum amount of information required to satisfy our legal obligation. However, once the information is disclosed, we will not be able to control how it is used by those bodies. | |
| Our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006. | To comply with our legal obligations, to manage and fulfil our contract and or otherwise for our legitimate interests, we may disclose your personal information to any member of our group | Legal Obligation Legitimate Interests |
| Auditors and/or compliance assessors | In order to demonstrate our compliance, we may need to share your personal information in response to requests we receive from third parties, such as external auditors and compliance assessors . Depending on the circumstances, this may be a legal obligation and/or in our legitimate interests. Where we do disclose personal information for such purposes, we will do this securely where possible so as to reduce the likelihood of any data breach | Legal Obligation Legitimate Interests |
| Prospective seller(s) or buyer(s) of our business or assets | In the event that we sell or buy any business or assets, we may disclose your personal information to the prospective seller and/or buyer. If our company, or substantially all of its assets are acquired by a third party, personal information held by it will be one of the transferred assets | Legitimate Interests |
| Social Media followers and/or other individuals we engage or employ | In the event you win one of our competitions for example, we may share your name (only) within a marketing campaign, either on social media or by email to our social media followers or other individuals we engage or employ | Legitimate Interests |
| Third Party Software and Service Providers/Other Suppliers | ||
| In some instances, we use external providers, persons or companies who provide products or services to allow us to operate as a business and fulfill our contract with you, including administering or managing our contract. For example, we use: | ||
| Workflow Management and Sales Software | To ensure alignment, efficiency, and productivity in respect to our Services and sales. | Legitimate Interests |
| Online payment software | To allow us to take payments from you where needed by card or online. | Legitimate Interests |
| VAT verification software | We may use the HMRC site to validate VAT information for UK companies by passing in a VAT registration number and returning that companies details, to make sure that they match up. We may also use an external company to validate VAT information for non-UK companies by passing in a VAT registration number and a country to ensure the company’s details match up. This requires a company registration number and a country code. | Legitimate Interests |
| Online form filling and document signing software providers | To allow us to collect data and information from you in order to provide our services. Data provided to us via such software is forwarded to us securely. | Legitimate Interests |
| Text Message provider | To allow us to send text messages to you. The data required for this includes the receiving phone number, and any information contained in the text message | Legitimate Interests |
| Data Storage Providers (Including cloud providers) | To back up and store data and documents we hold (including expense receipts, timesheet attachments, and invoices/credit notes). All data is stored in UK data centres and sensitive documents will have additional encryption | Legitimate Interests |
| Data Sanitisation, Security and Destruction providers | To sanitise, secure and archive all inbound, internal and outbound emails. All emails undergo various best-practice checks / processes and the content is scanned for malicious content / markers. We also use an external company for document destruction services. They help ensure that client and confidential business information is kept secure at all times as legally required. | Legitimate Interests Legal Obligation |
| HTML to PDF software | We may use a self-hosted service which converts HTML pages to a PDF document which can be downloaded by the end user. It is used to generate audit reports, timesheets and invoices. This includes all the data on the audit report, timesheet or invoice. For the audit report, this includes personal information, case information and the information on each step. For timesheets, this includes assignment data. For invoices, this includes bank account and address information. | Legitimate Interests |
| Postcode checking software | We may use software from time to time to return valid addresses based on incomplete search terms, such as company name, postcode or first line of an address. This involves sharing a search term, usually a postcode. | Legitimate Interests |
| Email Software | We use an external software provider to send emails from within the portal, or as part of other actions, such as notifying users when the status of a case changes. This involves the email address of the recipient(s), any attachments, the subject line and the content of the email. | Legitimate Interests |
| Document display software | We may from time to time use a self-hosted service that displays documents in a viewer, adds form elements on top of existing documents and allows users to fill in form data, and then “burn” the data into a final document. If we do, then this will involve sharing the document which is being viewed or turned into a form. | Legitimate Interests |
| Marketing and Analytics | ||
| We may also share personal information with third parties in our legitimate interests for marketing and business analysis purposes. For instance, we may share personal information with: | ||
| Marketing software provider(s): | To manage and send out emails and marketing campaigns, in an efficient, targeted, secure and easy way via email and marketing automation software in line with our legitimate interests. This may involve uploading your name, email address and the internal ID we have allocated you. | Legitimate Interests |
| Review and Feedback provider(s) | To collect your feedback and to improve our services and products. We will share your name, email address and reference number with them in order for them to contact you via email to invite you to review any services and/or products you received from us. In some instances, your IP address may be collected, stored and/or accessed by us and our external supplier where you complete a survey that has been sent to you. We may also use such reviews in other promotional material and media for our advertising and promotional purposes. | Legitimate Interests |
| Data Analytics Software provider(s) | To allow us to attribute generated revenue to each website channel. We use an external supplier to provide Marketing Analytics Software via the use of a tracking cookie on our website. The processing involves matching data (such as your name, email address or telephone number) with data that the provider gathers and stores via the tracking cookie. We may use software to look up a geographical location of a user based on their IP address. | Legitimate Interests |
| Web Journey Tracking Software provider(s) | To identify the webpage(s) a user has visited on our website before calling our business, via the use of a tracking cookie. The software supplies information of a user’s web journey, and passes the contact number that calls our office via the website into the call tracking platform, where a copy of the number along with the web page the call was made from is stored. | Legitimate Interests |
As well as within the United Kingdom, personal information may be transferred to and processed in other jurisdictions where our third-party suppliers have operations. Whilst it is expected that any transfer of personal data will usually remain within the EEA in the vast majority of cases, on the rare occasion personal information is required to be transferred to a country outside the EEA without adequate data protection laws, then unless an exemption for restricted transfers apply, we will ensure such transfers are made in compliance with the requirements of relevant data protection laws (for example, by putting in place Standard Contractual Clauses where applicable).
How we protect your Personal Data
We take data protection seriously and we recognise the importance of personal information entrusted to us. We are committed to safeguarding the privacy and security of the information that we gather concerning our prospective, current and former Clients.
We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal information against accidental loss and unauthorised access, use, alteration, or disclosure. We keep our computer systems, files and buildings secure by following legal requirements and security guidance, make sure that all staff are trained on how to protect personal information and that our processes clearly identify the requirements for managing personal information. We regularly audit our systems and processes to ensure that we remain compliant with our policies and legal obligations.
All personal information will be treated with the utmost care and we take steps to ensure that all information we collect about you is adequate, relevant, not excessive, and processed for limited purposes.
Whilst we may not seek explicit consent from you for processing your personal information, we will only do so in accordance with this Privacy Notice, unless otherwise required by applicable law. In the unlikely event that we need to use it in a significantly different way, we will provide you with an updated Privacy Notice.
Your rights
You have a number of rights in respect of your personal information.
Right of access: You have the right to request a copy of the information that a data controller holds about you. There are some limitations (for example, if the data also relates to another person and we do not have that person’s consent, or if the data is subject to legal privilege).
If you request a copy of information held by us, and there is data that we cannot disclose, we will explain this to you. We may refuse to comply or charge a reasonable fee if your request is clearly unfounded or excessive. We may need to request specific information to help us confirm your identity and ensure your right to access the information. This is an appropriate security measure to ensure that information is not disclosed to any person who has no right to receive it. If you would like a copy of some or all of your personal information, please email our Privacy Team.
Right to rectification: We want to make sure that your personal information is accurate and up to date. Please ask us to correct or remove information you think is inaccurate.
Right to erasure: In certain circumstances, you may have the right to have some or all of your personal information deleted from our records. This does not provide an absolute ‘right to be forgotten’ and applies only in these specific circumstances: where your personal information is no longer necessary in relation to the purpose for which it was originally collected/processed, you withdraw consent, you object to the processing and there is no overriding legitimate interest for continuing the processing, we unlawfully processed your personal information and, where your personal information has to be erased in order to comply with a legal obligation. You can request deletion of your personal information, by contacting our Privacy Team.
Right to restrict processing: Where a data controller has based processing on its legitimate interests, you have the right to object to the processing or restrict processing of your information in this way. The legitimate interests will need to be shown as sufficiently compelling to override your interests or rights, or that purpose is to establish or defend legal claims.
Right to data portability: Where a data controller has based processing on the performance of a contract, you will have the right to receive information from them in a structured, commonly used way and have the right to send this to someone else.
Right to object: You have the right to object to processing of your personal data in certain circumstances. If you have provided consent to the collection, processing and transfer of your personal data for a specific purpose, you can withdraw consent for that specific processing and data will no longer be processed for the purpose(s) you originally agreed to, unless there is another legitimate basis for doing so in law.
Rights related to automated decision-making including profiling: We do not envisage that any decisions will be taken about you using solely automated means. Should this change, you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis and have notified you. If we make an automated decision based on any sensitive personal information, we will request your explicit written consent unless this is justified in the public interest, with appropriate measures in place to safeguard your right.
How to contact us
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal information changes. If you fail to provide certain information when requested, we may not be able to perform the contract we have with you, or we may be prevented from complying with our legal obligations.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data (including if you wish to opt out of direct marketing), want to request that we transfer a copy of your personal information to another party, or, if you have any questions about our Privacy Notice or the information we hold about you, please contact the Privacy Team:
- By Email: privacyteam@paystream.co.uk, or
- By Post: Privacy Team, PayStream, Mansion House, Manchester Road, Altrincham, WA14 4RW.
If you are unhappy with the way we use your personal information, we would appreciate the opportunity to respond to your concerns directly in the first instance. You also have the right to complain to the Information Commissioner’s Office (ICO) via their website: Information Commissioner’s Office (ICO).