ExcluServ Acting as a Data Processor

This section describes our privacy notice as it applies to personal data where we are acting as the data processor. This is where you are our client for the provision of our services, and you require us to process personal data on your behalf.

In this context, you are the data controller, holding the relationship with the data subject, and we are the data processor.

Information provided by you about others

You, as the Data Controller, will provide ExcluServ (Data Processor) with personal data relating to your data subjects, which then enables us to process it on your behalf.

Purpose and Lawful Basis

This section states the purpose, the categories of data that will be held and processed, and the lawful basis under which ExcluServ will handle that personal data.

| Purpose | Categories of data | Lawful basis |
|---|---|---|
| Accounting Services | Supplier and staff: name, contact details, account information, billing information | Contract |
| Payroll Services | Staff: name, contact details, bank account information, tax status, maternity, sickness, pay level | Contract |
| Statutory Returns | Officers: name, length of service | Contract |
| Gift Aid Claims | Supporters: name, address, donation value | Contract |
| Recruitment Support | Applicants: names, address, employment history | Contract |

In most cases (outsourcing, consulting and software services), we are required to collect and process information about others from you as part of our service delivery. This makes us a data processor in these cases, and the lawful basis in each case is contract.

When you provide personal data to us for processing on your behalf, you are responsible for ensuring that you have a lawful basis to provide that personal data to us. The lawful basis stated in the table above is ExcluServ’s lawful basis under contract with you.

Responsibilities

Our responsibilities (Data Processor)

ExcluServ will process all data in accordance with the instructions explicitly provided by the data controller. We will establish processes and procedures that keep the data secure and we will not share it with any other third parties, nor use it for any other purposes except as required by law.

Where we act as a processor, consistent with Article 28 UK GDPR, our processing will be governed by a written contract and/or data processing agreement that sets out the required terms, including any use of sub-processors.

We will work with you fully to support any GDPR compliance requirements and, where appropriate, change our working practice to meet your needs. Per the terms of the governing contract or data processing agreement, and consistent with Article 28(3)(h) UK GDPR, we will advise you of areas within your own processing that we become aware of and that, in our opinion, compromise adherence to relevant data protection legislation.

We will not use the data outside of the intended and agreed purpose.

We will only retain the data in line with our stated retention policy.

Your responsibilities (Data Controller)

It remains your responsibility, as the data controller, to comply fully with GDPR in relation to this data, including:

  • You must ensure you are authorised to disclose such information and for it to be processed by ExcluServ in the manner requested.
  • You must ensure that the individuals concerned are aware that their personal information is being collected and for what purpose, who the intended recipients of the information are and of their right to obtain access to that information.
  • You must ensure that your own systems and processes in relation to such data are compliant.

Data Subject Rights under GDPR

The data subjects whose data you instruct us to process have rights (access, rectification, erasure, restriction, etc.). These rights are exercised between the data subject and you as the data controller.

Where you are the data controller who has the primary relationship with the data subject, and we act as a processor:

  1. All Data Subject Access Requests (or exercising of other rights) should be directed to you, as the data controller.
  2. When we receive a request directly from an individual in relation to personal data we process on your behalf:
       • we will notify you without undue delay
       • we will not respond to the request unless instructed by you or required by law.

Data Breach

In the unlikely event that a breach of data privacy occurs, ExcluServ will inform you without undue delay after becoming aware of a personal data breach affecting personal data we process on your behalf.

Where the breach affects data that is owned by you as the data controller, it will be your responsibility to notify the data subjects affected and, where required, the appropriate supervisory authority, such as the Information Commissioner’s Office.