
Pento Data Processing Agreement 

Last updated: April 18, 2024

Our customers are employers located in Europe and the United Kingdom who use Pento to simplify their payroll processes. Customers create an online profile for their business on the Pento platform and upload their employee information (such as the employee’s name, working hours and annual salary). As part of the registration process, the customer must also open an account with a nominated payment service provider (PSP) so that funds can be transferred from the business account to the various payees (whether the employees themselves, or relevant tax authorities and pension providers). The customer also has the choice to integrate Pento with other suppliers that they use which are relevant to the payroll process (such as accounting platforms and HR software).

Whilst Pento makes payroll painless, our services involve the use and sharing of personal data (which is any information which can identify a living person). This Data Processing Agreement (DPA) sets out the relationship and obligations between Pento and its customer to ensure that both parties use and share any personal data in a responsible, compliant and secure way. 

This DPA is between the Pento entity and the entity identified as the Customer in a completed Order Form or via the Pento platform. The contracting Pento entity is dependent on the country in which the Customer is incorporated. 

This DPA is legally enforceable from the date of the Agreement (the Start Date) and its terms apply in addition to the standard terms set out in the Pento customer Terms and conditions.

1. Definitions and Interpretation

The following definitions apply in this DPA:

Controller means the organisation or person that makes decisions about what and why Personal Data is being collected from individuals.

Customer means the entity identified in the completed Order Form which uses Pento services to facilitate the payroll process.

Data Protection Laws means applicable laws and regulations relating to privacy or Processing of Personal Data, including any relevant guidance or codes of practice issued by a regulator.

Data Subject(s) means the living person who is or could be identified by the Personal Data.

European Economic Area (EEA) means the countries which are party to the European Economic Area Treaty.

Pento means the Pento entity identified in the completed Order Form, which will be one of the following:

  1. Pento Services Limited, a company incorporated in England and Wales (company number 12311368) with its registered office at 1 Chapel Street, Warwick, CV34 4HL, United Kingdom;
  2. Pento Payroll Services Limited, a company incorporated in Ireland (company number 693348) with its registered office at Penthouse Floor, 5 Lapps Quay, Cork, T12 RW7D, Ireland; or
  3. Pento ApS, a company incorporated in Denmark (company number 37959383) with its registered office at Amaliegade 6. 2. tv., DK, 1256 Copenhagen K, Denmark.

The definition of Pento shall also include the HiBob subsidiaries, as detailed here – HiBob Group Subsidiaries

Personal Data means any information which can (or could be used to) identify a living person.

Process(ing) means any action in relation to personal data – ranging from actively using or analysing the information to simply having access to or storing the information.

Processor means the organisation or person that carries out a task for the Controller which requires them to Process Personal Data.

Personal Data Breach means a security incident in which Personal Data has been accidentally or illegally destroyed, lost, changed or shared with, accessed or used by someone who did not have permission.

Standard Contractual Clauses or SCC means the ICO’s International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK, or such alternative clauses as may be approved by the European Commission or by the UK from time to time.

Service means the payroll support service provided by Pento to the Customer, including any ancillary services (such as customer service support and installation).

Sub-Processor means an organisation or person engaged by the Processor to assist the Processor in carrying out the task for the Controller, where the assistance requires them to Process Personal Data.

1. A reference to writing or written includes email.

2. Role of the parties

1. Where Pento receives Personal Data from the Customer or Pento is required to Process Personal Data to deliver its Service to the Customer, the Customer is the Controller of that Personal Data and Pento is the Processor.

3. Providing information to individuals

1. It is the responsibility of the Customer as the Controller to inform Data Subjects how their Personal Data is used and maintain the mandatory records required under Data Protection Laws.

4. Pento’s obligations as a Processor

1. Where Pento Processes Personal Data for which the Customer is the Controller, Pento shall:

  1. only Process Personal Data in line with the Customer’s written instructions, and promptly inform the Customer if Pento believes an instruction infringes the Data Protection Laws;
  2. ensure that any of Pento’s staff who have access to Personal Data are bound by obligations of confidentiality (which are included in their employment contracts or equivalent contracts governing the working relationship);
  3. implement appropriate technical and organisational measures and procedures which ensure an appropriate level of security for Personal Data and reduce the risk of a Personal Data Breach;
  4. promptly and without undue delay inform the Customer if there has been a Personal Data Breach which impacts the Personal Data Pento Processes to deliver its Service;
  5. twelve (12) months after the contractual relationship has ended or any earlier written request from the Customer, delete or return Personal Data, save for when the law requires a longer data retention period;
  6. assist the Customer and provide the information required to ensure the Customer can comply with its obligations under the Data Protection Laws;
  7. promptly inform the Customer if Pento receives a request from or on behalf of an individual who wishes to exercise their rights under the Data Protection Laws, and provide assistance so the Customer can respond to the request; 
  8. not disclose Personal Data without the Customer’s written permission unless Pento is legally required to make the disclosure (in which case, Pento will promptly notify the Customer unless it is prohibited from doing so); and
  9. allow the Customer to access Pento premises or records to audit Pento’s compliance with the Data Protection Laws, provided the Customer gives Pento thirty (30) days’ written notice.

5. Sub-Processors

1. The Customer is deemed to authorise the list of Sub-Processors as set out in Schedule 2 at the Start Date and provides general prior authorisation to Pento to appoint Sub-Processors, provided that such Sub-Processors are appointed on terms that comply with Data Protection Laws and are consistent with the obligations imposed on Pento under this DPA. Where the Customer chooses to integrate Pento with any of the Customer’s suppliers (such as an HR software tool or accounting platform the Customer uses), it warrants it has a separate agreement with those suppliers which contains any contractual clauses required by the Data Protection Laws.

2. Where Pento uses a Sub-Processor which is located outside of the European Economic Area or United Kingdom (whichever is applicable in the circumstances):

  1. it will identify and put in place a mechanism to ensure any international transfer of Personal Data complies with the applicable Data Protection Laws. The details of the Sub-Processors authorised by the Customer pursuant to clause 5.1, their location and the mechanism relied upon are set out in Schedule 2; and 
  2. the Customer authorises Pento to enter into the SCCs with such Sub-Processor.

3. Pento shall, and shall procure that any Sub-Processor shall, only process, or permit the processing of, the Personal Data outside the EEA under the following conditions:

  1. the Personal Data is processed in a territory which is subject to adequacy regulations under the Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals; or
  2. Pento participates in a valid cross-border transfer mechanism under the Data Protection Laws, so that Pento (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals required by the Data Protection Laws. 
  3. If Pento wishes to appoint a new or replacement Sub-Processor, it shall inform the Customer in writing. Where the Customer objects to Pento’s proposed use of a new or replacement Sub-Processor within a fourteen (14) day period commencing from the date the Customer is so informed in writing, Pento will arrange a meeting to better understand the Customer’s concerns. The parties will try in good faith to resolve those concerns together. Where the parties cannot resolve the concerns, the Customer may terminate the contractual agreement without penalty. Where the Customer does not object, it shall be deemed to have authorised Pento’s appointment of such new or replacement Sub-Processor with effect from 23:59 GMT on the last day of such fourteen (14) day period.

6. Liability

1. Pento is only liable for data protection losses, costs and expenses incurred by the Customer where:

  1. Pento has not complied with its obligations under this DPA;
  2. Pento has not complied with its Processor obligations under the applicable Data Protection Laws; or
  3. Pento’s Sub-Processor has not complied with its data protection obligations.

2. Except where prohibited by law, Pento’s total liability to the Customer under this DPA in contract, tort (including negligence) or restitution, or for breach of statutory duty or misrepresentation, or any other claims of any nature arising under or in connection with this DPA shall in all circumstances be limited to 3 (three) times the fees paid by the Customer to Pento in respect of the 12 (twelve) months prior to the event giving rise to the claim.

3. Subject to clauses 6.1 and 6.2, each party shall indemnify the other against all claims and proceedings and all liability, loss, costs and expenses incurred by the other as a result of any claim made or brought by a Data Subject or other legal person in respect of any loss, damage or distress caused to them as a result of any breach by the other party of the Data Protection Laws by that party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend or settle it.

7. Governing Law

This DPA, and any dispute arising in relation to it, will be governed by the law of the country in which the Pento contracting entity is located. The parties agree that the courts of the country in which Pento is located will have exclusive jurisdiction to settle any dispute arising out of or in relation to this DPA.

Schedule 1

Subject Matter of Processing

The service that Pento will provide to the Customer

Pento simplifies the payroll process for the Customer by:

  - processing and storing relevant employee and payment information all in one place (on the Pento platform)
  - providing visibility of employee payment information and when payments are due to be made
  - calculating monies owed to employees, including a breakdown of tax and pension contributions
  - arranging for payments to be made by the PSP


Nature of Processing

The ways in which we will use the Personal Data

The Customer uploads Personal Data to the Pento platform, indicates where Pento should integrate with any of its existing suppliers and opens an account with its chosen PSP.

Pento Processes Personal Data in the following ways:

  - stores Personal Data on Pento systems
  - uses Personal Data to calculate monies due
  - transfers Personal Data to the PSP (to allow the PSP to conduct AML checks, open an account and make payments from the Customer account)
  - analyses Personal Data to provide trends to the Customer (e.g. month on month comparisons)
  - deletes Personal Data upon the Customer request or within twelve (12) months from the end of the contractual relationship


Purpose of Processing

Personal Data will be processed for the purpose of providing the Services to the Customer in accordance with the terms of the Agreement.

Types of Personal Data

Full name, home address, email, phone number, employment status, date of birth, gender, bank account information, national insurance information, PAYE reference number, salary information.

Types of Special Category Data

Pento does not intentionally collect special category data but this could be inferred from types of payment that are made (for example, statutory sickness pay).

Categories of data subjects

Customer employees.

Schedule 2 

List of Sub-Processors