Last Updated at 2025-Jan-12

1.1 Purpose

The purpose of this policy to ensure that customer data should not disclose to any government/public authority and third party until unless it's necessary according to GDPR.

1.2 Scope

This policy applies to all BrainPayroll employees and all third parties responsible for the processing of personal data on behalf of BrainPayroll services/entities. The content of this policy also applies to our processors and sub processors globally.

1.3 Policy

BrainPayroll receives requests from government agencies, users and other third parties to disclose data other than in the ordinary operation and provision of the Services. This Data Request Policy outlines BrainPayroll's policies and procedures for responding to such requests for Customer Data. Any capitalised terms used in this Data Request Policy that are not defined will have the meaning set out in the Customer Terms of Service. In the event of any inconsistency between the provisions of this Data Request Policy and the Customer Terms of Service or written agreement with the Customer, as the case may be, the Customer Terms of Service or written agreement will prevail.

1.4 Requests for Customer Data by individuals

Third parties seeking Customer Data should contact the Customer regarding such requests. The Customer controls the Customer Data and generally has the right to decide what to do with all Customer Data.

1.5 Requests for Customer Data by a legal authority

BrainPayroll is committed to the importance of trust and transparency for the benefit of our customers. Except as expressly permitted by the Contract or as described in this policy, BrainPayroll will only disclose Customer Data in response to valid legal process. BrainPayroll requires a search warrant issued by a court of competent jurisdiction or the equivalent legal process in the applicable jurisdiction to disclose the contents of Customer Data. BrainPayroll does not voluntarily disclose any data to government entities unless: (a) there is an emergency involving imminent danger of death or serious physical injury to any person, or (b) to prevent harm to the Services or Customers. BrainPayroll also does not voluntarily provide governments with access to any data about users for surveillance purposes.

• All requests by governmental entities or parties involved in litigation seeking content data associated with Customers who are under contract with BrainPayroll UK Ltd. A UK/EEA base company should be sent to dataofficer@brainpayroll.co.uk.
• All requests by government entities or parties involved in litigation seeking content data associated with Customers who are under contract with BrainPayroll UK Limited, outside of a UK/EEA, should be sent to dataofficer@brainpayroll.co.uk. These requests will be processed by personnel located in London, UK.
• All requests should include the following information: (a) the requesting party, (b) the relevant criminal or civil matter, and (c) a description of the specific Customer Data being requested, including the relevant Customer's name and relevant Authorised User's name (if applicable),
• Requests should be prepared and served in accordance with applicable law. All requests should be focused on the specific Customer Data sought. All requests will be interpreted narrowly by BrainPayroll, so please do not submit unnecessarily broad requests. If legally permitted, the Customer will be responsible for any costs arising from BrainPayroll's response to such requests.

1.6 Customer notice

If a request concerns personal information for which a customer is the controller, BrainPayroll will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Customer. If the Requesting Authority agrees, BrainPayroll will support the Customer in accordance with the terms of its contract to respond to the Data Disclosure Request.

Unless BrainPayroll is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm, BrainPayroll will notify the Customer of the request before disclosing any of the Customer's Data so that the Customer may seek legal remedies.

If BrainPayroll is legally prohibited from notifying the Customer prior to disclosure, BrainPayroll will take reasonable steps to notify the Customer of the demand after the non-disclosure requirement expires. In addition, if BrainPayroll receives legal process subject to an indefinite non-disclosure requirement, BrainPayroll will challenge that non-disclosure requirement in court.

1.7 Domestication and international requests

BrainPayroll requires that any individual or entity issuing legal process or legal information requests (e.g. discovery requests, warrants or subpoenas) ensure that the process or request is properly domesticated. For data stored in the United Kingdom, BrainPayroll does not accept legal process or requests directly from law enforcement entities outside the UK or EEA. Foreign law enforcement agencies seeking data stored within the UK should proceed through a mutual legal assistance treaty or other diplomatic or legal means to obtain data through a court where BrainPayroll is located.