SoS (607-609) Payroll, AE and Benefits

SCHEDULE OF SERVICES (607) PAYROLL (608), AUTO-ENROLMENT (609), BENEFITS-IN-KIND AND THE DATA PROCESSOR AGREEMENT

This schedule should be read alongside your letter of engagement (LoE) and the (300) Standard Terms & Conditions.

This document covers payroll services, auto-enrolment, payrolled benefits-in-kind and the associated data processor agreement. Not all sections will apply to every client. The sections relevant to your engagement are those covering the services we have agreed with you to undertake. Where your circumstances change and additional sections become relevant — for example, if you take on employees who meet the auto-enrolment criteria, or you begin providing benefits-in-kind — those sections will apply as and when relevant to the services we have agreed to provide, without the need for a new letter of engagement.

607 — Payroll Services

Recurring compliance work

We will prepare your UK payroll for each payroll period to meet UK employment tax requirements, specifically:

calculating pay as you earn (PAYE) deductions, including at the Scottish and Welsh rates of income tax where applicable
calculating employees’ national insurance contributions (NIC) deductions
calculating employer’s NIC liabilities
calculating statutory sick pay (SSP)
calculating student loan and postgraduate loan deductions where applicable
calculating employee and employer pension contributions for employees and workers who are members of workplace pension schemes (including those who are auto-enrolled), based on the information you provide
claiming employment allowance, where your business is eligible
calculating apprenticeship levy, where applicable
calculating other statutory and non-statutory deductions
submitting information online to HMRC under real time information (RTI) for PAYE

We will prepare and send to you the following documents before the time of payment through the payroll or the due date for delivering information to HMRC:

a payroll summary report showing the reconciliation from gross to net for each employee and all relevant payroll totals
a P45 for each leaver
a note showing your PAYE and NIC liability and due date for payment
a note showing pension contributions payable in respect of each employee to the respective workplace pension scheme(s) and the due date(s) for payment

We will submit full payment submissions (FPS) online to HMRC on the basis of the data provided by you. FPSs must reach HMRC on or before the payday. You must ensure that the data provided to us is complete and accurate, and your attention is drawn to your legal responsibilities set out below.

For each tax month we will prepare, where appropriate, an employer payment summary (EPS) from the information and explanations you provide. Examples of EPS data include statutory payments, employment allowance, Construction Industry Scheme deductions, apprenticeship levy allowance, and confirmation that no payments were made to employees. EPSs must reach HMRC by the 19th of the month following the tax month to which they relate. You must ensure that the data provided to us is complete and accurate.

At the end of the payroll year we will:

prepare the final FPS (or EPS) and submit it to HMRC on the basis of the data provided by you — the final FPS (or EPS) must reach HMRC by 19 April following the end of the tax year
prepare and send to you a P60 for each employee on the payroll at the year-end, for you to give to employees by the statutory due date of 31 May following the end of the tax year

We will submit national insurance number (NINO) verification requests as appropriate to verify or obtain a NINO for a new employee.

We will only deal with the nominated person within your organisation. Any enquiries from individual employees about their wages or other payroll details will be referred back to that responsible person.

Ad hoc and advisory work

Where a query requires work or time spent outside the scope of your recurring compliance, we will let you know and agree a fee with you before proceeding where practicable. Where prior agreement is not practicable, we reserve the right to charge for the work or time involved and will notify you as soon as reasonably possible.

Ad hoc queries by, for example, telephone or email are not part of routine compliance and may result in additional fees. Where possible, we will discuss and agree any additional fees in advance, but this is not always practicable and we reserve the right to charge for such work.

Examples of ad hoc and advisory work include:

advising on termination payments and other ad hoc payroll queries, including calculating any related tax and NIC liabilities
dealing with statutory maternity pay (SMP), statutory paternity pay (SPP), shared parental pay (ShPP), and other family-related statutory payments and reclaims
dealing with any compliance check or enquiry by HMRC into the payroll returns
preparing and submitting amended returns or data for previous tax years and corresponding with HMRC as necessary
where the off-payroll working rules apply, helping you to determine deemed employment status, prepare employment status determination statements, and account for tax and NIC through the payroll
assisting with the operation of the Construction Industry Scheme (CIS) for subcontractors
conducting PAYE, benefits and expenses health checks
helping you allocate apprenticeship levy allowance across different PAYE schemes

Where specialist advice is required, we may need to seek this from or refer you to appropriate specialists. We will only do this when instructed by the nominated person.

Out of scope

The following services are not included in this engagement and are not provided by us: employment law advice, HR consultancy, flexible working requests, and carer’s leave administration. Where these services are required, we recommend you seek specialist advice.

Your responsibilities

You are legally responsible for:

ensuring that the data in your payroll submissions is correct and complete
making any submissions by the due date
paying tax and NIC on time

Failure to meet these responsibilities may lead to penalties and/or interest charges. You cannot delegate this legal responsibility to us or any other agent.

You agree to check that submissions we have prepared are correct and complete before we submit them.

You are responsible for maintaining your employees’ information, including any changes to bank account details.

To enable us to carry out our work, you agree:

to provide full information necessary for dealing with your payroll affairs and workplace pension scheme contributions; we will rely on the information and documents being true, correct and complete, and will not audit them
to confirm with us the names of the persons authorised to notify us of changes in employees and rates of pay; we will process changes only if notified by those individuals
to advise us in writing of changes to payroll pay dates and workplace pension scheme contribution dates
to notify us at least five working days before the payroll date of all transactions or events that may need to be reflected in the payroll for the period, including:
- details of all new employees, including full name, address, date of birth, gender, and national insurance number
- details of all leavers and any termination payments
- all changes to remuneration packages
- all pension scheme changes
- all changes to benefits and expenses under an existing payrolled benefits registration
- irregular and/or ad hoc payments and the dates to be paid
to provide the data required to complete:
- in-year FPS at least five working days before payroll pay dates
- in-year EPS at least five working days before the 19th of the following month
- the final FPS (or EPS) at least five working days before 19 April following the end of the tax year
to authorise us to approach such third parties as may be appropriate for information we consider necessary to deal with your affairs

You will keep us informed of material changes in your circumstances that could affect the payroll. If you are unsure whether a change is material, please let us know so we can assess its significance.

Where you want us to deal with HMRC communications, please forward all correspondence to us promptly. HMRC is not obliged to copy us in on communications sent directly to you, so it is essential that you pass these to us in time for us to act within any statutory time limits.

Our fees for payroll work must be paid in full before we make any submission to HMRC, including monthly RTI submissions. Where work is complete but our fee remains unpaid, we reserve the right to withhold submission.

If information required to complete the payroll is received later than agreed, we will endeavour to process it in time, but we will not be liable for any losses arising from a late payroll or late filing in those circumstances.

As part of our normal procedures, we may ask you to provide written confirmation of any oral information and explanations given to us during the course of our work.

Please also refer to the Data Processor Agreement below, which forms part of this document.

Limitation of Liability

Our services are subject to the limitations on our liability set out in your letter of engagement (LoE) and in the (300) Standard Terms & Conditions. These are important provisions and you should read them carefully.

608 — Auto-Enrolment

Recurring compliance work

As part of the preparation of your UK payroll, and using the data you provide, we will:

assess your workers against the auto-enrolment eligibility criteria each pay period and help you establish which category each worker falls into: entitled worker, non-eligible jobholder, or eligible jobholder
calculate the contributions to be deducted from each worker’s pay and the employer contributions due to the pension scheme
process any refunds from the pension scheme through the payroll
include pension contribution information in the payroll summary report and a separate report showing total contributions due and the payment due date
prepare and send to you required statutory communications for eligible jobholders, non-eligible jobholders, and entitled workers, for you to issue within the statutory timeframes
send the relevant worker and contribution information to your pension provider
assist you in making your declaration of compliance with The Pensions Regulator and subsequent re-declarations every three years

Ad hoc and advisory work

Examples of ad hoc and advisory work include:

dealing with any enquiry from The Pensions Regulator
assisting with initial auto-enrolment set-up for new employers, including establishing the duties start date, identifying worker categories, and registering with a qualifying pension scheme

Where specialist advice is required, we may need to seek this from or refer you to appropriate specialists. We will only do this when instructed by the nominated person.

Your responsibilities

Auto-enrolment is a legal obligation on you as an employer. You are responsible for:

choosing a pension scheme that meets the automatic enrolment qualifying criteria; we recommend you take independent financial advice on scheme selection
enrolling all eligible jobholders into the scheme on the appropriate date
providing required statutory information to workers within the statutory timeframes
monitoring your workers’ age and earnings and advising us of any change in their categorisation or status
monitoring opt-in and opt-out requests and processing them correctly
re-enrolling eligible jobholders every three years and choosing a re-enrolment date within the permitted window
making your declaration of compliance to The Pensions Regulator within five calendar months of your duties start date, and making re-declarations on each three-year cycle
maintaining all records relating to your workers and the pension scheme for the periods required by law and by The Pensions Regulator

The Pensions Regulator has powers to issue civil penalties for non-compliance with auto-enrolment duties. You should not assume that our involvement in preparing your payroll reduces or removes your obligations as employer. It is your responsibility to ensure compliance.

To enable us to carry out our work, you agree:

to provide full information about your workers and the pension scheme; we will rely on the information being true, correct and complete, and will not audit it
to confirm the name(s) of the person(s) authorised to notify us of changes; we will act only on instructions from those individuals
to advise us in writing of changes to payroll pay dates
to notify us at least five working days before the payroll date of all transactions or events relevant to auto-enrolment obligations for the period, including:
- details of all new workers and their remuneration packages
- details of all leavers and termination arrangements
- changes in the categorisation or status of any workers
- opt-in and opt-out requests
- remuneration changes
- pension scheme changes

You will keep us informed of material changes in your circumstances that could affect the pension scheme or your workers’ auto-enrolment status. If you are unsure whether a change is material, please let us know so we can assess its significance.

Where you want us to deal with correspondence from The Pensions Regulator, please forward all communications to us promptly. The Pensions Regulator is not obliged to copy us in on communications sent directly to you, so it is essential that you pass these to us in time for us to act within any statutory time limits.

If information required to complete the services is received less than five working days before the payroll date, we will endeavour to process it in time, but we will not be liable for any losses arising from a late payroll in those circumstances.

As part of our normal procedures, we may ask you to provide written confirmation of any oral information and explanations given to us during the course of our work.

Please also refer to the Data Processor Agreement below, which forms part of this document.

Limitation of Liability

609 — Payrolled Benefits-in-Kind

The services in this section are subject to a separate fee as agreed with you, and are not included in your standard payroll fee.

Recurring compliance work

Where you have instructed us to payroll benefits-in-kind (BiK) for your employees, we will:

agree with you which benefits are to be payrolled and for which employees
register the PAYE scheme with HMRC to payroll benefits-in-kind, where not already registered
calculate the cash equivalent of each payrolled benefit for each employee and process the notional amounts through the payroll each pay period
report payrolled benefits to HMRC through the full payment submission (FPS)
advise on the associated Class 1A NIC liability and the amounts due
process mid-year adjustments to benefit values as notified by you; where exact values are not available, we will use reasonable estimates based on the information you provide and make corrections when final values are known
prepare and send to you year-end statements for each employee identifying every benefit provided and the cash equivalent treated as PAYE income, for distribution to employees by 31 May following the end of the tax year

Beneficial loans and living accommodation cannot currently be payrolled and are excluded from the scope of this section.

Ad hoc and advisory work

Examples of ad hoc and advisory work include:

preparing and submitting forms P11D and P11D(b) for any benefits that cannot be payrolled or are otherwise reportable, and advising on the associated Class 1A NIC
advising on salary sacrifice arrangements and their interaction with payrolled benefits
dealing with any compliance check or enquiry by HMRC into benefits reporting
assisting with voluntary registration to payroll benefits in advance of a new tax year

Where specialist advice is required, we may need to seek this from or refer you to appropriate specialists. We will only do this when instructed by the nominated person.

Your responsibilities

You are responsible for:

identifying all taxable benefits provided to employees and notifying us of each benefit, its value or basis of valuation, and any mid-year changes, as they arise
where benefits are provided through third-party arrangements, obtaining and supplying us with the information required from those providers
retaining records of all benefits provided to employees for the period required by HMRC

If you do not notify us of a benefit, or notify us after the relevant payroll has been processed, we will not be responsible for any additional tax, interest, or penalties arising from the late or omitted reporting.

The responsibilities set out in section 607 apply equally to the payrolled benefits-in-kind service.

As part of our normal procedures, we may ask you to provide written confirmation of any oral information and explanations given to us during the course of our work.

Please also refer to the Data Processor Agreement below, which forms part of this document.

Limitation of Liability

The Data Processor Agreement

1. Introduction

1.1 This agreement regarding the processing of personal data (the “Data Processor Agreement” or “DPA”) governs the processing of personal data by Massey Accounting Company Limited (the “Data Processor”) on behalf of the client (the “Data Controller”) in connection with the payroll, auto-enrolment, and payrolled benefits-in-kind services provided under the letter of engagement and the applicable schedules of services (together, the “Main Services”).

2. Legislation

2.1 This DPA shall ensure that the Data Processor processes personal data in compliance with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), as amended or superseded from time to time (together, “Applicable Law”).

3. Processing of personal data

3.1 Purpose: The purpose of the processing under this DPA is the provision of the Main Services by the Data Processor, as described in the letter of engagement and the applicable schedules of services.

3.2 In connection with the delivery of the Main Services, the Data Processor will process certain categories and types of personal data belonging to or relating to the Data Controller’s employees and workers on behalf of the Data Controller.

3.3 “Personal data” means any information relating to an identified or identifiable natural person, as defined in UK GDPR, Article 4(1). The categories and types of personal data processed by the Data Processor on behalf of the Data Controller are listed in Sub-Appendix A. The Data Processor will only perform processing activities that are necessary and relevant to perform the Main Services. The parties shall update Sub-Appendix A whenever changes occur that require an update.

3.4 The Data Processor shall maintain a register of processing activities in accordance with UK GDPR, Article 30.

4. Instruction

4.1 The Data Processor may only act and process personal data in accordance with documented instructions from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this DPA is that the Data Processor may only process personal data for the purpose of delivering the Main Services. Subject to the terms of this DPA and with the mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.

4.2 The Data Controller warrants that it will process personal data in accordance with the requirements of Applicable Law. The Data Controller’s instructions for the processing of personal data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of personal data and the means by which it was obtained.

4.3 The Data Processor will inform the Data Controller of any instruction that it considers to be in violation of Applicable Law and will not execute the instruction until it has been confirmed or modified.

5. The Data Processor’s obligations

5.1 Confidentiality

5.1.1 The Data Processor shall treat all personal data as strictly confidential. Personal data shall not be copied, transferred or otherwise processed in a manner inconsistent with the Instruction, unless the Data Controller has agreed otherwise in writing.

5.1.2 The Data Processor’s staff shall be subject to an obligation of confidentiality ensuring that all personal data processed under this DPA is treated as strictly confidential.

5.1.3 Personal data will only be made available to personnel who require access to it for the delivery of the Main Services.

5.2 The Data Processor shall ensure that staff processing personal data do so only in accordance with the Instruction.

5.3 Security

5.3.1 The Data Processor shall implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, in accordance with UK GDPR, Article 32. The Data Processor may update or modify these security measures from time to time, provided that any such changes do not result in a degradation of the overall level of security.

5.4 The Data Processor shall provide documentation of its security measures if requested in writing by the Data Controller.

5.5 Data protection impact assessments and prior consultation

5.5.1 Where the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in carrying out data protection impact assessments in accordance with UK GDPR, Article 35, and any required prior consultation with the Information Commissioner’s Office in accordance with UK GDPR, Article 36.

5.6 Rights of data subjects

5.6.1 If the Data Controller receives a request from a data subject to exercise their rights under Applicable Law and requires the Data Processor’s assistance to respond, the Data Processor shall provide the necessary information and documentation within a reasonable time to enable the Data Controller to respond in accordance with the applicable statutory timeframes.

5.6.2 If the Data Processor receives a request from a data subject that relates to personal data processed on behalf of the Data Controller, the Data Processor shall promptly forward the request to the Data Controller and shall not respond to the data subject directly.

5.7 Personal data breaches

5.7.1 The Data Processor shall notify the Data Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting personal data processed on behalf of the Data Controller, to enable the Data Controller to comply with its obligations under UK GDPR, Article 33.

5.7.2 The Data Processor shall take reasonable steps to identify the cause of any such breach and to prevent it from recurring, and shall cooperate with the Data Controller in any required notification to the Information Commissioner’s Office.

5.8 Documentation of compliance and audit rights

5.8.1 Upon written request by the Data Controller, the Data Processor shall make available all information reasonably necessary to demonstrate compliance with this DPA and shall cooperate with audits or inspections conducted by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give reasonable prior written notice of at least 30 days of any audit or inspection, and shall not conduct more than one audit or inspection per year. Any audit shall be conducted in a manner that avoids causing undue disruption to the Data Processor’s operations.

5.8.2 The Data Controller may be required to sign a non-disclosure agreement in a form reasonably acceptable to the Data Processor before being given access to the above information.

5.9 Data transfers

5.9.1 The Data Processor will not ordinarily transfer personal data to countries outside the United Kingdom. Where personal data is stored using cloud-based services whose servers may be located outside the United Kingdom, the Data Processor will use only those services that provide adequate safeguards for international data transfers in accordance with UK GDPR, Chapter 5.

6. Sub-processors

6.1 The Data Processor is given general authorisation to engage third-party sub-processors (“Sub-Processors”) to assist in processing personal data, without obtaining further specific written authorisation for each engagement, provided that the Data Processor notifies the Data Controller in writing of the identity of any new Sub-Processor before that Sub-Processor begins processing personal data. If the Data Controller wishes to object, it must do so in writing within ten business days of receiving notification. Absence of any objection within that period shall be deemed consent to the engagement of the relevant Sub-Processor.

6.2 If the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate that objection, the Data Controller may terminate the Services by providing written notice to the Data Processor.

6.3 The Data Processor shall enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA. The Data Processor shall on an ongoing basis monitor Sub-Processors’ compliance with Applicable Law and shall provide documentation of such monitoring if requested in writing by the Data Controller.

6.4 The Data Processor shall be accountable to the Data Controller for the acts and omissions of each Sub-Processor to the same extent as for its own acts and omissions.

6.5 A list of the Data Processor’s current Sub-Processors is available to the Data Controller on request. The Data Processor will update this list when a new Sub-Processor is engaged and will notify the Data Controller in accordance with clause 6.1 above.

7. Remuneration and costs

7.1 The Data Controller shall pay the Data Processor for time spent fulfilling the obligations under clauses 5.5, 5.6, 5.7, and 5.8 of this DPA, based on the Data Processor’s hourly rates.

7.2 The Data Processor is also entitled to remuneration for time and resources required to adapt processing activities in order to comply with changes to the Data Controller’s Instruction. The Data Processor will not be liable for non-performance where compliance with the Main Services would be in conflict with a changed Instruction, or where delivery in accordance with a changed Instruction is not technically, practically, or legally possible.

8. Limitation of liability

8.1 The total aggregate liability of the Data Processor under or in connection with this DPA is subject to the limitation of liability clause in the (300) Standard Terms & Conditions.

8.2 Nothing in this DPA relieves the Data Processor of its own direct responsibilities and liabilities under UK GDPR and the DPA 2018.

9. Duration

9.1 This DPA shall remain in force for as long as the Main Services are provided and shall terminate automatically on the termination or expiry of the engagement.

10. Data protection officer

10.1 The Data Processor will appoint a Data Protection Officer where such appointment is required by Applicable Law.

11. Termination

11.1 Following termination or expiry of this DPA, the Data Processor will, at the Data Controller’s written request, either delete or return all personal data in its possession, except to the extent that the Data Processor is required by Applicable Law to retain it. Where retention is required by law, the Data Processor will archive the data and implement reasonable measures to prevent further processing. The obligations in this DPA shall continue to apply to any retained personal data.

12. Contact

12.1 Contact details for the Data Processor and the Data Controller are as provided in the letter of engagement.

Sub-Appendix A: Categories of Personal Data and Data Subjects

This Sub-Appendix sets out the categories of personal data and categories of data subjects that the Data Processor processes on behalf of the Data Controller under this DPA.

Categories of data subjects

Employees and workers of the Data Controller (current and former) whose data is required to process payroll, auto-enrolment, and payrolled benefits-in-kind obligations
Former employees where processing is required in connection with prior-period submissions, P45s, or HMRC enquiries

Categories of personal data

Identity and contact data:

Full name
Home address
Date of birth
Gender
National insurance number

Employment and payroll data:

Employment start and end dates
Job title and payroll reference number
Gross pay and all components of remuneration
Tax code and income tax due
National insurance contribution category and amounts (employee and employer)
Student loan and postgraduate loan plan type and deductions
Bank account details for salary payment

Pension and auto-enrolment data (where section 608 services are engaged):

Pension scheme membership and contribution rates
Worker categorisation (entitled worker, non-eligible jobholder, eligible jobholder)
Opt-in and opt-out records
Contribution and refund records

Benefits-in-kind data (where section 609 services are engaged):

Description and cash equivalent value of benefits provided to each employee
Changes to benefit values during the tax year

Special category data

Where statutory sick pay (SSP) is processed, basic information about an employee’s absence from work due to illness or injury may be processed (for example, start and end dates of qualifying periods of incapacity for work). No clinical records or medical reports are processed. This data is processed on the basis of compliance with a legal obligation under UK GDPR, Article 9(2)(b).