UK GDPR Compliance Statement
Last updated: 15 December 2025. This statement should be read alongside our Privacy Policy and Cookie Policy.
1. Our Commitment
PAYCORE Group is committed to protecting the privacy and security of all personal data we process. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). This statement sets out how we meet our obligations as both a data controller and a data processor.
2. Our Roles Under UK GDPR
2.1 Data Controller
Paycore acts as a data controller when we process personal data for our own business purposes, including managing client relationships and commercial contracts, operating our website and responding to enquiries, marketing communications (with consent), conducting AML and KYC compliance oversight of EOR providers in our network, and managing our own employees and contractors.
2.2 Data Processor
Paycore acts as a data processor when we process personal data on behalf of our EOR network providers and their clients, including processing payroll data (PAYE, NIC, CIS), managing pension auto-enrolment and contribution submissions, handling HMRC reporting and Real Time Information (RTI) filings, processing statutory payments, and managing worker onboarding data. In this capacity, we process data strictly in accordance with the instructions of the data controller and under a formal data processing agreement.
3. Data Processing Agreements
In accordance with Article 28 of UK GDPR, Paycore enters into data processing agreements (DPAs) with every EOR provider and client for whom we process personal data. Our DPAs set out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of both the controller and processor. Our DPAs include commitments to process data only on documented instructions, ensure confidentiality, implement appropriate security measures, assist with data subject rights, and delete or return data at the end of the engagement subject to legal retention requirements.
4. The Six Data Protection Principles
We adhere to all six principles of UK GDPR:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
5. Technical and Organisational Measures
We implement encryption (TLS 1.2+ in transit, AES-256 at rest), role-based access controls, MFA, staff training, documented breach procedures (including 72-hour ICO notification where required), sub-processor due diligence, and business continuity measures. Full details are in our Privacy Policy and Information Security Policy.
6. Data Breach Procedures
We have a documented procedure covering identification and containment, assessment, ICO notification within 72 hours where required, notification to affected individuals and to data controllers where we act as processor, documentation in a breach register, and post-incident review.
7. DPIAs, ROPA and Sub-Processors
We conduct DPIAs for high-risk processing, maintain a Record of Processing Activities (Article 30), and manage sub-processors with written contracts and prior consent or objection rights from controllers.
8. AML and KYC Oversight
We conduct monthly AML and KYC compliance reviews on every EOR provider in our network under legal obligation and legitimate interests. Full details are in our Privacy Policy and ROPA.
9. Contact
For data protection enquiries, contact the Compliance Department at compliance@paycoregroup.co.uk. Address: PAYCORE Group, 50 Princes Street, Ipswich, IP1 1RJ, United Kingdom.
10. Annual Review
This statement is reviewed at least annually and updated to reflect changes to our processing, structure, or regulation. Revisions are approved by the DPO and senior management.