When looking for an alternative to our current software, Payroll Manager - it handles Auto Enrolment dreadfully - we considered cloud-based payroll bureau software.
The PrimoPayroll (12-page) T&Cs have a clause where you, as the accountant or payroll provider, agree that you have the permission of your clients to share their payroll information outside of the EU - which we definitely don't and, even if we did, it would be madness to do so.
In response to my obvious concerns, PrimoPayroll emailed me to say that they sometimes share with India and that it isn’t a breach of GDPR. Rather patronisingly, they also added that, just because data is held within the EU, that doesn't make it safe.
This is an extract from the Information Commissioner's website concerning International Transfers:
- The GDPR primarily applies to controllers and processors located in the EU (with some exceptions).
- Individuals risk losing the protection of the GDPR if their personal data is transferred outside of the EU.
- On that basis, the GDPR restricts transfers of personal data outside the EU, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data is protected in another way, or one of a limited number of exceptions applies.
- A transfer of personal data outside the protection of the GDPR (which we refer to as a ‘restricted transfer’), most often involves a transfer from inside the EU to a country outside the EU.
So it would appear that I am able to give away my clients’ GDPR rights and those of their employees by blindly accepting 12-page T&Cs. Possibly thousands of people’s rights given away because of an unnoticed clause in a 12-page document.
A plea for diligence...