GDPR Data Processor Policy

1. Introduction

1.1 This policy re processing of personal data (the “Data Processor Policy”) regulates FHM Accountants (the “Data Processor”) processing of personal data on behalf of the client (the “Data Controller”).

2. Legislation

2.1 The Data Processor Policy seeks to ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

3. Processing of personal data

3.1 Purpose: The purpose of the processing is the provision of services by the Data Processor as specified in the Engagement letter and / or in accordance with client instructions, whether written or verbal.

3.2 In connection with the Data Processor’s delivery of services to the Data Controller, the Data Processor will or may process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.

3.3” Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A (this list is intended to be indicative but not necessarily exhaustive). The Data Processor only intends to perform processing activities that are necessary and relevant to perform the agreed services.

4. Instruction

4.1 The Data Processor only intends to process the Personal Data in accordance with instructions from the Data Controller, unless required by law to act without such instruction.  Subject to the terms of this Policy and with mutual agreement of the parties, the Data Controller may issue additional instructions consistent with the terms of this Policy and the Engagement letter. The Data Controller is responsible for ensuring that all individuals who provide instructions are authorised to do so.

4.2 The Data Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Data Controller’s instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.

4.3 The Data Processor, however, will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed or modified.


5. The Data Processor’s obligations

5.1 Confidentiality

5.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information.

5.1.2 The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data with strict confidentiality.

5.1.3 Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the services to be provided.

5.2 The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the instructions from the client.

5.3 Security

5.3.1 The Data Processor shall implement appropriate technical and organizational measures as set out in this Policy. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.

5.4 Rights of the data subjects

5.4.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

5.4.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor will forward the request to the Data Controller without undue delay and must refrain from responding to the person directly.

5.5 Personal Data Breaches

5.5.1 Upon becoming aware of same and without undue delay, the Data Processor shall give notice to the Data Controller if a breach occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed on behalf of the Data Controller (a “Personal Data Breach”).

5.5.2 The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.

5.6 Data Transfers

5.6.1 Ordinarily, the Data Processor will not transfer your data to countries outside the European Economic Area. In some cases, personal data may be saved on storage solutions that have servers outside the European Economic Area (EEA), [for example, Dropbox or Google]. Only those storage solutions that provide secure services with adequate relevant safeguards will be employed.

6. Sub-Processors

6.1 The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller.

6.2 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

6.3 The Data Processor may use the Sub- Processors listed in sub-appendix B. This list is indicative but not exhaustive.

7. Limitation of Liability

7.1 The total aggregate liability to the Client, of whatever nature, whether in contract, tort or otherwise, of FHM Accountants for any losses whatsoever and howsoever caused arising from or in any way connected with this Policy shall be subject to the “Limitation of Liability” clause set out in the Main Engagement letter.

8. Data Protection Officer

8.1 The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations.

9. Termination

9.1 Following expiration or termination of the appointment and upon receipt of written request, the Data Processor will delete or return to the Data Controller all Personal Data in its possession except to the extent the Data Processor is required by Applicable law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this Policy will continue to apply to such Personal Data.


Sub-appendix A (The list below is intended to be indicative but not necessarily exhaustive)

1. Personal Data

1.1 The Data Processor processes (or may process) the following types of Personal Data in connection with its delivery of services:

  1. Information on the Data Controller, the ultimate beneficial owner(s) of the data controller and relevant employees from the Data Controller relevant for the processing of payroll and any other services to be supplied. Namely:
    1. Name, postal address and email address
    2. PPS numbers
    3. Revenue information
    4. Bank account details
    5. Pension details
    6. Proof of identity
    7. Leave records
    8. Contract of employment & HR details
    9. Next of kin details
    10. Any other relevant information
    11. Categories of data subjects

2.1 The Data Processor processes (or may process) personal data about the following categories of data subjects on behalf of the Client:

  1. The Data Controller
  2. Employees of the Data Controller (if any)
  3. Any other relevant parties.

Sub-appendix B (The list below is intended to be indicative but not necessarily exhaustive)

    • The following Sub-Processors shall be considered approved by the Data Controller:
  • Accounts and Payroll software providers who supply technical support and accounting and payroll software and services to FHM Accountants.
  • IT support personnel who provide IT support to FHM Accountants.
  • Any other sub-processors that may reasonably be engaged from time to time by FHM Accountants.