Terms & Conditions
Personnel Checks - v5.0 - 19th September 2025
Click here to view the previous version of our terms and conditions
1. Definitions
In this Agreement:
1.1 the following terms shall have the following meanings unless the context otherwise requires:
Account: the account that we allocate to you, which sets out details of Cases, ongoing Case Activities, CA Data and Decisions;
Activity Type: a single, background screening, pre-employment, or compliance activity performed by us on your behalf, which may include the collection by us or a Third Party Information Provider of various personal documentation directly from a Subject (Data Collection Activity) as well as information requested from Third Party Information Providers who perform various background screening checks (Key Result Activity);
Agreement: these Terms and Conditions together with the New Account Onboarding Form and any document referred to in these Terms and Conditions or the New Account Onboarding Form;
API: the application programming interface which enables access to the Platform directly through your computer system;
API Credentials: the access credentials provided by us to you to enable your API to access the Platform;
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business;
CA Price: the amount paid or payable by you (or the Subject) to us for a particular Case Activity, as detailed to you through the price book available on the Platform, which may be updated from time to time;
Case: a compliance case file detailing the Processes carried out on a particular individual;
Case Activity: a single Activity Type carried out in respect of a particular Case;
Case Activity Data or CA Data: the report, certificate, or other outcome document generated following a particular Key Result Activity, or any data, information and documentation collected by us as part of a Data Collection Activity, provided by us to you ;
Commencement Date: the date of our acceptance of the New Account Onboarding Form submitted by you in accordance with Clause 2.2;
Confidential Information: any information in any form or medium obtained by or on behalf of either Party from or on behalf of the other Party in relation to this Agreement, which is expressly marked as confidential or which a reasonable person would consider to be confidential, and which may concern the other Party’s business, plans, ideas, methodologies, specifications, data, financial condition or clients and whether any of the foregoing information is disclosed or obtained before, on or after the date of this Agreement, together with any reproductions of such information or any part of it;
Controller: has the meaning set out in the Data Protection Act 2018;
Customer, you or your: the recipient of Services under this Agreement, as set out in the New Account Onboarding Form;
Customer Administrator: the individual identified in the New Account Onboarding Form as having full capacity and authority to enter into this Agreement on your behalf;
Customer Data: the data inputted by you, the Users, or us on your behalf in providing the Services (which may include Personal Data), as well as information and other materials in any form relating to you and which may be accessed, generated, collected, stored or transmitted by us in the course of the performance of the Services;
Customer Materials: any Customer Systems, Customer Data, calculations, algorithms, methods, information and other materials created or supplied by you and made available to us for use in the performance of the Services;
Customer Systems: any computer program (in object code or source code form), program interfaces and any tools or object libraries embedded in the software supplied by you and made available to us for use in the performance of the Services;
Customer Users: those of your employees, agents and independent contractors, who are authorised by you to access the Platform, as further described in Clause 3.3 and as stipulated in the New Account Onboarding Form;
Data Protection Laws: in relation to any Personal Data which is processed in the performance of this Agreement, the Data Protection Act 2018 and the UK GDPR, in each case together with any national implementing laws, regulations, secondary legislation and any other applicable or equivalent data protection or privacy laws, as amended or updated from time to time, in the UK, and any successor legislation to such laws;
Data Subject: has the meaning set out in the Data Protection Act 2018;
Decision: a suitability decision made by you in relation to an individual and reflected by the options you select using the functionality available on the Platform;
Event of Force Majeure: has the meaning given to it in Clause 14.1;
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
Intellectual Property Rights: copyright and related rights, trade marks and service marks, trade names and domain names, rights under licences, rights in get-up, rights to goodwill or to sue for passing off or unfair competition, patents, rights to inventions, rights in designs, rights in computer software, database rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications (or rights to apply) for, and renewals or extensions of, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world;
New Account Onboarding Form: the form we provide to you that contains specific details about the Services we are to provide under this Agreement;
Parties: us and you, and Party shall mean either us or you;
Personnel Checks, PC, we, us or our: Personnel Checks Limited, whose company number is 08101751 and whose registered office is at One Cathedral Square, Cathedral Quarter, Blackburn, Lancashire, England, BB1 1FB as well as any other holding company or subsidiary of Personnel Checks Limited that is involved in facilitating the Services to you under this Agreement;
Personal Data: has the meaning set out in the Data Protection Act 2018, and relates only to personal data, or any part of such personal data, of which you are the Controller and in relation to which we are the Processor and providing Services under this Agreement;
Personal Data Breach: has the meaning set out in the UK GDPR;
Process: a specific selection or combination of Activity Types, created by you using the functionality available through the Platform, to be carried out by us in respect of a Subject;
Process Request: a request submitted by you, or by a Subject and confirmed by you, using the functionality available through the Platform, for us to perform the Activity Types relevant to the particular Process requested;
Platform: the cloud-based website, SaaS platform, API or any other medium we make available, through which you are able to access your Account and submit CA Requests to us;
Processing: has the meaning set out in the Data Protection Act 2018 and Process shall be interpreted accordingly;
Processor: has the meaning set out in the Data Protection Act 2018;
Services: our provision to you of access to the Platform and the services that we provide to you, upon your request, in carrying out background screening checks, pre-employment checks, or compliance activities, as well as any additional services you may request from us and which we agree in writing to provide;
Special Categories of Personal Data: those categories of data listed in Article 9(1) GDPR;
Subject: the individual, who is to be the subject of, and who shall submit personal information to us in respect of, a Process that we are to perform;
Supervisory Authority: (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
Support Team: PC’s team members, whose contact details are available to view through the Platform, and who are able to assist you in your receipt of the Services under this Agreement;
Third-Party Information Provider: the UK Disclosure and Barring Service (DBS), the Driver and Vehicle Licensing Agency (DVLA) or any other third party (including Yoti Ltd (co.no 08998951)) from whom we receive information as a result of carrying out a Case Activity;
Third-Party Software: any other software program, cloud-based website or SaaS platform, which is owned by a third party and to which we provide you with access under this Agreement;
UK GDPR: the GDPR as applied by Chapter 3 of Part 2 of the Data Protection Act 2018;
Users: Subjects and/or Customer Users; and
Virus: anything or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, Trojan horses, viruses and other similar things or devices;
1.2 reference to Clauses shall be to clauses of this Agreement
1.3 clause headings shall not affect the interpretation of this Agreement;
1.4 in the event of a conflict between these Terms and Conditions and the New Account Onboarding Form, the New Account Onboarding Form shall prevail over these Terms and Conditions;
1.5 a person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality);
1.6 unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular;
1.7 unless the context otherwise requires, a reference to one gender shall include a reference to the other genders;
1.8 a reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time;
1.9 a reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision;
1.10 a reference to writing or written includes e-mail
1.11 a reference to a holding company or a subsidiary means a holding company or a subsidiary (as the case may be) as defined in section 1159 of the Companies Act 2006; and
1.12 any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding or following those terms and shall be deemed to be followed by the words without limitation unless the context requires otherwise.
2. Agreement
2.1 The terms of this Agreement apply to the exclusion of any terms and conditions submitted, proposed or stipulated by you in whatever form and at whatever time. If you provide to us a purchase order for your receipt of Services, other than as set out in Clause 2.2, that purchase order (and any terms and conditions attached or referred to in it) shall be purely for your administrative purposes and shall not form part of this Agreement.
2.2 Our submission to you of the New Account Onboarding Form shall be deemed to be an offer by us to provide the Services to you on the basis of these Terms and Conditions, and either your written confirmation or an End User accessing the Platform after your receipt of the New Account Opening Form (whichever is earlier) shall be considered as your acceptance of such an offer and this Agreement shall be legally formed and the Parties shall be legally bound.
2.3 Save as expressly provided in this Agreement, this Agreement shall operate to the entire exclusion of any other agreement, understanding or arrangement of any kind between the Parties preceding the date of this Agreement and in any way relating to the subject matter of this Agreement and to the exclusion of any representations not expressly stated in this Agreement except for any fraudulent misrepresentations or any misrepresentation as to a fundamental matter. Each of the Parties acknowledges that it has not entered into this Agreement based on any representation that is not expressly incorporated into this Agreement.
2.4 This Agreement constitutes the whole agreement and understanding of the Parties as to the subject matter of this Agreement and there are no provisions, terms, conditions or obligations, whether oral or written, express or implied, other than those contained or referred to in this Agreement.
3. Platform access licence
3.1 We hereby grant to you a non-exclusive, non-transferable right to permit the Customer Users to access the Platform, from the Commencement Date for the term of this Agreement solely for your internal business operations.
3.2 The Customer Administrator will be able to add individual user accounts for Customer Users to access the Platform by contacting the Support Team or by using the functionality available through the Platform.
3.3 In relation to the Customer Users, you undertake that:
3.3.1 each Customer User shall keep a secure password for use of the Platform, and that each Customer User shall keep his/her password confidential;
3.3.2 only one Customer User may access the Platform using a Customer User account at any one time;
3.3.3 you shall permit us to audit your use (and each Customer User’s use) of the Platform;
3.3.4 if any audit referred to in Clause 3.4.3 reveals that any password has been provided to any individual who is not a Customer User, then without prejudice to our other rights (whether under this Agreement or at law), you shall promptly disable such passwords and we shall not be required to issue any new passwords to any such individual; and
3.3.5 any act or omission of any Customer User shall be considered as if it was your act or omission; you must promptly notify us if you become aware of any suspected breaches of this Agreement by any Customer User.
3.4 You shall not, and you shall ensure that all Customer Users shall not, access, store, distribute or transmit any Viruses, or any material during the course of your use of the Platform that:
3.4.1 is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;
3.4.2 facilitates illegal activity;
3.4.3 depicts sexually explicit images;
3.4.4 promotes unlawful violence;
3.4.5 is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability; or
3.4.6 in a manner that is otherwise illegal or causes damage or injury to any person or property;
and we reserve the right, without liability (subject to Clause 13.2) and without prejudice to our other rights and remedies whether under this Agreement or at law, to disable your access to the Platform if you or any Customer User is in breach of this Clause 3.5.
3.5 You shall not, and you shall ensure that all Customer Users shall not:
3.5.1 attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Platform in any form or media or by any means;
3.5.2 attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Platform;
3.5.3 access all or any part of the Platform in order to build a product or service which competes with the Platform and/or the Services;
3.5.4 use the Platform and/or the Services to provide services to third parties;
3.5.5 license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Platform and/or the Services available to any third party; or
3.5.6 attempt to obtain, or assist third parties in obtaining, access to the Platform and/or the Services, except as expressly provided for by this Agreement.
3.6 You will ensure that your use and each Customer User’s use of the Platform:
3.6.1 does not infringe the privacy rights or Intellectual Property Rights of any third party;
3.6.2 does not harm us or bring us or our name into disrepute;
3.6.3 is not for the purposes of breaching or circumventing the security of any network or internet user;
3.6.4 does not impose an unreasonable or disproportionately large load on our infrastructure or the Platform;
3.6.5 does not interfere with another Customer User’s use of the Platform; and
3.6.6 conforms in all respects will all applicable laws, rules, regulations, bye-laws and codes of practice (including disability discrimination, intellectual property, privacy and Data Protection Laws).
3.7 You must not use any automated means to access the Platform or collect any information from it unless you have requested the option to access the Platform through an API on registration of your Account and we have consented to this request.
3.8 If you access the Platform through an API, subject to your compliance with your obligations under this Agreement and more specifically Clause 3.10, you are hereby granted a non-transferable limited licence to:
3.8.1 programmatically access the Platform from your website or your computer system using the API Credentials that we shall make available to you; and
3.8.2 reproduce our trade marks, logos and any other Intellectual Property Rights embedded in the Platform or otherwise described in these Terms and Conditions;
3.9 If you access the Platform through an API, you agree to:
3.9.1 not edit, adapt, amend or otherwise alter the Platform;
3.9.2 not share the API Credentials with any third-party;
3.9.3 not present the Platform in a way that seeks to replicate or pass off your own website or computer system as a resource belonging to or endorsed by us; and
3.9.4 include the “Powered by Personnel Checks” logo or some other equivalent stamp or watermark, that we will provide to you upon registration of your Account, on the same webpage or the relevant tool or function embedded in your computer system that enables access to the Platform.
3.10 You shall prevent any unauthorised access to, or use of, the Platform and, in the event of any such unauthorised access or use, immediately notify us.
3.11 The rights provided under this Clause 3 are granted to you only and shall not be considered granted to any subsidiary or holding company of you.
3.12 We reserve the right, at any time, to carry out repairs, maintenance, amend or introduce new facilities and functions in respect of all or any part of the Platform.
3.13 It is your responsibility to ensure that you provide us with the information required to enable us to properly make the Platform available, and to perform our obligations under this Agreement. We shall not be responsible or have any liability (subject to Clause 13.2) for any failure to make the Platform available to the extent caused by your failure to properly ensure the provision of the relevant information to us.
3.14 We may, at our absolute discretion, from time to time either host the Platform on our own servers or use third party suppliers to do so in whole or in part. You acknowledge that we may from time to time without prior notice and without the need for prior agreement provide reasonable additional obligations or requirements on you or reasonably restrict your rights due to the requirements of a third-party supplier.
3.15 Whilst we endeavour to ensure that information and materials on or provided through the Platform (including information about the Services) are correct, no warranty or representation, express or implied, is given that they are complete, accurate, up-to-date, fit for a particular purpose and, to the extent permitted by law and we shall not have any liability (subject to Clause 13.2) for any errors or omissions.
3.16 Access to the Platform may be suspended or withdrawn from you or all Customer Users temporarily at any time without notice. We may also impose restrictions on the length and manner of usage of any part of the Platform or access for any reason. If we impose restrictions on you, you must not attempt to use the Platform under any other name or user.
3.17 Except as expressly stipulated in this Agreement:
3.17.1 we shall not, at any point or within a particular time, be responsible for providing or achieving any particular results or outcomes from your use of the Platform; and
3.17.2 we exclude all conditions, warranties, terms and obligations, whether express or implied by statute, common law or otherwise, to the fullest extent permitted by law in respect of the Platform.
3.18 We do not warrant that your use of the Platform will be uninterrupted, timely, error-free or secure from unauthorised access, or that it will meet your individual requirements. Whilst we use our reasonable endeavours to make the Platform available, we shall not have any liability (subject to Clause 13.2) if for any reason the Platform is unavailable for any time or for any period.
3.19 We maintain and support the Platform as part of our provision of the Services and at no additional cost to you. If you inform us of any fault or failure in the operation of the Platform, we will use our reasonable endeavours to respond to you and resolve and rectify the fault or failure as soon as reasonably practicable.
4. Case/process creation and process request process
4.1 This Agreement governs the overall relationship of the Parties in relation to the Services provided by us to you and sets out in this Clause 4 the procedure for you to create new Cases and Processes and submit Process Requests.
4.2 You shall be entitled to create new Cases and new Processes using the functionality available through the Platform. You shall be able, when creating a Process, to configure the Process to allow for a Subject to submit a Process Request in relation to themselves.
4.3 You shall be entitled to submit Process Requests as well as confirm your desire for us to accept Process Requests submitted by Subjects, using the functionality available through the Platform, by submitting the necessary information we require to process, and/or confirm your desire for us to carry out, the relevant Case Activities specific to such Process. You acknowledge and agree that we shall not be required to carry out any Process Request submitted by a Subject unless you have confirmed your desire for us to carry out such Process Requests using the functionality available through the Platform.
4.4 You warrant that, by submitting a Process Request to us, you have obtained the necessary consents, rights and permissions required to enable us to contact the relevant Subject and obtain from such Subject the necessary information we require to perform the relevant Case Activities.
4.5 Following your submission and/or confirmation of a Process Request, we shall make the following information available to be viewed by you via the Platform:
4.5.1 a description of the agreed Process to be performed by us;
4.5.2 details of the Subject who shall go through the particular Process; and
4.5.6 the status of each Case Activity being carried out by us under the particular Process.
5. Fees and payment
Payment in advance
5.1 Unless the parties otherwise agree in writing, payment for our Services (or for a particular Case Activity) shall be made in advance of such Services being carried out by us and, save for where you have specified that the relevant Subject shall be responsible for such payment , we shall, subject to clause 5.2, contact you to request payment following your submission of a Process Request and we will not be required to carry out the relevant Services until you have paid the relevant CA Prices.
5.2 You are able to tailor your Account to include your preferred payment details which, if selected by you using the functionality available within the Platform, may be used as an automatic payment method to pay the CA Prices due for any Process Requests. If so selected by you, you authorise us to take payment from you using such preferred payment details without the need for further authorisation to be provided by you. In such circumstances where you have included your preferred payment details and you have selected that such details may be used as an automatic payment method, we shall, at or shortly after the end of each calendar month, provide you with a report of the CA Prices paid by you during that calendar month.
5.3 Payment of the CA Prices by you shall be non-refundable, unless:
5.3.1 the Subject has failed to provide all the necessary information we require to perform the relevant Case Activity (meaning that our Services have not materially progressed following your payment of the relevant CA Price); and
5.3.2 your written request to us for a refund is made within 6 (six) months of the date the CA Price is paid.
5.3.3 In the circumstances where we are able to offer a refund, we shall be entitled to deduct our reasonable administrative costs incurred following payment of the CA Price prior to issuing a refund.
Payment by the Subject
5.4 If you specify that the relevant Subject shall be responsible for payment of the CA Price(s) when creating the relevant Process in accordance with clause 4.2, then we shall attempt to collect payment from such Subject prior to the Subject’s submission of the Process Request and we will not be required to carry out the relevant Services until the Subject has paid the relevant CA Price(s).
5.5 Payment of the CA Prices by the Subject shall be non-refundable, unless:
5.5.1 the Subject has failed to provide all the necessary information we require to perform the relevant Case Activity (meaning that our Services have not materially progressed following payment of the relevant CA Price); and
5.5.2 the written request to us for a refund is made within 6 (six) months of the date the CA Price is paid.
5.5.3 In the circumstances where we are able to offer a refund, we shall be entitled to deduct our reasonable administrative costs incurred following payment of the CA Price prior to issuing a refund.
Payment in arrears
5.6 If the parties agree in writing that payment for any of our Services (or for a particular Case Activity) shall be made in arrears and, you do not specify that the relevant Subject shall be responsible for such payment when creating the relevant Process in accordance with clause 4.2, then the following provisions shall apply:
5.6.1 You shall be responsible for payment of each relevant CA Price once the Platform displays that you have submitted a Process Request.
5.6.2 We shall invoice you on a monthly basis for the Services performed by us in the previous calendar month.
5.6.3 Payment shall be made by you within 30 (thirty) days of receipt of our invoice to the bank account nominated in writing by us.
5.6.4 In the event that at any time two invoices which are due and payable under this Agreement are outstanding and have not been paid on their due date for payment, we shall not be obliged to accept any Process Requests under this Agreement until all outstanding invoices have been paid in full and/or we may refuse to extend any further credit terms to you and require that payment for any future Case Activities shall be paid in advance in accordance with Clause 5.1 and Clause 5.2.
5.6.5 If you are late in paying any invoice due under this Agreement and such payment remains outstanding for 10 (ten) Business Days following us notifying you of such outstanding payment then, without prejudice to any other rights we have under this Agreement, we shall be entitled to:
(a) charge interest on the overdue amount at the rate of 4 (four) per cent per annum above the Bank of England's base rate from time to time from the due date until payment (after as well as before judgment), such interest to run from day to day and to be compounded monthly;
(b) recover our costs and expenses and charges (including legal and debt collection fees and costs) in collecting the late payment; and
(c) suspend performance of this Agreement, and/or any Services until payment in full has been made.
5.7 You may not at any time, set off any amount owing to us by you against any amount payable by us to you.
6. Services
6.1 We shall perform the Services within a reasonable time or as otherwise agreed in writing between the Parties from time to time. For the avoidance of doubt, time is not of the essence in respect of our performance of the Services.
6.2 We shall:
6.2.1 use our reasonable skill and care in providing the Services;
6.2.2 ensure that our employees, agents and subcontractors have the necessary skill to provide any Services;
6.2.3 ensure that any Services will be provided in a professional, competent and workmanlike manner;
6.2.4 have all necessary consents, rights and permission to enter into, and perform our obligations under, this Agreement;
6.2.5 fully, frequently and promptly update you as to progress with use of the Services, including reporting on any concerns, issues, comments or queries that need to be addressed or resolved; and
6.2.6 comply with all applicable laws, statutes, regulations and bye-laws in relation to the exercise of our rights and performance of our obligations under this Agreement.
6.3 We do not warrant or represent that the Services will be free from errors and interruptions.
6.4 We are not responsible for any people, equipment, deliverables or services that we are not expressly stipulated to provide in this Agreement. You are responsible for any people, equipment, deliverables and services that you need to obtain from someone other than us. Except for any matter in relation to which we specifically agree in writing to advise or do, we shall not be responsible, or have any liability (subject to Clause 13.2) for advising on, or failing to advise on, or doing, or failing to do, anything else.
6.5 Subject to us performing the Services within any timeframe agreed as being necessary for the performance of the Services, we may select our own working times and location provided that the nature of particular Services does not require those particular Services to be undertaken during particular working times or at a particular location (in which situation you shall be entitled to request that we perform the Services at such working times and location as are reasonable in the circumstances).
6.6 We shall use our reasonable endeavours to perform our obligations under this Agreement within any timescales set out in this Agreement. However, subject to Clause 13.2, we shall not have any liability for any delays or failures to accurately perform our obligations:
6.6.1 if we have used those endeavours;
6.6.2 if caused by any failure or delay on your part or on the part of your employees, agents or subcontractors, or by any breach by you of this Agreement or any other agreement; and/or
6.6.3 if we experience an Event of Force Majeure.
6.7 If we are delayed or hindered in providing any Services as a result of any breach, delay or failure by you to perform any of your obligations under this Agreement or of any other agreement between us and you, then we may charge you at our time and materials rates from time to time for:
6.7.1 any time reasonably incurred as a result of the hindrance or breach (including any wasted time for which we had anticipated that our personnel would provide Services under this Agreement but become unable to provide the Services at that time as a result of your act or omission); and
6.7.2 any time that we were going to spend in providing the Services, in addition to the time we actually do spend in providing the Services.
6.8 We expressly exclude all liability (subject to Clause 13.2) for the content or accuracy of any CA Data or any other information that we receive or provide to you in providing the Services relating to a Subject which we have obtained from a Third Party Information Provider or been provided with by the applicable Subject and under no circumstance shall we be liable for any failure to verify the accuracy and completeness of any CA Data, or conducting any further investigations or controlling the time taken by any third party (including any Third Party Information Provider or the Subject) to provide us with the information necessary for us to provide the CA Data to you.
6.9 Except for providing you with the CA Data in respect of each Case Activity we perform, or as specifically stipulated in this Agreement, we:
6.9.1 shall not be responsible for providing or achieving any particular results or outcomes or within a particular time; and
6.9.2 exclude all conditions, warranties, terms and obligations, whether express or implied by statute, common law or otherwise, to the fullest extent permitted by law in respect of the Services.
6.10 We have the right to make any changes to the Services which are necessary to comply with any applicable law or safety requirement, and we shall notify you in writing as soon as reasonably possible after we become aware of any such event.
7. Your obligations
7.1 You shall:
7.1.1 ensure that the instructions or directions that you provide to us in respect of the Services (and each Process Request) are complete and accurate;
7.1.2 ensure that the Customer Materials do not and shall not infringe the Intellectual Property Rights of any third party;
7.1.3 ensure that the Customer Materials do not contain any Viruses;
7.1.4 ensure that your Computer Systems comply with the relevant specifications provided by us from time to time;
7.1.5 ensure that your employees, agents and subcontractors fully co-operate with, and make themselves available at all reasonable times for discussion and meetings with, us and our employees, agents and subcontractors and to enable us to promptly perform our obligations under this Agreement;
7.1.6 promptly provide to us such data, information and assistance that will enable us to carry out fully, accurately and promptly our obligations under this Agreement to the best of our ability;
7.1.7 promptly comply with all of our reasonable requests in connection with this Agreement; and
7.1.8 comply with all applicable laws, statutes, regulations and bye-laws in relation to the exercise of your rights and performance of your obligations under this Agreement.
7.2 You warrant and undertake that at all times during the term of this Agreement you will ensure that:
7.2.1 you will use our Services for your own internal business purposes and not for your own commercial gain;
7.2.2 you will ensure that when any Process Requests are submitted where a relevant Case Activity is in relation to the Subject’s criminal history, they are submitted in accordance with the appropriate eligibility criteria stipulated by the DBS for the relevant position of employment and you shall pay any additional charges, or reimburse us for any additional charges we incur, as a result of your failure to comply with this obligation;
7.2.3 you will store, handle, retain and dispose of the CA Result Data, where the relevant Case Activity is in relation to the Subject’s criminal history, strictly in accordance with the DBS’s explanatory Guide – “Handling of DBS certificate information”;
7.2.4 where applicable, you will comply with all other DBS’s codes, policy requirements and regulations as amended from time to time when submitting Process Requests, when handling CA Data and when making Decisions, when the relevant Case Activity is in relation to a Subject’s criminal history; and
7.2.5 where you submit a Process Request you agree to comply with any additional terms a Third Party Information Provider requires us to impose on you from time to time.
7.3 You are responsible for ensuring that you provide us with the information required to enable us to properly provide the Services (including performing each Case Activity). We shall not be responsible or, subject to Clause 13.2, have any liability for any failure to provide the Services to the extent caused by your failure to properly ensure the provision of the relevant information.
7.4 It is your responsibility to ensure that the Services are sufficient and suitable for your purposes.
7.5 It is your responsibility to ensure that any decision or implementation made by you and/or your employees, agents and other contractors as a result of any CA Result Data, including making any Decisions, is made in your best interests and you shall be responsible (and, subject to Clause 13.2, we shall not have any liability) for such decision and/or implementation and the consequences of any such decision and/or implementation.
8. Commencement and term
8.1 This Agreement shall commence on the Commencement Date and shall continue until it is terminated in accordance with the termination provisions set out in Clause 9.
9. Termination and consequences of termination
9.1 Without affecting any other right or remedy available to it, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party if:
9.1.1 the other Party is in material breach of any of its obligations under this Agreement, or any other agreement between the Parties, which is incapable of remedy;
9.1.2 the other Party fails to remedy, where capable of remedy, any material breach of any of its obligations under this Agreement, or any other agreement between the Parties, after having been required in writing to do so within a period of no less than 10 (ten) Business Days;
9.1.3 the other Party is in persistent breach of any of its obligations under this Agreement or any other agreement between the Parties;
9.1.4 the other Party gives notice to any of its creditors that it has suspended is about to suspend payment or if such Party shall be unable to pay its debts within the meaning of Section 123 of the Insolvency Act 1986, or an order is made or a resolution is passed for its winding-up or an administration order is made or an administrator is appointed to manage its affairs, business and property or a receiver and/or manager or administrative receiver is appointed in respect of all or any of its assets or undertaking or circumstances arise which entitle the court or a creditor to appoint a receiver and/or manager or administrative receiver or administrator or which entitle the court to make a winding-up or bankruptcy order or it takes or suffers any similar or analogous action in consequence of debt in any jurisdiction;
9.1.5 the other Party’s financial position deteriorates to such an extent that in the terminating Party’s reasonable opinion the other Party’s capability to adequately fulfil its obligations under the Agreement has been placed in jeopardy; or
9.1.6 the other Party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business.
9.2 Without affecting any other right or remedy available to it, either Party may give [60] days’ prior written notice to terminate this Agreement with immediate effect upon the expiry of such written notice.
9.3 On termination of this Agreement:
9.3.1 we shall perform each outstanding Case Activity if we have already provided a CA Request Confirmation in respect of such Case Activity;
9.3.2 any rights, remedies, obligations or liabilities of the Parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination, shall not be affected;
9.3.3 all licences granted under this Agreement shall immediately terminate and you must immediately cease, and ensure all of your Customer Users cease, to access or use the Platform;
9.3.4 outstanding unpaid invoices rendered by us shall become immediately payable by you;
9.3.5 any provision of this Agreement that expressly or by implication is intended to come into or continue in force on or after termination of this Agreement shall remain in full force and effect; and
9.3.6 we may destroy or otherwise dispose of any of the Customer Data in our possession (including the Case information set out in your Account).
10. Intellectual property rights
10.1 You acknowledge and agree that we, or our licensors, own all the Intellectual Property Rights in the Platform and any rights arising out of in connection with it.
10.2 We acknowledge that you or your licensors own and shall retain all rights, title and interest in and to the Customer Data and the Customer Materials. We shall not have any rights to access, use or modify the Customer Data and/or the Customer Materials without your prior written consent, except to the extent necessary for you to receive the Services.
10.3 We hereby irrevocably assign (and shall assign by way of future assignment) to you, with full title guarantee, absolutely and free from all encumbrances, all our rights, title and interest in any and all Intellectual Property Rights in or relating to any Customer Data or Customer Materials modified by or on behalf of us in our performance of the Services under this Agreement.
10.4 In the event that your use of the Platform or your receipt of our Services infringe any third party’s Intellectual Property Rights, we shall be entitled to procure the right for you to:
10.4.1 continue to receive the Services;
10.4.2 replace or modify the Platform and/or the Services so that they become non-infringing; or
10.4.3 if the remedies set out in Clause 10.4.1 and Clause 10.4.2 are not reasonably available, terminate this Agreement on no less than [five] Business Days' notice to you.
10.5 You agree to indemnify us, keep us indemnified and defend us at your own expense, against all costs, claims, damages or expenses incurred by us or for which we may become liable, in the event that our use of the Customer Data or Customer Materials, or your use of the Platform in a manner not consistent with our instructions, infringe any third party’s Intellectual Property Rights.
11. Data protection
11.1 You are exclusively responsible for the legality, reliability, integrity, accuracy and quality of the Customer Data.
11.2 The Parties acknowledge that, for the purposes of Data Protection Laws, you are the Controller and we are the Processor of any Personal Data.
11.3 Details of the scope, nature and purpose of Processing by us, the duration of the Processing, the types of Personal Data that we are to Process, the categories of Data Subject and the sub-Processors that we have appointed are as set out in the supplier Data Sharing Summary.
11.4 Each Party confirms that it holds, and during the term of this Agreement will maintain, all registrations and notifications required in terms of the Data Protection Laws which are appropriate to the performance of its obligations under this Agreement.
11.5 Each Party confirms that, in the performance of this Agreement, it will comply with the Data Protection Laws.
11.6 We will:
11.6.1 Process Personal Data only on documented instructions from you, unless required to do so by Data Protection Laws or any other applicable law to which we are subject; in such a case, we shall inform you of that legal requirement before Processing, unless that law prohibits us to so inform you;
11.6.2 ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
11.6.3 take all measures required pursuant to Article 32 of the GDPR in respect of security of Processing;
11.6.4 notify you as soon as reasonably practicable before appointing any subcontractor in respect of Processing of Personal Data, and ensure that any such subcontractor complies with the provisions of this Clause 11 as if it was a Party; if you (acting reasonably) disagree with the appointment of the subcontractor for reasons relating to the Processing of Personal Data, you shall have the right to terminate this Agreement on no less than 30 (thirty) days’ written notice; for the avoidance of doubt, any appointment of subcontractors in the same corporate group or banner as an existing subcontractor (for example, a subsidiary in the UK, in a different country within the European Economic Area or otherwise any adequate jurisdictions for data processing purposes) shall not require further approval from you;
11.6.5 taking into account the nature of the Processing, assist you by putting in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the Data Subject's rights laid down in Data Protection Laws, to the extent that such requests relate to this Agreement and our obligations under it;
11.6.6 assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to us;
11.6.7 at your option, delete (to the extent practicable), put beyond use, or return all the Personal Data to you after termination of this Agreement or otherwise on your request, and delete existing copies (to the extent practicable) unless applicable law requires our ongoing storage of the Personal Data;
11.6.8 make available to you all information necessary to demonstrate our compliance with this Clause 11, and allow for and reasonably contribute to audits, including inspections, conducted by you or another auditor mandated by you; and
11.6.9 inform you immediately if, in our opinion, an instruction from you infringes (or, if acted upon, might cause an infringement of) Data Protection Laws.
11.7 Each Party will notify the other Party as soon as is reasonably practicable (any in event within 24 hours) if it becomes aware of a Personal Data Breach relating to either Party’s obligations under this Agreement.
11.8 You shall undertake appropriate data protection impact assessments to ensure that Processing of Personal Data complies with Data Protection Laws. We will provide you with reasonable assistance, where necessary and upon your request, in carrying out any data protection impact assessment and undertaking any necessary prior consultation of the Supervisory Authority.
11.9 It is your responsibility to ensure that Personal Data is dealt with in a way that is compliant with Article 5(1) of the GDPR.
11.10 It is your responsibility to ensure that:
11.10.1 you are able to justify the Processing of Personal Data in accordance with Article 6(1) of the GDPR (including, where applicable, obtaining any and all consents of Data Subjects required in order to commence the Processing), and that you have recorded or documented this in accordance with the record keeping requirements of the GDPR;
11.10.2 where Personal Data falls within the Special Categories of Personal Data, Article 9(2) of the GDPR applies to that Personal Data before Processing takes place;
11.10.3 where Article 9(2) of the GDPR does not apply to any Personal Data falling within the Special Categories of Personal Data, no such data will be sent to us; and
11.10.4 you have all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to us for the duration and purposes of this Agreement.
11.11 You agree to indemnify us, keep us indemnified and defend us at your own expense, against all costs, claims, damages or expenses incurred by us or for which we may become liable, arising from or in connection with a breach by you of your obligations under this Clause 11.
12. Confidentiality
12.1 Each Party shall keep the other Party’s Confidential Information confidential and shall not:
12.1.1 use such Confidential Information except for the purpose of exercising or performing its rights and obligations under this Agreement; or
12.1.2 disclose such Confidential Information in whole or in part to any third party, except as expressly permitted by this Agreement.
Each Party shall use adequate procedures and security measures (including any such measures required by our service providers) to protect the other Party’s Confidential Information from inadvertent disclosure or release to unauthorised persons.
12.2 A Party may disclose the other Party’s Confidential Information to those employees, agents and sub-contractors who need to know such Confidential Information provided that:
12.2.1 it informs such employees, agents and sub-contractors of the confidential nature of the Confidential Information before disclosure; and
12.2.2 it does so subject to obligations equivalent to those set out in this Clause 12.
12.3 A Party may disclose the Confidential Information of the other Party to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives the other Party as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this Clause 12.3, it takes into account the reasonable requests of the other Party in relation to the content of such disclosure.
12.4 The obligations of confidentiality in this Agreement shall not extend to any matter which either Party can show:
12.4.1 is in, or has become part of, the public domain other than as a result of a breach of the confidentiality obligations of this Agreement; or
12.4.2 was independently developed by it; or
12.4.3 was independently disclosed to it by a third party entitled to disclose the same; or
12.4.4 was in its written records prior to receipt.
12.5 Each Party reserves all rights in its Confidential Information. No rights or obligations in respect of a Party’s Confidential Information other than those expressly stated in this Agreement or are granted to the other Party, or to be implied from this Agreement.
12.6 On termination of this Agreement, each Party shall:
12.6.1 return to the other Party all documents and materials (and any copies) containing, reflecting, incorporating or based on the other Party’s Confidential Information; and
12.6.2 Erase, or otherwise put beyond use, all the other Party’s Confidential Information from its computer systems (to the extent possible).
13. Limitation of liability
13.1 This Clause 13 prevails over all of this Agreement and sets forth our entire liability, and your sole and exclusive remedies, in respect of:
13.1.1 our performance, non-performance, purported performance, delay in performance or mis-performance of this Agreement or any goods, services or deliverables in connection with this Agreement; or
13.1.2 otherwise in relation to this Agreement or entering into this Agreement.
13.2 We do not exclude or limit our liability for:
13.2.1 our fraud or fraudulent misrepresentation;
13.2.2 death or personal injury caused by our negligence; or
13.2.3 any other liability which cannot be excluded or limited by applicable law.
13.3 Subject to Clause 13.2, we shall have not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any:
13.3.1 loss of actual or anticipated profits;
13.3.2 loss of revenue;
13.3.3 loss of business;
13.3.4 loss of contracts;
13.3.5 loss of opportunity;
13.3.6 loss of goodwill;
13.3.7 loss of, damage to, or corruption of, data; or
13.3.8 indirect or consequential losses, damages, costs or expenses,
whether or not such losses were reasonably foreseeable or we or our agents or contractors had been advised of the possibility of such losses being incurred.
13.4 Subject to Clause 13.2, our total aggregate liability arising out of or in connection with all claims in aggregate (including warranty claims and losses relating to the breach of warranty) shall be limited to £500,000 (five hundred thousand pounds).
13.5 The limitation of liability under Clause 13.4 has effect in relation both to any liability expressly provided for under this Agreement and to any liability arising by reason of the invalidity or unenforceability of any term of this Agreement.
14. Force majeure
14.1 Subject to Clause 13.2, neither Party shall have any liability for any breach, hindrance or delay in performance of its obligations under this Agreement which is caused by an Event of Force Majeure, regardless of whether the circumstances in question could have been foreseen. An Event of Force Majeure means any cause outside of the Party's reasonable control, including act of God, actions or omissions of third parties (including hackers, suppliers, couriers, governments, quasi-governmental, supra-national or local authorities), insurrection, riot, civil war, civil commotion, war, hostilities, threat of war, warlike operations, armed conflict, imposition of sanctions, embargo, breaking off of diplomatic relations or similar actions, national emergencies, terrorism, nuclear, chemical or biological contamination or sonic boom, piracy, arrests, restraints or detainments of any competent authority, blockade, strikes or combinations or lock-out of workmen, epidemic, pandemic, fire, explosion, storm, flood, drought, adverse weather conditions, earthquake, natural disaster, accident, collapse of building structures, failure of plant machinery or machinery or third party computers or third party hardware, software or vehicles, failure or problems with public utility supplies (including general: electrical, telecoms, water, gas, postal, courier, communications or Internet disruption or failure), shortage of or delay in or inability to obtain supplies, stocks, storage, materials, equipment or transportation.
14.2 Each of the Parties agrees to inform the other upon becoming aware of an Event of Force Majeure, such information to contain details of the circumstances giving rise to the Event of Force Majeure.
14.3 The performance of each Party's obligations shall be suspended during the period that the circumstances persist and such Party shall be granted an extension of time for performance equal to the period of the delay.
14.4 Each Party shall bear its own costs incurred by the Event of Force Majeure.
14.5 If the performance of any obligations under this Agreement are delayed under Clause 14.1, each Party shall nevertheless accept performance as and when the other shall be able to perform.
14.6 If the breach, hindrance or delay caused by an Event of Force Majeure continues without a break for more than [one month], either Party may terminate this Agreement immediately by notice to the other, in which event neither Party shall have any liability (subject to Clause 13.2) to the other Party by reason of such termination.
14.7 If we have contracted to provide identical or similar services to more than one customer and we are prevented from fully meeting our obligations to you due to an Event of Force Majeure, we may decide at our absolute discretion which contracts we will perform and to what extent.
15. Waiver
15.1 No failure or delay by a Party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
16. Variation
16.1 No variation of this Agreement shall be effective unless a varied version of this Agreement is made available by one party to the other party and the receiving party gives a clear indication to the requesting party of its intention to continue with this Agreement on the basis of the revised terms of this Agreement.
17. Rights and remedies
17.1 Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
18. Severance
18.1 If any provision or part-provision of this is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this Clause 18 shall not affect the validity and enforceability of the rest of this Agreement.
18.2 If any provision or part-provision of this Agreement is invalid, illegal or unenforceable, the Parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.
19. No partnership or agency
19.1 Nothing in this Agreement is intended to or shall operate to create a partnership between the Parties, or authorise either Party to act as agent for the other, and neither Party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
20. Third party rights
20.1 This Agreement does not confer any rights on any person or party (other than the Parties to this Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.
21. Notices
21.1 Any notice given to either Party under or in connection with this Agreement shall be in writing, addressed to the relevant Party at its registered office or such other address as that Party may have specified to the other Party in writing, and shall be delivered personally, sent by pre-paid first-class post, recorded delivery or commercial courier, or by email.
21.2 A notice shall be deemed to have been received: if delivered personally, when left at the address referred to in Clause 21.1; if sent by pre-paid first class post or recorded delivery, at 9.00 am on the second Business Day after posting; if delivered by commercial courier, on the date and at the time that the courier's delivery receipt is signed; or if delivered by email, at the time of transmission, provided that a hard copy of such email is sent by first class post on the next Business Day.
21.3 The provisions of this Clause 21.1 and 21.2 shall not apply to the service of any proceedings or other documents in any legal action.
22. Assignment
22.1 You may not assign, transfer, charge or otherwise encumber, create any trust over, or deal in any manner with, this Agreement or any right, benefit or interest under it, nor transfer, novate or sub-contract any of your obligations under it, without our prior written consent.
23. Governing law and jurisdiction
23.1 This Agreement, and any dispute or claim arising out of or in connection with it or them or its or their subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England.
23.2 Each Party irrevocably agrees that the courts of England shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation.
Addendums
DVLA Addendum to our Terms and Conditions
Under clause 7.2.5 of our Terms and Conditions, you warrant that you will comply with any additional terms and conditions that a Third Party Information Provider (such as the UK Disclosure and Barring Service (DBS) or the Driver and Vehicle Licensing Agency (DVLA)) require us to impose on you from time to time. If any provisions in our Terms and Conditions and this DVLA Addendum conflict then the provision in this DVLA Addendum shall take priority.
Where you submit a Process Request which shall result in information being provided by the DVLA, we are required to ensure (i) that you specifically agree to comply with certain additional terms; and (ii) that certain additional terms and conditions are included within our agreement with you generally. For ease, we have broken this DVLA Addendum up into 2 sections:
Specific obligations that you are required to comply with; and
General terms that we are required to present to you.
Part 1 - Specific obligations that you are required to comply with
1. Your Key Staff
You must complete a list of the individuals who have direct responsibilities for the use of any data provided by the DVLA and for your other obligations under your agreement with us. You will provide such individual’s names, business addresses and other contact details, specifying the capacities in which they are concerned with such data.
Calls to our or the DVLA’s support line from any members of staff that are not listed pursuant to the above paragraph will not be handled by any support line.
As a minimum, the list must include details of your registered office, as recorded by Companies’ House and:
The manager who must be responsible for your general contractual matters and shall receive notices sent to your registered office, and who shall be referred to as your Commercial Manager (or equivalent); and
The manager who is responsible for the management of any data provided once in your hands, to be referred to as the Data Manager (or equivalent).
You must inform the us immediately (and we must inform the DVLA) of any changes in personnel listed or your business contact details. Failure to do so may result in delayed communications between us, you and the DVLA.
2. Reviews and Meetings
You must, upon receipt of reasonable notice and during normal office hours, attend all meetings arranged by us or the DVLA for the discussion of matters connected with the agreement between us and you.
You must provide such reports on your performance of the agreement or any other information relating to your requests for and use of the data from the DVLA as we or the DVLA may reasonably require.
We reserve the right to review the agreement between us and you at any time. Where required, both us and you shall meet in person or via video or telephone conference to review:
the performance of our services.
the volume of data which the DVLA is providing to you via us.
the security arrangement governing your safe receipt of any such data;
the arrangements we have in place relating to the retention and secure destruction of any such data;
any audits that have been carried out;
any security incidents that have occurred with us or you; and
the training and experience of our staff and your staff in their duties and responsibilities under all applicable data protection legislation.
3. Data Protection
You must ensure before relying on any item of data provided to you that the data provided matches the information in your request and that the data pertains to the licence holder for whom we possess a Data Protection Declaration. Any records passed to you from us that do not pertain to a Data Protection Declaration held by us (or you) must be disregarded and deleted from any systems and we must be contacted by you.
The DVLA, us and you must comply with the requirements of all applicable data protection legislation and subordinate legislation made under it, or any legislation which may supersede it, together with any relevant guidance and/or codes of practice issued by the Information Commissioner’s Office.
The DVLA, us and you agree that the data provided to and by the DVLA (and by us to you) shall constitute personal data which may include criminal conviction data and special categories of personal data, as it relates to a living individual who can be identified directly or indirectly from such data.
The DVLA is satisfied that providing data to us (and us to you) for the purpose highlighted in paragraph 3 of part 2 below is compliant with all applicable data protection legislation.
You are the controller of the personal data collected on the Data Protection Declaration, which is to be used as evidence by us (on your behalf) that the individual (i.e. the Data Subject) is fully aware that information from their driver record is to be obtained by us from the DVLA and processed by us and by you. Both us and you are responsible for complying with all applicable data protection legislation in relation to the processing of personal data collected on the Data Protection Declaration.
You must ensure that Data Subjects are aware of the legal basis for the release of data to you. Data Subjects have rights to restrict the processing of their personal data in accordance with applicable data protection legislation. The DVLA and/or us will provide written notification to you where a Data Subject wishes to invoke this right. In such cases, we must act immediately to ensure enquiries on such records are not submitted following such written notification.
The DVLA, us and you agree to take account of any guidance issued by the Information Commissioner’s Office. The DVLA may amend our contract with them (and we may amend our agreement with you) to ensure that it complies with any guidance issued by the Information Commissioner’s Office on no less than 30 working days’ notice to us (or from us to you).
Both us and you must be registered with the Information Commissioner and the permission must cover all activities actually carried out under our agreement with you.
The DVLA, us and you shall ensure the safe transportation/transmission and processing of data in accordance with the appropriate technical and organisational measures, the requirements of data protection legislation, His Majesty’s Government Security Policy Framework and Functional Standard GovS 007: Security.
Both us and you must ensure that relevant data is processed in accordance with guidance and codes of practice related to any applicable data protection legislation.
Both us and you must ensure we both respectively have in place protective security measures, which are appropriate to protect against a personal data loss event.
We must notify the DVLA immediately (and you must notify us immediately), within a maximum of 24 hours of becoming aware, of any breach of the security requirements under our contract with them (or you become aware of under your agreement with us).
Both us and you must not transfer, sell or in any way make any relevant data available to third parties unconnected with the original purpose of your enquiry.
Both us and you must, as an enduring obligation throughout the term of the agreement between us, use the latest versions of anti-virus software available from an industry accepted anti-virus software vendor to check for and remove malicious software from your computer systems. Notwithstanding this, if such software is found, the DVLA, us and you must co-operate to reduce the effect of such software and, particularly if such software causes loss of operational efficiency or loss or corruption of any relevant data, assist each other to mitigate any losses and to restore the DVLA’s service to their desired operating efficiency. Costs arising out of any actions taken in compliance with the provisions of this paragraph must be borne by the party responsible for where any malicious software originates (including if it originates from such a party’s sub-contractor or any of its third party suppliers).
Both us and you (where applicable), and our or your sub-contractors (where applicable) must not transfer any data provided by the DVLA outside of the UK, and must not allow access to such data from outside the UK, unless the prior written approval of the DVLA has been obtained by us (or from us by you) and the following conditions are fulfilled:
the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or sections 74A and 74B of the DPA 2018; or
we (or where applicable, you) have provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 UK GDPR or section 75 DPA 2018); and
the Data Subject has enforceable rights and effective legal remedies; and
we (or you) comply with our (or your) obligations under any applicable data protection legislation by providing an appropriate level of protection to any personal data that is transferred; and
we (or you) comply with any reasonable instructions notified to us (or you) in advance by the DVLA (or by us to you) with respect to the processing of personal data; and
ensure that transfers of personal data from the EEA to the UK comply with the EU GDPR and, where the transfer is safeguarded by Standard Contractual Clauses as issued by the European Commission, the conditions set down in those clauses are fully met.
Where the DVLA (or us) gives the prior and express written approval referred to above, we (or you) must disclose the personal data provided by the DVLA only to the extent agreed and in accordance with any conditions attached to the giving of that approval.
In accordance with all applicable data protection legislation, us and you must only retain each item of data provided by the DVLA for as long as is necessary. It is the responsibility of the controller (which is you) to determine and justify the retention period for all relevant data.
You must arrange for the secure destruction or deletion of each item of data provided by the DVLA, in accordance with applicable data protection legislation, as soon as it is no longer necessary to retain it.
You must retain for a minimum period of two (2) years from the date of conclusion or longer period as may be agreed between us and you (such agreement to be recorded in writing), full and accurate records of the performance of the agreement by us.
You (or us on your behalf) must retain, for a minimum period of two (2) years, each Data Protection Declaration. You (where retained by you) must produce such records retained as the DVLA may reasonably require. This will include, but not limited to, any mis-matched or incorrect enquiries.
You must maintain your use of any data provided by the DVLA in accordance with best practice in the industry.
You must ensure that your business processes, records of customer interactions and transactions, audit procedures on business activities and financial reporting are appropriate and effective to ensure that proper use of the data provided by the DVLA complies with applicable data protection legislation.
You must carry out your own internal compliance checks at least annually and must notify us of such checks upon our request. You must share with us the outcome of any other checks, audits or reviews that have been carried out on your activities as a controller of data provided to and received from the DVLA.
You must notify us immediately of any personal data loss event that meets the criteria for notification to the Information Commissioner’s Office or affected Data Subjects.
You understands that you are responsible for notifying any personal data loss event to the Information Commissioner’s Office and, where appropriate, Data Subjects, and to do so within the time limits required by applicable data protection legislation, and for taking such action as is necessary to resolve the incident.
The DVLA or an agent acting on its behalf reserves the right to carry out an inspection at any time of your compliance with the terms of the agreement between us and you (including this DVLA Addendum). Where possible, we shall give you 4 days’ written notice of any such inspection. You agree to co-operate fully with any such inspection and to allow us, the DVLA, or an agent acting on its behalf, access to your premises, equipment, and staff for the purposes of the inspection. You will respond as required to the findings and recommendations of any such inspection and will provide updates as required on the implementation of any required actions.
We may, by written notice to you, forbid access to any data provided by the DVLA, or withdraw permission for continued access to such data, to:
any member of your staff; or
any person employed or engaged by any member of your staff,
whose access to or use of such data would, in the reasonable opinion of the DVLA, be undesirable. The decision of the DVLA as to whether any person (or you generally) is to be forbidden from accessing such data must be final and conclusive.
We will be entitled to be reimbursed by you for all of our and the DVLA’s reasonable costs incurred in the course of any DVLA required inspection.
It is your duty, as the controller, to comply with all applicable data protection principles. We are a processor who has been appointed by you. You shall be the controller of each item of data received from the DVLA from the point of receipt of that data by us or our sub-contractors. You must be responsible for complying with all applicable data protection legislation in relation to the processing of such by us and you.
Both us and you must comply with all applicable data protection legislation and each of us and you will duly observe all obligations under all applicable data protection legislation.
You will answer any Data Subject requests that you or us receive for data provided to, or provided by, the DVLA and for which you are the controller.
You will instruct each Data Subject to contact the DVLA where the Data Subject Request is pursuant to DVLA’s activities as a separate independent controller.
You understand that we must provide the DVLA with a complete and accurate list of all of our customers at any time upon request by the DVLA. Wherever possible, we will provide written notification providing advance warning of this requirement, once received by the DVLA.
Part 2 - General terms that we are required to present to you
1. The Legal Basis for Release of Data
The basis for release of DVLA’s driving licence data to us is that it is necessary for the performance of a task carried out in the public interest or the exercise of an official authority vested in DVLA. This is in line with data protection legislation.
Special Categories of Personal Data is processed under Article 9.2.g of UK GDPR as it is deemed necessary for reasons of substantial public interest for the reasons stated above. In addition, each Data Subject will be given notice of fair processing by way of the Data Protection Declaration and will be aware that this category of data is being shared as part of the processing.
2. Our Requirements
We are required to provide the DVLA with a statement detailing the type of business we conduct that involves the use of the requested data. This may include a description of products/services we offers to our customers based on this type of data. Our permitted purpose is that we are an intermediary company that requests the data in order to provide services to our customers, and that our customers typically are:
Employers of drivers.
Auto insurance companies (at point of claim only).
Car rental companies.
Fleet companies.
Taxi Licensing for Local Authorities.
We need to highlight that we may operate either as a controller of the relevant personal data submitted by us to the DVLA and received from the DVLA or as a processor acting on your behalf. The manner in which operate mean that we determine ourselves to be a processor acting on your behalf. This means that you are the controller of this data and determine the purpose and means of processing the data. Pursuant to clause 11 of our Terms and Conditions, you ensure that the requirements of Articles 28 and 29 of UK GDPR are met in relation to our use of the relevant data as your processor and such Terms and Conditions are the written contract between us and you which set out your processing instructions to us and require us to act on your behalf and comply with your processing instructions.
We are required to provide the DVLA with our estimated usage of their service, to include volume and frequency information. Further we must inform DVLA of any factors that could cause a significant increase or decrease such usage.
If we wish to change our permitted purpose for submitting, requesting and receiving data from the DVLA, the proposed use for any of the data or if we wish to act as a controller of any such data then we must notify the DVLA to obtain their approval. We are also required to inform them and receive their approval if any of our business processes change if it impacts upon the way we work with them and our receipt of their service.
We are only entitled to submit requests for data to the DVLA if we are in receipt of a Data Protection Declaration from the relevant individual to whom the data relates/belongs.
The DVLA requires us to ensure that our staff do not submit requests in relation to themselves and that we comply with all relevant data protection legislation.
3. Purpose for Which Data is Provided
We access the DVLA’s service and use the data that they provide so that you can check entitlement to drive, driving endorsements and disqualifications for a legitimate business need. The data is not to be used for checking an individual’s identity. No other purpose is permitted.
Before we request that the DVLA provide data in relation to an individual, we are required to ensure that the specific individual understands that such a request has been made and that they do not object to the data being provided. This is why we are required to get subjects to complete the Data Protection Declaration.
We are only permitted to hold any relevant data on the minimum amount of databases possible, and we are not permitted to request or share data in order to entice individuals into additional purchases of goods or services from us.
Our use of the DVLA’s service may be reviewed at any time by the DVLA for many reasons including if there has been a reduction in the number of enquiries we have submitted within a particular period of time.
4. Prevention of Corruption
We must not offer or give, or agree to give, to the DVLA or any other public body or person employed by or on behalf of the DVLA any gift or consideration of any kind as an inducement or reward for doing, refraining from doing, or for having done or refrained from doing, any act in relation to the obtaining or execution any contract with the DVLA or any other public body, or for showing or refraining from showing favour or disfavour to any person in relation to any such contract.
If we or any of our staff, or anyone acting on our behalf, engages in conduct prohibited by the paragraph above or the Bribery Act 2010 (as amended) or commit fraud under a contract with the DVLA or any crown body, the DVLA may:
terminate and recover from us the amount of any loss suffered by the DVLA resulting from the termination; or
recover in full us any other loss sustained by the DVLA in consequence of our breach.
We must take all reasonable steps, in accordance with best practice in our industry, to prevent fraud by our staff, shareholders, members, and directors in connection with our receipt of the DVLA’s service.
We must notify the DVLA immediately if we have reason to suspect that any fraud has occurred or is occurring or is likely to occur.
We must not unlawfully discriminate either directly or indirectly or by way of victimisation or harassment against a person on such grounds as age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, colour, ethnic or national origin, sex or sexual orientation, and without prejudice to the generality of the foregoing, we must not unlawfully discriminate within the meaning and scope of the Equality Acts 2006 and 2010 (as amended), the Human Rights Act 1998 (as amended) or other relevant or equivalent legislation, or any statutory modification or re-enactment thereof. We must do everything we can to ensure our staff act in this manner.
6. Health and Safety
We must promptly notify the DVLA of any health and safety hazards which may arise in connection with the performance of its obligations under our contract with the DVLA, including but not limited to, on inspection by the DVLA of us.
We must comply with the requirements of the Health and Safety at Work Act 1974 (as amended) and any other acts, orders, regulations and codes of practice relating to health and safety, which may apply to our staff and other persons working on our premises.
7. Publicity and Media
We must notify the DVLA immediately if any circumstances arise which could result in publicity or media attention to us or to you which could adversely reflect on the DVLA or the DVLA’s service.
We must not misrepresent our relationship with the DVLA. We must not publish information that implies a direct relationship with the DVLA where no such relationship exists. We must comply with the following restrictions:
We must not (and must ensure you do not) create, approve, or distribute any publicity, media or website content implying or stating any of the following:
That the DVLA has a direct connection with or interest in our or your products and services.
That the DVLA has worked in conjunction with us or you to develop and deliver our or your products and services.
That the DVLA has authorised or endorsed our or your products and services.
That the DVLA has licensed us or you to provide products and services.
That the DVLA has entered into or is working in any partnership or any agency relationship with the us or you.
That our or your products or services are provided on behalf of the DVLA.
That us or you have a direct link and unfettered access into the DVLA’s driver database.
That us or you receives a direct feed of data from the DVLA;
Only the following wording can be used when referring to the DVLA:
We are a contracted customer of the DVLA’s Access to Driver Data (ADD) service.
We have a direct link to the DVLA’s Access to Driver Data (ADD) service.
Driver record data is derived/sourced/taken from the DVLA’s Access to Driver Data (ADD) service.
We use the DVLA’s Access to Driver Data (ADD) service.
We are linked to the DVLA’s Access to Driver Data (ADD) service.
We must obtain prior written approval from the DVLA before distributing any publicity, media or website content produced by us or you that includes any wording not specified in the above.
8. Transfer and Sub-contracting
We must not assign, sub-contract or in any other way dispose of our contract with the DVLA or any part of it without the prior written approval of the DVLA.
Sub-Contracting any part of our contract with the DVLA shall not relieve us of any of our obligations or duties to the DVLA. We must be responsible for the acts and omissions of our sub-contractors as though they are our own. Where the DVLA has approved to the placing of sub-contractors, copies of each sub-contract must, at the request of the DVLA, be sent by us to the DVLA as soon as reasonably practicable. If we permit you to subcontract any of your obligations under your agreement with us, you shall likewise be responsible for the acts and omissions of your sub-contractors as though they were your own.
9. Insolvency
We must notify the DVLA immediately in writing where (and you must notify us in writing where):
a proposal is made for a voluntary arrangement within Part 1 of the Insolvency Act 1986 (as amended) or of any other composition scheme or arrangement with, or assignment for the benefit of, our (or your) creditors; or
a shareholder’s meeting is convened for the purpose of considering a resolution that we (or you) be wound up or a resolution for our (or your) winding-up is passed (other than as part of, and exclusively for the purpose of, a bona fide reconstruction or amalgamation); or
a petition is presented for our (or your) winding up (which is not dismissed within 14 days of its service) or an application is made for the appointment of a provisional liquidator or a creditors’ meeting is convened pursuant to section 98 of the Insolvency Act 1986 (as amended); or
a receiver, administrative receiver or similar officer is appointed over the whole or any part of our (or your) business or assets; or
an application order is made either for the appointment of an administrator or for an administration order, and administrator is appointed, or notice of intention to appoint an administrator is given; or
we (or you) become insolvent within the meaning of section 123 of the Insolvency Act 1986 (as amended); or
being a “small company” within the meaning of section 247(3) of the Companies Act 1985 (as amended); a moratorium comes into force pursuant to Schedule 1A of the Insolvency Act 1986 (as amended); or
any event similar to those listed in this clause occurs under the law of any other jurisdiction.
You must notify us in writing where you are an individual where:
an application for an interim order is made pursuant to sections 252-253 of the Insolvency Act 1986 (as amended) or a proposal is made for any composition scheme or arrangement with, or assignment for the benefit of, your creditors; or
a petition is presented and not dismissed within 14 days or an order made for your bankruptcy; or
a receiver, or similar officer is appointed over the whole or any part of your assets or a person becomes entitled to appoint a receiver, or similar officer over the whole or any part of your assets; or
you are unable to pay your debts or you have no reasonable prospect of doing so, in either case within the meaning of section 268 of the Insolvency Act 1986 (as amended); or
a creditor or encumbrancer attaches or takes possession of, or a distress, execution, sequestration, or other such process is levied or enforced on or sued against, the whole or any part of your assets and such attachment or process is not discharged within 14 days; or
you suspend or cease, or threaten to suspend or cease, to carry on all or a substantial part of your business.
Where the DVLA is notified in writing of any of the circumstances (when applicable to us) listed above, the DVLA may suspend the DVLA’s service without further notice and with immediate effect and investigate further whether any of our directors or any liquidator, receiver, administrative receiver, administrator, or other officer is capable of ensuring that the provisions of our contract with them and of data protection legislation are complied with. If the DVLA is not satisfied that any such person shall ensure such compliance, the DVLA may terminate the contract by written notice with immediate effect. This paragraph shall apply with us in place of the DVLA and you in place of us where you are subject to any of the circumstances listed above.
10. Change of Control
We must seek the prior written approval of the DVLA to any change of control within the meaning of section 450 of the Corporation Taxes Act 2010 (as amended (Change of Control).Where the DVLA has not given its written agreement before the Change of Control, the DVLA may terminate our contract with the DVLA by notice in writing with immediate effect within 26 weeks of:
being notified that that Change of Control has occurred; or
where no notification has been made, the date that the DVLA becomes aware of that Change of Control.
You are required to act in this same manner and obtain our approval to any Change of Control and we shall be entitled to the same rights as the DVLA in respect of you where we have not given our written agreement to you before the Change of Control occurs.
11. DVLA’s right to suspend its services
If it comes to the attention of the DVLA that we have committed a breach of our contract with them (including material breaches and all other minor breaches), the DVLA may suspend our access to the DVLA’s service without further notice and with immediate effect and investigate the nature and effect of the breach.
The DVLA may from time-to-time issue guidance on its principles on suspending access to the DVLA’s service and terminating contracts to supply data to us. The guidance may include guidance concerning: types of breaches which the DVLA may consider to be material breaches; guidance as to specific types of breach that the DVLA will consider to be remediable; how such breaches may be remedied; how long suspension may last; when following any period of suspension we may resume making requests and in relation to which dates of events such requests may be made; and guidance as to which types of breach the DVLA may consider to be irremediable.
If the DVLA suspends our access to the DVLA’s service at any time, we must co-operate with any further investigation, audit or review that the DVLA requires to be carried out in relation to the data provided to us.
The DVLA may refuse to resume our access to the DVLA’s service until we provide assurances that the matter resulting in the suspension has been resolved to the satisfaction of the DVLA and taken specified actions within a reasonable period set by the DVLA.
The DVLA may require that an inspection is carried out after our access to the DVLA’s service is resumed, to check our compliance with the contract between us and them and data protection legislation.
The DVLA shall require us to pay the fee for any inspection before it will resume the DVLA’s service
During any suspension period, the DVLA shall not provide data to us. The DVLA may also refuse requests for data from us through its paper service during this period.
We must reimburse the DVLA for all the DVLA’s cost and expenses incurred in relation to the DVLA’s right under this paragraph to carry out an inspection.
12. Termination of our contract with the DVLA
The DVLA may terminate the contract between us and them with immediate effect by written notice to us on or at any time after the occurrence of any event specified below. These events being:
We fail to pay any amount due under our contract with the DVLA on the due date for payment and we remain in default not less than 60 days after being notified in writing to make such payment.
We commit any three or more breach of our contact with the DVLA, whether simultaneously or singly at any time during the operation of the contract, irrespective of whether any or all such breaches are minimal or trivial in nature.
We commit a material breach of any other term of our contract with the DVLA which is irremediable or (if such breach is remediable) we fail to remedy that breach within a period of 26 weeks after being notified in writing to do so by the DVLA.
Further the DVLA may terminate the contract between us and them with immediate effect if in its reasonable view, during any period of suspension of the DVLA’s service to us, we:
fail to co-operate with any investigation, audit, or review:
fail to provide any assurances or take any actions within the reasonable period set by the DVLA to rectify the matter that led to the suspension; or
fail to provide assurances that satisfy the DVLA (acting reasonably) that we have complied and shall continue to comply with the requirements of the contract and data protection legislation.
The DVLA may terminate the contract between us and them by written notice with immediate effect if we fail to pay the DVLA undisputed sums of money when due by variable direct debit in two or more consecutive months.
The DVLA may terminate the contract between us and them by written notice with immediate effect if we are found to be in breach of any aspect of any applicable law that could, in the reasonable opinion of the DVLA, bring the DVLA into disrepute.
13. Consequences of Suspension and Termination
After the DVLA’s service has been suspended or our contract with the DVLA has been terminated (or both), we must continue to comply with our obligations under the contract and under data protection legislation in relation to the data which we hold, including as to the proper use of such data, the retention of such data and secure destruction of such data.
14. Data Protection
We must notify the DVLA immediately, or within a maximum of 24 hours of becoming aware, of any audits that are being carried out by the Information Commissioner’s Office under applicable data protection legislation that are relevant to our or your processing of the personal data provided to or received from the DVLA.
We acknowledge that the DVLA has a continuing interest in the security of the personal data provided by the DVLA and in knowing about any personal data loss that may occur whilst such data is being processed by us or you.
In exceptional circumstances in relation to abuse of the DVLA’s service, access to your premises may be required. Other than in exceptional circumstances, such as a suspected serious breach of data security, examinations will be by prior contact and the DVLA will notify us in advance of any of your premises they wish to examine.
The DVLA may, by written notice to us, forbid access to any of its data, or withdraw permission for continued access to any data it provides (in exceptional circumstances), where access or use of such data would, in the reasonable opinion of the DVLA, be undesirable.
Where a complaint is received about us (or you) which relates to any matter connected with the contract between us and the DVLA or the use of relevant data, the DVLA may investigate the complaint.
We must provide any information relating to our requests for and use of the data provided (or to be provided) by the DVLA, or where applicable your use of the Data, as the DVLA may reasonably require as part of any DVLA led investigation. The DVLA may, in its sole discretion, acting reasonably, uphold the complaint and take further action as it deems appropriate.