Privacy Policy

Offshore Payroll Limited

1.  Privacy Statement

Offshore Payroll Limited (“Offshore Payroll”, “OP”, “us”, “we”, “our”) is a Jersey registered company (No 112188). Offshore Payroll take the privacy of your personal data very seriously, and we do so in accordance with The Data Protection (Jersey) Law 2018 (“DPJL”).

Offshore Payroll is a payroll web application and API used by employers or their appointed representatives to process personal data of their employees in order to facilitate their legal payroll and pension obligations. Note: some existing OP customers utilise our OP Legacy desktop-based software to achieve the same purpose.

The following Privacy Policy is designed to help you (our employees, customers and employees of customers, marketing contacts / enquirers, website visitors and suppliers) understand how and why we collect, use and safeguard personal information.

We act as a data controller (as defined by DPJL) for the personal data we process about our employees, customer contacts, suppliers (current and prospective), our visitors, enquirers and those who engage with our website and directly with us.

We act as a data processor (as defined by DPJL) for the personal data we process on behalf of our data controller clients in relation to their employees, in the course of providing our payroll services.

If you are using our software as an employer (or an appointed representative):

OP shall be the data processor (as defined by DPJL) of the payroll information and personal data of employees that you provide to us through our software, and you, as the employer, shall remain the data controller of such information and be responsible for this data. We will only process this data in accordance with your instructions (unless otherwise required by law) and in accordance with the terms of this Privacy Policy and our terms of business available on our website.

If you are using our software as an employee:

Your employer shall remain the data controller of the information you have provided to them and also to us through the use of our application. This Privacy Policy sets out how we process your personal data on behalf of your employer(s) and the rights that you have in relation to such information.

Our site may, from time to time, contain links to and from third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.

Where your personal data is shared with other parties, for example, in order to fulfil our contractual agreement with you, the privacy policies of those parties will also apply to your personal data and the way in which it is processed. For example:

  • OP use HubSpot as our CRM system; you can find HubSpot’s privacy policy here.

  • OP use Xero as our accounting system (where we store your billing information); you can find Xero’s privacy policy here.

  • OP use Microsoft Azure for business continuity services. You can find Microsoft’s privacy policy here.

Please ensure you read the individual privacy policy of each party for further information.

Please note, we may amend this Privacy Policy from time to time. Please continue to visit our website to stay up to date as we will post any changes or updates there: https://www.offshorepayroll.com/PrivacyPolicy

Version 1.1

Released December 2021

2.  Contact information

Offshore Payroll Limited, a company registered in the Island of Jersey with company number 112188. Our data protection registration number is 58474.

Address: No 9 Hope Street, St Helier, Jersey, JE2 3NS

Data Protection Officer: Julie Heaven

Email: mydata@offshorepayroll.com

Telephone: +44 (0)7829 930 000

3.  What type of personal data do we collect?

The following are examples of types of personal data that we may collect. The specific kind of information collected by us will depend on the services provided or the purpose for which data is processed:

3.1.  Customers:

  • Contact information (first name, last name, email address, phone number, address, company)

  • Billing information (billing address, billing contact details)

  • User profile data (e.g. username and password)

  • OP purchase or service history

  • Your interests, preferences, feedback and survey responses

  • Usage data about how you use our software

  • Number of employees

  • Demographic information (e.g. occupation)

3.2.  Marketing contacts/enquirers:

  • Your preferences in receiving marketing communications from us 

  • Contact information (first name, last name, email address, phone number, address, company)

  • Number of employees 

  • Demographic information (e.g. occupation)

3.3.  Website visitors:

  • Details about your computer, devices, applications and networks (including IP address, browser characteristics, device ID, operating system, or language preferences)

  • Activities on our website (including referring URLs or dates and times of website visits)

3.4.  Suppliers:

  • Payment information (contact details, billing address, bank account information)

3.5.  OP employees:

  • Information required to manage our employment relationship with you, including (but not limited to) name, address, contact details, date of birth, bank account information, ITIS number and social security number.

3.6.  Personal data processed on behalf of data controller clients in relation to their employees in the course of providing our payroll services:

  • Information required to provide our contractual payroll services to your employer including (but not limited to) name, date of birth, address, bank details, ITIS number, social security number, email address, employee number and tax reference number.

4.  How is the data collected?

OP may collect data (which may include personal data about you) in a variety of ways:

4.1.  Customers:

  • When you complete the contact form or use the chatbot on our website

  • When you speak to our customer support team over the phone, via email, via chat software, via remote access software or at events (e.g. workshops, fairs)

  • Via explicit data capture measures, for example by entering competitions and completing surveys

  • When you purchase a product or service from us

4.2.  Marketing contacts/enquirers:

  • When you complete the contact form or use the chatbot on our website

  • When you speak to our customer service team over the phone, via email, via chat software or at events (e.g. workshops, fairs)

  • When you opt-in to our marketing communications

  • Via explicit data capture measures, for example by entering competitions and completing surveys

  • Via implicit data capture measures such as when you visit our website (e.g. information that we collect automatically relating to your movement throughout the website and information collected automatically via cookies)

4.3.  Website visitors:

  • When you visit our website (e.g. information that we collect automatically relating to your movement throughout the website and information collected automatically via cookies)

4.4.  Suppliers:

  • Information provided directly by you (e.g. contact and payment details)

4.5.  OP employees:

  • When you provide us with your personal data during the course of your employment with us, in order for us to manage our employment relationship with you (e.g. bank details to pay you)

4.6.  Personal data processed on behalf of data controller clients in relation to their employees in the course of providing our payroll services:

  • When your employer provides us with personal data through using our system in order to enable us to process your payroll on their behalf.

4.7.  Cookies:

  • When you browse our website, we will collect information about how and when you use the website and information that is collected automatically via cookies. A cookie is a small file placed on your computer’s hard drive. It enables our website to identify your computer as you view different pages on our website. Collecting this data allows us to improve our website and ultimately your user experience. For information, please refer to our Cookie Policy.

  • OP may use other information gathering tools such as hyperlink tracking and tracking pixels for the purpose of email tracking. 

5.  The legal basis for processing data

Under the DPJL there are a number of legal bases that we rely on in order to lawfully process your personal data where we act as data controller:

Contractual: in many circumstances we rely on the lawful basis of “performance of a contract”. For example, in the case of a customer, this enables us to process your personal data to provide the services you buy from us (or in preparation for the contract) or in the case of OP employees, this enables us to pay you as per your employment contract.

Consent: in some circumstances we rely on your specific consent, whereby you actively agree and “opt-in”. You can withdraw your consent at any time and we will always make it clear how to do so.

Legal Obligation: there will be circumstances under which we are legally obliged to hold your personal data or required to disclose it to a third party by law. 

Legitimate Interests: for some of our activities we rely on our legitimate business interests to collect and use your personal data. In such cases, we have balanced our interests with yours and do not believe these activities will have an overriding negative impact on your privacy rights and freedoms.

We specifically rely on Legitimate Interests to:

  • send you marketing communications about our legislative updates, webinar programme, and our products and services (or updates to them)

  • personalise the marketing content we provide you

  • undertake business sales and advertising activities

  • research publicly available business contact details

  • customise the content you see on our websites

You can always object to our marketing messages by opting out, either by clicking the ‘unsubscribe’ or ‘manage preferences’ link in the footer of every marketing email we send or by contacting mydata@offshorepayroll.com.

Where we act as a data processor, we will only process your personal data on instructions from your employer (the data controller) in order to provide our payroll services (unless otherwise required by law). In these cases, your employer (the data controller) will be responsible for ensuring that they have a legal basis for processing your personal data.

6.  Why and how we use your personal data

6.1.  Your personal data may be processed in any of the following ways:

  • Information that you provide by filling in forms on any of our sites; this includes information provided at the time of registering to use our site, subscribing to our services, posting material, any inquiry through the “Contact Us” or chatbot section of our site or requesting further services

  • Establish and manage user accounts and billing accounts

  • Communicate changes to our services

  • Provide customer support, troubleshooting, manage subscriptions and respond to requests, questions and comments

  • Ensure that the content of our site is presented in the most effective manner

  • Communicate about, and administer participation in, special events, surveys, prize draws, webinars, and other offers and promotions

  • Analyse users’ behaviour when using our services to customise preferences, and develop new products, services and advertising

  • Enable posting on our communication channels (such as social media)

  • Comply with and enforce applicable legal requirements, agreements, and policies

  • For Offshore Payroll customers, see our online Terms for further information on how we use your data 

  • Any other activity consistent with this Privacy Policy

6.2.  Specific examples of why and how we process your personal data:

6.2.1.  Service delivery

OP processes the data we collect to provide you the services we offer, which includes using the data to improve and personalise your experience. We may also use that information to communicate with you, for service provisions or product updates. We usually process information not collected directly by us, but by way of our customers, which includes general payroll information. When processing data for this purpose, we rely on contractual agreements with our customers who are the Data Controllers of your data and this data is processed on behalf of your employer for the purpose of providing our payroll services.

6.2.2.  Engaging suppliers

In order for us to engage you to provide us with certain services, we collect information such as contact details of individual contacts at your organisation (including their names, telephone numbers and e-mail addresses) in addition to bank details so that we can pay you for the services that you provide, in accordance with our contractual obligations.

6.2.3.  HR and staff administration purposes

In order to manage our employment relationship with our own staff and for general HR and staff administration purposes, we need to process certain information such as contact details and bank details.

6.2.4.  IP addresses

We may collect information about your computer that does not, by itself, identify you by name, including where available your IP address, operating system and browser type, for system administration and to report on aggregate information. This is statistical data about our users’ browsing actions and patterns. The purpose of the data is to improve effectiveness of the site, to help diagnose problems and to administer the site.

6.2.5.  Cookies and information gathering tools

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. 

7.  Data transfers

OP is headquartered in the Island of Jersey. Data may also be stored with a cloud service provider (e.g. Amazon Web Services) and therefore located across that provider’s UK and European cloud environments.

OP will take reasonable steps necessary to ensure that your data is treated securely, with appropriate technical and organisational measures, and in accordance with this Privacy Policy. 

8.  Your rights as a data subject

Under the DPJL, greater rights are afforded to individuals in respect of their personal data and you can exercise these rights in relation to us (where we act as data controller of the data) even after you have provided us with your personal data. We have set out information regarding these rights below, but if you would like any further information or clarification in respect of any of these rights, please do not hesitate to contact us. We will aim to deal with your request as soon as possible and in any event within 4 weeks (subject to any extensions that we are lawfully entitled to). Please note that any communications which you make in relation to such a request may be recorded in order to enable us to resolve any issues efficiently.

Please note that in circumstances where OP is acting as the data processor, the below rights would be exercised in relation to your employer (as the data controller) rather than OP.

8.1.  Your right to object to the processing of your personal data

You have the right to object to our processing of your personal data where the processing is carried out for one of the following reasons:

  • our legitimate interests;

  • to enable us to perform a task in the public interest or exercise official authority;

  • for direct marketing purposes; or

  • for scientific, historical, research, or statistical purposes.

The “legitimate interests” and “direct marketing purposes” categories above are the most relevant here.

If you object to us processing your personal data for direct marketing purposes, we are obliged to stop the processing. If you object to us processing your personal data because we deem it necessary for our legitimate interests, we will be obliged to stop the processing unless we can show that we have compelling legitimate grounds for processing which override your interests or that the processing is necessary for the establishment, exercise or defence of a legal claim.

9.  Other rights

9.1.  Your right to request access (data subject access requests)

You have the right to request confirmation from us as to whether your personal data is being processed by us as the data controller (or on behalf of us) and if so, you have the right to request information regarding certain aspects of the processing and access to your personal data. We will not charge you for providing you with access to the personal data which we hold for you, unless your request is “manifestly unfounded or excessive” or if you are requesting further copies of information that we have already provided to you. In such cases, we may charge you a reasonable administrative cost where legally permissible. We may also request further information from you in order to verify your identity. Where we are legally permitted to do so, we may refuse to act on your request but we will always provide reasons if we do so. 

9.2.  Your right to rectification

You have the right to ask us to rectify information you think is inaccurate or incomplete. This right always applies.

9.3.  Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

9.4.  Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

9.5.  Your right to object to processing

You have the right to object to the processing of your information in certain circumstances.

9.6.  Your right to data portability

You have the right to ask that we transfer the information you gave us from one organisation to another or to give it to you. This right of data portability applies where the personal data:

  • has been provided to us by you;

  • is processed based on your consent or in order to fulfil a contract; and

  • is processed automatically (i.e. without any human intervention).

9.7.  Withdrawal of consent

Where personal data is being processed on the lawful basis of your consent, you have the right to withdraw this consent at any time. You can do this by contacting OP directly.

9.8.  Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at mydata@offshorepayroll.com and we will respond. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

If you remain dissatisfied, you can make a complaint with the Data Protection Authority through the Office of the Information Commissioner. The Office of the Information Commissioner can be contacted in the following ways:

Telephone: +44 (0)1534 716530

Email: enquiries@jerseyoic.org

Address: Office of the Information Commissioner, 2nd Floor, 5 Castle Street, St Helier JE2 3BT

Website: https://oicjersey.org

10.  How we protect your personal data

In accordance with OP policies, we are committed to protecting any personal data divulged to us. OP have implemented appropriate security measures, technologies and organisational procedures in order to protect your personal data from loss, misuse, alteration or destruction. Our directors, employees and partners are required to keep personal data confidential.

Unfortunately, the transmission of information via the internet (by way of an email or other) is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use internal procedures and security features to try to prevent unauthorised access.

The data you provide to us is stored on cloud-based systems.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10.1.  Software Platform (OP Legacy and OP Cloud)

Our software allows employee data to be minimised and/or erased to match a customer’s own retention policies. For information on how to do so please contact the OP support team via info@offshorepayroll.com

10.2.  Hosting Platform (OP Legacy)

Some existing OP clients host their OP Legacy software with a professionally managed service provider in the UK, delivering enterprise-class security, reliability and 24/7 system monitoring.

10.3.  SaaS Cloud-Based Platform (OP Cloud)

OP Cloud is built on an Amazon Web Services (AWS) platform, one of the most secure cloud computing environments available. OP Cloud data is stored in AWS data centers and on a network architected to protect your information, identities, applications, and devices. AWS regularly achieves third-party validation for thousands of global compliance requirements. Find out more about AWS security here.

Other ways in which we secure data on OP Cloud:

  • System login is secured by password controls and optional multi-factor authentication;

  • Integrations with third-party applications (e.g. Xero and government submissions) are customer-driven and all external API communications are encrypted;

  • Customer controlled user permission access; and

  • OP Cloud is encrypted via HTTPS.

For more information see our Security Statement on our website (https://www.offshorepayroll.com/security-statement?rq=security%20statement).

11.  Data retention information

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Once we have deleted your personal data we will no longer hold this data and you will therefore be unable to exercise your rights of access, erasure, rectification and data portability after this time.

Any information held on the back-up systems will be deleted within 12 months of request. 

12.  Glossary

12.1.   OP Cloud

Payroll web application and API hosted on Amazon Web Services as a SaaS (cloud-based).

12.2.   OP Legacy

Microsoft Access application installed onto a customer’s PC, server (internal or external) or on a hosted platform provided by a third party.

12.3.   Third Party 

  • Service providers acting as processors based in the United Kingdom who provide IT and system administration services.

  • Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.

  • Jersey/Guernsey tax and social regulators and other authorities acting as processors or joint controllers based in Jersey/Guernsey who require reporting of processing activities in certain circumstances including to comply with legal payroll and reporting obligations.

  • Pension providers as applicable.