Data Protection Compliance with GDPR

Hi @JonC

There’s no email function within QuickFile for your clients, but you could export your client list and use a tool such as MailChimp or similar.

All our policies are available through our community forum, and linked from our main website (https://www.quickfile.co.uk).

I’ve posted a link above to the privacy policy, but for your convenience, you can find it here.

Hi Glen
Because we are a Data Controller who uses a Data Processor (you guys) the GDPR states that we must have a Controller to Processor agreement in place with you.

The below is from the ICO website. It means that each of your customers as the Data Controller must ask you to sign a Data Processing agreement - that could mean that you have 1000’s of differently worded contracts to go through. I work for a payment gateway and we are a processor for many controllers to that end we’ve put together the Data Processing Agreement as a “self-serve” document that all our customers can sign and return to us. It’s their responsibility but we are making compliance easy for them. A sub-processor is different - if you are using Sub-processors to process our data we, as the Controllers, need to agree to that sub-processing so you would lay it all out in the agreement too.

So that was the type of contract that I was looking for. Do you think that’s something you might put together or have maybe already? See below extract from the ICO. - Many thanks.

Whenever a controller uses a processor it needs to have a written contract in place.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what needs to be included in the contract.

Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

The checklist of what the agreement must legally contain can be found here.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

All the terms relating to our GDPR compliance are contained within our current privacy policy. Some companies have filed an addendum to their existing privacy statements, i.e. where they are operating in different jurisdictions and wish to append specific data processing terms affecting their customers based in Europe. We have instead completely rewritten our privacy policy from scratch to adhere to GDPR.

There is no requirement (to my knowledge) for a privacy statement to be signed, as long as the customer provides consent in a clear affirmative act.

Hi Glen

It’s not related to the Privacy Statement. It’s a completely different contract and unless I have the agreement in place with you I cannot be seen to be complying with GDPR. I’ll draw one up and maybe email it over? Below is what the regulation says. It really is a “thing” - complete overkill for a sole trader but nevertheless.

The GDPR requires that all data processing carried out by a data processor on behalf of a data controller is carried out under a written contract.

This Data Processing Agreement (UK/EEA) is designed for use in situations where a data controller in the UK collects and uses personal data (about its customers or staff, for example), and wishes to engage a data processor within the UK or EEA to hold and/or process that personal data on its behalf.

Data processing agreements are designed to carefully regulate the activities of data processors with respect to personal data, with a particular emphasis on their compliance with – in this case – the GDPR.

A Privacy Policy is a legally binding contract, providing the customer has formally issued consent. I’m not a lawyer, however we did seek legal guidance in advance of GDPR and we were not advised to issue individual contracts with every free and paid user. Also I’ve not encountered this practice elsewhere.

Relevant provisions in the GDPR - Recitals 32

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

Sorry Glen, I feel like I’m being a right troublesome old whatsit! But… your privacy policy is perfect when you are acting as a Data Controller. You are taking my data and I can choose or not choose to interact with you based on your Privacy Policy.

But… you are also a Data Processor. I’m entrusting you with my customers’ details and you are keeping that data on your servers, and I, “The Controller” of my customers’ data, am legally obliged to keep that data safe. The law states that where I use a processor (QuickFile) I must have a contract in place with them to ensure that any data I entrust with them is dealt with according to the GDPR. That contract is not your Privacy Policy. It’s a specific data processing agreement.

You are not obliged to send us a contract to comply with the above. We, as Data Controllers, engaging with a Data Processor (you) are obliged to present you with a contract to sign which lays down the rules as to how we agree that you will process our customers’ data. For large organisations that’s a nightmare. Who wants loads of different contracts to sign? So typically we are seeing self-service Data Controller to Data Processor Agreements being issued by the Data Processor, not the controller, because it’s easy to manage this way.

I’m not an expert here so I will contact the ICO on Tuesday for clarification. More than happy to admit that I’m wrong. I’m still learning about this law, but this is a great chance to attract new business by being forward thinking with the GDPR in mind, and anything that makes compliance easier from a Controller’s point of view is a great selling point.

Have a lovely Bank Holiday weekend.
Kind regards
Alison

It’s no problem at all, and I think I know where you’re coming from now. By all means have a chat with the ICO, if this is a matter of compliance then we will certainly review our current position. I will discuss this with our own adviser to see where we stand.

Hi Glenn and Alison

Have you guys managed to get to the bottom of what is required?

Thanks

How can we sign the DPA (Data Processing Agreement)? It’s a required document (as Alison mentioned above), and we need to sign it if we want to work with QuickFile and store our customer data (in invoices, for example)!

Glenn, the privacy policy is enough for us to be your client, but it isn’t enough for all companies to store EU customers’ personal data in QuickFile.

We did take professional advice on this subject and we believe our GDPR processes to be compliant. There is no requirement to physically sign a data processing agreement (see my response further up), it can be agreed by checkbox. You would then in turn have a data processing agreement with your clients where you would list all your sub-processors (i.e. QuickFile).

Hi, I need to find a new accounting suite for my small business. I wanted to ask about GDPR compliance and have read all of the articles and strings with interest.

In short, I am with Alison on her excellent points.
Your privacy policy is great for handling my data, thanks. Where you are Data Controller.
But it doesn’t look so great for handling the contact data of my clients. Where I am Data Controller and you are Data Processor.

So, I am sorry if I am digging up old discussions. However, I need really clear guidance on how you act as Data Processor. There are specific obligations on Data Processors, including (but not just):

  1. what processing you do (which can only be at my instruction). I know this is obvious but it must be written down and agreed between you (processor) and me (controller).
  2. what you do in the event of a data breach. What is your process?
  3. what is the process for me to enact GDPR Rights requests I get from my clients. I know I can search and (probably) delete data. But that ability and process must be written down somewhere, as a GDPR process.

There also must be a Processing Agreement in place between you and me. So I am guessing that for sheer scalability on your part, you must have a standard agreement, otherwise you will get swamped with Controllers sending you their own contracts.

So, sorry if this is revisiting old discussions. But I really need to understand how you enable your Data Processing obligations with respect to my Data Controller requirements.

Thanks for any help and guidance. And sorry if I have the wrong end of the wrong stick.

Perhaps joint-controllership is the path to take (Art. 26)

@RJL - Under GDPR we act as a Data Processor in regards to the way in which we process the data of your Data Subjects (e.g. clients and suppliers). We are not acting as a joint-controller as we are not deciding the means in which that personal data is used.

@simonthewebman - I appreciate the points you raise although I question how much of that should be included in the actual “Privacy Notice”. I will defer to our legal advisors who drafted our public statements for further clarification.

  1. It would be impossible to state every action that involves some processing of a Data Subject. By virtue of you, for example, creating a client record, sending an invoice / statement is very much an acknowledgement that you are aware of the consequences of those actions. The accompanying documentation in our knowledge base will further clarify the nature in which that Data Subject’s personal information is used. We further state in our privacy notice that the personal data you supply to us will not be shared with any third party (notwithstanding the legal obligations imposed upon us in regards to law enforcement disclosures).

  2. We have internal controls for handling a data breach. The timings and procedures are already stipulated by GDPR legislation and I do not believe need to be reproduced in our privacy statement. I am however waiting for clarification on this from our legal advisors.

  3. I believe we could do more here to expand upon our knowledge base guidance around purging personal data and obtaining exportable documents, along with other procedures within the software to help you fulfill yours and your data subject’s GDPR rights. We will review this shortly.

Hi Glenn,
I really appreciate you taking the time to respond, and promptly too.

I am not a legal expert - merely someone who has been (perhaps overly) submerged in last year’s GDPR introduction. However, I do have a follow-on to your response if that’s OK:

  1. I agree, you cannot possibly know everything I might do with data I collect. But that is my responsibility.
    But GDPR states that you (QF) must only process data in line with the Processor’s instruction. So, I’m guessing you could state that in the context of what QF allows the Controller to do in your software.
    I note that even simply storing and backing up the data (on your servers) is also classed as “processing” even though you are not actually changing the data yourselves.

Again, re your privacy notice, I read this as being related to MY data. NOT the data of my clients. Sorry.

  2. I would like to refer you to the ICO site: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
    Specifically there is a section titled “What role do processors have?” relating to Article 33(2).
    This is a key requirement.

So - although you have internal controls on how you handle data breaches, you must have a process that deals with breaches of processed data (where you are the processor), which must include notification policies, at least as I read it.

  3. Gotcha. Thanks. I look forward to that.

Overall, it is my belief that a standardised DPA (Data Processor Agreement) which exposes the necessary protocols would help enormously. Referring back to the ICO, please see the “At a glance” introduction. This kinda says it all, and I suppose was the reason for me making my posting here.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

Again, I know that a specific DPA “per client” would be impossible.
However, if you were to look at how other organisations have approached this (and there are some excellent examples out there) - they have created either an addendum to their policies or created a standard DPA that their clients must agree to. In other words, you retain control over those agreements.
But I take the view that without an appropriate DPA (or clauses) it cannot meet the GDPR requirements as set out by the ICO.

Again, thank you for your response to my posting.

Regards

Morning Simon,

I’m currently waiting for clarification from our legal advisor on a few of the points you raise here. We will update you as soon as we’ve had a chance to fully review.

@simonthewebman just to update you here. We have taken on-board your comments and we’re just waiting on some feedback from our legal advisor. We haven’t forgotten about this and the wheels are in motion.

Hi Glenn, I hope you are well?
I was just pinging a note back here to ask if there had been any progress from your legal chaps?

Although I accept I may have the wrong end of the stick here, I still think that there needs to be some sort of DPA between QF (the data processor) and me (the data controller).

I’d also be interested to hear from anyone who has implemented a compliant business solution for GDPR when using QF.

Thanks

Hi @simonthewebman

I believe this was being reviewed, but I will chase this today for you.

@simonthewebman - We’ve just uploaded the below which should hopefully be suitable: EU Data Processing Addendum

Hi Mathew, thank you for chasing this along.
As far as I can see, this DPA meets the requirements I had set-out and maybe those as requested by others too.

The only minor “point” is that under GDPR I don’t think you can charge for access to data (as per your document paragraph 2.7) except where there are reasonable grounds that you can justify.
However, for me this is not a point of significance.

As/when I swap over to QF (which now might be our next FY), I will sign the DPA and send that over.

Finally, I would be interested to know if this meets the requirements of @Alison ??? Because she speaks a lot of sense on this matter and seems to know her stuff.

Thanks again for your work on this.