Data Processing Addendum for Customers

This data processing addendum (“Addendum”) includes the Data Processing Terms and attached Appendices and is incorporated into, and forms part of, the agreement between FreeAgent Central Limited (“FreeAgent”) and the account holder (the “Account Holder”) comprising the Terms of Service (the “Agreement”), governing the Account Holder’s use of the FreeAgent Service.

Data Processing terms

1. Definitions

Unless otherwise defined in the Agreement, all capitalised terms used in this Addendum will have the meanings given to them below:

“Controller” has the meaning given to it in Data Protection Law.

“Processor” has the meaning given to it in Data Protection Law.

“Data Protection Impact Assessment” has the meaning given to it in Data Protection Law.

“Data Security Breach” means any known potential or actual breach of the Minimum IS Requirements or any obligations or duties owed by FreeAgent to the Account Holder relating to the confidentiality, integrity or availability of Personal Data.

“Data Subject” has the meaning given to it in Data Protection Law.

“Data Protection Law” means all applicable laws relating to privacy and data protection including but not limited to (a) the GDPR, and (b) the UK GDPR, and (c) the Directive on privacy and electronic communications (2002/58/EC, as amended), as well as all laws implementing each of (a) to (c) above, including the UK Data Protection Act 2018, as amended and updated from time to time. In the event any such Directive, Regulation or laws are repealed or replaced, the successor legislation to such repealed or replaced Directive, Regulation and/or law shall be deemed to constitute Applicable Data Protection Law.

“GDPR” means the General Data Protection Regulation (EU) 2016/679.

“Personal Data” means any personal data (as defined by Data Protection Law) Processed by FreeAgent on behalf of the Account Holder pursuant to or in connection with the Agreement.

“Processing” has the meaning given to it in Data Protection Law, and “Process” will be construed accordingly.

“Regulator” means any regulator or regulatory body (including the Prudential Regulation Authority, the Financial Conduct Authority, the Information Commissioner’s Office and the Bank of England or their successors or equivalent authorities outside of the UK) to which the Account Holder is subject from time to time or whose consent, approval or authority is required so that the Account Holder can lawfully carry on its business or other competent data privacy authorities.

“EU SCCs” means the relevant module of the standard contractual clauses adopted by the European Commission on 4th June 2021 in Commission Implementing Decision (EU) 2021/914, for the transfer of Personal Data to third countries not otherwise recognised as offering an adequate level of protection for Personal Data by the European Commission (as amended or replaced from time to time).

“Standard Contractual Clauses” means the EU SCCs and the UK Addendum.

“UK Addendum” means Part 1: Tables and Part 2: Mandatory Clauses of the template Addendum B.1.0, issued by the Information Commissioner’s Office and laid before Parliament in accordance with Section 119A of the Data Protection Act, 2018 on 2nd February 2022, as it is revised under Section 18 thereof, in respect of any Restricted Transfers of Personal Data that is subject to the applicable Data Protection Law in the United Kingdom.

“UK GDPR” has the meaning ascribed to it in section 3(10) of the UK Data Protection Act 2018.

2. Data protection

  • 2.1 FreeAgent acts as a Processor with respect to the Personal Data and shall comply with its obligations as a Processor under Data Protection Law. FreeAgent shall Process the Personal Data as necessary to perform the Services and otherwise in accordance with (a) Appendix 1 (Description of Processing of Personal Data) and (b) any instructions given by the Account Holder as the Controller (which shall include the performance of its obligations under, and the instructions set out in, this Addendum). Unless prohibited by law, FreeAgent shall inform the Account Holder if, in FreeAgent’s opinion, any instructions relating to the Processing of Personal Data would be in breach of the Data Protection Law.
  • 2.2 The Account Holder is a Controller in respect of the Personal Data and shall comply with its obligations as a Controller under Data Protection Law.
  • 2.3 FreeAgent agrees that it will acquire no rights or interest in the Personal Data, will only Process the Personal Data in accordance with this Agreement and any other written instructions of the Account Holder, unless Processing of the Personal Data is required by applicable law to which FreeAgent is subject, in which case FreeAgent shall inform the Account Holder of that legal requirement before Processing, unless such applicable law prohibits the provision of such information on important grounds of public interest.
  • 2.4 To the extent possible for FreeAgent to do so, taking into account the nature of the Processing of Personal Data, and without requiring FreeAgent to incur any additional costs, FreeAgent agrees to assist the Account Holder within such reasonable timescale as may be specified by the Account Holder with the fulfilment of the Account Holder’s obligations to respond to Data Subject rights requests received from the Data Subjects of the Personal Data Processed in connection with this Agreement. Should FreeAgent receive any such requests directly, FreeAgent will without undue delay inform the Account Holder that it has received the request and forthwith forward the request to the Account Holder. FreeAgent will not respond in any way to such a request, except on the instructions of the Account Holder.
  • 2.5 FreeAgent agrees to provide the Account Holder with reasonable assistance to conduct Data Protection Impact Assessments and prior consultation requests to Regulators in relation to Personal Data Processing under this Agreement.
  • 2.6 FreeAgent will ensure that its personnel who process Personal Data under this Agreement are subject to obligations of confidentiality in relation to such Personal Data.
  • 2.7 The Account Holder hereby generally authorises FreeAgent to engage third parties to carry out Processing of the Personal Data (“Subprocessors”) provided that FreeAgent shall ensure that the Processing is carried out under a written contract imposing on the Subprocessors equivalent obligations as are imposed on FreeAgent under this Agreement in respect of the Processing and protection of Personal Data. FreeAgent will maintain a list of Subprocessors at: www.freeagent.com/company/subprocessors. If FreeAgent wishes to make changes to Subprocessors, FreeAgent will provide notice of this by adding the names of new and replacement Subprocessors to the list at least thirty (30) days prior to the date on which those Subprocessors commence processing of Personal Data. The Account Holder may, within fourteen (14) working days of receipt of such notice, give notice in writing, objecting to FreeAgent disclosing Personal Data to such Subprocessors. If the Account Holder does not object within such period, the addition of the new Subprocessor shall be deemed accepted. If the Account Holder does object to the addition of a new Subprocessor and FreeAgent, in its reasonable opinion, cannot reasonably accommodate the Account Holder’s objection, the Account Holder may terminate the affected service(s) upon written notice to FreeAgent.
  • 2.8 FreeAgent will also make available to the Account Holder, any Regulator or their representatives all information necessary to demonstrate compliance with its obligations under this Addendum and allow for and contribute to audits conducted by the Account Holder or another auditor mandated by the Account Holder, at the Account Holder’s cost.
  • 2.9 FreeAgent will notify the Account Holder without undue delay upon becoming aware of a Data Security Breach following the procedure set out in Appendix 3 (and follow-up with a detailed description in writing, including the cause of the breach, remedial action taken and the potential consequences of the breach) and support the Account Holder in any notification of the breach to Regulators and/or Data Subjects.
  • 2.10 Upon termination of the Agreement, FreeAgent shall delete Personal Data as set out in Sections 5 and 7 of the FreeAgent’s General Privacy Notice, unless otherwise required under applicable laws (including any Data Protection Law), to comply with our legal obligations, or as expressly permitted under the Agreement.
  • 2.11 The provisions of this Clause 2 shall survive the term of this Agreement until FreeAgent has returned or destroyed all Personal Data in accordance with Clause 2.10.
  • 2.12 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing of the Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, FreeAgent shall, in relation to the Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, FreeAgent shall take account in particular of the risks that are presented by Processing of the Personal Data, in particular from a Data Security Breach.

3. Data exports

  • 3.1 The Account Holder acknowledges that FreeAgent may Process, or permit the Processing, of Personal Data outside the United Kingdom and/or European Economic Area provided that:

    • 3.1.1 FreeAgent is Processing, or permitting the Processing, of Personal Data in a territory deemed to have an adequate level of protection of Personal Data under applicable Data Protection Law; or
    • 3.1.2 the transfer is subject to a derogation, or a valid cross-border transfer mechanism under the Data Protection Laws (including without limitation the Standard Contractual Clauses), to ensure that appropriate safeguards are in place to provide an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Laws.

Appendix 1

Description of the Processing of Personal Data

1. Subject matter

FreeAgent provides an accounting software service for the Customer (“Account Holder”) to manage their tax obligations, business finances, invoices, expenses and payroll.

2. Nature of Processing

Where FreeAgent is used by Account Holders (who are the Data Controller) to process personal information of their contacts, contractors, customers, employees, partners, suppliers or workers in the FreeAgent software, or to process the personal data of any individual not considered the Account Holder as entered into the software by the Account Holder.

3. Purpose of Processing

Personal Data is processed by the Account Holder during their use of the software and using its features, including but not limited to the following:

  • management of outbound estimates and invoices
  • management of inbound bills and expenses
  • project management and associated time tracking
  • payroll management, including PAYE and NI filing
  • import of banking transactions
  • building real-time business accounts
  • generation and submission of VAT returns
  • Self Assessment calculation and submission
  • Corporation Tax forecast and deadline

4. Categories of Personal Data

FreeAgent may process any personal data entered into the software by the Account Holder, most likely to be the following categories of Personal Data:

  • user, customer, supplier and/or employee contact details (name, email address)
  • payroll details including tax code, National Insurance number and date of birth
  • bank account(s) name, sort code, account number
  • financial transaction and bank feed information
  • IP addresses and other online identifiers

5. Special categories of Personal Data

FreeAgent has limited requirements to collect or process any special categories of Personal Data, as defined under GDPR and the Data Protection Act 2018, in order to provide the service.

We may record information about Data Subjects that considers their welfare or vulnerability needs including any adjustments, support or different products or services which might be suitable for protections to put in place. This could in some cases be considered as Health Data.

6. Categories of Data Subjects

FreeAgent processes the data of contacts, contractors, customers, employees, partners, suppliers or workers who are individuals, or any other individual who is not the Account Holder, on behalf of the Account Holder.

7. Recipients of the Personal Data

On request, initiated by the Account Holder, FreeAgent will send PAYE, NI, VAT and tax return filings for the Account Holder, to and as required by HMRC, and which may include necessary Personal Data of the Account Holder’s contacts, contractors, customers, employees, partners, suppliers or workers who are individuals, or any other individual who is not the Account Holder, on behalf of the Account Holder.

FreeAgent may also be obliged to share data with law enforcement or similar entities, under Legal Obligation.

8. Contact

All queries around GDPR and the processing of Personal Data should be sent to privacy@freeagent.com or in writing to FreeAgent Support, One Edinburgh Quay, 133 Fountainbridge, Edinburgh EH3 9QG.

Appendix 2

Security measures

Information regarding the technical and organisational measures FreeAgent has implemented to protect Personal Data in accordance with clause 2.12 of this Addendum is available on our website, available at: www.freeagent.com/features/security.

Appendix 3

Template breach notification form

Data Security Breach notifications in accordance with Clause 2.14 above must be made electronically and shall contain at least the following minimum details regarding the Data Security Breach:

1. Nature of the breach

[FreeAgent to insert a description of the breach, including the categories and approximate number of affected data subjects.]

2. Likely consequences

[FreeAgent to insert a description of the likely consequences of the breach, e.g., risk of identity theft, media coverage, etc.]

3. Mitigating measures

[FreeAgent to insert description of the measures taken/to be taken to address the breach and mitigate its effects.]