Privacy Policy

1. Who We Are

Elm Requirements Ltd T/A Elm Processing Ltd ("Elm Processing", "we", "us", or "our") is a company registered in England and Wales that provides professional data processing, payroll management, HMRC compliance, Employer of Record (EOR), pension administration, and business consultancy services to businesses across the United Kingdom.

For the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"), Elm Requirements Ltd T/A Elm Processing Ltd is the data controller responsible for your personal data when you visit our website, make enquiries, or engage with our marketing.

Where we process personal data on behalf of our clients — for example, employee payroll data, pension records, or HMRC submissions — we act as a data processor. Such processing is governed by our Data Processing Addendum and the service agreement with each client. The client remains the data controller in those circumstances.

2. Information We Collect

We may collect, use, store, and transfer different categories of personal data depending on how you interact with us:

2.1 Data Provided Directly by You

| Category | Examples |
|---|---|
| Identity Data | First name, last name, title, date of birth, gender, National Insurance number (where required for payroll or EOR services) |
| Contact Data | Postal address, email address, telephone numbers (home, work, mobile) |
| Financial Data | Bank account and sort code details, payment card details, tax codes, pension scheme details, student loan repayment plan details |
| Employment Data | Employer name, job title, salary and wage information, employment start/end dates, P45/P60/P11D records, working hours, statutory pay entitlements |
| Communication Data | Content of emails, enquiry form submissions, live chat transcripts, telephone call notes, feedback and survey responses |
| Account & Profile Data | Username, password, account preferences, service selections, billing history |
| Consent Data | Records of consents given or withdrawn, marketing preferences, cookie preferences |

2.2 Data Collected Automatically

| Category | Examples |
|---|---|
| Technical Data | IP address, browser type and version, operating system, device type, screen resolution, time zone setting, language preferences |
| Usage Data | Pages visited, links clicked, time spent on pages, access dates and times, page response times, navigation paths, download errors, referring/exit URLs |
| Cookie Data | Data collected through cookies and similar tracking technologies — see our Cookie Policy for full details |

2.3 Data Received from Third Parties

We may also receive personal data about you from third parties and public sources, including:

  • Your employer or their representatives — when they instruct us to process payroll, pension, or statutory payment data on their behalf
  • HMRC — tax code notifications (P6/P9), tax refund information, and other statutory correspondence
  • Pension providers — enrolment confirmations, contribution records, and opt-out notifications
  • Analytics and advertising partners — such as Google Analytics (see our Cookie Policy)
  • Referral partners — business introductions and referrals made with your knowledge
  • Publicly available sources — Companies House, professional directories, LinkedIn (business contact details only)

2.4 Special Category Data

In the course of providing payroll and EOR services, we may process limited special category data on behalf of our clients, including:

  • Health-related data necessary for calculating Statutory Sick Pay (SSP), Statutory Maternity/Paternity Pay (SMP/SPP/ShPP/SPBP), or managing fit notes
  • Trade union membership data where payroll deductions are required

Such data is processed under explicit legal obligations (Article 9(2)(b) UK GDPR — employment, social security, and social protection law) and/or with appropriate safeguards in place as set out in our Data Processing Addendum.

3. How We Collect Your Data

We collect personal data through the following methods:

  • Direct interactions — when you fill in forms on our website, request a consultation, subscribe to our newsletter, correspond with us by email, telephone, post, or live chat, or enter into a service agreement
  • Client instructions — when your employer or their agent provides your data for payroll processing, pension administration, or EOR services
  • Automated technologies — as you interact with our website, we automatically collect Technical Data and Usage Data through cookies, server logs, and similar technologies
  • Third parties — we may receive data from HMRC, pension providers, analytics providers, referral partners, and publicly available registers as described in section 2.3

4. Legal Bases for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. The legal bases we rely on depend on the nature and purpose of the processing:

| Lawful Basis | When We Rely on It |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Processing necessary to perform our contract with you or your employer, including payroll processing, pension administration, HMRC submissions, EOR services, and related service delivery |
| Legal obligation (Art. 6(1)(c)) | Processing required to comply with UK law, including HMRC Real-Time Information (RTI) submissions, tax reporting, auto-enrolment obligations, statutory record-keeping, and anti-money laundering requirements |
| Legitimate interests (Art. 6(1)(f)) | Processing necessary for our (or a third party's) legitimate interests, provided these are not overridden by your rights. This includes website analytics and improvement, fraud prevention and security, direct marketing to existing clients, business development, and quality assurance |
| Consent (Art. 6(1)(a)) | Where you have given clear, affirmative consent — marketing communications to non-clients, optional cookies and analytics, and any processing not covered by the bases above. You may withdraw consent at any time (see section 11) |

Where we process special category data (e.g., health data for SSP calculations), we rely on Article 9(2)(b) UK GDPR — processing necessary for the purposes of carrying out obligations in the field of employment and social security law, authorised by DPA 2018 Schedule 1.

5. How We Use Your Data

5.1 Service Delivery

  • Processing payroll (PAYE, NIC, student loan, attachment of earnings)
  • Submitting Real-Time Information (RTI) and Full Payment Submissions (FPS) to HMRC
  • Generating and distributing payslips, P45s, P60s, and P11Ds
  • Managing pension auto-enrolment, contributions, and provider communications
  • Calculating and processing statutory payments (SSP, SMP, SPP, ShPP, SPBP)
  • Processing BACS payments and direct credits
  • Year-end reporting and submissions
  • EOR services — acting as the legal employer for HMRC purposes
  • Administering tax code changes (P6/P9) from HMRC
  • Managing holiday pay accruals and calculations

5.2 Business Operations

  • Responding to enquiries and providing consultations
  • Onboarding new clients and setting up services
  • Invoicing and collecting payment for our services
  • Internal record-keeping and administration
  • Quality assurance, audits, and service improvement
  • Reporting and analytics for management purposes

5.3 Legal & Compliance

  • Complying with legal and regulatory obligations (including HMRC, The Pensions Regulator, and ICO requirements)
  • Establishing, exercising, or defending legal claims
  • Fraud prevention and detection
  • Responding to lawful requests from public authorities

5.4 Website & Communications

  • Administering and improving our website
  • Delivering relevant content and measuring its effectiveness
  • Sending marketing communications (where consent has been given or soft opt-in applies)
  • Analysing website usage patterns through cookies and analytics tools

6. Marketing Communications

We may send you marketing communications about our services, industry updates, and regulatory changes where:

  • You have given explicit consent (e.g., by ticking an opt-in box on our website); or
  • You are an existing client and the communications relate to similar services to those you have previously engaged us for (soft opt-in under the Privacy and Electronic Communications Regulations 2003 ("PECR"))

Every marketing email we send contains a clear unsubscribe link. You can also opt out at any time by emailing privacy@elmprocessing.co.uk or contacting us by telephone or post.

Opting out of marketing will not affect communications that are necessary for the performance of our services (e.g., service updates, payroll notifications, regulatory alerts).

7. Disclosure of Your Data

We may share your personal data with the following categories of recipients:

7.1 Required by Law or Regulation

  • HMRC — RTI submissions, PAYE, NIC, tax code processing, year-end filings, and statutory reporting
  • The Pensions Regulator — auto-enrolment compliance and reporting
  • Courts and law enforcement — in response to lawful requests, court orders, or statutory obligations

7.2 Service Providers & Processors

  • Payroll software providers — technology platforms used to process payroll data
  • BACS payment service providers — to facilitate electronic salary and payment transfers
  • Pension providers — to manage auto-enrolment contributions and communications
  • Cloud hosting and IT infrastructure providers — who store data securely on our behalf
  • Email and communication service providers — to deliver service notifications and marketing
  • Website analytics providers — such as Google Analytics (in anonymised/pseudonymised form)
  • Professional advisors — including accountants, auditors, and legal counsel

All third-party processors are bound by written data processing agreements requiring them to process data only on our instructions and maintain appropriate security measures, in compliance with Article 28 UK GDPR.

7.3 Your Employer (Our Client)

Where we act as a data processor, we share payroll outputs, reports, and related data with our client (your employer) as instructed under our service agreement.

7.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any change in controller and ensure the recipient is bound by equivalent data protection standards.

We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.

8. International Transfers

Your personal data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA).

Where we transfer personal data outside the UK to a country not covered by an adequacy decision, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses approved by the ICO
  • Adequacy regulations — transfers to countries the UK Government has determined provide adequate data protection
  • Binding Corporate Rules — where applicable, for intra-group transfers

Some third-party service providers (e.g., cloud infrastructure, analytics tools) may process data outside the UK. In each case, we carry out a transfer risk assessment and ensure lawful transfer mechanisms are in place.

You may request a copy of the safeguards applied to international transfers by contacting privacy@elmprocessing.co.uk.

9. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • Encryption — data encrypted in transit (TLS/SSL) and at rest
  • Access controls — role-based access restrictions; only authorised personnel may access personal data relevant to their role
  • Multi-factor authentication — required for systems containing sensitive data
  • Regular security assessments — vulnerability scanning, penetration testing, and security audits
  • Employee training — data protection and information security training upon joining and annually
  • Incident response — documented procedures for detecting, reporting, and responding to personal data breaches in accordance with Article 33 UK GDPR
  • Business continuity — regular backups and disaster recovery planning
  • Physical security — controlled access to premises where personal data is stored or processed
  • Supplier due diligence — third-party processors assessed for security posture before engagement and monitored on an ongoing basis

No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any breach in accordance with our legal obligations.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

| Data Type | Retention Period | Basis |
|---|---|---|
| Payroll records (PAYE, NIC, statutory payments) | 6 years after end of the tax year to which they relate | HMRC requirements; Taxes Management Act 1970; Limitation Act 1980 |
| Pension auto-enrolment records | 6 years from the end of the scheme year | The Pensions Regulator requirements |
| P45/P60/P11D records | 6 years after end of relevant tax year | HMRC statutory record-keeping |
| Client contracts and service agreements | 6 years after termination of agreement | Limitation Act 1980 |
| Enquiry and consultation records | 2 years from last meaningful contact (6 years if a contract results) | Legitimate interest |
| Marketing consent records | Duration of consent + 2 years after withdrawal | ICO accountability |
| Website analytics data | 26 months (or as configured) | Legitimate interest / consent |
| Cookie consent records | 12 months from the date consent is given | PECR / ICO guidance |

At the end of the applicable retention period, personal data is securely deleted or anonymised. Every twelve months, we conduct a data retention review to identify and securely dispose of data no longer required.

11. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights:

| Your Right | What This Means |
|---|---|
| Right of access (Art. 15) | Request a copy of the personal data we hold about you (Subject Access Request). We will respond within one month. |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete personal data. |
| Right to erasure (Art. 17) | Request deletion of your personal data where there is no compelling reason for continued processing. Does not apply where we have a legal obligation to retain data. |
| Right to restrict processing (Art. 18) | Request that we limit processing of your data in certain circumstances, such as while verifying accuracy. |
| Right to data portability (Art. 20) | Request your data in a structured, commonly used, machine-readable format, or transfer to another controller where technically feasible. |
| Right to object (Art. 21) | Object to processing based on legitimate interests or for direct marketing. We will stop direct marketing immediately upon objection. |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent at any time. Withdrawal does not affect lawfulness of processing before withdrawal. |
| Rights related to automated decision-making (Art. 22) | Right not to be subject to decisions based solely on automated processing with legal or similarly significant effects (see section 12). |

How to Exercise Your Rights

Contact us at privacy@elmprocessing.co.uk or write to: Data Protection, Elm Requirements Ltd T/A Elm Processing Ltd, 167-169 Great Portland Street, London, W1W 5PF.

We will respond within one calendar month, extendable by a further two months for complex requests (with notification). No fee is charged unless requests are manifestly unfounded or excessive. We may verify your identity before processing your request. If we receive a request from an employee of a client (where we act as processor), we will refer it to the client unless otherwise instructed.

12. Automated Decision-Making & Profiling

We do not currently carry out solely automated decision-making or profiling that produces legal or similarly significant effects as defined under Article 22 UK GDPR.

Our payroll calculations involve automated computation of wages, deductions, and statutory entitlements, but these are system-assisted processes subject to human review and oversight. If this changes, we will update this policy accordingly.

13. Children's Privacy

Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

In the course of payroll processing, we may process limited data relating to dependants (e.g., for childcare voucher schemes or shared parental leave calculations) as instructed by clients, subject to the protections in our Data Processing Addendum.

14. Third-Party Links

Our website may contain links to third-party websites (including HMRC, The Pensions Regulator, and pension provider portals). We have no control over and accept no responsibility for the privacy practices or content of third-party websites. We encourage you to read the privacy policy of every website you visit.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last Updated" date, post the revised policy on our website, and where appropriate, notify you by email or prominent website notice.

Previous versions are available on request.

16. Contact Us & Complaints

If you have questions about this Privacy Policy or our data protection practices:

If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.