Data Protection | Practical HR

This data protection policy applies generally to any data held by Practical HR and for data relating to clients.

Practical HR places the highest importance on personal data, information security and confidentiality; and we are committed to complying with Data Protection laws and regulations.

We will process data relating to clients on the terms set out in this document that forms our Data Protection policy. This policy will act as a written agreement between Practical HR and the Client for the purposes of EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3).

We will act as a Data Processor for clients, for any personal data provided to Practical HR relating to the employees of clients. Such data (referred to as Personal Data in this agreement) may be provided to Practical HR to enable advice to be provided and to carry out our contractual obligations to the Client. This may include personal data (e.g., name, address, contact details, dates of birth, sensitive personal data) as well as employment data (e.g., terms of employment, salary, absence records etc).

Please note that Practical HR record telephone conversations with clients for quality and training purposes. These will be managed in line with the Practical HR data protection policy and recordings will generally be deleted after 12 months unless there is an ongoing case relating to the call.

The Client may provide Personal Data in relation to any of the services outlined above (see general terms).

Practical HR (the Data Processor) will only process such data from clients (the Data Controller):

for the purposes of providing Services and not for any other purpose.
to the extent and in such a manner as is necessary for those purposes; and
strictly in accordance with the authorisation and instructions of the Client (the Data Controller), which may be specific instructions or instructions of a general nature or as otherwise notified by the Client to Practical HR.

Data Protection Compliance

Practical HR shall act only on instructions from the Data Controller unless required by law to do otherwise (as per Article 29 of the GDPR).

Practical HR will promptly comply with any request from the Data Controller requiring Practical HR to amend, transfer, delete, or otherwise dispose of the Personal Data. Practical HR will transfer all Personal Data to the Client (or make data available) on the Client’s request in the format agreed.

Both Parties shall always comply with GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under GDPR.

The Client hereby warrants, represents, and undertakes that the Personal Data shall comply with GDPR in all respects including, but not limited to, its collection, holding, and processing.

Practical HR will provide reasonable assistance to the Client in complying with its obligations under GDPR with respect to the security of processing, the notification of personal data breaches and in dealings with the Information Commissioner’s Office (ICO). Costs associated with complying with such obligations shall be met by the Client and will be invoiced at the current consultancy rates.

When processing the Personal Data on behalf of the Client, Practical HR will:

not process Personal Data outside the United Kingdom or European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) without the prior written consent of the Client;
not transfer any of the Personal Data to any third party without the written consent of the Client (save for third parties notified in this agreement – see sub-processors);
implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure;
make available to the Client a compliance statement outlining Practical HR’s steps to ensure compliance with GDPR.

Data Subject Access, Complaints and Breaches

Practical HR will, at the Client’s cost, assist the Client and co-operate fully with the Client in complying with its obligations under GDPR with regard to data subject access requests, complaints and data breaches.

Practical HR will notify the Client without undue delay if it receives:

a subject access request from a data subject and provide the Client with full details of the complaint or request;
provide information and assistance in order to comply with a subject access request;
provide the Client with any Personal Data it holds in relation to a data subject (within the timescales required by the Client); and
advise the Client of any complaint or requests relating to the processing of the Personal Data.

Practical HR will notify the Client immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.

Responsible Person for Data Protection

The Data Processor has appointed Fiona Haworth to be responsible for Data Protection relating to clients’ Personal Data. Paula Fisher is responsible for all other areas of Data Protection within Practical HR.

Liability and Indemnity

The Client shall be liable for, and shall indemnify (and keep indemnified) Practical HR in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees), or damage suffered or incurred by, awarded against, or agreed to be paid by, Practical HR and any Sub-Processor arising directly or in connection with:

any non-compliance by the Client with the GDPR or other applicable legislation;
any Personal Data processing carried out by Practical HR or Sub-Processor in accordance with instructions given by the Client that infringe the GDPR or other applicable legislation; or
any breach by the Client of its obligations under this Agreement, except to the extent that the Data Processor (or Sub-Processor) is liable.

Practical HR shall be liable for, and shall indemnify (and keep indemnified) the Client in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or damage suffered or incurred by, awarded against, or agreed to be paid by, the Client arising directly or in connection with Practical HR’s Personal Data processing activities that are subject to this Agreement:

only to the extent that the same results from Practical HR’s or a Sub-Processor’s breach of this Agreement.

Nothing in this Agreement shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under GDPR. Furthermore, Practical HR hereby acknowledges that it shall remain subject to the authority of the Information Commissioner’s Office (ICO) and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the GDPR may render it subject to the fines, penalties, and compensation requirements.

Confidentiality

Practical HR shall maintain the Personal Data provided by the Client in confidence. All employees and Associates of Practical HR are subject to confidentiality agreements in respect of GDPR and Personal Data. Practical HR shall not process or make any use of any Personal Data supplied to it by the Client other than in connection with the provision of the Services.

Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

Appointment of Sub-Processors

Practical HR shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Client (such consent should not be unreasonably withheld).

Practical HR will use the following Sub-Processors and third parties to deliver products and services:

Associates to Practical HR;
Developers who build and maintain the Practical HR products (e.g., YourHR.space, Professional Templates), third parties used for technical services relating to IT, storage/servers etc; third parties used for communication and administration purposes e.g., Mailchimp, Adobe Sign, in-house database and CMS systems, online accounts packages, accountants).

If Practical HR appoints other Sub-Processors, the Data Processor shall:

ensure the Sub-Processor (or third party) has provided a clear statement to confirm they fully comply with their obligations under GDPR.

Deletion and/or Disposal of Personal Data

Practical HR shall delete (or otherwise dispose of) the Personal Data (and any copies of Personal Data held) in line with the Practical HR Data Retention Policy or as required by law.

Practical HR will not retain data for longer than is required and in order to fulfil our contractual obligations with the Client. There will be varying retention periods for different data. As a general rule, PAYG clients’ data will only be held for 6-12 months following the end of any Service (which may be support with a particular employment situation). For Retained clients, data will be held for 2 years. The Practical HR Data Retention policy is available on request.

All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed of securely.

Data Subject Access Request

Please note that if a Data Subject Access Request is made to Practical HR as a result of Practical HR providing services to the Client, the time associated with responding to the request and providing information will be charged to the Client.

Data Protection Policy May 2024