Last Updated at

1.1 Purpose

This policy aims to ensure that Customer Data processed by BrainPayroll is disclosed only in compliance with applicable laws, including the UK Data Protection Act 2018 and the GDPR. As a data processor, BrainPayroll will only act on documented instructions from Customers (data controllers) and will limit disclosures to situations where they are legally required and properly authorised.

1.2 Scope

This policy applies to all Brain Payroll employees, contractors, and sub-processors engaged in processing personal data on behalf of Customers. It covers all services and entities where Brain Payroll acts as a data processor or sub-processor globally.

1.3 Policy

BrainPayroll may receive requests from government agencies, individuals, or third parties seeking disclosure of Customer Data. This policy outlines BrainPayroll’s role and obligations in responding to such requests.

Where there is a conflict between this policy and the Customer’s written agreement with BrainPayroll, the Customer agreement will prevail.

1.4 Requests for Customer Data by individuals

Brain Payroll recognizes the rights of data subjects under GDPR Articles 12–23, including the rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.

  • Data Subject Rights requests should be directed to the relevant Customer (controller).
  • If BrainPayroll receives a request directly from a Data Subject, it will promptly notify the relevant Customer and provide reasonable assistance to enable them to fulfil their obligations under the GDPR.
  • Brain Payroll will support Customers by ensuring that requests are handled without undue delay and within one calendar month. Where requests are complex or numerous, the response period may be extended by up to two additional months. In such cases, the Customer must inform the Data Subject of the extension and the reasons for the delay within the initial one-month period.

1.5 Requests for Customer Data by a legal authority

Brain Payroll will not disclose Customer Data to any third party, including law enforcement or government authorities, unless:

  • Instructed by the Customer in writing, or
  • Legally required to do so under UK/EU law.

Key principles:

  • Valid legal process (e.g., a court order or warrant issued by a competent UK/EEA authority) is required before disclosure.
  • In accordance with GDPR Article 48, BrainPayroll will not disclose Customer Data to authorities outside the UK/EEA unless such disclosure is based on an international agreement (e.g., mutual legal assistance treaty) or otherwise required under UK/EU law.
  • Brain Payroll does not provide direct or indiscriminate access to Customer Data for surveillance purposes.
  • All requests must be submitted to dataofficer@brainpayroll.co.uk and include details of the requesting authority, the legal basis, and the scope of the data requested.
  • Requests must be narrowly focused. Overly broad or invalid requests will be challenged or rejected.

1.6 Customer notice

Unless prohibited by law, Brain Payroll will notify the Customer of any request for Customer Data before disclosure so that the Customer may decide how to respond.

  • Notification will be made without undue delay.
  • If prohibited from notifying the Customer prior to disclosure, Brain Payroll will notify them once the restriction is lifted.
  • If subject to an indefinite non-disclosure requirement, BrainPayroll will, where feasible, challenge that restriction in court.

1.7 Domestication and international requests

All legal requests must be properly domesticated.

  • For data stored in the UK, Brain Payroll does not accept direct legal requests from non-UK/EEA law enforcement.
  • Foreign authorities must rely on established international agreements, such as mutual legal assistance treaties, or other recognized legal channels.

1.8 Record-Keeping and Accountability

Brain Payroll will maintain a secure log of all data disclosure requests, including:

  • The requesting authority and legal basis,
  • The scope of the request,
  • Actions taken,
  • Notifications provided to Customers.
