The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose certain legal obligations in connection with the processing of personal data. We have put together this privacy notice as part of our commitment to safeguarding your personal data and to ensure you are aware of what information we hold for you, how we store the data and what we do with it.

Stonebridge is a data controller within the meaning of the GDPR and we process personal data. We are required under data protection legislation to issue this notice to all individuals for which we hold personal data

We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.

What is personal data?

The GDPR defines personal data as: “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

What personal data do we store and what legal bases do we rely on?

GDPR sets out six lawful processing conditions. These are:

  • Consent

  • Legal obligation

  • Contractual necessity

  • Vital interest

  • Public interest

  • Legitimate interest

The ones we rely on are:


If you’re a Non-EU citizen and don’t have your eligibility to work to provide to us, but have a pending application with the Home Office, we will need to do an ECS check with the Home Office. We may also need to check your Biometric Residence Permit (“BRP”). In both cases you will need to provide us with your consent to do the check, as well as your case number for the ECS check.

Compliance with a legal obligation

If we are required to by law, we may need to collect and pass on your personal data. We must provide information when requested by certain government agencies, such as the Department for Work and Pensions (“DWP”) and Her Majesty’s Revenue and Customs (“HMRC”). This is for reasons such as in order to process your pay and for agencies to calculate things like whether you are entitled to benefits or not, or if a case of fraud is being investigated.

Legitimate interest and contractual necessity

We will need to collect and process your personal data so that we are able to comply with our contractual obligations to you, such as to pay you. The type of personal data we need to collect includes:

  • Personal contact details such as name, title, addresses, email addresses and telephone numbers

  • Date of Birth

  • Gender

  • NI Number

  • UTR Number

  • Company details such as name, address, company bank details, company UTR and VAT number

  • Bank details, payroll records and tax status information

  • Salary, annual leave and pension information for employees only

  • Disciplinary and grievance information for employees only

  • Start date and location of workplace

  • Nationality

  • Next of kin details

  • Eligibility to work in the UK

  • Training records


When do we collect your personal data?

We usually collect personal information about employees and subcontractors through the engagement process before you start working, either directly from the individual or sometimes from our client. We will also collect data from you when:

  • You register with us before you start an assignment – we will take down the details we have noted above

  • You contact us with queries or complaints

  • You visit our website and fill out an online form such as a ‘Request a Call-back’ form

  • When you ask one of our team to email you information about a service, such as an umbrella pay illustration

  • When you have given a third-party permission to share with us the information they hold about you, for example your recruitment agency

  • We collect data from publicly available sources when you have given your consent to share information or where the information is made public as a matter of law.

If you are working under a contractor for services and have the right to send a substitute or engage helpers, we may need to collect some personal data from them too. This is for health and safety purposes and to ensure the substitute or helper has the necessary skills to provide the services.

How do we use your personal data and why?

In order to provide you with the service you have signed up for and to get you paid correctly and on time, we will need to process your personal data. We will only request the information that’s vital for getting you signed up to the service you have chosen. We will endeavour to keep your information as accurate and up to date as possible. We may also need to process your personal data to:

  • Comply with a legal obligation

  • Help answer your queries and send you non-marketing emails and texts such as your payslip, pay information, opening hours, complaints procedures and updates to this Privacy Notice

  • To send you service messages such as updates to relevant legislation which applies to you and any changes to the services we provide to you.

  • Ensure compliance with tax and employment law

  • To check you are legally entitled to work in the UK

  • Liaise with your pension provider

  • Comply with health and safety obligations

  • Prevent fraud

  • Manage sickness absence and ascertain your fitness for work

We need to use your personal data in this manner, so we can comply with legal obligations and administer the contract we have with you. If you fail to provide personal information, then we may not be able to perform the contract we have entered into with you or may be prevented from complying with our legal obligations.

We will only use your personal data for the purposes for which we have collected it or another reason which we reasonable consider that we need to use it for which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, then we will notify you at the time and explain the legal grounds for doing so.

Where we are required to or permitted by law, we can process your personal data without your consent, such as if required to do so by a government department.

Keeping your data secure

We have put in place robust physical, technical and managerial security measures to prevent your personal information from being used or accessed without authorisation, lost, altered or disclosed to unauthorised parties. We use industry standard TLS certificates to provide encryption of data in transit and our data centres are covered by numerous accreditations, including, but not limited to, PCI DSS, ISO 27001:2013, ISO 14001:2015 and PAS 99:2012.

We require third parties to respect the security of your data and to treat it in accordance with the law and do not allow them to use your personal data for their own purposes.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How long will we keep your data for?

We will retain your personal data for as long as is necessary to fulfil the purposes we collected it for. We are also required to retain information in accordance with the law, for legal, accounting and reporting requirements. You can request details of different retention periods by emailing

Who do we share your personal data with?

We may need to pass your personal data to the following third parties where there is a legitimate interest need as well as so we can meet legal and contractual obligations:

  • Government agencies such as HMRC, DWP, Home Office

  • Your recruitment agency/ our client

  • Companies who host our server and provide our software and business systems

  • Your pension provider

  • SMS service provider

  • Approved accountancy partners

  • Legal and tax advisers

We require third parties to respect the security of your data and to treat it in accordance with the law and do not allow them to use your personal data for their own purposes.

​​What are your rights regarding your personal data?

The GDRP provides individuals with the following rights:

  • The right to be informed – you can request to be informed about the collection and use of your personal data

  • The right of access – you have the right to access your personal data and can make a request verbally or in writing

  • The right to rectification – you have the right to have inaccurate personal data rectified

  • The right to erasure – you have the right to have personal data erased, in certain circumstances

  • The right to restrict processing – you have the right to request the restriction or suppression of your personal data, in certain circumstances

  • The right to data portability – you have the right to obtain and reuse your personal data for your own purposes across different services

  • The right to object – you have the right to object to the processing of your personal data, in certain circumstances

  • Rights in relation to automated decision making and profiling – you can object to automated processing or profiling


​​Automated decision-making and profiling

Automated decision-making is making a decision solely by automated means without any human involvement and profiling is automated processing of personal data to evaluate certain things about an individual, which can be part of an automated decision-making process. This type of decision-making can only be carried out when the decision is:

  • necessary for the entry into or performance of a contract; or

  • authorised by Union or Member state law applicable to the controller; or

  • based on the individual’s explicit consent.

We do not make any decisions using automated means and do not envisage so, however we will inform you in this position changes.

Requesting personal data we hold about you (subject access requests)

You have a right to request access to your personal data that we hold. Such requests are known as ‘subject access requests’ (“SARs”).

Please provide all SARs in writing marked for the attention of the Data Protection Officer. If you email us, the email must come from the email address we have on file for you and must be sent to

You can ask for your personal information to be rectified by speaking to our customer services team on 02037 892 490.

To help us provide the information you want and deal with your request more quickly, you should include enough details to enable us to verify your identity and locate the relevant information. For example, you should tell us:

  • your date of birth

  • your National Insurance number

  • your previous addresses in the past five years

  • personal reference number(s) that we may have given you

  • what type of information you want to know

DPA 2018 requires that we comply with a SAR promptly and in any event within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (e.g. if you have previously made a similar request and there has been little or no change to the data since we complied with the original request).

We will not charge you for dealing with a SAR.

You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter which states that you authorise the person concerned to write to us for information about you, and/or receive our reply.

​​Right to withdraw consent

If you have provided your consent for the process of your personal data for a specific purpose, you have the right to withdraw your consent at any time. To do so, please email and we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate reason for doing so in law.


If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with the GDPR or DPA 2018 in some other way, you can complain to us. Please send any complaints in writing marked for the attention of the Data Protection Officer. If you email us, the email must come from the email address we have on file for you and must be sent to

If you are not happy with our response, you have a right to lodge a complaint with the ICO (

Our tax, legal and insurance services partner

© 2018 Stonebridge Payment Solutions Ltd