Data Processing Agreement


Categories of Data Subject:  the employees of UNW LLP’s clients.

Contract: our engagement letter (Letter of Engagement) with you to provide payroll services and the associated terms of business.

Controller, Processor, Data Subject, Personal Data, Special Category Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).

Duration of Processing: for so long as UNW provide the payroll services and during UNW’s retention period for client data, typically seven years after the end of an engagement.

Nature: UNW receives and processes data submitted by You, on Your employees for the purpose of delivering the services under the Contract, namely payroll services.

Purpose: to provide the payroll services set out in the Letter of Engagement.

Scope: Personal Data relating to Your employees in order to provide the services outlined under the Letter of Engagement.

Special Category Personal Data (“SCPD”): nine separate categories of data are recognised as SCPD under the Data Protection Legislation.  We anticipate that two categories of SCPD might be processed by Us when providing You with payroll services, namely:

  1. personal data revealing trade union membership – to enable us to deduct weekly/monthly trade union subscriptions
  2. data concerning health – to enable us to process statutory or other sickness payments.

Types of Personal Data: name, home address, email address, date of birth, employment status, National Insurance Number, tax code, bank details, days worked/sick, fit note information, trade union information, maternity/paternity/adoption leave details, salary and deductions.  This list is not exhaustive and other Personal Data may be provided to Us by You to enable Us to provide the payroll services.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

We/Us/Our: UNW LLP (“UNW”).

You/Your:  UNW client.

Data protection

1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This paragraph is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.

1.2 In respect of relevant services set out in the Letter of Engagement and subject to the matters set out in the Terms of Business, the parties acknowledge that for the purposes of the Data Protection Legislation You are the Controller and We are the Processor.

1.3 Without prejudice to the generality of paragraph 1, You will ensure you have all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Us for the duration and purposes of the Contract (as defined in the Terms of Business). The details of the duration, nature, purposes and scope of processing are set out in the definitions above.

1.4 Without prejudice to the generality of paragraph 1, We shall, in relation to any Personal Data processed in connection with the performance by Us of services under the Letter of Engagement:

a) process that Personal Data only on Your documented written instructions unless We are required by any applicable law, regulation or professional obligations to otherwise process that Personal Data;

b) Ensure We have in place suitable technical and organisational measures to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures;

c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

d) not transfer any Personal Data outside of the UK or EEA unless we have notified you in writing in advance and the following conditions are fulfilled:

  • i. one of the parties hereto has provided appropriate safeguards in relation to the transfer;
  • ii. the data subject has enforceable rights and effective legal remedies;
  • iii. We comply with our obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
  • iv. We comply with reasonable instructions notified to us in advance by You with respect to the processing of the Personal Data;

e) provide You with reasonable assistance, at Your cost, in responding to any request from a Data Subject and in ensuring compliance with Your obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

f) notify You without undue delay on becoming aware of a Personal Data Breach;

g) at Your written direction, delete or return Personal Data and copies thereof to You on termination of the agreement unless required by applicable laws, regulations or professional obligations to store the Personal Data; and

h) maintain complete and accurate records and information to demonstrate Our compliance with this paragraph.

1.5 You consent to Us appointing any suitable providers as a third-party processor of Personal Data under this Contract. We confirm that where We appoint third-party processors We have entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business and in either case which We confirm reflect and will continue to reflect the requirements of the Data Protection Legislation. As between You and Us, We shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this paragraph. However, the foregoing does not extend to any third party public cloud service provider e.g. Microsoft Office 365.

1.6 We may, at any time on not less than 30 (thirty) days’ notice, revise this Data Processing Agreement by replacing it with any applicable controller to processor standard clauses or similar terms adopted under the Data Protection Legislation or forming part of an applicable certification scheme (which shall apply when replaced by attachment to the Contract).

This page was last updated on 05 June 2023