We work hard to keep all our legal mumbo jumbo as simple as possible, but we still have to have it.


The General Data Protection Regulation (GDPR) is a cornerstone of EU privacy law, which aims to protect the personal data of individuals being used by organisations. The Regulation took effect from 25 May 2018, binding enterprises to compliance if they wish to operate within the European Union. The objective of the Regulation is to:

“Protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

In GDPR terms, personal data means any information relating to a person or any information which can be used to identify a person. Resultantly, any collection, use and storage of personal data by a company is subject to the rules within the GDPR.

In summary, the rights given to Data Subjects under GDPR, gives them the powers to hold both Controllers and Processors accountable for the lawful processing of that Data Subject’s personal information.


In GDPR terms, a Controller is the natural or legal person who, alone or jointly, determines the means of the processing of personal data.

A Processor is any natural or legal person who processes personal data on the behalf of the controller.

A Data Subject is the natural person to whom the personal data being processed relates.

Putting this into context, you, the Client are the Controller for your Employees or Data Subjects’ personal data. SimplePay is acting as a Processor for your benefit, processing your employees’ personal data in order to assist you in your payroll obligations. The relevance of this is that a party’s role determines their rights, obligations and liabilities.


As a processor in terms of Article 4, SimplePay processes data on behalf of other organisations (Controllers). In exercising our responsibilities as a processor, we also aim to ensure that you remain compliant with the same ease to which you’ve become accustomed.

That’s why, although we always have and always will take our privacy obligations seriously, in 2018 we embarked on a thorough and multi-faceted programme to identify and rectify any shortcomings in our policies and / or processes. Luckily, as privacy and confidentiality are cornerstones of our system and culture, we found we were already largely compliant. Below are some of the projects we’ve undertaken since the GDPR’s enactment to ensure any compliance gaps were closed:

  • Added supplementary functionality and processes to ensure quick and complete compliance with individual’s rights, such as access, rectification and erasure (see below for details)
  • Appointed a Data Protection Officer (DPO)
  • Appointed an EU Representative
  • Reviewed the GDPR compliance of all third party apps and suppliers
  • Updated our Terms of Service, Privacy Policy and Security Statement to more fully embody the spirit of GDPR
  • Created processes for breach management and notification
  • Implemented staff readiness and training programmes, with refresher courses happening periodically
  • Reviewed all staff contracts to ensure they impose adequate confidentiality obligations
  • Undergoing ISO 27001 accreditation, which goes beyond GDPR requirements in many aspects of information security.

All client data is stored off-site in AWS’s data centre in Ireland and is backed up regularly. Full details of our privacy and security measures can be found in our Privacy Policy and Security Statement.


Pursuant to Article 37 GDPR, SimplePay has designated the role of a Data Protection Officer (DPO) within the company. Our DPO’s role, amongst other duties, includes advising SimplePay and its employees on their obligations under the GDPR, monitoring compliance and liaising with the Data Protection Commission (DPC)

Should you need to contact SimplePay’s Data Protection Officer, you can do so at


Under GDPR, individuals have enhanced rights in respect of the data they share with processors and controllers:

  • Right of access by the data subject
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Further detail on these rights can be found in Chapter 3 GDPR. In light of these rights, we have implemented internal policies and workflows to allow us to respond to requests within the required timeframe.

Exercise of Data Subject's Rights

SimplePay implemented additional functionality to ensure full compliance with the GDPR in the following scenarios:

  • Requests for deletion (in terms of the right to erasure) will be handled by means of one way, irreversible encryption of the data. Any identifying information will be scrambled but all non-identifiable financial (payroll) information will remain.
  • Requests for all information (in terms of the right of access by the data subject) on a particular individual could mostly be handled by our various reports; however, we will now also be generating a comprehensive ZIP file containing all information we have on a particular employee.

Requests in terms of the above will need to be made by full access users. Any employee queries will be directed to the relevant full access administrator on the account for actioning in their capacity as a Controller. If a situation arises where such a request cannot be complied with by the administrator (Controller), SimplePay will assess the situation and assist to the best of our ability, in alignment with the GDPR.

Any queries regarding data subjects' rights should please be directed to our Data Protection Officer as follows:

  • Sending an email to quoting “Data Subject Request” in the subject line; or
  • Mailing your request to the following address: 81 Dodder Park Road, Rathfarnham, Dublin 14, D14 NW64, Republic of Ireland.


We have researched and confirmed that all apps and suppliers we use as well as those with which we integrate are fully GDPR compliant. Below you will find links to the GDPR pages of our partners, integrated apps and internal tools: