Last updated: 07/02/2024

On behalf of our directors, we are delighted to welcome you to The HR Company. As your soon-to-be HR provider, it is our aim to help you manage a host of HR activities. This document is designed to give you a brief, non-exhaustive overview of our services, and how we intend to work with you.

This first section covers some of the basic terms and conditions, while the remainder of the document contains details on our Data Processing Activities and obligations. You should carefully review, and these terms and you will need to access them during the signup process before being able to continue to use the services.

• You will be provided with your own dedicated HR Account Manager, and he/she will be available to you from 9:00am until 5:00pm Monday to Friday. You will also have access to 24/7 support outside of these hours via our advice line – all of which will happen within two working days of joining us.
• You don’t need to sign up for a minimum duration, however out of courtesy and goodwill please consider the fact that we are going to invest substantial time reviewing and updating your HR policies (amongst other things) in the first few months. Therefore, to keep everyone happy we require that you consider 12 months as an appropriate minimum term.

• If you wish to cancel from our services, we require a minimum notification of 30 days, after the first 12 months.
• Some of our documentation is developed using custom built software. Therefore, it may only be possible to send your documentation in ‘Adobe PDF’ format.
• Our service operates primarily as ‘remote/virtual’ based subscription.
• If you require an on-site consultancy at your premises this may incur additional charges.

• If you are planning to pay for this service by Direct Debit or Credit Card, your bill be issued on the 19th of every month. Details on how to pay can be found in the previous email.
• Your first bill will include a once off sign-up fee, as agreed.

• You can submit feedback at any stage using the feedback buttons at the end of all our e-mails.
• You can contact us by Phone, e-Mail, Microsoft Teams, Post and/or in-person at our offices.
• Our calls are recorded and retained for a period to help us with training our staff, reviewing advice issued, and for quality purposes. Occasionally we will review what we’ve discussed on the phone to ensure you get the best advice possible.

Below you will find our Data Processor Agreement which outlines how our two organisations can process and share information within the context of the GDPR and Data Protection Act, 2018.

This is an agreement between the two organisation with regards to the processing and retention of data by The HR Company and the client who has provided their details while entering their payment information. In this agreement, the client as named, is the ‘Data Controller’ and The HR Company is the ‘Data Processor’.

1.1 This agreement re processing of personal data (the “Data Processor Agreement”) regulates B2E Limited’s (the “Data Processor”) processing of personal data on behalf of the client (the “Data Controller”) and forms part of the Main Service Agreement in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller.

2.1 The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

3.1 Purpose: The purpose of the processing under this Agreement is the provision of HR Services by the Data Processor as specified in the brochures and e-mails sent by the service provider.

3.2 In connection with the Data Processor’s delivery of the Main Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.

3.3 ” Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services. The parties shall update sub-appendix A whenever changes occur that necessitates an update.

3.4 The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).

4.1 The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement (DPA) is that the Data Processor may only process the Personal Data with the purpose of delivering the Main Services as described in service brochures and verbally between both parties. Subject to the terms of this DPA and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.

4.2 The Data Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Data Controller’s instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.

4.3 The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed or modified.

5.6.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

5.6.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.

5.7 Personal Data Breaches

5.7.1 The Data Processor shall give immediate notice within 72 hours, and in writting to the Data Controller if a breach occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).

5.7.2 The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.

5.8 Documentation of compliance and Audit Rights

5.8.1 Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days and shall not be conducted more than once a year.

5.8.2 The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.

5.9 Data Transfers

5.9.1 Ordinarily, the Data Processor will not transfer your data to countries outside the European Economic Area. In some cases, personal data will be saved on storage solutions that have servers outside the European Economic Area (EEA), [for example, Google or Office 365]. Only those storage solutions that provide secure services with adequate relevant safeguards will be employed. In such a situation, any data transferred outside of the EEA will be processed in compliance with all Applicable Laws.

6.1 The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorisation from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub- Processor, the Data Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.

6.2 In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller’s objection, the Data Controller may terminate the Services by providing written notice to the Data Processor.

6.3 The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub- Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.

6.4 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

6.5 The Data Processor is at the time of entering into this Data Processor Agreement using the Sub- Processors listed in sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix B under paragraph 2.

7.1 The Data Controller shall remunerate the Data Processor based on time spent to perform the obligations under section 5.5, 5.6 and 5.8 of this Data Processor Agreement based on the Data Processor’s hourly rates.

7.2 The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Main Services due to the change in the Instruction. The Data Processor is exempted from liability for non-performance with the Main Agreement if the performance of the obligations under the Main Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case; (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Main Agreement is changed to reflect the new Instruction and commercial terms thereof.

8.1 Nothing in this DPA will relieves the processor of its own direct responsibilities and liabilities under the GDPR or the Data Protection Act, 2018.

9.1 The Data Processor Agreement shall remain in force until the service is terminated as per the terms agreed between the Service Provider and the Client.

10.1 The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations.

11.1 Following expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all Personal Data in its possession as provided in the Agreement except to the extent the Data Processor is required by Applicable law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.

12.1 The contact information for the Data Processor and the Data Controller is provided on page 1 of this agreement and is also available on both the Controllers and Processors websites.

This agreement is in line with The Data Protection Act, 2018, and the General Data Protection Regulation (GDPR) / (Regulation (EU) 2016/679). By clicking accept in the previous screen you are agreeing to these Terms and Conditions.

1. Personal Data

1.1 The Data Processor processes the following types of Personal Data in connection with its delivery of the main services:

Information on relevant employees from the Data Controller relevant for the processing of Human Resources documentation. Namely:

1. Name, postal address and email address
2. Pension details
3. Proof of identity
4. Leave records
5. Contract of employment & HR details
6. Next of kin details
7. Grievance & Disciplinary records

1.2 The Data Processor processes the following types of Special Personal Data in connection with its delivery of the Main Services:

1.2.1 Information on relevant employees from the Data Controller relevant for the processing of Human Resources documentation. Namely:

• Union Representation, if applicable.
• Categories of data subjects

2.1 The Data Processor processes personal data about the following categories of data subjects on behalf of the Client:

1. Employees of the Data Controller

1. Approved Sub-Processors

1.1 The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Agreement:

• Data software provider: Office 365, Microsoft Corporation.
• Go Cardless (Payment Gateway)
• Stripe Inc (Payment Gateway)
• Maxio (Finance and Billing Portal)
• Natural HR (only where the HR system add-on service has been purchased).
• Register365 (Hosting Provider)
• CSR Professional Services (only where the GDPR service has been purchased).
• VT Experts (IT Contractor (CRM))

2. New Sub-Processors

2.1 The following Sub-Processors have been added and communicated to the Data Controller prior to the relevant sub-processing:

• No new sub processors.