KYP DRIVING LICENCE | ID NUMBER 100226, 100233 & 200189-200190

• Supplier hosts the Supplier Data
• Supplier receives and processes Client Information in its capacity as Controller
• Client Information includes Personal Data
• The Supplier is based in the UK
• The Supplier is located within the EEA
The Supplier Data that GBG uses to provide KYP Driving Licence checks is supplied by the DVLA. GBG is obliged under the terms of its agreement with partner to ensure that all End Users agree to comply with the following provisions. These terms apply to all KYP Driving Licence checks. Individual KYP Driving Licence checks can be identified by the ID number on the End User's Order Form. 
1. DEFINITIONS
1.1. In these Additional Terms, the following definitions shall apply, in addition to the definitions set out in the General Terms:
“Conviction” means, other than for minor road traffic offences, any previous or pending prosecutions, convictions, cautions and binding-over orders (including any spent convictions as contemplated by section 1(1) of the Rehabilitation of Offenders Act 1974 (as amended) by virtue of the exemptions specified in Part II of Schedule 1 of the Rehabilitation of Offenders Act 1974 (Exemptions) Order 1975 (SI 1975/1023) (as amended) or any replacement or amendment to that Order, or being placed on a list kept pursuant to the safeguarding of Vulnerable Groups Act 2006 (as amended)).
“Data Protection Declaration” means the driving licence information fair processing declaration form (D906/ADD), to be used by the End User as Evidence that the record holder is fully aware that information from their driver record is to be obtained by the End User from DVLA.
“Data Protection Legislation” means:
(a) the “GDPR”, the LED and any applicable national implementing laws as amended from time to time;
(b) the DPA 2018 (as amended) [subject to Royal Assent] to the extent that it relates to Processing of personal data and privacy;
(c) all applicable Law about the Processing of Personal Data and privacy.
“DVLA” means the Driver and Vehicle Licensing Agency.
“End User” means the End User, the beneficiary of the Service or Data, or the channel partner providing the Service to the End User or beneficiary of the Service or Data.
“Evidence” means the End User’s proof that the Data Subject has confirmed his understanding as to the purposes and limitations of the enquiry and does not object to his personal data being processed for these purposes. This is to be made via a signed Data Protection Declaration.
“Malicious Software” means any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on program files, data or other information, executable code or application software macros, whether or not its operation is immediate or delayed, and whether the malicious software is introduced wilfully, negligently or without knowledge of its existence.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Conviction Data, Personal Data or Special Categories of Personal Data, transmitted, stored or otherwise processed.
“Permitted Purpose” means use, by (i) organisations involved in employment of drivers, (ii) auto insurance companies (at point of claim only), (iii) car rental companies, fleet companies and (iv) intermediaries, for the purpose of checking a Data Subject’s entitlement to drive.
“Processing” has the meaning given to that term in Data Protection Legislation (and related terms such as ‘Process’ have corresponding meaning). Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Relevant Conviction” means a Conviction which the End User, acting reasonably and in accordance with industry best practice, deems to preclude a person from being involved in any way with use of the Supplier Data.
“Staff” means all persons employed by the End User to perform its obligations under the Agreement together with the End User’s servants, agents, suppliers and sub-contractors used in the performance of its obligations under the Agreement.
“Supplier Data” means the DVLA driver data received through the DVLA ADD Service.
2. PERMITTED USE 
2.1 The End User may only use the Supplier Data for the Permitted Purpose in accordance with these terms and in accordance with its obligations under Data Protection Legislation. The End User shall not transfer, sell or in any way make the Supplier Data available to third parties who cannot demonstrate its use for the Permitted Purpose. 
2.2 The End User will only make enquiries on those drivers for which they are in receipt of a signed Data Protection Declaration, as provided by GBG. 
3. CONDITIONS OF USE
3.1 Before making a request for Supplier Data, the End User shall gather Evidence to demonstrate the Permitted Purpose to request the Supplier Data. The End User shall provide GBG with estimated usage of the Supplier Data, to include volume and frequency information and shall inform GBG of any factors that could cause a significant increase or decrease in the usage.
3.2 The End User agrees to (i) notify GBG in writing of any changes to their business need for access to the Service; and (ii) inform GBG in writing of changes to their business processes, which may impact how the Supplier Data is used.
3.3 The End User shall provide GBG with a list of the individuals, business addresses and other contact details, specifying in each case the capacities in which they are concerned with the Supplier Data who have direct responsibilities for the use of the Supplier Data and for the End User’s obligations under this Agreement. The End User shall inform GBG immediately of any changes in Staff listed. 
3.4 The End User shall ensure that its Staff do not use the Service in order to view their own DVLA driver record. 
3.5 The End User shall hold the Supplier Data on the minimum amount of databases required for the purposes of processing the Supplier Data for the Permitted Purpose.
3.6 In respect of the use of Supplier Data, the End User shall take all reasonable steps to:
(a) prevent fraud by its Staff or anyone acting on the End User’s behalf, its shareholders, members, and directors; and
(b) prevent its Staff or anyone acting on the End User’s behalf from engaging in conduct prohibited by the Bribery Act 2010.
The End User shall notify GBG immediately if it has reason to suspect that any fraud or bribery has occurred or is occurring or is likely to occur in respect of the Supplier Data. If the End User or its Staff commits fraud or bribery in relation to this Agreement, the DVLA may require GBG to terminate the Agreement and recover from the End User the amount of any loss suffered by the DVLA resulting from the termination; or recover in full from the End User any other loss sustained by the DVLA in consequence of any breach of this clause.
3.7 In respect of the use of the Supplier Data, the End User must not unlawfully discriminate, and shall take all reasonable steps to ensure that its Staff do not, either directly or indirectly or by way of victimisation or harassment against a person on such grounds as age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, colour, ethnic or national origin, sex or sexual orientation, and without prejudice to the generality of the foregoing the End User must not unlawfully discriminate within the meaning and scope of the Equality Acts 2006 and 2010 (as amended), the Human Rights Act 1998 (as amended) or other relevant or equivalent legislation, or any statutory modification or re-enactment thereof.
3.8 The End User shall notify GBG immediately if any circumstances arise which could result in publicity or media attention to the End User which could adversely reflect on the DVLA or the Supplier Data. 
3.9 The End User shall not create or approve any publicity implying or stating that the DVLA has a connection with or endorses any service provided by the End User without the prior written Approval of the DVLA. 
3.10 The End User shall upon receipt of reasonable notice and during normal office hours attend all meetings arranged by GBG for the discussion of matters connected with the performance of the Agreement. 
3.11 The End User shall provide such reports on its performance of the Agreement or any other information relating to the End User’s requests for and use of the Supplier Data as GBG may reasonably require. GBG reserves the right to review the Agreement at any time. Where required, GBG and the End User shall meet in person or via video or telephone conference to review:
(a) the ongoing need for the Supplier Data and any consequential variation to the terms of the Agreement;
(b) the Permitted Purpose;
(c) the volume of Supplier Data which GBG is providing to the End User;
(d) the security arrangements governing the End User’s safe receipt of the Supplier Data and the End User’s further use of the Supplier Data;
(e) the arrangements that the End User has in place relating to the retention and secure destruction of the Supplier Data;
(f) any audits that have been carried out that have relevance to the way that the End User is processing the Supplier Data;
(g) any security incidents that have occurred with the Supplier Data;
(h) the continued registration of the End User’s company under the same registered number;
(i) the training and experience of the End User’s Staff in their duties and responsibilities under Privacy and Data Protection Requirements.
3.12 Except as set out in this Appendix the End User must not transfer, assign, sell or licence Supplier Data or their use to any other person.
3.13 The End User will notify GBG if it is subject to an insolvency event or change of control. 
3.14 The End User acknowledges and accepts that the nature of this Service requires disclosure of Client Information to the Data Supplier who processes Client Information in its capacity as Controller and not Sub-processor. The End User’s request for this Service will be deemed to be the End User’s instruction to GBG to disclose Client Information to the Data Supplier as necessary to perform this Service.
3.15 The Data Supplier is based in the UK which is located within the EEA. On this basis, Personal Data is not transferred outside of the EEA in order to provide End Users with access to this element of the Service.
4. WARRANTIES AND ACKNOWLEDGEMENTS
4.1 The DVLA takes all reasonable steps to ensure that the Supplier Data is accurate and up to date before it is transmitted to GBG; however, DVLA cannot warrant the accuracy of the Supplier Data provided. DVLA does not accept any liability for any inaccurate information supplied to it by the licence holder or any other source beyond its control.
4.2 The End User shall ensure before relying on any item of Supplier Data that the Supplier Data provided matches the information in the request and that the Supplier Data pertains to the Data Subject for whom they possess a Data Protection Declaration. Any records passed to the End User from DVLA that do not pertain to a Data Protection Declaration held by the End User must be disregarded, and deleted from any systems. GBG must be contacted in this instance.
5. DATA PROTECTION OBLIGATIONS SPECIFIC TO THE SUPPLIER DATA
5.1 The Supplier Data constitutes Personal Data which may include Conviction Data and Special Categories of Personal Data, as defined within the Privacy and Data Protection Requirements.
5.2 The End User, separately from the DVLA, shall be the data controller of each item of Supplier Data received from the Service from the point of receipt of that Supplier Data by the End User and shall be responsible for complying with the Privacy and Data Protection Requirements in relation to its further Processing of that Data.
5.3 The End User shall ensure that data subjects are aware of the legal basis for the release of the Supplier Data. Data subjects have rights to restrict the processing of their data in accordance with the Privacy and Data Protection Requirements. GBG or the DVLA will provide written notification to the End User where a data subject wishes to invoke this right. In such cases, the End User must act immediately to ensure enquiries on such records are not submitted following written notification from GBG or the DVLA.
5.4 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office.
5.5 The End User shall notify GBG immediately, within a maximum of 24 hours of becoming aware, of any default of the security requirements of this Agreement.
5.6 The End User shall not transfer, sell or in any way make the Supplier Data available to third parties unconnected with the Permitted Purpose.
5.7 The End User shall, throughout the Initial Period and any Renewal Period, use the latest versions of anti-virus software available from an industry accepted anti-virus software vendor to check for and remove Malicious Software. If Malicious Software is found, the Parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Supplier Data, assist each other to mitigate any losses.
5.8 The End User shall not transfer Personal Data outside of the EU unless the prior written approval of the DVLA has been obtained and the following conditions are fulfilled:
(i) the DVLA or the End User has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by DVLA;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the End User complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred (or, if it is not so bound, uses its best endeavours to assist the DVLA in meeting its obligations); and
(iv) the End User complies with any reasonable instructions notified to it in advance by the DVLA with respect to the processing of personal data.
5.9 In accordance with the Privacy and Data Protection Requirements, the End User shall retain each item of Supplier Data only for as long as is necessary with reference to the Permitted Purpose for which it was shared. 
5.10 The End User shall arrange for the secure destruction or deletion of each item of Supplier Data, in accordance with the Privacy and Data Protection Requirements, as soon as it is no longer necessary to retain it.
5.11 The End User shall retain for a minimum period of 2 years from the date of conclusion or longer period as may be agreed between DVLA and the End User (such agreement to be recorded in writing), full and accurate records of the performance of the Service, including records of all payments made to GBG by the End User in relation to the Agreement. This will include, but is not limited to, any mis-matched or incorrect enquiries that may have been made in pursuance of the Permitted Purpose. These will be cross-referenced to the correct record, enquiry or issue that gave rise to the incorrect enquiry. This will enable GBG and the DVLA to establish the enquirer and reason for enquiry.
5.12 The End User shall retain for a period of 7 years (current year plus 6), from the date of signature, the signed Data Protection Declaration. This includes photocopies, fax copies, scanned copies or Data Protection Declaration if used.
5.13 The End User shall carry out its own internal compliance checks at least annually and shall notify GBG of such checks. The End User shall share with GBG the outcome of any other checks, audits or reviews that have been carried out on its activities as a data controller that are relevant to the processing of the Supplier Data.
5.14 The End User shall notify GBG immediately, or within a maximum of 24 hours of becoming aware, of any audits that are being carried out by the Information Commissioner’s Office under the Privacy and Data Protection Requirements that are relevant to the processing of the Supplier Data. 
5.15 The End User shall notify GBG immediately, within a maximum of 24 hours of becoming aware, of any losses, compromise or misuse of the Supplier Data or any Personal Data Breach and keep the DVLA informed of any communications about the incident with: the individuals whose Personal Data is affected; the Information Commissioner’s Office; or the media.
5.16 The End User will respond as required to the findings and recommendations of any GBG or DVLA inspection and will provide updates as required on the implementation of any required actions. 
5.17 GBG or the DVLA may at any time check the electronic trail relating to any activity made by the End User and contact the person responsible for such activity. 
5.18 The End User is required to comply with the following minimum data security requirements in respect of the Supplier Data:
(a) Supplier Data, including back-up Supplier Data, must be retained in secure premises and locked away;
(b) Supplier Data supplied may only be copied for back-up and for the purposes of processing the Supplier Data. Copies must be erased immediately thereafter and they must not be otherwise duplicated;
(c) the End User will retain the Supplier Data only for as long as necessary with reference to the Permitted Purpose for which the Supplier Data is required;
(d) the End User, in accordance with Privacy and Data Protection Requirements, should dispose of the Supplier Data where there is no business need to retain it;
(e) Supplier Data, including back-up Supplier Data, must be protected from unauthorised access, release or loss;
(f) a User ID and a robust password must be required to enter all databases on which the Supplier Data is stored;
(g) a unique User ID and password must be allocated to each person with access to the Supplier Data;
(h) User IDs must not be shared between the End User’s Staff;
(i) an electronic trail relating to any activity involving Supplier Data must be retained, identifying the User ID and individual involved in each activity; 
(j) access to Supplier Data must be minimised so that only where necessary are individuals given the following levels of access:
j1. ability to view material from single identifiable records
j2. ability to view material from many identifiable records
j3. functional access, including: searching, amendment, deletion, printing, downloading or transferring information
(k) Supplier Data must not be accessed from, copied onto or stored on removable media. Laptops may be used but only if the device has full disk encryption installed in line with industry best practice and devices are securely protected when not in use;
(l) all manual and electronic enquiries must be logged centrally and stored by the End User;
(m) enquiries must be checked by senior staff on a regular basis;
(n) senior members of the End User’s Staff must conduct reconciliation checks between incoming and outgoing enquiry volumes on a regular basis;
(o) paper records must be securely destroyed so that reconstruction is unlikely;
(p) electronic Supplier Data must be securely destroyed or deleted in accordance with current guidance from the Information Commissioner’s Office as soon as it is no longer needed;
(q) Supplier Data received by post must be available only to appropriately trained and experienced members of the End User’s Staff, who must abide by the requirements of this Agreement and Data Protection Legislation;
(r) all records containing personal information, including screen prints, reports or other Supplier Data which have been supplied or derived from the DVLA’s system in any format must be retained in a secure manner;
(s) all Premises and buildings in which the Supplier Data is stored must be secure;
(t) the End User must be registered with the Information Commissioner and the permission must cover all activities actually carried out;
(u) information must not be passed to third parties except with the prior written approval of the DVLA; and
(v) transfer of Supplier Data to third parties (where approval has been granted by DVLA) must be in accordance with the principles of Data Protection Legislation. Any other conditions required by the DVLA in giving permission for disclosure to third parties must be satisfied.
5.19 The End User is required to comply with the following minimum requirements for data protection declaration:
(a) DVLA is required to be satisfied that any Processing (including disclosure) of Personal Data is compliant with Data Protection Legislation. The End User may make enquiries of the Data Subject for its own legitimate purposes in accordance with Data Protection Legislation. The End User must make the Data Subject fully aware that information from that person’s driver record is to be obtained from DVLA, the categories of Supplier Data involved, the purposes and the period and frequency in which Supplier Data will be requested. DVLA requires the Data Subject to Evidence this through the provision of a Data Protection Declaration signed by the record holder and containing a declaration to that effect.
(b) The End User must have a defined procedure in place for obtaining Evidence of the Data Subject’s Data Protection Declaration.
(c) The End User must retain Evidence at the End User’s main office for business operations for a period of 7 years (current year plus 6) regardless of the length of time for which the Evidence was valid. Evidence must be retained in a structured manner that permits the easy recovery of specific cases. Evidence must be produced by the End User for any enquiry logged on DVLA’s system. Evidence can be stored electronically provided it meets the requirements stated in this clause 5.19 of this Appendix.
(d) GBG must ensure that all Data Protection Declarations clearly state the company name, and the End User’s name(s). In event of the End User’s name(s) changing, or if there is any restructuring of the End User that affects its legal entities, subsidiary companies or its trading / legal name(s), a new completed Data Protection Declaration form must be completed to reflect the change. It is the responsibility of GBG to ensure all End Users inform GBG of any such changes.
(e) When it is necessary for DVLA to change the Data Protection Declaration within the three-year period it may be a requirement for a new Data Protection Declaration to be obtained from the Data Subjects concerned within this period (using the revised format), depending on the nature of any changes made.
(f) If the End User procedures permit a separation or delay between obtaining the Data Protection Declaration and making the enquiry on the record, there must be a clear audit trail to identify the employee responsible for obtaining the Data Protection Declaration.
(g) The Data Protection Declaration is valid for a period of not more than 3 years from the date of signature or until the record holder ceases to drive for the End User, whichever occurs sooner.
(h) GBG must ensure that procedures are in place to check the validity of Data Protection Declarations.
(i) Where a paper Data Protection Declaration is used DVLA will accept original forms, photocopies, fax copies and electronically scanned copies on the basis that they are of good quality and the information contained thereon is clearly legible. 
(j) DVLA offers a standard Data Protection Declaration (D906/ADD) which DVLA recommend you use as Evidence. Alternatively, the End User can produce a bespoke Data Protection Declaration. However, any such bespoke Data Protection Declaration must meet DVLA requirements and must first be approved by DVLA prior to being used.
(k) GBG is responsible as Data Controller for ensuring that any electronic Data Protection Declaration solutions comply with Data Protection Legislation.
(l) All records containing Supplier Data obtained from the Service will be retained by the End User in accordance with Data Protection Legislation. The End User will retain responsibility for the storage of Supplier Data and any subsequent failure to do so may result in the withdrawal of the Service. Data Protection Declaration, screen-prints and paper copies of records obtained from the Service must be stored in a locked cupboard or similar in a lockable room with a suitable keypad or lock, which must be secured overnight. The Data Protection Declarations must be stored at the End User’s business address given as a point of contact to GBG. Copies of records stored on electronic systems must meet the minimum level of security required. The minimum level of security must be implemented such that the controls described in this document are applied, and that electronic records can only be accessed by legitimate users who have authenticated correctly and have a Permitted Purpose to view the Supplier Data.
(m) Any scanned images of paper Data Protection Declarations stored electronically must be encrypted and stored in a secure and auditable database provided the End User has the facility and expertise to scan, store and destroy Supplier Data to required standards of legal admissibility.
(n) Where the End User utilises an electronic Data Protection Declaration solution, the End User must ensure that all electronic Data Protection Declarations are encrypted, stored and destroyed to required standards of legal admissibility.
5.20 The End User is required to comply with the following minimum requirements in respect of its Staff vetting and disciplinary procedures:
(a) the End User shall confirm the identity of all of its new Staff;
(b) the End User shall confirm the references and qualifications of all of its Staff;
(c) the End User shall require all persons who are to have access to the Service or to the Supplier Data to complete and sign a written declaration of any unspent criminal convictions;
(d) the End User shall not allow any person with unspent criminal Convictions to have access to the Service or to the Supplier Data, except with the prior written approval of the DVLA;
(e) the End User shall ensure that no person who discloses that he or she has a Relevant Conviction, or who is found by the End User to have any Relevant Conviction is allowed access to the Supplier Data or to the Service without the prior written approval of the DVLA;
(f) the End User shall require all persons who are to have access to the Service or to the Supplier Data to complete and sign an agreement to use the Service and the Supplier Data only for the Permitted Purpose set out in this Agreement and in accordance with the End User’s procedures;
(g) the End User shall ensure that each person who has access to the Service or the Supplier Data shall act with all due skill, care and diligence and shall possess such qualifications, skills and experience as are necessary for the proper use of the Service and the Supplier Data;
(h) the End User shall ensure that each person who is authorised to use the Service has been trained in the operation of the system and its associated procedures. The End User shall keep documentary records of attendance on such training by each person; 
(i) the End User shall ensure that each person who has access to the Supplier Data is appropriately trained in and aware of his or her duties and responsibilities under Data Protection Legislation and this Agreement; 
(j) the End User shall create and maintain a unique user account ID for each person who has access to the Service;
(k) the End User shall maintain a procedure for authorising the creation of user accounts and for the prompt deletion of accounts that are no longer required. The End User must ensure that the person or persons carrying out this work are appropriately trained and that their duties are separate from that of a normal user account. A normal user must not be able to manage their own account;
(l) the End User’s disciplinary policy shall state that misuse of the Service or the Supplier Data by any person shall constitute gross misconduct and may result in summary dismissal of that person. The End User shall notify such misuse to GBG who in turn will notify the DVLA and the person involved shall be refused all future access to DVLA Data;
(m) End User’s system administrators must receive appropriate training and the system administration role must be separated from any other role to ensure a separation of duties;
(n) the End User shall notify GBG immediately, within a maximum of 24 hours of becoming aware, of any security breaches, losses, compromise or misuse of the Supplier Data, and keep GBG informed of any such communications about such incidents with:
n1. the Data Subjects whose Personal Data is affected;
n2. the Information Commissioner’s Office (or relevant Supervisory Authority);
n3. the media.
6. INSPECTION BY THE DVLA, SUSPENSION AND TERMINATION
6.1 The DVLA reserves the right to carry out an inspection at any time of the End User’s compliance with the terms of this Agreement. Where possible, the DVLA shall give the End User 7 Days’ written notice of any such inspection.
6.2 In exceptional circumstances in relation to abuse of the Supplier Data, access to the End User’s premises may be required. Other than in exceptional circumstances, such as a suspected serious breach of Supplier Data security, examinations will be by prior contact and DVLA will notify the End User in advance of any End User premises they wish to examine.
6.3 The End User agrees to co-operate fully with any such inspection and to allow the DVLA, or an agent acting on its behalf, access to its premises, equipment, Evidence and the Staff for the purposes of the inspection.
6.4 The End User will respond as required to the findings and recommendations of any DVLA inspection and will provide updates as required on the implementation of any required actions.
6.5 The DVLA may at any time check the electronic trail relating to any activity made by the End User and contact the person responsible for such activity.
6.6 The DVLA may, by written notice to the End User, forbid access to the Supplier Data, or withdraw permission for continued access to the Supplier Data, to:
(a) any member of the End User’s Staff; or
(b) any person employed or engaged by any member of the End User’s Staff;
whose access to or use of the Supplier Data would, in the reasonable opinion of the DVLA, be undesirable.
6.7 The decision of the DVLA as to whether any person is to be forbidden from accessing the Supplier Data and as to whether the End User has failed to comply with this clause shall be final and conclusive.
6.8 The DVLA will be entitled to be reimbursed by the End User for all DVLA’s reasonable costs incurred in the course of the inspection.
7. ACTION ON COMPLAINT
7.1 Where a complaint is received about the End User about any matter connected with the performance of its obligations under the Agreement or the use of Supplier Data, the DVLA may notify GBG, and where considered appropriate by the DVLA, investigate the complaint. The DVLA may, in its sole discretion, acting reasonably, uphold the complaint and take further action against the End User.