Key data protection laws
The key data protection laws in the United Kingdom are the UK General Data Protection Regulation (“UK GDPR”), UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.
The key data protection laws in the Republic of Ireland are the General Data Protection Regulation, the Data Protection Act 2018 and the S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.
Controllers and processors
This privacy notice describes our processing of your personal data in our capacity as a “data controller” under applicable law in the UK and the Republic of Ireland. A data controller decides how and why your personal data is processed. Depending on the country in which you are located, a different Sage company may be the data controller of your personal data. You will find here the list of all Sage affiliate companies, by region.
Where we process personal data on behalf of another individual, for example our customers, partners, or other parties, we do not decide how and why to process that personal data. In those instances, we are a “data processor” under applicable law rather than a data controller. Where we are a data processor of your personal data, we use it in accordance with the data controller’s instructions to us. Those instructions include the terms and conditions applicable to the product or service you or your employer are using, and our Data Processing Agreement here which forms part of those terms.
If we are a data processor of your personal data, then you should also read the relevant data controller’s privacy notice. Make sure that you familiarise yourself with the privacy notice of your own employer, accountant, business, or other organisation that you have a direct relationship with, and which may share your personal data with Sage.
European Union representative
European Union (“EU”) data protection laws require non-EU organisations to have a representative in the EU. The role of the EU representative is to be the point of contact for individuals and authorities for all EU member states.
In the UK, we have appointed Sage Global Services (Ireland) Limited as our EU representative. Sage Global Services (Ireland) Limited’s contact details are:
Number One Central Park
You can also contact [email protected] if you have any questions about or for our EU representative.
Your data protection rights
If you are based within the UK or the Republic of Ireland, you have the following data protection rights:
- the right to be informed about the processing of your personal data;
- the right to obtain access to your personal data;
- the right to have your personal data rectified or erased, or to place restrictions on processing your personal data;
- the right to object to the processing of your personal data e.g., for direct marketing purposes or where the processing is based on our legitimate interests;
- the right to have any personal data you provided to us electronically returned to you in a structured, commonly used and machine-readable format, or sent directly to another company, where technically feasible (this is known as ‘data portability’);
- where the processing of your personal data is based on your consent, the right to withdraw that consent subject to legal or contractual restrictions;
- the right to object to any decisions based solely on the automated processing of your personal data, including profiling; and
- the right to lodge a complaint with the data protection supervisory authority responsible for data protection matters in your location. For the UK, this is the Information Commissioner’s Office (ICO). For the Republic of Ireland, this is the DataProtection Commissioner (DPC).
Please note that in some circumstances the exercise of the above rights may be limited by legal restrictions and exemptions. If relevant, we will explain this when responding to a request to exercise data protection rights.
If you think we hold any personal data about you which is incorrect or if there are any changes to your personal data, please let us know so that we can keep our records accurate and up to date.
If you wish to exercise your data protection rights as an individual, please access the Individual Rights Request Form on the Trust and Security Hub or contact us at [email protected].
If you do not want us to use your personal data for purposes set out in our privacy notice, we may not be able to provide you with access to all or parts of our Website or Solutions.
International transfer of personal data
Personal data in EU member states and the UK is protected by data protection laws, but other countries do not necessarily protect your personal data in the same way. You can find a list of countries that the European Commission considers provide an equivalent level of data protection to that which exists within the European Economic Area (EEA) (“Adequate countries”) here.
Our Website and some of our Solutions, or parts of them, may be hosted outside the EEA or UK, which means that we may transfer personal data to third countries which do not have an EU or UK adequacy determination in some circumstances. In addition, we may use service providers located outside the EEA or UK to help us provide our Websites, Solutions or other services to you and this means that we may transfer your personal data to these regions.
We take steps to ensure that where your personal data is transferred outside of the EEA or the UK, appropriate measures and controls are in place to protect that data in accordance with applicable data protection laws. All Sage Group companies are subject to an internal Personal Data Protection governance policy and related procedures designed to protect personal data in accordance with EU, EU member state and UK data protection laws. In each case, such transfers are made in accordance with applicable data protection laws and may be based on the use of (i) the European Commission’s Standard Contractual Clauses for transfers of personal data outside the EEA, or (ii) the UK’s International Data Transfer Agreement and/or the European Commission’s Standard Contractual Clauses and/or the UK Addendum for transfers of personal data outside the UK.
For more information on international transfer of personal data, please contact [email protected].
How can you contact us?
If you have any question about this privacy notice, or wish to exercise your data privacy rights as an individual, you can contact our Chief Data Protection Officer at by sending an email to [email protected] or by postal mail at Sage Group plc, C23 5 & 6 Cobalt Park Way, Cobalt Business Park, Newcastle-Upon-Tyne, Tyne & Wear, NE28 9EJ.