Data Processing Addendum
Last updated: January 2025
INTRODUCTION
This Data Processing Addendum ("DPA") forms part of the Terms of Use between Alpine Payroll Limited ("Processor", "we", "us", "our") and you ("Controller", "you", "your") and governs the processing of personal data by the Processor on behalf of the Controller.
This DPA applies where the Processor processes personal data on the Controller's behalf in connection with payroll processing, HR support, and related services.
This DPA is supplemental to, and must be read in conjunction with, the Terms of Use. In the event of any conflict between this DPA and the Terms of Use, this DPA will prevail with respect to the processing of personal data.
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
In this DPA, the following terms have the meanings set out below:
- "Controller" means the entity that determines the purposes and means of processing personal data. In the context of our services, this is typically our client.
- "Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including:
  - The UK General Data Protection Regulation (UK GDPR)
  - The Data Protection Act 2018 (DPA 2018)
  - The Privacy and Electronic Communications Regulations 2003 (PECR)
  - Any successor or replacement legislation
- "Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in the UK GDPR.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- "Processing" means any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Processor" means Alpine Payroll Limited, which processes personal data on behalf of the Controller.
- "Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
- "Subprocessor" means any third party appointed by the Processor to process personal data on behalf of the Controller.
1.2 Interpretation
- References to "Appendix" mean the Appendix to this DPA
- Headings are for convenience only and do not affect interpretation
- References to clauses are to clauses of this DPA unless otherwise stated
- Words in the singular include the plural and vice versa
2. ROLES AND SCOPE OF PROCESSING
2.1 Controller and Processor Relationship
The parties acknowledge and agree that:
- (a) The Controller is the data controller in respect of personal data processed under this DPA
- (b) The Processor is the data processor acting on behalf of and on the instructions of the Controller
- (c) Each party shall comply with its respective obligations under Data Protection Laws
2.2 Scope of Processing
The Processor shall process personal data only:
- (a) On the documented instructions of the Controller, unless required to do so by applicable law (in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law);
- (b) For the purposes specified in the Appendix (Processing Details); and
- (c) In accordance with this DPA and Data Protection Laws.
2.3 Details of Processing
The subject matter, nature, purpose, duration, types of personal data, and categories of data subjects are set out in the Appendix to this DPA.
3. PROCESSOR OBLIGATIONS
3.1 Compliance with Instructions
The Processor shall process personal data only on documented instructions from the Controller, except where required by applicable law.
3.2 Confidentiality
The Processor shall ensure that persons authorised to process personal data are subject to appropriate obligations of confidentiality.
3.3 Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data
- Regular security assessments
- Access controls and authentication
- Backup and disaster recovery procedures
- Staff training on data protection
3.4 Assistance to Controller
The Processor shall assist the Controller in responding to requests from data subjects and regulatory authorities, and in ensuring compliance with Data Protection Laws.
4. SUBPROCESSORS
4.1 Authorisation
The Controller authorises the Processor to engage Subprocessors, provided that:
- The Processor maintains a list of Subprocessors
- Subprocessors are bound by equivalent data protection obligations
- The Processor remains liable for Subprocessor compliance
4.2 Current Subprocessors
Current Subprocessors are listed in the Appendix. The Processor will notify the Controller of any intended changes to Subprocessors.
5. DATA SUBJECT RIGHTS
The Processor shall assist the Controller in responding to data subject requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
6. PERSONAL DATA BREACHES
In the event of a Personal Data Breach, the Processor shall:
- Notify the Controller without undue delay
- Provide all relevant information to assist the Controller
- Take reasonable steps to mitigate the effects of the breach
- Cooperate with the Controller in any investigation
7. INTERNATIONAL TRANSFERS
Personal data is primarily processed and stored in the United Kingdom. Any transfers outside the UK/EEA will be subject to appropriate safeguards as required by Data Protection Laws.
8. DATA RETENTION AND DELETION
Upon termination of services, the Processor shall, at the Controller's option:
- Return all personal data to the Controller, or
- Delete all personal data, unless retention is required by law
9. AUDIT RIGHTS
The Controller may audit the Processor's compliance with this DPA, subject to reasonable notice and confidentiality obligations.
10. LIABILITY
Each party's liability under this DPA is subject to the limitations set out in the Terms of Use, except that nothing in this DPA shall limit either party's liability for breaches of Data Protection Laws.
11. TERM AND TERMINATION
This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller, and shall survive termination of the Terms of Use to the extent necessary to comply with Data Protection Laws.
12. GENERAL PROVISIONS
12.1 Governing Law
This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any disputes.
12.2 Amendments
This DPA may only be amended or modified by a written agreement signed by authorised representatives of both parties.
12.3 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, that provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable.
13. CONTACT DETAILS
For all matters relating to this DPA, please contact:
Alpine Payroll Limited
5 Brayford Square
London
England
E1 0SG
Phone: 03030 0332 14
Email: cs@alpine-payroll.com
Attention: Data Protection Officer
APPENDIX: PROCESSING DETAILS
Subject Matter of Processing:
Provision of payroll processing, RTI submissions to HMRC, auto-enrolment pension administration, year-end reporting (P60s, P11Ds), HR support, and business consultancy services.
Nature and Purpose of Processing:
- Processing payroll data to calculate wages, salaries, and deductions
- Preparing and submitting Real Time Information (RTI) returns to HMRC
- Administering workplace pension auto-enrolment and contributions
- Generating payslips and payment instructions
- Preparing year-end tax and National Insurance reports
- Providing HR advisory and consultancy support
- Maintaining payroll records and historical data
Duration of Processing:
Processing will continue for the duration of the contract between the parties, plus up to 60 days for data return or deletion (subject to legal retention requirements).
Categories of Data Subjects:
- Current employees, workers, and contractors of the Controller
- Former employees, workers, and contractors of the Controller
- Directors, officers, and partners of the Controller
- Prospective employees and job applicants (where applicable)
Categories of Personal Data:
- Personal identifiers: name, address, date of birth, National Insurance number, employee ID
- Contact details: email address, telephone number
- Financial data: salary, wages, bonuses, commissions, deductions, tax codes, bank account details, sort codes
- Employment data: job title, department, start date, end date, hours worked, absence records, leave entitlements
- Pension information: pension scheme membership, contribution rates, opt-in/opt-out records
- Tax and National Insurance information: tax codes, tax bands, National Insurance category, student loan deductions
- Statutory payments: statutory sick pay, maternity/paternity pay, other statutory payments
- Payroll history: previous payments, cumulative figures, year-to-date totals
Special Category Data:
The Processor may process special category data (e.g., health data for statutory sick pay) only where the Controller provides it for legitimate payroll purposes. The Controller is responsible for ensuring a lawful basis for processing special category data under Article 9 of the UK GDPR.
Subprocessors:
- GoDaddy UK Limited – Website hosting and infrastructure (United Kingdom)
International Transfers:
Personal data is primarily processed and stored in the United Kingdom. Any transfers outside the UK/EEA will be subject to appropriate safeguards as set out in clause 7 of this DPA.
Document version: 1.35