Data Processing Addendum

1. Introduction & Scope

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the service agreement ("Agreement") between Elm Requirements Ltd T/A Elm Processing Ltd ("Processor", "we", "us") and the Client ("Controller", "you").

This DPA sets out the terms on which the Processor processes Customer Personal Data on behalf of the Controller in connection with the provision of payroll processing, HMRC compliance, Employer of Record (EOR), pension administration, and related services ("Services").

This DPA is intended to ensure compliance with:

  • The UK General Data Protection Regulation ("UK GDPR") as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
  • The Data Protection Act 2018 ("DPA 2018")
  • The Privacy and Electronic Communications Regulations 2003 ("PECR")
  • Any other applicable UK data protection legislation ("Applicable Data Protection Laws")

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data.

2. Definitions

In this DPA, the following definitions apply. Terms not defined herein shall have the meaning given in the UK GDPR or the Agreement:

  • "Customer Personal Data" means any Personal Data processed by the Processor on behalf of the Controller in connection with the Services
  • "Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates
  • "Personal Data", "Processing", "Controller", "Processor", "Sub-Processor", "Data Subject", "Personal Data Breach", and "Special Category Data" have the meanings given in the UK GDPR
  • "Approved Sub-Processor" means any Sub-Processor engaged by the Processor and listed in Schedule 3
  • "Security Incident" means a Personal Data Breach as defined in Article 4(12) UK GDPR — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data
  • "UK IDTA" means the International Data Transfer Agreement issued by the ICO under Section 119A(1) DPA 2018
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the ICO under Section 119A(1) DPA 2018
  • "Standard Contractual Clauses" or "SCCs" means Module Two (Controller to Processor) and/or Module Three (Processor to Processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914

3. Roles & Responsibilities

3.1 Controller

The Controller determines the purposes and means of processing Customer Personal Data. The Controller is responsible for:

  • Ensuring there is a valid legal basis for the processing of Customer Personal Data
  • Ensuring that appropriate privacy notices have been provided to Data Subjects
  • Ensuring that all necessary consents have been obtained where required
  • Providing complete, accurate, and timely instructions to the Processor
  • Complying with all obligations imposed on it by Applicable Data Protection Laws

3.2 Processor

The Processor processes Customer Personal Data solely on behalf of, and on the documented instructions of, the Controller. The Processor shall:

  • Process Customer Personal Data only in accordance with the Controller's documented instructions (including the processing described in Schedule 1), unless required to process by UK law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law)
  • Ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement and maintain appropriate technical and organisational measures as set out in Schedule 2
  • Comply with the conditions for engaging Sub-Processors set out in section 7
  • Assist the Controller in responding to Data Subject rights requests
  • Assist the Controller in ensuring compliance with its obligations under Articles 32–36 UK GDPR
  • At the Controller's election, delete or return all Customer Personal Data upon termination of the Services, and delete existing copies unless required by law to retain them
  • Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits

4. Processing Instructions

The Controller's instructions for the processing of Customer Personal Data are set out in:

  • This DPA (including Schedule 1)
  • The Agreement and any Service Agreement
  • Any additional written instructions provided by the Controller from time to time

The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws. The Processor shall not be required to carry out processing that it reasonably believes infringes such laws, and shall not be liable for any delay or failure in performance resulting from such a refusal.

The details of the processing, including the subject matter, duration, nature, purpose, type of Personal Data, and categories of Data Subjects, are described in Schedule 1.

5. Confidentiality

The Processor shall ensure that all personnel who have access to Customer Personal Data:

  • Are informed of the confidential nature of the data
  • Have received appropriate training on data protection obligations
  • Are subject to enforceable obligations of confidentiality (whether contractual or statutory)
  • Process Customer Personal Data only in accordance with the Controller's instructions

The Processor shall take reasonable steps to ensure the reliability of any personnel who have access to Customer Personal Data, taking into account the nature of the processing and the risks involved.

6. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 UK GDPR. These measures are detailed in Schedule 2 and include (as appropriate):

  • The pseudonymisation and encryption of Personal Data
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures

The Processor shall regularly review and update these measures to ensure continued appropriateness, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to Data Subjects.

7. Sub-Processors

7.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-Processors listed in Schedule 3. The Processor may engage additional or replacement Sub-Processors subject to the conditions in this section.

7.2 Notification of Changes

The Processor shall notify the Controller in writing at least 30 days before engaging any new Sub-Processor or replacing an existing Sub-Processor, providing the name, location, and description of the processing to be carried out.

7.3 Objection Right

The Controller may object to a new or replacement Sub-Processor by notifying the Processor in writing within 14 days of receiving notification, providing reasonable grounds for the objection.

If the Controller objects, the Processor shall use reasonable efforts to make available an alternative solution that avoids the use of the objected-to Sub-Processor. If no alternative is reasonably available within 30 days, either party may terminate the relevant portion of the Services by written notice, and the Processor shall refund any prepaid fees for the terminated Services.

7.4 Sub-Processor Obligations

The Processor shall:

  • Enter into a written agreement with each Sub-Processor that imposes data protection obligations no less onerous than those set out in this DPA
  • Carry out appropriate due diligence on each Sub-Processor's data protection practices and security measures before engagement
  • Monitor each Sub-Processor's ongoing compliance on a regular basis
  • Remain fully liable to the Controller for the performance of any Sub-Processor's obligations

8. International Transfers

The Processor shall not transfer Customer Personal Data to any country outside the United Kingdom unless:

  • The transfer is to a country or territory that is subject to an adequacy decision by the UK Secretary of State under Section 17A DPA 2018
  • The transfer is subject to appropriate safeguards in accordance with Article 46 UK GDPR, including the UK IDTA, the UK Addendum to the EU SCCs, or Binding Corporate Rules approved by the ICO
  • A derogation under Article 49 UK GDPR applies

Where transfers are made on the basis of the UK IDTA or UK Addendum, the relevant transfer mechanism documents form part of this DPA as set out in Schedule 4.

The Processor shall carry out a transfer risk assessment in accordance with ICO guidance before making any international transfer and shall implement any supplementary measures identified as necessary.

9. Data Subject Rights

The Processor shall:

  • Promptly notify the Controller if it receives any request directly from a Data Subject to exercise rights under Chapter III UK GDPR (including access, rectification, erasure, restriction, portability, or objection)
  • Not respond to any such request directly unless authorised by the Controller or required by law
  • Provide reasonable assistance to the Controller in fulfilling its obligation to respond to Data Subject requests, taking into account the nature of the processing
  • Implement appropriate technical and organisational measures to assist the Controller, insofar as this is possible, in fulfilling requests (including the ability to search, retrieve, correct, and delete Customer Personal Data)

The Controller shall be responsible for the costs of any assistance provided by the Processor in connection with Data Subject requests that are complex, excessive, or require significant additional work beyond the Processor's standard operational processes.

10. Data Breach Notification

10.1 Notification to Controller

The Processor shall notify the Controller without undue delay and in any event within 24 hours of becoming aware of a Security Incident affecting Customer Personal Data.

10.2 Content of Notification

The notification shall, to the extent possible, include:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records concerned
  • The name and contact details of the Processor's point of contact for the incident
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects

Where it is not possible to provide all information at the same time, the Processor shall provide information in phases without undue further delay.

10.3 Processor's Obligations

The Processor shall:

  • Take immediate steps to investigate, contain, and mitigate the effects of the Security Incident
  • Co-operate fully with the Controller in investigating and responding to the incident
  • Not make any public statement or notification to any third party (including Data Subjects, regulators, or the media) regarding the Security Incident without the Controller's prior written consent, unless required by law
  • Preserve and provide all relevant evidence and information to assist the Controller in meeting its obligations under Articles 33 and 34 UK GDPR

11. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments ("DPIAs") and prior consultations with the ICO under Articles 35 and 36 UK GDPR, taking into account the nature of the processing and the information available to the Processor.

12. Audit & Inspection Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 UK GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audit conditions:

  • The Controller shall give the Processor at least 30 days' prior written notice of any audit (except in the case of a suspected or actual Security Incident, where reasonable notice is sufficient)
  • Audits shall be conducted during normal business hours, with minimal disruption to the Processor's operations
  • The Controller shall ensure that any auditor is bound by appropriate confidentiality obligations
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor
  • The Processor may satisfy audit requests by providing the Controller with relevant third-party audit reports or certifications (e.g., SOC 2, ISO 27001) where available
  • Audit frequency shall be limited to once per 12-month period, unless a Security Incident or material breach has occurred

13. Data Retention & Deletion

Upon termination or expiry of the Agreement, the Processor shall, at the Controller's written election:

  • Return all Customer Personal Data to the Controller in a commonly used, machine-readable format; or
  • Securely delete all Customer Personal Data and confirm deletion in writing

The above shall be completed within 30 days of termination, unless:

  • UK law requires the Processor to retain some or all of the data (in which case the Processor shall inform the Controller, isolate the data, protect it in accordance with this DPA, and delete it as soon as the legal obligation expires)
  • The data is held in backup systems that cannot be individually amended — in which case the data will be deleted when the backup cycle completes, and in the interim the Processor will continue to protect it under this DPA

The Processor shall ensure that all Sub-Processors are contractually required to return or delete Customer Personal Data on the same terms.

14. Liability

Each party's liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions set out in the Agreement.

Nothing in this DPA shall limit either party's liability for breaches of Applicable Data Protection Laws to the extent that such liability cannot be limited or excluded by law.

15. Term & Termination

This DPA shall take effect on the date the Agreement is executed and shall continue in force for as long as the Processor processes Customer Personal Data on behalf of the Controller.

The obligations of the Processor under this DPA shall survive the termination or expiry of the Agreement for as long as the Processor retains any Customer Personal Data.

Schedule 1: Processing Details

  • Subject Matter of Processing: Processing of employee and worker personal data for the purposes of payroll processing, HMRC compliance, pension administration, EOR services, and related business services
  • Duration of Processing: For the term of the Agreement, plus the period necessary to complete post-termination obligations (return/deletion of data)
  • Nature of Processing: Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission to HMRC and pension providers, alignment, combination, restriction, erasure, and destruction
  • Purpose of Processing: Payroll calculation and processing; PAYE, NIC, and student loan computation; RTI and FPS submission to HMRC; P45/P60/P11D generation; pension auto-enrolment and contribution processing; statutory payment calculation (SSP, SMP, SPP, ShPP, SPBP); BACS payment processing; holiday pay accrual and calculation; year-end reporting; EOR administration
  • Categories of Data Subjects: Employees, workers, contractors, directors, and pensioners of the Controller; and any other individuals whose data the Controller instructs the Processor to process
  • Types of Personal Data: Identity data (name, date of birth, gender, NI number); contact data (address, email, phone); financial data (bank details, tax codes, pension details, student loan details); employment data (job title, salary, start/end dates, working hours, pay history); statutory data (SSP, SMP, SPP records, fit notes); payroll outputs (payslips, P45, P60, P11D)
  • Special Category Data: Health data (fit notes, SSP/SMP/SPP entitlement evidence); trade union membership (where payroll deductions apply). Processed under Article 9(2)(b) UK GDPR — employment, social security and social protection obligations
  • Data Transfers: HMRC (RTI, PAYE, NIC); pension providers (contributions, enrolment); BACS (payment processing); cloud infrastructure providers (as per Schedule 3)

Schedule 2: Technical & Organisational Measures

The Processor implements and maintains the following measures in accordance with Article 32 UK GDPR:

Access Control

  • Role-based access control (RBAC) — access limited to authorised personnel based on job function and the principle of least privilege
  • Multi-factor authentication (MFA) required for all access to systems containing Customer Personal Data
  • Unique user credentials — shared accounts are prohibited
  • Automated account lockout after failed login attempts
  • Regular access reviews (quarterly) with prompt removal of access for leavers and role changes

Encryption

  • Data in transit encrypted using TLS 1.2 or higher
  • Data at rest encrypted using AES-256 or equivalent
  • Encryption keys managed in accordance with industry best practices

Network Security

  • Firewall protection and intrusion detection/prevention systems
  • Network segmentation to isolate sensitive data environments
  • Regular vulnerability scanning and penetration testing (at least annually, and following significant changes)
  • Secure remote access via VPN with MFA

Data Integrity & Availability

  • Regular automated backups with encrypted offsite storage
  • Documented disaster recovery and business continuity plans, tested at least annually
  • System monitoring and alerting for anomalous activity
  • Redundant infrastructure to ensure service availability

Physical Security

  • Controlled physical access to offices and data centre facilities
  • Visitor management procedures
  • Secure disposal of hardware and physical media
  • Clean desk policy

Personnel

  • Pre-employment screening (including DBS checks where appropriate)
  • Mandatory data protection training on induction and annually
  • Enforceable confidentiality agreements for all staff
  • Disciplinary procedures for data protection breaches

Incident Management

  • Documented incident response plan with defined roles and escalation procedures
  • 24-hour breach notification capability (as per section 10 of this DPA)
  • Post-incident review and lessons-learned process

Supplier Management

  • Due diligence assessments for all Sub-Processors before engagement
  • Written data processing agreements with all Sub-Processors
  • Regular review of Sub-Processor compliance and security posture

Schedule 3: Approved Sub-Processors

The following Sub-Processors are approved by the Controller as at the effective date of this DPA:

  • Payroll software provider (details available on request)
    Location: United Kingdom
    Processing Activity: Payroll calculation engine and RTI submission platform
  • Cloud hosting provider (details available on request)
    Location: United Kingdom / EEA
    Processing Activity: Cloud infrastructure for data storage and processing
  • BACS bureau provider (details available on request)
    Location: United Kingdom
    Processing Activity: Electronic payment processing (salary and HMRC payments)
  • Email service provider (details available on request)
    Location: United Kingdom / EEA
    Processing Activity: Service notifications and payslip delivery
  • Pension provider interface (details available on request)
    Location: United Kingdom
    Processing Activity: Auto-enrolment contribution submissions and provider communications

This list will be kept up to date and the Controller will be notified of any additions or changes in accordance with section 7.2 of this DPA.

Schedule 4: International Transfer Mechanisms

Where Customer Personal Data is transferred to a country outside the United Kingdom that is not subject to an adequacy decision, the following transfer mechanisms apply:

  • Destination: European Economic Area (EEA)
    Transfer Mechanism: UK adequacy regulations for EEA member states (currently in effect)
    Supplementary Measures: N/A — adequacy applies
  • Destination: United States
    Transfer Mechanism: UK Extension to EU-U.S. Data Privacy Framework (where recipient is certified); or UK IDTA / UK Addendum to EU SCCs (Module 2 or 3)
    Supplementary Measures: Transfer risk assessment; encryption in transit and at rest; contractual restrictions on government access
  • Destination: Other countries
    Transfer Mechanism: UK IDTA or UK Addendum to EU SCCs (Module 2 or 3)
    Supplementary Measures: Transfer risk assessment conducted on a case-by-case basis; supplementary measures as identified by assessment

The Processor shall promptly inform the Controller if it becomes aware of any change in law or circumstance that may affect the validity of the transfer mechanism in use, and shall cooperate with the Controller to implement alternative safeguards where necessary.