Online Documentation - Updated Appendix

Last updated on 15 June 2026

I - Services liable to be provided by PayFit

The PayFit Product is continuously evolving and new Service features are regularly developed, which the Client accepts and acknowledges. 

The Client expressly acknowledges that temporary or extended access to Services not included in the subscribed Plan but belonging to another Plan does not grant the Client any right to use such Services in the future, and acknowledges that any such access to Services not included in its Plan may be discontinued at any time. The Client commits to read and comply with any specific terms and conditions applicable to it, as accessible at the bottom of this page.

Payroll Core

  • Core payroll software

  • Automated bank files

  • Automated pension sync with standard pensions providers

  • Declarations (RTI submissions, tax code changes)

  • Help center access

  • Automated P11Ds

  • Access to in-house payroll experts

  • Supported onboarding & video training

  • Live chat

  • Access to PayFit OpenAPI

  • HR Integrations

  • Automated pensions & integrations

Payroll & HR

Everything in Payroll Core, plus:

  • E-signature module

  • People management

  • Leaves & Absence management

  • HR document generation

  • Employee On & Offboarding

  • Organisation Chart

  • Project & time tracking

Premium

Everything in Payroll & HR, plus:

  • Managed P11Ds

  • Performance reviews (including 1-2-1s)

  • Payroll re-runs and corrections

  • Faster access to support

  • Engagement surveys

  • Custom payroll journals

  • Book a call option (i)

  • Quarterly business reviews (i)

  • Dedicated account manager (i)

(i) Only accessible to Client with 25+ Staff Members

II - Personal Data Protection

1. Contact details of the Data Protection Officer

PayFit’s Data Protection Officer
Email: privacy@payfit.com
Postal Address: PayFit – A l’attention du DPO, 37-39 avenue Trudaine 75009 Paris, France

2. Personal data protection rules

These Personal data protection rules (the "Rules") are established pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. They define the conditions under which:

  • PayFit undertakes, as a Data processor, to carry out the Personal data processing operations, as defined herein, within the framework of the Subscription agreement entered into with the Client;

  • The Client and PayFit each process Personal data independently, as Data controllers.

Article 1. Definitions

For the purposes hereof, the following terms shall have the meanings set forth below:

Auditability period means the period during which the Client is entitled to exercise its audit rights as set forth in Section 14 of these Rules. The Auditability period shall commence on May 1st and expire on July 31st of each calendar year; provided, however, that such period shall not apply to any audit requested or required by a competent regulatory authority, Supervisory body, or administrative or social organisation, nor in the event of a suspected Personal data breach, subject to the following conditions: (i) the grounds for suspecting such Personal data breach are duly substantiated; (ii) the Client provides PayFit with no less than ten (10) Business Days' prior written notice; and (iii) the conduct of such audit does not unreasonably interfere with or disrupt PayFit's ordinary course of business.

Authorised purpose(s) means the purpose of the Personal data Processing implemented by PayFit in accordance with the Online documentation.

Authorised recipient(s) means a director, employee, Sub-processor or Third party who has a legitimate need to access Personal data in connection with the performance of the Contract.

Contract means the contract defining the terms and conditions under which PayFit undertakes to provide the Services to the Client.

Controller or Client means the entity who determines the means and purposes of the Processing described in the Online documentation.

Data protection regulation means the regulations in force applicable to the Personal data Processing and, in particular:

i. The UK General Data protection regulation;

ii. The UK Data Protection Act 2018; 

iii. Any legislation coming into force that may affect the Processing covered by these Rules.

Data subject means any natural person whose Personal data is subject to Processing under these Rules.

Instructions means all instructions written by the Controller to PayFit. These instructions may take the form of these Rules and the Online documentation, or written exchanges, including electronically.

Integration means the interfacing of the application edited by PayFit with one or more solution(s) edited by a Third party under the conditions set forth in the Contract and according to the Services subscribed by the Client.

Online documentation means the contractual documentation made available to the Client by PayFit on the page https://payfit.com/general-conditions-appendix/ and in the administrator account of the Client, which is an integral part of these Rules and may be amended as defined herein. The Online documentation includes, but is not limited to: 

  • These Rules;

  • The description of the Processing;

  • The list of Authorised purposes; 

  • The list of Sub-processors.

Party, in the singular, refers to PayFit or the Client; in the plural, it refers to both Parties.

Personal data means any information relating to a natural person who is identified or can be identified as such, directly or indirectly by aggregation of information, by reference to an identification number or to elements that are specific to that person.

Personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal data submitted by or for Client.

Privacy policy means the privacy policy made available to the Client by PayFit on the page https://payfit.com/privacy-policy/ and in the administrator account of the Client, which is an integral part of these Rules and may be amended as defined herein.

Processing means any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not carried out using automated means and applied to Personal data. The Processing is detailed in the Online documentation.

Processor means PayFit which processes Personal data on behalf of the Controller and according to the Instructions described in the Online documentation.

Sensitive data means special categories of Personal data, as defined in article 9 of the UK General Data protection regulation. Sensitive Data are expressly excluded from Processing.

Services means the services provided by PayFit to the Client pursuant to the Contract.

Sub-processor means PayFit's subcontractor who performs Personal data Processing strictly in accordance with the Instructions issued by the Controller.

Supervisory authority means any competent authority for the protection of Personal data.

Third country means any country outside the European Union or the United Kingdom.

Third party means any third party authorised by the Client to receive Personal data for the Authorised purposes and which processes Personal data as a separate Controller or separate Processor. In these Rules, Third Parties include, but are not limited to, administrative and social bodies receiving social declarations or third-party publishers to whom Personal data is communicated in the context of an Integration. PayFit is not responsible for the Processing of Personal data by Third Parties.

Article 2 – Object and contractual documents

2.1. The purpose of these Rules is to define the respective roles and obligations of each of the Parties in relation to the Personal data Processing described:

  • In the Online documentation, for which PayFit acts as Processor;

  • In the Privacy policy, for which PayFit acts as a Controller.

2.2. These Rules supersede any provisions relating to the protection of Personal Data that may be contained in the Contract. In the event of any conflict, the Parties expressly agree that these Rules shall prevail over the Contract. The Parties expressly acknowledge that the Rules form an integral part of the Online Documentation, which itself forms an integral part of the Contract.

Article 3 – Modification of the Rules and the Online documentation

The Client acknowledges that the information in the Online documentation may be changed during the course of the Contract, including: 

  • These Rules;

  • The Authorised purposes, which depend directly on the Services subscribed to by the Client and any updates to the Services by PayFit;

  • The Client also acknowledges that the Services are likely to evolve during the Contract, which would thus constitute new processing operations justified by their purposes;

  • The list of Sub-processors. 

Article 4 – Duration 

These Rules shall come into force as of the date of signature of the Contract by the Client and shall remain applicable for the entire duration of the Contract.

Article 5 – Designation and role of the Parties

5.1. PayFit as Processor

5.1.1. The Parties agree that the Client is the Controller for the Processing described in the Online documentation.

5.1.2. The Client appoints PayFit as a Processor to process the Personal data on its behalf in the context of the Processing described in the Online documentation, and in order to achieve the Authorised purposes.

5.2. Processing performed by the Parties as independent Controllers

5.2.1. Under the Rules, each Party processes, on its own behalf, as a separate and independent controller, Personal data for its own purposes relating to the management of the commercial relationship with the other Party and the provision of the Services, on the legal basis of its legitimate interests.

In particular, without prejudice to article 5.1., PayFit, acting as Data controller, collects and processes certain Personal data concerning the Client's employees who interact with PayFit, the Client's employees and other individuals whose Personal data is processed in connection with the use of the Services (including, without limitation, employees who interact with PayFit as users or administrators), for the following purposes (hereinafter the "Purposes", as further detailed in PayFit's Privacy policy), and notably for the purposes set out below:

  • Archiving for legal purposes, including in particular the management of litigation and pre-litigation matters;

  • The optimisation, reliability, monitoring and improvement of the quality of the Services provided (routing, error reduction, etc.), provided that the Data is at minimum pseudonymised prior to any use;

  • The continuous improvement and development of the Services offered by PayFit through performance monitoring and usage data analysis, provided that the Data is at minimum pseudonymised prior to any use;

  • The development and creation of new services and/or features, in connection with the Services, provided that the Data is at minimum pseudonymised prior to any use.

5.2.2. To this end, PayFit undertakes to:

  • Ensure that the Purposes are not incompatible with the Authorised purposes;

  • Failing that, obtain the prior consent of the Data subjects to the processing of their Personal data for the Purposes.

5.2.3. In the context of the processing of Personal data performed by PayFit as Data controller, PayFit undertakes to comply with its obligations under the Data protection regulation. 

Article 6 – General obligations of the Parties

6.1. As a Processor, PayFit undertakes to:

  • Comply with the Data protection regulation;

  • Process Personal data in accordance with the Authorised purposes and the Instructions;

  • Raise awareness among its staff on issues relating to the protection of Personal data;

  • Inform the Client immediately if, in its opinion, an Instruction infringes Data protection regulation.

6.2. The Client, as Controller, undertakes to:

  • Comply with the Data protection regulation, notably by providing complete information to the Data subjects and making sure it relies on appropriate lawful basis for the Processing, including, where applicable, by collecting consent;

  • Provide PayFit with the Personal data described in the Online documentation in order to enable it to achieve the Authorised purposes; 

  • Document in writing any Instructions regarding the Processing described in the Online documentation.

6.3. PayFit is not intended to host Sensitive Data Processing and in particular health data. The Client who will proceed to the Processing of Sensitive Data, and in particular health data, will assume the full and entire responsibility of its acts, without PayFit's liability being engaged in this respect.

Article 7 – Cooperation and assistance

7.1. PayFit undertakes to: 

  • Designate a privileged interlocutor to represent it with the Client: the Data Protection Officer as indicated in the Online documentation;

  • Adhere to and participate in a spirit of cooperation to ensure compliance with the Data protection regulation and the Instructions;

  • Inform the Client without undue delay:

      • If a Personal data breach occurs, as provided in Article 8.2 of these Rules;

      • In the event that PayFit or a further Sub-processor receives a complaint relating to a Processing carried out by PayFit in its capacity as Data Processor:

          • lodged by a Data Subject who is or was an employee of the Client, or

          • lodged by a Supervisory Authority and giving rise to a risk of sanction.

7.2. PayFit undertakes to assist the Client in complying with the obligations set forth in Articles 32 to 36 of the UK General Data protection regulation taking into account the nature of the Processing and the information made available to PayFit. It is specified that within the framework of this assistance, certain measures requested by the Client may be subject to additional billing proportional to the time spent by PayFit's teams in handling the Client's request.

Article 8 – Security and Personal data breach

8.1. PayFit undertakes to the Client to implement technical and organisational measures appropriate to the nature of the Personal data and the risks inherent in the Processing against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the Personal data held or processed by it, including all measures necessary to ensure compliance with the data security requirements in the Data protection regulation. The security measures implemented by PayFit in connection with the Processing are detailed on its website at https://payfit.com/appendice-security-measures/. The Client acknowledges that PayFit may update its organisational and technical security measures, including for the purpose of complying with any new requirements under the Data protection regulation, during the term of the Rules, provided that the update does not deteriorate them. 

8.2. In the event of the occurrence of a Personal data breach affecting the Services of PayFit or a Sub-processor, PayFit will:

  • Notify the Client of any Personal data breach without undue delay;

  • To the extent possible and with regard to the information brought to its attention, attach to the notification any useful documentation in order to allow the Client, if necessary, to notify the Supervisory authority or the Data subject.

In this regard, PayFit will indicate the following:

  • A description of the nature of the Personal data breach including, if possible, the categories and approximate number of Data subjects affected by the Personal data breach and the categories and approximate number of Personal data records affected;

  • If applicable, the name and contact details of the Data Protection Officer or other point of contact from whom additional information may be obtained;

  • To the extent possible, a description of the likely consequences of the Personal data breach; and

  • A description of the steps taken or proposed to be taken by PayFit to remedy the Personal data breach, including, if applicable, steps to mitigate any negative consequences.

In the event that it is not possible to provide at the same time all of the information specified in this section, PayFit will provide it in phases and without undue delay.

8.3. This Article is without prejudice to the Controller's own obligations regarding the security of Personal data.

Article 9 – Authorised recipients

9.1. General terms

PayFit warrants to Client that it will: 

  • Limit access to Personal data to only those Authorised recipients who need to access it;

  • Not disclose any Personal data to any other person without first notifying the Client, except as required by law or court order.

9.2. Sub-processors

9.2.1. PayFit can subcontract part of the Service to Sub-processors. The Client accepts this use of Sub-processors and, by accepting these Rules and signing the Contract, authorises PayFit to use the Sub-processors listed in the Online documentation. 

9.2.2. With respect to Sub-processors, PayFit warrants to the Client that: 

  • It will conduct reasonable due diligence on the data privacy and security measures of Sub-processors before providing them with access to Personal data;

  • It will ensure it puts a contract in place with any appointed Sub-processor which imposes on the Sub-processor, in substance, the same obligations as imposed on PayFit by these Rules;

  • It shall remain fully responsible to the Client for the performance of the Sub-processors’ obligations under these Rules with PayFit; 

  • In the event of the addition or replacement of a Sub-processor, PayFit will notify the Client, who will have a period of ten (10) days from the notification to present its objections on a valid ground relating to the protection of Personal data. If the Client fails to object within this period, the Sub-processor shall be deemed to have been accepted by the Client.

9.2.3. If the Controller objects to the appointment of a Sub-processor under the conditions detailed in this Article 9.2, either Party may terminate the Contract in application of article 5 of the Terms and Conditions.

9.2.4. Until the termination of the Contract, PayFit reserves the right to suspend access to the Services concerned by the objection of the Controller without the Controller being entitled to any reimbursement in this respect. 

9.2.5. The fact that PayFit, as a Processor, subcontracts all or part of the Processing to a Sub-processor does not relieve PayFit of its responsibilities and obligations to the Client under the Rules. PayFit shall remain fully liable to the Controller for the performance by the Sub-processor of its obligations.

9.3. Third parties

9.3.1. In order to perform the Services subscribed to under the Contract and/or upon Instruction from the Client, PayFit may transfer Personal data to Third Parties, and in particular: 

  • To administrative and social organisations in the context of the management of social statements; 

  • To third party publishers in the context of an Integration or partnership. 

9.3.2. In the case of an Integration, the Client acknowledges that PayFit may also receive Personal data from the Third Parties. This Personal data shall be processed by PayFit for the Authorised purposes. The Client undertakes to ensure that its Personal data provided by the Third Parties is accurate, up-to-date and complete. PayFit shall not be liable for any errors in the provision of the Services due to inaccurate, outdated or incomplete data.

Article 10 – Data subjects rights

In the event that PayFit receives a request from a Data subject wishing to exercise their rights under the Data protection regulation in connection with the Processing operations listed in the Online documentation, PayFit will reasonably support the Client in responding to the request, being agreed that: 

  • PayFit will only act upon written instructions from the Client;

  • The Client, acting as a Controller, will respond to the Data subject within the time limits set forth in the Data protection regulation, under its sole responsibility;

  • Any operation performed by PayFit in connection with a request for the exercise of rights may, if necessary, result in additional billing, in particular due to the technical investigations carried out at the request of the Client.

Article 11 – Transfer of Personal data to Third countries

11.1. PayFit undertakes to comply with the Instructions issued by the Client regarding transfers of Personal data to Third countries, except in the event that PayFit is required by applicable law to transfer Personal data to a Third country. In such a case, PayFit will inform the Client before such transfer takes place, unless applicable law prohibits such information.

11.2. The Client authorises the transfer of Personal data to Third countries for the purpose of the provision of Services, provided that:

  • The Third country has been recognised by the relevant authority as providing an adequate level of protection of Personal data; or

  • PayFit meets one of the following conditions:

      • The transfer is covered by a data transfer agreement incorporating the model International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and any amendments thereto;

      • The transfer is subject to the regime of appropriate safeguards referred to in Article 46 of the UK General Data protection regulation and/or any other subsequent appropriate safeguards deemed adequate by the relevant authority;

      • The transfer falls within the exception regime referred to in Article 49 of the UK General Data protection regulation.

Article 12 – Liability 

PayFit's liability in connection with Processing operations on behalf of the Client is subject to the limitation of liability set forth in the Contract.

Article 13 – Disposition of Personal data upon termination

Upon termination of the Contract for any reason, PayFit, at the choice of the Client, returns or deletes the Personal data. 

Article 14 – Information and audit

14.1. PayFit undertakes to provide upon request and as soon as possible, such information as the Client may reasonably request to confirm that PayFit is acting in accordance with the Data protection regulation.

14.2. The Client acknowledges that conducting an audit during certain busy periods is likely to interfere with PayFit's proper performance of the Services and substantially disrupt its business with all of its clients. Therefore, the Client may only exercise its right to audit during the Auditability period. 

14.3. The Client may order document audits to ensure the compliance of the Processing performed by PayFit as a Processor by sending a registered letter with acknowledgement of receipt to PayFit, up to a limit of one (1) audit per year and during the Auditability period. PayFit shall have a period of three (3) months to send the Client the requested documents. Confidential information entrusted to PayFit by other clients is not subject to the audit. 

14.4. The Client may order objective audits of compliance with the Data protection regulation on the Processing performed by PayFit as a Processor in the performance of the Services under the conditions defined below: 

  • The audit must be preceded by a document audit under the conditions of Article 14.3. which revealed substantial points of non-compliance of PayFit; 

  • The audit shall be conducted by an external auditor jointly selected by the Parties for its expertise, independence and impartiality and which is, in any event, not a competitor of PayFit;

  • The selected auditor is bound to the Party by a non-disclosure agreement and/or professional secrecy;

  • The Client notifies PayFit, in writing and with a minimum of thirty (30) business days' notice, of its intention to conduct a compliance audit;

  • Under no circumstances shall the audit performed deteriorate or slow down the Services offered by PayFit or affect the organisational management of PayFit;

  • An identical copy of the audit report is given to the Client as well as to PayFit following the completion of the audit mission. The Parties may comment on this audit report. This report may, if necessary, be subject to further review by a steering committee;

  • The costs of the compliance audit will be borne solely by the Client;

  • The Client may only order compliance audits up to one (1) audit per year; and

  • PayFit shall have a period of six (6) months from the communication of the audit report to correct at its own expense any deficiencies and/or non-conformities found. If necessary, PayFit may exceptionally extend this period by three (3) months after expressly informing the Client and objectively justifying such extension.

14.5. PayFit agrees to allow the selected auditors access to sites, facilities, documents and information necessary to assess its compliance, and shall cooperate fully with them in the performance of their assignment.

14.6. In the event of an audit by a competent Supervisory authority that may relate to Client Processing, PayFit undertakes to cooperate fully with the Supervisory authority.

14.7. In the event of an audit by a competent Supervisory authority having jurisdiction over the Client, PayFit undertakes to fully assist the Client in relation to the Processing performed.

14.8. All data collected in the course of audits, inspections and controls are considered as confidential data protected by professional secrecy.

Article 15 – Applicable law and jurisdiction 

These Rules are subject to the applicable law and jurisdiction identified in the Contract.

3. Definition of the Processing carried out by PayFit as a Data Processor

Categories of Data Subjects

  • Employees, trainees and other staff members of the Client

  • External persons (certified public accountants, company representatives, lawyers or any other external persons likely to be involved in payroll and personnel management)

Categories of Personal Data

  • Identity data

  • Professional data

  • Data related to professional experience

  • Data relating to personal life

  • Bank account details

  • Social data

  • Economic and financial data pertaining to the professional context

  • Data relating to sick leaves (optional)

  • Connection log data

  • Data provided by the Clients for account configuration purposes

  • Any other data that the Clients, Staff members or any authorised third parties involved in the management of payroll and personnel are liable to upload to PayFit Client and employee accounts.

Nature of processing

Operations such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Authorised Purposes

  • Payroll Management

  • Management of social declarations

  • Staff register

  • Expense report management

  • Working time management

  • Absence management

  • Management of organisation charts and directories

  • Internal communication management (1:1)

  • Administrative management of personnel

  • Access management and account security

  • Onboarding

  • Training and support

4. Sub-processors

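| Category of Processing | Sub-processor | Location of the processing operations |
|---|---|---|
| Hosting | Amazon Web Services | European Economic Area |
| Hosting | Azure | European Economic Area |
| Management of the security and effective functioning of the Services | Mailgun Technologies, Inc | Third Country |
| Management of the security and effective functioning of the Services | Twilio | Third Country |
| Management of the security and effective functioning of the Services | Datadog, Inc. | European Economic Area |
| Management of the security and effective functioning of the Services | UIPath | Third Country |
| Training and support | Intercom R&D Unlimited Company | Third Country |
| Training and support | Salesforce | Third Country |
| Onboarding | Mindee SAS | European Economic Area |
| Specific Services | YouSign | European Economic Area |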