Hi @Alison
As we are acting as your Data Controller we have an obligation to inform you how we collect, store and process your personal data in line with GDPR. Our privacy policy does not extend any specific rights or remedies to your client and therefore we do not include any addendum to our privacy policy that addresses this question.
Typically what you would do here is publish a list of your own sub-processors, where QuickFile would feature. We have our own list of sub-processors here, although I don’t believe this is a strict requirement under GDPR, it does help to better inform customers on where data is stored and processed.
We will also be providing additional tools to help you comply with any exercising of rights posed by your customers under GDPR. Although as my colleague has mentioned, due to the types of documents we process on your behalf (e.g. invoices and financial transaction) the scope for requesting erasure is trumped by your obligation to retain financial records for tax purposes.
Another thing to note is that when clients are removed from QuickFile, the associated contacts (name, email, telephone number) are physically deleted. We will also be providing some additional tools to allow export of personal data from the client control panel.
I hope that answers your question, but please get back to us if you have any doubts.