HOME / COMMUNITY Switch to knowledge base

Data Protection Compliance with GDPR


#14

Hi @Jenii_Lowe

Everything regarding this should be covered above or in the privacy policy (also linked above). But please don’t hesitate to let us know if you have any additional questions.


#15

Thank you, but your privacy policy only informs users of their own rights to erasure, portability, etc that I would expect from any EU provider. I’m more curious as to what QF allows me to do if a client of mine wishes to exercise those rights? And how to perform those actions in QF? I know you’re GDPR compliant, but I need to make sure I am too in using QF - if that makes sense!
Thanks
Jen


#16

AIUI you aren’t prevented from holding normal accounting information in any way. The only issue that I can think of as a layman is with named contacts within a client organisation and, as long as you are only holding those that are required for the performance of your contract with them then there shouldn’t be an issue.

If that wasn’t the case you could have people demanding to have their unpaid invoices deleted. (I suspect that some chancer in this world will try though)

Memo to self - I still need to write my own privacy policy,


#17

Hi @Jenii_Lowe

As @FolkLondon points out, with accounting records you’re actually required to keep these for a minimum of 6 years by HMRC (see here) so data like invoices (with client details) shouldn’t be deleted as such.

All data within your account is exportable to a .CSV format which is a common machine readable format and supported by many different packages (for portability). The client portal would also allow your clients to view the data you store related to them.

If the time comes that you wish to use a different package and delete your data from QuickFile, then upon request, we will delete any data held on your account.

However, if you are uncertain on any aspect of GDPR in regards to the data you hold, I would advise you to seek professional advise on this to ensure everything is correct.

I hope this helps!


#18

Hi
I’ve checked the new updated policies as above but it talks about the data you hold as a Data Controller and I can’t find anything about you acting as a Data Processor.

I would understand that you are the Data Controller for the details you hold on our account with you, but where I enter my client details onto your software I am the Controller and Quickfile is the Processor. Do you have a Controller to Processor Data Processing Addendum to your main TCs and Cs.

As a controller who uses a processor we need that in place with you to ensure that we are adhering to the new legislation. Sorry if I’m misunderstanding this.
Thank you.


#19

Hi @Alison

As we are acting as your Data Controller we have an obligation to inform you how we collect, store and process your personal data in line with GDPR. Our privacy policy does not extend any specific rights or remedies to your client and therefore we do not include any addendum to our privacy policy that addresses this question.

Typically what you would do here is publish a list of your own sub-processors, where QuickFile would feature. We have our own list of sub-processors here, although I don’t believe this is a strict requirement under GDPR, it does help to better inform customers on where data is stored and processed.

We will also be providing additional tools to help you comply with any exercising of rights posed by your customers under GDPR. Although as my colleague has mentioned, due to the types of documents we process on your behalf (e.g. invoices and financial transaction) the scope for requesting erasure is trumped by your obligation to retain financial records for tax purposes.

Another thing to note is that when clients are removed from QuickFile, the associated contacts (name, email, telephone number) are physically deleted. We will also be providing some additional tools to allow export of personal data from the client control panel.

I hope that answers your question, but please get back to us if you have any doubts.


#20

Thank you everybody for your responses cc: @QFSupport

@FolkLondon - I know I’m probably going overboard in worrying about this, one would think that keeping essential accounting stuff comes under “legitimate use”. I did crack a smile at your hypothetical chancer though! Hopefully nobody’s going to try that!

Great question @Alison, and great response @Glenn. Please keep us updated as to the additional tools you’re planning!


#21

Hi wondered if you could assist us with how we are to comply with GDPR


#22

Hello @Asmaa

I’ve moved your post to the existing thread for this. All the information you require should be above in regards to QuickFile to help you determine how you would need to comply yourself.

If you have any questions about QuickFile’s side of things, please don’t hesitate to ask.


#23

Forgive me if I have missed it, but is there a way in which those with access to their records (typically when an invoice is raised our customers can look at their account) can see the Quickfile privacy policy? Alternatively, is there a straightforward way in which we can email the privacy policy to our customers as a single mailshot using the resources within Quickfile?
JonC


#24

Hi @JonC

There’s no email function within QuickFile for your clients, but you could export your client list and use a tool such as MailChimp or similar.

All our policies are available through our community forum, and linked from our main website (https://www.quickfile.co.uk).

I’ve posted a link above to the privacy policy, but for your convenience, you can find it here.


#25

Hi Glen
Because we are a Data Controller who uses a Data Processor (you guys) the GDPR states that we must have a Controller to Processor agreement in place with you.

The below is from the ICO website. It means that each of your customers as the Data Controller must ask you to sign a Data Processing agreement - that could mean that you have 1000’s of differently worded contracts to go through. I work for a payment gateway and we are a processor for many controllers to that end we’ve put together the Data Processing Agreement as a “self-serve” document that all our customers can sign and return to us. It’s their responsibility but we are making compliance easy for them. A sub-processor is different - if you are using Sub-processors to process our data we, as the Controllers, need to agree to that sub-processing so you would lay it all out in the agreement too.

So that was the type of contract that I was looking for. Do you think that’s something you might put together or have maybe already? See below extract from the ICO. - Many thanks.

Whenever a controller uses a processor it needs to have a written contract in place.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what needs to be included in the contract.

Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

The checklist of what the agreement must legally contain can be found here.


#26

All the terms relating to our GDPR compliance are contained within our current privacy policy. Some companies have filed an addendum to their existing privacy statements, i.e. where they are operating in different jurisdictions and wish to append specific data processing terms affecting their customers based in Europe. We have instead completely rewritten our privacy policy from scratch to adhere to GDPR.

There is no requirement (to my knowledge) for a privacy statement to be signed, as long as the customer provides consent in a clear affirmative act.


#27

Hi Glen

It’s not related to the Privacy Statement. It’s a completely different contract and unless I have the agreement in place with you I cannot be seen to be complying with GDPR. I’ll draw one up and maybe email it over? Below is what the regulation says. It really is a “thing” - complete overkill for a sole trader but nevertheless.

The GDPR requires that all data processing carried out by a data processor on behalf of a data controller is carried out under a written contract.

This Data Processing Agreement (UK/EEA) is designed for use in situations where a data controller in the UK collects and uses personal data (about its customers or staff, for example), and wishes to engage a data processor within the UK or EEA to hold and/or process that personal data on its behalf.

Data processing agreements are designed to carefully regulate the activities of data processors with respect to personal data, with a particular emphasis on their compliance with – in this case – the GDPR


#28

A Privacy Policy is a legally binding contract, providing the customer has formally issued consent. I’m not a lawyer, however we did seek legal guidance in advance of GDPR and we were not advised to issue individual contracts with every free and paid user. Also I’ve not encountered this practice elsewhere.

Relevant provisions in the GDPR - Recitals 32

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her,
such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."


#29

Sorry Glen I feel like im being a right troblesome old whatsit! But… your privacy policy is perfect when you are acting as a Data Controller. You are taking my data and I can choose or not choose to interact with you based on your Privacy Policy.

But… you are also a Data Processor. I’m entrusting you with my customers’ details and you are keeping that data on your servers and I “The Controller” of my customers’ data am legally obliged to keep that data safe. The law states that where I use a processor (Quick File) I must have a contract in place with them to ensure that any data I entrust with them is dealt with according to the GDPR. That contract is not your Privacy Policy. It’s a specific data processing agreemebt.

You are not obliged to send us a contract to comply with the above. We, as Data Contollers, engaging with a Data Processor (you) are obliged to present you with a contract to sign which lays down the rules as to how we agree that you will processs our customers data. For large organisations thats a nightmare. Who wants loads of different contracts to sign? So typically we are seeing self service Data Controller to Data Processor Agreements being issued by the Data Processor not the controller because its easy to manage this way.

Im not an expert here so I will contact the ICO on Tuesday for clarification. More than happy to admit that I’m wrong. Im still learning about this law but this is a great chance to atttract new business by being forward thinking wirh the GDPR in mind and anything that makes compliance easier from a Controllers point of view is a great selling point.

Have a lovely Bank Holiday weekend.
Kind regards
Alison


#30

It’s no problem at all, and I think I know where you’re coming from now. By all means have a chat with the ICO, if this is a matter of compliance then we will certainly review our current position. I will discuss this with our own adviser to see where we stand.


#31

Hi Glenn and Alison

Have you guys managed to get to the bottom of what is required?

Thanks


#32

How can we sign the DPA ( Data Processing Agreement)? It’s a required document (as Alison mention above), and we need to sign it if we want to work with QuickFile and store our customer data (in invoices for example)!

Glenn, the privacy policy is enough for us to be your client, but it doesn’t enough for all companies to store EU customers personal data in QuickFile.


#33

We did take professional advice on this subject and we believe our GDPR processes to be compliant. There is no requirement to physically sign a data processing agreement (see my response further up), it can be agreed by checkbox. You would then in turn have a data processing agreement with your clients where you would list all your sub-processors (i.e. QuickFile).