General Data Protection Regulation

One of the biggest changes to UK data privacy law comes into effect on 25 May 2018. The General Data Protection Regulation, also known as GDPR, means that you’ll have more control over how your data is used and it ensures that organisations protect your personal data better.

PurePayroll is committed to protecting and respecting your privacy and adhering to all relevant Data Protection Legislation.  To reflect these changes and new obligations, we’ve updated our privacy policy which now tells you what we do with your personal data, how it’s used and your rights as an individual under the new law.  <Privacy Policy>

The updates are designed to provide greater transparency and clarity around how we collect and use your information.  The new version also includes some important updates that are required for us to comply with the new European General Data Protection Regulation (GDPR) and other international laws which are championing the privacy rights of individuals.

PurePayroll has spent the last 6 months auditing and amending all our company documents, implementing staff training and have taken all the necessary steps to ensure complies with the new GDPR legislation coming into effect on the 25th May 2018.

As defined by the new regulations, PurePayroll Ltd is a legal entity which determines the purposes and means of processing personal data therefore PurePayroll will meets its requirements as a data controller.


Data Retention


Where candidates have been processed (paid), we will save their data for 7 years from the end of the last tax year in which they received payment.

Where candidates have voluntarily provided us with their personal data and have not been paid, we will keep their data for 12 months after which it will be deleted. Candidates can request deletion of their data at an earlier time.

Where we have received personal information about an individual(s) from an external organisation (eg recruitment agency) and they have not returned a signed PP agreement, we will delete their data after 6 weeks. Candidates can request deletion of their data at an earlier time by writing to:- The Data Controller, Pure Payroll Ltd, 15 Queens Square, Leeds, LS2 8AJ.


Where a candidate updates their data with us, the above terms apply from the date their data was updated.


Access Control

PP will ensure that clear controls are in place at both physical and virtual for the operation of procedures covering the correct operation of information processing.  Our procedures ensure:-

  • Management of access rights in a network environment.
  • Information distribution and authorisation policies.
  • User registration and de registration
  • Password controls, use, removal
  • Contractual and legal obligations for protection of access to data
  • Access rights overview
  • Physical access ports and networks configuration
  • Rules requiring administrator approval.


Network Security

  • Company network access to authorised users only
  • Authentification, security and management of remote users
  • User network segregation
  • User network access rights


Data Minimisation & Accuracy

  • PP collects most of its data in pre required fields usually via email or website. These fields relate directly to the needs of the contract in place with the candidate.   Further documents may be uploaded (eg passport) to further facilitate lawful obligations.
  • Corrections to personal data can be corrected by candidates by writing to:- The Data Controller, Pure Payroll Ltd, 15 Queens Square, Leeds, LS2 8AJ.


Assets Policy

  • Document the rules for acceptable information use for assets and processing facilities.
  • Ensure employee awareness of these rules.
  • Identify and document asset register
  • Ensure updated asset manager list



PP can document its data processing through our secures systems and be able to confirm compliance confirmation to relevant bodies as requested to do so.


User Registration

  • Computer access rights are given on an access requirement basis.
  • All staff have unique login and security ID’s via a formal appointment process.
  • Access rights are removed immediately on an employee departing.
  • Audit requests are readily available.


Candidate Access Rights

PP has systems in place to notify candidates as soon as personal data has been received.  Where data is received via online submission the candidate will receive a completed copy of the information submitted. Candidates will further be able to receive a copy of this information via email request. In order to correct or delete data please write to:-  The Data Controller, Pure Payroll Ltd, 15 Queens Square, Leeds, LS2 8AJ.


Systems operation and control

  • Computer access rights are given on an access requirement basis.
  • All password entries are hidden.
  • No systems information is provided prior to login.
  • All systems are dedicated administer controlled for access rights.

Information confidentiality

PP has in place procedures to prevent cyber hacking, unlawful alteration of personal data, dissemination of personal data and has in place regular end to end vulnerability testing.

PP has appointed Dan Brier as its data protection officer / controller.

For all questions relating to GDPR, please email