0337 UK ENTITLEMENT TO DRIVE CHECK | ID NUMBER 200032
• Supplier hosts the Supplier Data
• Supplier receives and processes End User Data in its capacity as an independent controller
• End User Data includes personal data
• The Supplier is based in the United Kingdom
• The United Kingdom is deemed to offer an adequate level of data protection by the European Commission
The Supplier Data that GBG uses to provide Entitlement to Drive Dataset is provided by the Driving and Vehicle Licencing Agency (“DVLA”). GBG is obliged under the terms of its agreement with DVLA to ensure that all End Users agree to comply with the following licencing provisions.
1. DEFINITIONS
1.1. In these Additional Terms, the following definitions shall apply, in addition to the definitions set out in the General Terms and Product Terms:
“Conviction” means, other than for minor road traffic offences, any previous or pending prosecutions, convictions, cautions and binding-over orders (including any spent convictions as contemplated by section 1(1) of the Rehabilitation of Offenders Act 1974 (as amended) by virtue of the exemptions specified in Part II of Schedule 1 of the Rehabilitation of Offenders Act 1974 (Exemptions) Order 1975 (SI 1975/1023) (as amended) or any replacement or amendment to that Order, or being placed on a list kept pursuant to the safeguarding of Vulnerable Groups Act 2006 (as amended). “Data Loss Event” means any event that results, or may result, in unauthorised access to Supplier Data held by the End User under this Agreement, and/or actual or potential loss and/or destruction of Supplier Data in breach of this Agreement, including any Personal Data Breach. “Data Protection Declaration” means the driving licence information fair processing declaration form (D906/ADD), to be used by the End User as Evidence that the record holder is fully aware that information from their driver record is to be obtained by the End User, through GBG, from DVLA.
“DVLA” means the Driver and Vehicle Licensing Agency.
“End User Data” means any data provided to GBG by the End User for processing in accordance with the terms of the Agreement including where relevant any personal data.
“Evidence” means the End User’s proof that the data subject has confirmed its understanding as to the purposes and limitations of the enquiry and does not object to their personal data being processed for these purposes. This is to be made via a signed Data Protection Declaration.
“Malicious Software” means any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on program files, data or other information, executable code or application software macros, whether or not its operation is immediate or delayed, and whether the malicious software is introduced wilfully, negligently or without knowledge of its existence.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Conviction data, personal data or special categories of personal data, transmitted, stored or otherwise processed.
“Permitted Purpose” means the purposes, restrictions and or conditions for use of the Dataset outlined by the Supplier at clause 2.3-2.33 below in additional to the Customer Use Case set out in the Agreement and at clause 2.1.
“Relevant Conviction” means a Conviction which the End User, acting reasonably and in accordance with industry best practice, deems to preclude a person from being involved in any way with use of the Supplier Data.
“Staff” means all persons employed by the End User to perform its obligations under the Agreement together with the End User’s servants, agents, suppliers and sub-contractors used in the performance of its obligations under the Agreement.
“Supplier Data” means the DVLA driver data received through the DVLA ADD Service.
2. USE OF SUPPLIER DATA
2.1. The Supplier Data may only be used for the Customer Use Cases detailed below, provided that such Customer Use Case is selected on the End User's Order Form and the End User complies with any use case restrictions set out the Agreement or these Additional Terms:
• ID Verification – Fraud
• ID Verification – Regulatory
2.2. In addition to the Customer Use Case restrictions contained within clause 2.1 (including any conditions that apply to that Customer Use Case) the following terms set out in clauses 2.3-2.33 also apply.
2.3. The Supplier Data must only be used by (i) organisations involved in employment of drivers, (ii) auto insurance companies (at point of claim only), (iii) car rental companies fleet companies and or (iv) intermediaries, solely for the purpose of checking a data subject’s entitlement to drive. The Dataset must only be used to check entitlement to drive, driving endorsements and disqualifications for a legitimate business need.
2.4. The End User will only make enquiries on those drivers for which they are in receipt of a signed Data Protection Declaration, as provided by GBG.
2.5. Before making a request for Supplier Data, the End User shall gather Evidence to demonstrate the Permitted Purpose to request the Supplier Data. The End User shall provide GBG with estimated usage of the Supplier Data, to include volume and frequency information and shall inform GBG of any factors that could cause a significant increase or decrease in the usage.
2.6. The End User agrees to (i) notify GBG in writing of any changes to their business need for access to the Service; and (ii) inform GBG in writing of changes to their business processes, which may impact how the Supplier Data is used.
2.7. The End User shall provide GBG with a list of the individuals, business addresses and other contact details, specifying in each case the capacities in which they are concerned with the Supplier Data who have direct responsibilities for the use of the Supplier Data and for the End User’s obligations under this Agreement. The End User shall inform GBG immediately of any changes in Staff listed.
2.8. The End User shall ensure that its Staff do not use the Service in order to view their own DVLA driver record.
2.9. The End User shall hold the Supplier Data on the minimum amount of databases required for the purposes of processing the Supplier Data for the Customer Use Case and Permitted Purpose.
2.10. In respect of the use of Supplier Data, the End User shall take all reasonable steps to:
(a) prevent fraud by its Staff or anyone acting on the End User’s behalf, its shareholders, members, and directors; and
(b) prevent its Staff or anyone acting on the End User’s behalf from engaging in conduct prohibited by the Bribery Act 2010.
The End User shall notify GBG immediately if it has reason to suspect that any fraud or bribery has occurred or is occurring or is likely to occur in respect of the Supplier Data. If the End User or its Staff commits fraud or bribery in relation to this Agreement, the DVLA may require GBG to terminate this element of the Agreement and recover from the End User the amount of any loss suffered by the DVLA resulting from the termination; or recover in full from the End User any other loss sustained by the DVLA in consequence of any breach of this clause.
2.11. In respect of the use of the Supplier Data, the End User must not unlawfully discriminate, and shall take all reasonable steps to ensure that its Staff do not, either directly or indirectly or by way of victimisation or harassment against a person on such grounds as age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, colour, ethnic or national origin, sex or sexual orientation, and without prejudice to the generality of the foregoing the End User must not unlawfully discriminate within the meaning and scope of the Equality Acts 2006 and 2010 (as amended), the Human Rights Act 1998 (as amended) or other relevant or equivalent legislation, or any statutory modification or re-enactment thereof.
2.12. The End User shall notify GBG immediately if any circumstances arise which could result in publicity or media attention to the End User which could adversely reflect on the DVLA or the Supplier Data.
2.13. The End User shall not create or approve any publicity implying or stating that the DVLA has a connection with or endorses any service provided by the End User without the prior written Approval of the DVLA.
2.14. The End User shall upon receipt of reasonable notice and during normal office hours attend all meetings arranged by GBG for the discussion of matters connected with the performance of the Agreement.
2.15. The End User shall provide such reports on its performance of the Agreement or any other information relating to the End User’s requests for and use of the Supplier Data as GBG may reasonably require. GBG reserves the right to review the Agreement at any time. Where required, GBG and the End User shall meet in person or via video or telephone conference to review:
(a) the ongoing need for the Supplier Data and any consequential variation to the terms of the Agreement;
(b) the Customer Use Case and or Permitted Purpose;
(c) the volume of Supplier Data which GBG is providing to the End User;
(d) the security arrangements governing the End User’s safe receipt of the Supplier Data and the End User’s further use of the Supplier Data;
(e) the arrangements that the End User has in place relating to the retention and secure destruction of the Supplier Data;
(f) any audits that have been carried out that have relevance to the way that the End User is processing the Supplier Data;
(g) any security incidents that have occurred with the Supplier Data;
(h) the continued registration of the End User’s company under the same registered number;
(i) the training and experience of the End User’s Staff in their duties and responsibilities under Applicable Data Protection Law.
2.16. Except as set out in these Additional Terms the End User must not transfer, assign, sell or licence Supplier Data or their use to any other person. Notwithstanding any other provisions of the Agreement, the End User must not sub-contract the Agreement or any part of it without GBG’s prior written consent.
2.17. The End User will notify GBG if it is subject to an insolvency event or change of control.
2.18. The End User shall not transfer, sell or in any way make the Supplier Data available to third parties unconnected with the Customer User Case and or Permitted Purpose.
2.19. The End User shall, throughout the Term, use the latest versions of anti-virus software available from an industry accepted anti-virus software vendor to check for and remove Malicious Software. If Malicious Software is found, the Parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Supplier Data, assist each other to mitigate any losses.
2.20. The End User shall notify GBG immediately, within a maximum of 24 hours of becoming aware, of any default of the security requirements of this Agreement.
2.21. In accordance with the Applicable Data Protection Law, the End User shall retain each item of Supplier Data only for as long as is necessary with reference to the Permitted Purpose for which it was shared.
2.22. The End User shall arrange for the secure destruction or deletion of each item of Supplier Data, in accordance with the Applicable Data Protection Law, as soon as it is no longer necessary to retain it.
2.23. The End User shall retain for a minimum period of 2 years from the date of conclusion or longer period as may be agreed between DVLA and the End User (such agreement to be recorded in writing), full and accurate records of the performance of the Dataset, including records of all payments made to GBG by the End User in relation to the Dataset. This will include, but not limited to, any mis-matched or incorrect enquiries that may have been made in pursuance of the Customer Use Case and or Permitted Purpose. These will be cross-referenced to the correct record, enquiry or issue that gave arise to the incorrect enquiry. This will enable GBG and the DVLA establish the enquirer and reason for enquiry.
2.24. The End User shall retain for a period of 2 years, from the date of signature the signed Data Protection Declaration. This includes photocopies, fax copies, scanned copies or Data Protection Declaration if used.
2.25. The End User shall carry out its own internal compliance checks at least annually and shall notify GBG of such checks. The End User shall share with GBG the outcome of any other checks, audits or reviews that have been carried out on its activities as a data controller that are relevant to the processing of the Supplier Data.
2.26. The End User shall notify GBG immediately, or within a maximum of 24 hours of becoming aware, of any audits that are being carried out by the Information Commissioner’s Office under the Applicable Data Protection Law that are relevant to the processing of the Supplier Data.
2.27. The End User acknowledges that GBG has a continuing interest in the security of the Supplier Data and in knowing about any Data Loss Event that may occur whilst the Supplier Data is being processed by the End User. The End User must notify GBG immediately of any Data Loss Event involving the Supplier Data that meets the criteria for notification to the Information Commissioner’s Office or affected data subjects. The End User will notify GBG periodically of Data Loss Events that do not meet this criteria. The End User understands that it must be responsible for notifying the incident to the Information Commissioner’s Office and, where appropriate, data subjects, and to do so within the time limits required by Applicable Data Protection Law, and also for taking such action as is necessary to resolve the incident. 2.28. The End User will respond as required to the findings and recommendations of any GBG or DVLA inspection and will provide updates as required on the implementation of any required actions.
2.29. GBG or the DVLA may at any time check the electronic trail relating to any activity made by the End User and contact the person responsible for such activity.
2.30. The End User is required to comply with the following minimum data security requirements in respect of the Supplier Data:
(a) Supplier Data, including back-up Supplier Data, must be retained in secure premises and locked away;
(b) Supplier Data supplied may only be copied for back-up and for the purposes of processing the Supplier Data. Copies must be erased immediately thereafter and they must not be otherwise duplicated;
(c) the End User will retain the Supplier Data only for as long as necessary with reference to the Permitted Purpose of which the Supplier Data is required;
(d) the End User, in accordance with Applicable Data Protection Law should dispose of the Supplier Data where there is no business need to retain it;
(e) Supplier Data, including back-up Supplier Data, must be protected from unauthorised access, release or loss;
(f) a User ID and a robust password must be required to enter all databases on which the Supplier Data is stored;
(g) a unique User ID and password must be allocated to each person with access to the Supplier Data;
(h) User IDs must not be shared between the End User’s Staff;
(i) an electronic trail relating to any activity involving Supplier Data must be retained, identifying the User ID and individual involved in each activity;
(j) access to Supplier Data must be minimised so that only where necessary are individuals given the following levels of access:
j1. ability to view material from single identifiable records
j2. ability to view material from many identifiable records
j3. functional access, including: searching, amendment, deletion, printing, downloading or transferring
information
(k) Supplier Data must not be accessed from, copied onto or stored on removable media. Laptops may be used but only if the device has full disk encryption installed in line with industry best practice and devices are securely protected when not in use;
(l) all manual and electronic enquiries must be logged centrally and stored by the End User;
(m) enquiries must be checked by senior staff on a regular basis;
(n) senior members of the End User’s Staff must conduct reconciliation checks between incoming and outgoing enquiry volumes on a regular basis;
(o) paper records must be securely destroyed so that reconstruction is unlikely;
(p) electronic Supplier Data must be securely destroyed or deleted in accordance with current guidance from the Information Commissioner’s Office as soon as it is no longer needed;
(q) Supplier Data received by post must be available only to appropriately trained and experienced members of the End User’s Staff, who must abide by the requirements of the Agreement and Applicable Data Protection Law;
(r) all records containing personal information, including screen prints, reports or other Supplier Data which have been supplied or derived from the DVLA’s system in any format must be retained in a secure manner;
(s) all Premises and buildings in which the Supplier Data is stored must be secure;
(t) the End User must be registered with the Information Commissioner and the permission must cover all activities actually carried out;
(u) information must not be passed to third parties except with the prior written approval of the DVLA; and
(v) transfer of Supplier Data to third parties (where approval has been granted by DVLA must be in accordance with the principles of Applicable Data Protection Law. Any other conditions required by the DVLA in giving permission for disclosure to third parties must be satisfied.
2.31. The End User is required to comply with the following minimum requirements for data protection declaration:
(a) DVLA is required to be satisfied that any processing (including disclosure) of personal data is compliant with Applicable Data Protection Law. The End User may make enquiries of the data subject for its own legitimate purposes in accordance with Applicable Data Protection Law. The End User must make the data subject fully aware that information from that person’s driver record is to be obtained from DVLA, the categories of Supplier Data involved, the purposes and the period and frequency in which Supplier Data will be requested. DVLA requires the data subject to Evidence this through the provision of a Data Protection Declaration signed by the record holder and containing a declaration to that effect.
(b) The End User must have a defined procedure in place for obtaining Evidence of the data subject’s Data Protection Declaration.
(c) The End User must retain Evidence at the End User’s main office for business operations for a period of 7 years (current year plus 6) regardless of the length of time for which the Evidence was valid. Evidence must be retained in a structured manner that permits the easy recovery of specific cases. Evidence must be produced by the End User for any enquiry logged on DVLA’s system. Evidence can be stored electronically provided it meets the requirements stated in this clause 2.31 of these Additional Terms.
(d) GBG shall ensure that all Data Protection Declarations clearly state GBG’s name, and the End User’s name(s). In event of the End User’s name(s) changing, or if there is any restructuring of the End User that affects its legal entities, subsidiary companies or its trading / legal name(s), a new completed Data Protection Declaration form must be completed to reflect the change. It is the responsibility of the End User to inform GBG of any such changes.
(e) When it is necessary for DVLA to change the Data Protection Declaration within the three-year period it may be a requirement for a new Data Protection Declaration to be obtained from the data subjects concerned within this period (using the revised format), depending on the nature of any changes made.
(f) If the End User procedures permit a separation or delay between obtaining the Data Protection Declaration and making the enquiry on the record, there must be a clear audit trail to identify the employee responsible for obtaining the Data Protection Declaration.
(g) The Data Protection Declaration is valid for a period of not more than 3 years from the date of signature or until the record holder ceases to drive for the End User, whichever occurs sooner.
(h) Where a paper Data Protection Declaration is used DVLA will accept original forms, photocopies, fax copies and electronically scanned copies on the basis that they are of good quality and the information contained thereon is clearly legible.
(i) DVLA offers a standard Data Protection Declaration (D906/ADD) which DVLA recommend the End User use as Evidence. Alternatively, the End User can produce a bespoke Data Protection Declaration. However, any such bespoke Data Protection Declaration must meet DVLA requirements and must first be approved by DVLA prior to being used.
(j) All records containing Supplier Data obtained from the Service will be retained by the End User in accordance with Applicable Data Protection Law. The End User will retain responsibility for the storage of Supplier Data and any subsequent failure to do so may result in the withdrawal of the Service. Data Protection Declaration, screen-prints and paper copies of records obtained from the Service must be stored in a locked cupboard or similar in a lockable room with a suitable keypad or lock, which must be secured overnight. The Data Protection Declarations must be stored at the End User’s business address given as a point of contact to GBG. Copies of records stored on electronic systems must meet the minimum level of security required. The minimum level of security must be implemented such that the controls described in this document are applied, and that electronic records can only be accessed by legitimate users who have authenticated correctly and have a Permitted Purpose to view the Supplier Data.
(k) Any scanned images of paper Data Protection Declarations stored electronically must be encrypted and stored in a secure and auditable database provided the End User has the facility and expertise to scan, store and destroy Supplier Data to required standards of legal admissibility.
(l) Where the End User utilises an electronic Data Protection Declaration solution, the End User must ensure that all electronic Data Protection Declarations are encrypted, stored and destroyed to required standards of legal admissibility.
2.32. The End User is required to comply with the following minimum requirements in respect of its Staff vetting and disciplinary procedures:
(a) the End User shall confirm the identity of all of its new Staff;
(b) the End User shall confirm the references and qualifications of all of its Staff;
(c) the End User shall require all persons who are to have access to the Service or to the Supplier Data to complete and sign a written declaration of any unspent criminal convictions;
(d) the End User shall not allow any person with unspent criminal Convictions to have access to the Service or to the Supplier Data, except with the prior written approval of the DVLA;
(e) the End User shall ensure that no person who discloses that he or she has a Relevant Conviction, or who is found by the End User to have any Relevant Conviction is allowed access to the Supplier Data or to the Service without the prior written approval of the DVLA;
(f) the End User shall require all persons who are to have access to the Service or to the Supplier Data to complete and sign an agreement to use the Service and the Supplier Data only for the Permitted Purpose set out in this Agreement and in accordance with the End User’s procedures;
(g) the End User shall ensure that each person who has access to the Service or the Supplier Data shall act with all due skill, care and diligence and shall possess such qualifications, skills and experience as are necessary for the proper use of the Service and the Supplier Data;
(h) the End User shall ensure that each person who is authorised to use the Service has been trained in the operation of the system and its associated procedures. The End User shall keep documentary records of attendance on such training by each person;
(i) the End User shall ensure that each person who has access to the Supplier Data is appropriately trained in and aware of his or her duties and responsibilities under Applicable Data Protection Law and this Agreement;
(j) the End User shall create and maintain a unique user account ID for each person who has access to the Service;
(k) the End User shall maintain a procedure for authorising the creation of user accounts and for the prompt deletion of accounts that are no longer required. The End User must ensure that the person or persons carrying out this work are appropriately trained and that their duties are separate from that of a normal user account. A normal user must not be able to manage their own account;
(l) the End User’s disciplinary policy shall state that misuse of the Service or the Supplier Data by any person shall constitute gross misconduct and may result in summary dismissal of that person. The End User shall notify such misuse to GBG who in turn will notify the DVLA and the person involved shall be refused all future access to DVLA Data;
(m) End User’s System Administrators must receive appropriate training and the System Administration role must be separated from any other role to ensure a separation of duties;
2.33. The End User warrants that it will not use the Supplier Data for any reason outside of the Customer Use Case and the Permitted Purpose.
3. WARRANTIES AND ACKNOWLEDGEMENTS
3.1. The DVLA takes all reasonable steps to ensure that the Supplier Data is accurate and up to date before it is transmitted to the GBG, however, DVLA cannot warrant the accuracy of the Supplier Data provided. DVLA does not accept any liability for any inaccurate information supplied to it by the licence holder or any other source beyond its control.
3.2. The End User shall ensure before relying on any item of Supplier Data that the Supplier Data provided matches the information in the request and that the Supplier Data pertains to the data subject for whom they possess a Data Protection Declaration. Any records passed to the End User from DVLA that do not pertain to a Data Protection Declaration held by the End User must be disregarded, and deleted from any systems. GBG must be contacted in this instance.
4. DATA PROTECTION OBLIGATIONS SPECIFIC TO THE SUPPLIER DATA
4.1. The Supplier Data used to provide you with this element of the Service is hosted by the DVLA in the United Kingdom. In order to perform the Services, the Supplier shall receive and process End User Data in its capacity as an independent controller for the sole purpose of delivering this element of the Service.
4.2. The United Kingdom is deemed to offer an adequate level of data protection for personal data by the European Commission, therefore the Parties acknowledge that End User Data can be safely transferred to the Supplier for processing without further data export safeguards.
4.3. The Supplier Data constitutes personal data which may include Conviction data and special categories of personal data, as defined within the Applicable Data Protection Law.
4.4. The End User shall ensure that data subjects are aware of the legal basis for the release of the Supplier Data. Data subjects have rights to restrict the processing of their data in accordance with the Applicable Data Protection Law. GBG or the DVLA will provide written notification to the End User where a data subject wishes to invoke this right. In such cases, the End User must act immediately to ensure enquiries on such records are not submitted following written notification from GBG or the DVLA.
4.5. The End User shall not transfer Supplier Data outside of the EEA unless the prior written approval of the DVLA has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018 (ii) the End User has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 UK GDPR or section 75 of the DPA 2018) as determined by DVLA;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the End User complies with its obligations under the Applicable Data Protection Law by providing an adequate level of protection to any personal data that is transferred (or, if it is not so bound, uses its best endeavours to assist the DVLA in meeting its obligations);
(iv) the End User complies with any reasonable instructions notified to it in advance by the DVLA with respect to the processing of personal data; and (v) the End User ensures that the transfers of personal data from the EEA to the UK comply with the EU GDPR and, where the transfer is safeguarded by the Standard Contractual Clauses as issued by the European Commission, the conditions set down in those clauses are fully met.
5. INSPECTION BY THE DVLA, SUSPENSION AND TERMINATION
5.1. In addition to the audit clauses contained within the Agreement, the DVLA reserves the right to carry out an inspection at any time of the End User’s compliance with the terms of this Agreement. Where possible, the DVLA shall give the End User 7 Days’ written notice of any such inspection.
5.2. In exceptional circumstances in relation to abuse of the Supplier Data, access to the End Users premises may be required. Other than in exceptional circumstances, such as a suspected serious breach of Supplier Data security, examinations will be by prior contact and DVLA will notify the End User in advance of any End User premises they wish to examine.
5.3. The End User agrees to co-operate fully with any such inspection and to allow the DVLA, or an agent acting on its behalf, access to its premises, equipment, Evidence and the Staff for the purposes of the inspection.
5.4. The End User will respond as required to the findings and recommendations of any DVLA inspection and will provide updates as required on the implementation of any required actions.
5.5. The DVLA may at any time check the electronic trail relating to any activity made by the End User and contact the person responsible for such activity.
5.6. The DVLA may, by written notice to the End User, forbid access to the Supplier Data, or withdraw permission for continued access to the Supplier Data, to:
(a) any member of the End User’s Staff; or
(b) any person employed or engaged by any member of the End User’s Staff; whose access to or use of the Supplier Data would, in the reasonable opinion of the DVLA, be undesirable.
5.7. The decision of the DVLA as to whether any person is to be forbidden from accessing the Supplier Data and as to whether the End User has failed to comply with this clause shall be final and conclusive.
5.8. The DVLA will be entitled to be reimbursed by the End User for all DVLA’s reasonable costs incurred in the course of the inspection. 5.9. The Supplier is entitled to suspend and/or terminate the supply of the Supplier Data in the event the End User has breached any of its obligations under the Agreement and in the event the End User is subject to an insolvency event or change of control. 5.10. After the use of the Dataset has been suspended or terminated, the End User must continue to comply with its obligations under the Agreement and under the Applicable Data Protection Law in relation to the Supplier Data which it holds, including as to the proper use of the Dataset, retention of the Supplier Data and secure destruction of the Supplier Data.
6. ACTION ON COMPLAINT
6.1. Where a complaint is received about the End User about any matter connected with the performance of its obligations under the use of this Dataset or the use of Supplier Data, the DVLA may notify GBG, and where considered appropriate by the DVLA, investigate the complaint. The DVLA may, in its sole discretion, acting reasonably, uphold the complaint and take further action against the End User.