.svg)
0 comments
1. INTRODUCTION
1.1. Playroll is committed to compliance with data protection laws, regulations and rules.
1.2. Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This Data Subject Access Request Policy (“Policy”) explains how a Data Subject can exercise its privacy rights.
2. PURPOSE
2.1. This Policy sets out how Playroll identifies and manages its “Data Subject Access Request” (“DSAR”) responsibilities in accordance with its legal and regulatory obligations, and outlines both the procedural and technical mechanisms Playroll provides to facilitate these requests securely and efficiently.
2.2. Data subjects have the right to be informed about:
2.2.1. the purposes of the processing;
2.2.2. the categories of personal data concerned;
2.2.3. the recipients to whom the personal data has been or will be disclosed to, particularly recipients in third countries or international organisations;
2.2.4. the envisaged period for which personal data will be stored;
2.2.5. the existence of the right to request rectification or erasure of personal data, or restriction of processing of personal data from the Controller;
2.2.6. their right to lodge a complaint with a supervisory authority. For data subjects in the United Kingdom, this means the right to complain to the Information Commissioner’s Office (“ICO”) — see the “How to Complain” section below for details of the prior internal step required by the Data (Use and Access) Act 2025;
2.2.7. where personal data is not collected from the data subject, any information regarding the source; and
2.2.8. the existence of automated decision-making.
3. SCOPE
This Policy shall apply to Playroll, its employees (permanent and temporary), shareholders, directors (executive and non-executive), officers, contractors, subcontractors, suppliers and agents, together as well as any other Data Subject that Playroll processes, including employees hired in its capacity as employer of record for the benefit of Playroll’s Clients, contractors that it engages, and in relation to individuals whose information is stored on Playroll’s Global Payroll Platform, that is, identifiable individuals throughout the Playroll ecosystem.
4. DEFINITIONS
Unless otherwise expressly stated, or the context otherwise requires, the words and expressions listed below shall, when used in this Policy or in any Annexures and Schedules attached hereto, have the following meanings:
4.1. “Applicable Data Protection Law” means any data privacy, security or protection laws or regulations to the extent applicable to the processing of Personal Data under this policy, including any binding laws or regulations ratifying, implementing, adopting, supplementing or replacing the foregoing; in each case, to the extent in force, and as such are updated, amended or replaced from time to time;
4.2. “Controller” means the natural or legal person, public authority, agency or other body which alone, or jointly with others, determines the purposes and means of the processing of personal data, and shall also include, but not be limited to, business, responsible party, or any other term used in other Data Protection Laws with the same corresponding meaning;
4.3. “Data Subject” means identified or identifiable natural person(s), and shall also include, but not be limited to, contactors, employees hired by Playroll in its capacity as employer of record, for the benefit of Clients, or any other term used in other Applicable Data Protection Laws with the same corresponding meaning;
4.4. “information” means any content, data or other information transmitted to or from, or stored on Playroll’s information technology system. This shall refer to information that belongs to Playroll and/or its clients;
4.5. “personal data” has the meaning given to it in the General Data Protection Regulation and shall also include, but not be limited to, personal information, or any other term used in other Applicable Data Protection Laws with the same corresponding meaning;
4.6. “Policy” means this Data Subject Access Request Policy;
4.7. “processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, by manual or automated means (including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data);
4.8. “processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller, and shall also include, but not be limited to, Service Provider, Operator, or any other term used in other Data Protection Laws with the same or similar corresponding meaning; and
5. DSAR PROCEDURE
The following procedure with apply:
5.1. Data Subjects may submit a Data Subject Access Request (“DSAR”) by completing the online DSAR Form available here:
https://forms.monday.com/forms/f46a55bf97af2c22061a2ab00fd3bb08?r=use1
5.2. Upon receiving a Data Subject Access Request, Playroll will log it and acknowledge receipt promptly, and in any event within the timeframe required by Applicable Data Protection Law. For UK data subjects, Playroll will acknowledge receipt within 30 calendar days of receiving the request.
5.3. The Legal Team will check and confirm the identity of anyone making a subject access request to ensure the information is only given to the person who is entitled to it. If the identity of the requestor has not already been provided, the person receiving the request will ask the requestor to provide at least two forms of identification, one of which must be a photo identity and the other confirmation of address.
5.4. If the requestor is not the Data Subject, written confirmation that the requestor is authorised to act on behalf of the data subject is required.
5.5. Any third-party information within the information collected must be anonymised.
5.6. Information should be summarised instead of whole documents being provided where possible.
5.7. All information collected must be reviewed to determine if it is permitted to be provided to the subject access requestor.
5.8. Exempted data that must be redacted or excluded from the response includes, but is not limited to:
5.8.1. Information that would adversely affect the rights and freedoms of others;
5.8.2. Management forecasting/planning - If a reorganisation is planned and there are documents that identify the employee, but these also outline the likelihood of certain other employees being made redundant, there may be a substantial risk of prejudice;
5.8.3. Confidential references - A reference, given confidentially, in relation to an employee’s employment is exempt from a data subject access request;
5.8.4. Settlement negotiations;
5.8.5. Legal advice/proceedings;
5.8.6. Information about other people;
5.8.7. Publicly available information; and
5.8.8. Opinions given in confidence or protected by copyright law.
5.9. The Legal Team will ensure that a written response will be sent back to the requestor.
5.10. We will respond within one calendar month of receiving your request (or of receiving any identity verification we have asked for). Where your request is particularly complex, or you have submitted multiple requests, we may extend this period by up to a further two months. If we do so, we will notify you within the first month and explain why.
5.11. The Legal Team will only provide information via channels that are secure. When hard copies of information are posted, they will be sealed securely and sent by recorded delivery.
5.12. After the response has been sent to the requestor, the subject access request will be considered closed and archived by the Legal Team.
5.13. There are situations where individuals do not have a right to see information relating to them. For instance:
5.13.1. If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
5.13.2. Requests made for other, non-data protection purposes can be rejected.
5.13.3. If the Legal Team refuses a subject access request on behalf of Playroll, the reasons for the rejection must be set out in writing, provided to the requestor, and retained on record by Playroll.
6. HOW TO COMPLAIN
If you are unhappy with the way Playroll has handled your personal data — including how we have responded to your DSAR — you have the right to complain. This section explains how.
Step 1: Raise your complaint with Playroll first
We would always like the opportunity to resolve your concern directly. Please submit your complaint using the same form as a DSAR, at https://forms.monday.com/forms/f46a55bf97af2c22061a2ab00fd3bb08?r=use1, or by emailing legal@playroll.com. You can also complain by post or by any other means — we must accept and consider your complaint however it reaches us.
We will acknowledge your complaint within 30 calendar days of receiving it. We will then investigate and provide you with a written outcome without undue delay, explaining our conclusions and any steps we have taken. If you are still not satisfied, you may ask us to review our decision before approaching a supervisory authority.
Step 2: Complain to your supervisory authority
You always have the right to complain to the relevant supervisory authority. You do not have to complete Step 1 first, though we encourage you to give us the chance to put things right. The relevant authority depends on where you are located:
6.1. United Kingdom: the Information Commissioner’s Office (ICO) — https://ico.org.uk/make-a-complaint/. Note: the DUA Act 2025 (in force 19 June 2026) requires that you first raise the complaint with Playroll (Step 1 above) before the ICO will ordinarily accept it for investigation. However, you may go directly to the ICO at any time.
6.2. European Union: the supervisory authority in the EU member state where you live or work, or where you believe an infringement has occurred.
6.3. South Africa: the Information Regulator — https://inforegulator.org.za.
6.4. Other jurisdictions: the relevant data protection authority in your country. Playroll operates globally and complies with Applicable Data Protection Law in each territory in which it operates.
For any questions about this Policy or how to exercise your rights, please contact us at legal@playroll.com.
7. ABOUT THE SUBMISSION PROCESS
7.1. The Online DSAR Form allows Data Subjects to describe the incident and upload relevant and supporting documents.
7.2. Data Subjects must ensure that the information provided through the online form is accurate and complete. Failure to provide sufficient identifying details or documentation may result in delays or inability to process the request.
7.3. Requests submitted through the online portal are automatically logged and acknowledged by Playroll’s Legal Team.
7.4. All personal information collected via the DSAR portal shall be processed only for the purpose of identifying, verifying, and fulfilling the DSAR request, in accordance with this Policy and Applicable Data Protection Law.
8. REVIEW AND AMENDMENTS
This policy may be amended from time to time, the latest version of which will be applicable to the Data Subject.
0 comments
Article is closed for comments.