1. Who are we?
Sage Global Services Limited t/a Sage HR is a company incorporated in England and Wales under company registration number 09506951 with the registered office address 62 Stakes Road, Waterlooville, Hampshire, PO7 5NT. Sage HR is owned by Sage Group plc, a company incorporated in England and Wales under company registration number 02231246 with the registered office address C23 - 5 & 6 COBALT PARK WAY, COBALT PARK, NEWCASTLE UPON TYNE, NE28 9EJ (hereinafter “Sage Group”).
When our customers use Sage HR software and upload personal information to it, we will be acting as data processor on behalf of our customers. This privacy policy does not cover that processing of personal information. This privacy policy covers the processing of personal information when Sage HR is acting as a data controller, meaning circumstances when we determine the purpose for the use of the personal information and the way it is used. Examples of this are where we collect information on prospective customers, and carry out client relationship management, marketing and data analytics using our customers’ data.
We have appointed a data protection officer (“DPO”), who is responsible for responding to questions in relation to this privacy policy. If at any time you are concerned or have questions about how we handle your personal information, please contact our DPO at globalprivacy@sage.com .
2. How we collect your personal information?
To the extent permitted by applicable laws, we collect personal information about you (as our customer contact) and any other individual whose details you provide to us when you:
-
fill out a form on our website, including, but not limited to, registering to use our applications or services;
-
use Sage HR software or services;
-
place an order using our website, applications or services;
-
complete online forms, take part in surveys or participate in any other interactive area that may appear on our website, applications or services;
-
interact with us using chatbots; or
-
contact us offline, for example by telephone, fax, email or post.
We will also collect your personal information when you only partially complete and/or abandon any information inputted into our website and/or other online forms, and may use this information to contact you to remind you to complete any outstanding information and/or for marketing purposes as permitted by applicable laws.
We also collect information from your devices (including mobile devices) and applications used to access and use any of our websites, applications or services (for example, we may collect the device identification number and type, location information and connection information, such as statistics on your page views, traffic to and from the sites, referral URL (i.e. web address), ad data, the IP address of your devices, your browsing history and your web log information). We may do this using cookies or similar technologies (as described in section 11 below).
We may enhance personal information we collect from you with information we obtain from third parties that are entitled to share that information; for example, information from credit agencies, search information providers or public sources (e.g. for customer due diligence purposes), but in each case as permitted by applicable laws.
Providing us with information about others
You will be telling us about employees and non-employee workers at your organisation who access and use Sage HR software. They are referred to as users throughout this privacy policy. If you provide us with personal information about someone else, including, but not limited to, these users, you are responsible for:
-
ensuring that you comply with applicable Data Protection Laws in relation to such disclosure; and
-
explaining to them how we collect, use, disclose and retain their personal information and/or directing them to read our privacy policy.
3. How we use your information
3.1 How we use your information
Personal information means any information relating to an individual from which that person can be identified. The types of personal information that we collect, and our uses of that personal information, may vary depending on our relationship with you. For example, we may collect different personal information depending on whether you are a customer, a customer’s users, a contact at a prospective customer or any individual to whom we market our products and services. We may obtain, use, store and transfer the following personal information about you:
-
Personal contact information (including your and your organisation’s users’ name, home address, personal telephone number(s) and/or personal email address);
-
Information gathered through correspondence with us;
-
Financial information (including bank account details and/or billing addresses);
-
Usage and technical data, which includes information about how you use our website, products and services, and traffic data, weblogs, pages you access and other communication data (i.e. information obtained via cookies); and
-
Profile information (including your username and password, purchases made by you, your preferences and any feedback or survey responses).
For those customers who use Sage HR with G Suite application, we use the following data:
-
Employee full names;
-
Email addresses (used to map and authenticate users in Sage HR); and
-
Access to Google Calendars (used to send time of events so they appear in Google Calendar).
Please note that we do not store any G Suite passwords.
For those customers who use the Predictive Leave service, we may use the following data (provided that this data is pseudonymised and therefore never relates to an identifiable individual or customer and only processed on an aggregated basis):
-
Leave data (leave dates, type of leave, leave policies),
-
Employment data (employment status, leave eligibility, position).
3.2 How we use your information
The personal information we hold about you and your organisation’s users may be used in any of the following ways:
Purpose for processing your personal information | Legal basis for processing your personal information |
---|---|
To provide you and your organisation’s users with the Sage HR software, including administration and management of your account. | If the personal information we use is about the individual who is a party to the contract with us, we rely on the basis that the use is necessary for our contract with you. |
For all other individuals, we need this information for our legitimate business purpose to provide our service, including to administer and manage our customers’ accounts. | |
To allow you to upload, store and access client data. |
If the personal information we use is about the individual who is a party to the contract with us, we rely on the basis that the use is necessary for our contract with you.
For all other individuals, we need this information for our legitimate business purpose to allow the upload, storage and access to client data. |
To enable users to access certain aspects of Sage HR and limited client data relevant to themselves. | We have a legitimate business purpose to allow users to access Sage HR and certain client data. |
To provide you and your organisation’s users with user support. |
If the personal information we use is about the individual who is a party to the contract with us, we rely on the basis that the use is necessary for our contract with you.
For all other individuals, we need this information for our legitimate business purpose to provide user support for you to be better able to use our products, services and applications. |
To moderate your account. |
If the personal information we use is about the individual who is a party to the contract with us, we rely on the basis that the use is necessary for our contract with you.
For all other individuals, we need this information for our legitimate business purpose to moderate client accounts. |
For research and analytics purposes (for example, to improve the quality of the service). | We have a legitimate business purpose to carry out research and analytics in order to improve our products, services and applications. |
To ensure security for you, your organisation’s users, our staff and other users of the service. | We have a legal obligation to ensure the security for our customers of our products, services and applications. |
To comply with applicable laws, court orders, government and law enforcement agencies’ requests. | It is necessary for compliance with a legal obligation. |
To send you further information about our services about which we think you may have an interest. |
Sometimes we need your consent, for example when you have provided us with a personal email address such as a Gmail account and where you have not bought our service from us, we need your consent to email you.
In other circumstances, for example, when you have provided us with a work email address we can rely on the fact that we have a legitimate business purpose to send you selected communications about the services that we offer, promotions and/or events that might interest you. |
To send you further information about our services based on a request we have received from you. | We have your consent. |
To fulfil the obligations we have in relation to any contracts we have in place with you (including, without limitation, the EULA). |
If the personal information we use is about the individual who is a party to the contract with us, we rely on the basis that the use is necessary for our contract with you.
For all other individuals, we need this information for our legitimate business purpose to fulfil our obligations under that contract. |
To provide you with notification about any changes to the service. |
If the personal information we use is about the individual who is a party to the contract with us, we rely on the basis that the use is necessary for our contract with you.
For all other individuals, we need this information for our legitimate business purpose to fulfil our obligations to engage with customers and communicate with them in respect of changes to the services we provide. |
4. Predictive Leave Service
As part of the services we provide, we may provide customers with predictions on the amount of leave likely to be taken in the future in their organisation. This service is designed to help customers better understand leave patterns and trends to enable better workforce planning and management.
We use machine learning to provide Predictive Leave as it helps us to identify patterns with minimal intervention by humans, therefore allowing the provision of an effective, frictionless service. We provide the Predictive Leave service as a data processor acting on behalf of our customers. However, to ensure accuracy of the service, we need to process your personal data to verify that the predictions the service makes are in line with the data used to provide the service. In that context, we process your personal data as a data controller, on the basis of our legitimate interest. The personal data used to train the machine learning model is pseudonymised and stored and processed in a way that it cannot be linked back to you or any living individual.
Any individual whose personal information we process has the right to object to processing based on our legitimate interests, and if you wish to do so, please contact us at globalprivacy@sage.com .
5. Sharing your information
We may share your personal information with the following parties:
-
any company within the Sage Group, for the purposes set out in this privacy policy (including, but not limited to, global information and customer relationship management; software and service compatibility and improvements; and to provide you with any information, applications, products or services that you have requested);
-
our service providers and agents (including their sub-contractors) or third parties which process information on our behalf (e.g. internet service and platform providers, payment processing providers and those organisations we engage to help us send communications to you) so that they may help us to provide you with the applications, products, services and information you have requested or which we believe is of interest to you;
-
third parties used to facilitate payment transactions, for example clearing houses, clearing systems, financial institutions and transaction beneficiaries;
-
third parties where you have a relationship with that third party and you have consented to us sending information (for example, social media sites or other third party application providers);
-
third parties for marketing purposes (e.g. our partners and other third parties with whom we work and whose products or services we think will interest you in the operation of your business activities. For example, financial services organisations (such as banks, insurers, finance providers), payment solutions providers, software and services providers that provide business solutions);
-
credit reference and fraud prevention agencies;
-
government bodies, regulators and any other third party necessary to meet Sage Group’s legal and regulatory obligations;
-
law enforcement agencies so that they may detect, investigate or prevent crime or prosecute offenders;
-
any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example, in response to a court order);
-
any third party in order to meet our legal and regulatory obligations, including statutory or regulatory reporting, or the detection or prevention of unlawful acts;
-
our own and Sage Group’s professional advisors and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
-
another organisation if we sell or buy (or negotiate to sell or buy) any business or assets;
-
another organisation to whom we may transfer our agreement with you; and
-
government departments where reporting is mandatory under applicable law.
When we appoint third party service providers who act as data processors on our behalf, we require them to respect the security of your personal information and to treat it in accordance with applicable laws. We do not allow our third party service providers to use your personal information for their own purposes, and only permit them to process your personal information for specified purposes and in accordance with our instructions.
We may also aggregate and anonymise your, and your organisation’s users’, personal information (excluding, for the avoidance of doubt, sensitive personal information, known as “special category” personal information under applicable law) and use and share such aggregated and anonymised personal information with third parties for statistical purposes and for the purpose of data analytics, product development, and/or improvement.
6. Marketing
From time to time, we may use your information to contact you with details about our applications, products and services which we feel may be of interest to you. In particular, we may use your personal information to provide you with marketing communications in the form of newsletters, product feature updates, blogs and listings on application review sites via email and telephone. We may also share your information with our group companies and carefully selected third parties so that they (or we) may contact you with information about their products or services which we feel may be of interest to you. We or they may wish to contact you for this purpose by telephone, post, SMS or email, as permitted by applicable laws.
You have the right at any time to stop us from contacting you for marketing purposes. You may also request at any time that we do not share your information with third parties referred to in this paragraph. If you wish to exercise these rights you can do so by selecting your contact preferences at the point where you provide us with your information on our websites, applications or services, using any preference centres we give you access to or by sending us an email to globalprivacy@sage.com . You can also unsubscribe from any email marketing using the links provided in the emails we send to you.
7. Your information and rights
Under applicable Data Protection Laws, you have key rights in relation to your personal information, as set out below. You can exercise any of these rights by contacting us via email at globalprivacy@sage.com .
Please note that although we take your rights seriously, these rights might not apply in every circumstance, and there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we could not comply with our own legal or regulatory obligations. In these instances, we will let you know why we cannot comply with your request.
7.1 The right to access your personal information
You are entitled to a copy of the personal information we hold about you, together with certain details about how we use it. We will usually provide your personal information in writing, unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means, where possible.
7.2 The right to rectification
We always take care to ensure that the personal information we hold about you is accurate and, where necessary, up to date. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.
7.3 The right to restriction of processing
In certain circumstances, you are entitled to ask us to stop using your personal information, for example, where you think that it is inaccurate, or where you think that we no longer need to use it.
7.4 The right to withdraw your consent
Where we rely on your consent to process your personal information, you have the right to withdraw your consent to our further use of your personal information.
7.5 The right to erasure
This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request deletion of your personal information. For example, where we no longer need your personal information for the original purpose for which we collected it, or where you have exercised your right to withdraw consent.
Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example, we may be unable to erase your information as requested by you because we have a legal or regulatory obligation to keep it.
7.6 The right to object
In certain cases, you have the right to object to our processing. This arises in relation to:
Marketing: You have control over the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time. You can do this either by clicking on the "unsubscribe" button in any email that we send to you or by contacting us using the details set out in section 12 of this privacy policy below. Please note that even if you exercise this right because you do not want to receive marketing messages, we may still send you service related communications, where necessary.
Processing based on our justifiable purpose: Where we process your personal information based on a justifiable purpose, you can object to such processing, unless our purpose outweighs any prejudice to your privacy rights.
7.7 The right to data portability
In certain circumstances, you can request that we transfer personal information that you have provided to us, direct to a third party.
7.8 Rights relating to automated decision-making
We do not carry out any automated decision-making. If this changes, we will let you know and inform you of your rights relating to automated decision-making.
7.9 The right to make a complaint to the ICO
You have a right to complain to the Information Commissioner's Office (ICO) if you believe that we have breached Data Protection Laws when using your personal information.
You can visit the ICO's website at https://ico.org.uk/ for more information. Please note that lodging a complaint with either us or the ICO will not affect any other legal rights or remedies that you have.
8. Changes to this privacy policy
From time to time we may need to make changes to this privacy policy, for example, as the result of changes to law, technologies, our services, or other developments. We will provide you with the most up-to-date privacy policy and you can check our website https://sage.hr/privacy-policy periodically to view it. This privacy policy was last updated on 1 June 2021.
9. Security and storage of information
We will take reasonable steps to maintain appropriate technical and organisational measures to protect the personal information you provide to us, or we otherwise hold about you, against accidental or unlawful destruction, loss, alteration, and from unauthorised disclosure or access.
We store the personal information you and your organisation’s users provide us with, or which we otherwise hold about you or them, on our secure servers. In the event of us giving you or your organisation’s users (or you/they choosing) a password which grants you/them access to specific areas within our website or services, it remains your/their responsibility to maintain the confidentiality of this password. This includes the responsibility to refrain from sharing your/their password with other parties.
As the transmission of data via the Internet cannot be assumed to be completely secure, we cannot guarantee the security of any of your or your organisation’s users’ data transmitted to our website or services; you and they are therefore responsible for any risk associated with such transmission. We will, however, at all times take all reasonable steps to ensure the transmission of your and your organisation’s users’ data is executed as securely as possible, and upon receipt of your/their data we will continue at all times to enforce strict security procedures and features in an attempt to prevent any unauthorised access.
We will only retain the personal information for the duration of our business relationship and for as long as reasonably necessary to fulfil the purposes we collected it for, and to comply with applicable legal, regulatory, tax, accounting or reporting requirements, or as otherwise permitted by applicable laws and regulations. The exact time period will depend on your relationship with us and the type of personal information we hold about you.
When determining how long to retain your personal information, we will also take into consideration a number of factors, including whether there are any existing contractual obligations we may owe to you or you may owe to us, and whether there are anticipated or actual disputes, complaints or legal proceedings.
Where we no longer need your personal information, we will dispose of it in a secure manner (without further notice to you).
If you would like further information regarding the periods for which your personal information will be stored, please contact us using the details set out section 12 of this privacy policy below.
10. Transfers outside of the European Economic Area and the UK
Personal information in the European Economic Area (which means all the European Union (EU) countries plus Norway, Iceland and Liechtenstein, together “EEA”) and the UK is protected by Data Protection Laws, but other countries do not necessarily protect your personal information in the same way.
Our website and some of our applications, or services or parts of them, may also be hosted in the United States, or otherwise outside of the UK or the EEA, and this means that we may transfer any information which is submitted by you through the website or the application or service outside the EEA or the UK to the United States or to other territories outside of the EEA or the UK. When you send an email to us, this will also be stored on our email servers which are hosted in the United States.
We may use service providers based outside of the EEA or the UK to help us provide our website, applications and services to you (for example, platform and payment providers who help us deliver our applications and services, or advertising or execute your payments) and this means that we may transfer your information to service providers outside the EEA or the UK for the purpose of providing our applications, advertising and services to you.
We take steps to ensure that where your information is transferred outside of the EEA or the UK by our service providers and hosting providers, appropriate measures and controls in place to protect that information in accordance with applicable data protection laws and regulations. For example, we may share information with our group companies or affiliates based outside the EEA or the UK for the purposes envisaged by this privacy policy. All Sage Group companies are subject to Sage Group data protection policies designed to protect data in accordance with EU Data Protection Laws. In each case, such transfers are made in accordance with the requirements of Regulations (EU) 2016/679 (the General Data Protection Regulations or “GDPR”) and may be based on the use of the European Commission’s Standard Model Clauses for transfers of personal information outside the EEA or the UK.
By using our website, products or services or by interacting with us in the ways described in this privacy policy, you consent to the transfer of your information outside the EEA or the UK in the circumstances set out in this Privacy Notice. If you do not want your information to be transferred outside the EEA or the UK you should not use our website, applications or services.
For further information on, or a copy of, the adequate safeguards adopted by us for the international transfer of personal information, please email globalprivacy@sage.com .
11. Other sites and social media
If you follow a link from our website, application or service to another site or service, this privacy policy will no longer apply once you have left our website, application or service. We are not responsible for the information handling practices of third party sites, applications or services, and we encourage you to read the privacy policies appearing on those sites, applications or services.
Our websites, applications or services may enable you to share information with social media sites, or use social media sites to create your account or to connect your social media account. Those social media sites may automatically provide us with access to certain personal information retained by them about you (for example, any content you have viewed). You should be able to manage your privacy settings from within your own third party social media account(s) to manage what personal information you enable us to access from that account.
12. Cookies and IP addresses
We may obtain information about your and your organisation’s users’ computer, which includes your and your organisation’s users’ IP address, browser type and operating system where available. This accumulation of data is used to assist system administration.
13. Further information
If you have any queries about how we handle your personal information, the contents of this privacy policy, your data protection rights under applicable local laws, how to update your records or how to obtain a copy of the personal information that we hold about you, please write to our Data Protection Officer, at Data Protection Officer, The Sage Group plc, C23 - 5 & 6 COBALT PARK WAY, COBALT PARK, NEWCASTLE UPON TYNE, NE28 9EJ or send an email to globalprivacy@sage.com .
Last update: 27 January 2022