Privacy Policy

Our website address is: https://hewittspayroll.co.uk.

This Privacy Notice explains how we handle personal data when providing payroll processing services to our clients. It describes what data we collect, how we use and share it, how we keep it secure, how long we keep it, and the rights of individuals under UK data protection law, including the UK GDPR and the Data Protection Act 2018.

Who we are and how to contact us

Hewitts Consulting, [registered address], is a payroll services provider. For most payroll processing carried out for our clients, the client is the data controller and we act as a data processor. The parties acknowledge that, in providing the Services, the Bureau acts as Processor and the Client acts as Controller in respect of Personal Data processed under the Agreement, save where the Bureau determines the purposes and means of limited processing necessary to comply with legal obligations, in which case the Bureau acts as Controller for that processing.

If you have questions about this notice or our data practices, please contact us by email at info@hewittspayroll.co.uk, by telephone on 01923 283833, or by post at:

Hewitts Consulting Limited
Tanglewood House
Sarratt Lane
Rickmansworth
Herts
WD3 4AS.

The personal data we collect

We process personal data provided by our clients about their personnel and related individuals to run payroll. Types of Personal Data include identification and contact details, employment details, hours worked, pay and deductions, bank details, tax codes, starter/leaver data, statutory payment information, student loan status, court orders and attachment of earnings, and pension membership and contribution data. Categories of Data Subjects include employees and workers, directors, agency workers, contractors paid via payroll where applicable, and relevant beneficiaries.

Where necessary for payroll, we may process limited special category data provided by the client, such as trade union subscriptions or health information for statutory pay calculations (only where required and instructed by the client). Special Category Data may be processed where provided by the Client and necessary for payroll purposes, for example trade union subscriptions and health-related data necessary for statutory pay calculations.

How we use personal data

We use personal data strictly to provide payroll services to our clients and to meet legal and regulatory requirements relating to payroll. The subject matter, nature and purpose of processing include the calculation of pay, deductions, statutory payments, HMRC RTI submissions, pension contribution reporting, production of payslips and payroll reports, and related activities necessary to provide the Services and comply with law.

We process personal data only on the documented instructions of the client, unless required by law. The Bureau shall process Personal Data only on documented instructions from the Client, including with regard to transfers, unless required to do so by law.

Lawful bases

For processing undertaken for the client, the client, as controller, determines the lawful bases. Lawful bases typically include processing necessary for performance of the employment contract and for compliance with legal obligations, with special category data processed under appropriate UK GDPR conditions determined by the Client.

Where we act as a controller for limited purposes to meet our own legal obligations, we rely on compliance with legal obligations and our legitimate interests in operating secure and compliant services.

Data sharing

We share personal data only as necessary to deliver payroll and to meet legal obligations. Disclosures include transmission to HMRC via RTI, pension providers, court order recipients and other authorised recipients as required. We use sub‑processors for hosting, payroll software, secure portals, archival/backup, and print and fulfilment, appointed under written terms imposing data protection obligations no less protective than our own, and we remain responsible for their acts and omissions.

We do not sell personal data.

International transfers

We will not transfer personal data outside the UK (or permit access from outside the UK) without appropriate safeguards in place under UK data protection law, such as the UK International Data Transfer Agreement or Addendum, and we maintain records of such transfers.

Data security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to risk, including access controls, encryption in transit and at rest for payroll files, secure transmission of payment files, logging and monitoring, and staff training. All files and approvals are exchanged through a secure portal with multi‑factor authentication, with bank files encrypted and provided with checksum verification, and access rights provisioned on a least‑privilege basis.

If we become aware of a personal data breach affecting data we process for a client, we will notify the client without undue delay and provide information reasonably available to assist the client with any required notifications.

Data retention

We retain personal data for as long as necessary to provide services and as required by law. Upon termination or on request, we will, at the client’s choice, delete or return personal data and delete existing copies, unless retention is required by law or for legitimate business record‑keeping for 6 years; where deletion is not reasonably possible, data will be put beyond use. Payroll records processed on behalf of a client may be retained for six complete tax years or longer if required by law, after which records will be securely deleted unless otherwise instructed by the client and permissible by law.

Your rights

Individuals whose data we process in providing services to a client should usually contact the employer (the client) to exercise their rights, because the client is the controller. We will assist the client, taking into account the nature of processing, with appropriate technical and organisational measures to respond to data subject requests and to ensure compliance with obligations relating to security, data protection impact assessments, prior consultations and breach notifications.

Depending on the circumstances and applicable law, rights may include access, rectification, erasure, restriction, objection, portability, and the right to complain to the Information Commissioner’s Office (ICO). To contact the ICO, visit www.ico.org.uk.

If you contact us directly about your rights, we may refer your request to the relevant client.

Our role as processor and audits

We ensure that persons authorised to process personal data are under appropriate confidentiality obligations and we will make available to the client information reasonably necessary to demonstrate compliance and allow for and contribute to audits on reasonable notice, subject to confidentiality and cost reimbursement limits.

Changes to this notice

We may update this notice from time to time to reflect changes in our practices or legal requirements. Material changes will be highlighted on our website or notified to clients. 

Last updated: 07/04/2026