Supplemental Agreement for licence checking customers

Supplemental Agreement for all users of Licence Check Services provided by Drivetech (UK) Limited and Intelligent Data Systems Limited (together “Drivetech”)

Background

1. Drivetech have entered into a revised agreement (“Revised Agreement”) with the Driver and Vehicle Licensing Agency on behalf of the Secretary of State for Transport (“DVLA”), pursuant to which we are required to ensure that all of our customers comply with certain provisions of the Revised Agreement when they are provided with access to the Data (as defined below). As a result, in addition to any existing agreements between Drivetech and the Customer, the terms of this Supplemental Agreement will apply to the Customer’s access to and use of the Data, with effect from 25th May 2018 (Effective Date).

Operative Provisions

1. Definitions and Interpretation
1.1 Definitions: in this Supplemental Agreement the following terms have the following meanings:
(a) “Confidential Information” means any information which has been designated as confidential by either Party in writing or that ought to be considered as confidential (however it is conveyed or on whatever media it is stored) including information the disclosure of which would, or would be likely to, prejudice the commercial interests of any person, information relating to trade secrets, Intellectual Property Rights and know-how of either Party and all “Personal Data”, “Conviction Data” and “Special Categories of Personal Data” within the meaning of Data Protection Legislation. Confidential Information shall not include information which:
(i) was public knowledge at the time of disclosure (otherwise than by breach of any term of this Supplemental Agreement);
(ii) was in the possession of the receiving Party, without restriction as to its disclosure, before receiving it from the disclosing Party;
(iii) is received from a Third Party (who lawfully acquired it) without restriction as to its disclosure;
(iv) is independently  developed  without  access  to  the  Confidential Information; 
is agreed by the Parties in writing not to be confidential. 
(b) “Contracting Authority” means any contracting authority as defined in Regulation 2 of the Public Contracts Regulations 2015 (as amended).
(c) “Conviction” means, other than for minor road traffic offences, any previous or pending  prosecutions,  convictions,  cautions  and  binding-over  orders (including any spent convictions as contemplated by section 1(1) of the Rehabilitation of Offenders Act 1974  (as amended) by virtue of the exemptions specified in Part II of Schedule 1 of the Rehabilitation of Offenders Act 1974 (Exemptions) Order 1975 (SI 1975/1023) (as amended) or any replacement or amendment to that Order, or being placed on a list kept pursuant to the safeguarding of Vulnerable Groups Act 2006 (as amended).
(d) “Crown” means the government of the United Kingdom (including the Northern Ireland Executive Committee and Northern Ireland Departments, the Scottish Executive and the National Assembly for Wales), including, but not limited to, government ministers, government departments, government and particular bodies and government agencies.
(e) “Customer” means an organisation who: (i) submits a request for Data and receives the Data requested using the Service; and (ii) is Data Controller of the Data so received.
(f) “Data” means driver data provided by DVLA to Drivetech pursuant to the Revised Agreement.
(g) “Data Controller” has the meaning given to that term (or the term ‘Controller’) in Data Protection Legislation.
(h) “Data Processor” has the meaning given to that term (or the term ‘Processor) in Data Protection Legislation.
(i) “Data Protection Declaration” means the driving licence information fair processing declaration form (D906/ADD), to be used by the Customer as Evidence that the record holder is fully aware that information from their driver record is to be obtained by the Customer from DVLA, in accordance with Schedule 2.
(j) “Data Protection Legislation” means: (i) the means the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the Law Enforcement Directive (Directive (EU) 2016/680) (“LED”) and any applicable national implementing Laws as amended from time to time; (ii) the Data Protection Act 2018 (as amended) (subject to Royal Assent) to the extent that it relates to Processing of personal data and privacy; and (iii) all applicable Law about the Processing of Personal Data and privacy;
(k) “Default” means any breach of the obligations of the relevant Party (including but not limited to fundamental breach or breach of a fundamental term) or any other default, act, omission, negligence or negligent statement of the relevant Party (or its Staff) in connection with or in relation to the subject matter of this Supplemental Agreement and in respect of which such Party is liable to the other.
(l) “Demonstrable Business Need” means the purpose for which the Data is provided to the Customer.
(m) “DVLA” means the Driver and Vehicle Licensing Agency.
(n) “Equipment” means the Customer’s equipment, plant, materials and such other items used by the Customer in the exercise of its rights and/or the performance of its obligations under this Supplemental Agreement, or otherwise used to access or store Data.
(o) “Evidence” means the Customer’s proof that the data subject has confirmed his understanding as to the purposes and limitations of the enquiry and does not object to his personal data being processed for these purposes. This is to be made via a signed Data Protection Declaration. These are described more specifically in Schedule 2 of this Supplemental Agreement.
(p) “Fraud” means any offence under Laws creating offences in respect of fraudulent acts or at common law in respect of fraudulent acts in relation to the Contract or defrauding or attempting to defraud or conspiring to defraud the Crown.
(q) “Industry Best Practice” means at any time the exercise of that degree of skill, care, diligence, prudence, efficiency, foresight, standards, practices, methods, procedures and timeliness which would be expected at such time from a leading and expert company within the industry, such company seeking to comply with its contractual obligations in full and complying with all applicable Laws.
(r) “Intellectual Property Rights” means patents, inventions, trademarks, service marks, logos, design rights (whether registrable or otherwise), know how, Confidential Information, trademarks discoveries, inventions, applications for any of the foregoing, copyright, database rights, domain names, trade or business names, moral rights and other similar rights or obligations whether registrable or not in any country (including but not limited to the United Kingdom) and the right to sue for passing off. In each case it includes these rights and interests in every part of the world for their full terms, including any renewals and extensions, and the right to receive any income from them and any compensation in respect of their infringement.
(s) “Law” means any law, statute, subordinate legislation (as amended) within the meaning of Section 21(1) of the Interpretation Act 1978 (as amended), bye- law, exercise of the royal prerogative, enforceable community right within the meaning of Section 2 of the European Communities Act 1972 (as amended), regulatory policy, guidance or industry code, judgement of a relevant court of law, or directives or requirements or any Regulatory Body with which Drivetech is bound to comply.
(t) “Malicious Software” means any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on program files, data or other information, executable code or application software macros, whether or not its operation is immediate or delayed, and whether the malicious software is introduced wilfully, negligently or without knowledge of its existence.
(u) “Material Breach” means a breach (including an anticipatory breach) which is not minimal or trivial in its consequences to the other Party. In deciding whether any breach is material no regard shall be had to whether it occurs by some accident, mishap, mistake or misunderstanding.
(v) “Permitted Purpose” means the purpose for which the Data is provided to Drivetech for the fulfilment of an authorised enquiry as described in clause 3.1 of this Supplemental Agreement.
(w) “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(x) “Premises” means the location where the Data is to be supplied to the Customer, or accessed, stored or destroyed by the Customer.
(y) “Processing” has the meaning given to that term in Data Protection Legislation (and  related  terms  such  as  ‘Process’  have  corresponding  meaning) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(z) “Relevant Conviction” means a Conviction which Drivetech or the Customer, acting reasonably and in accordance with Industry Best Practice, deems to preclude a person from being involved in any way with use of the Data.
(aa) “Removable Media” means all physical items and devices that can carry and transfer electronic information. Examples include but are not limited to DVDs, CD-ROMs, floppy disks, portable hard disk drives, USB memory sticks, flash drives, portable music and video players including mobile phones, hand held devices such as Smartphones and Personal Digital Assistants.
(bb) “Service” means the transmission of the driver Data from Drivetech to organisations that have Demonstrable Business Need.
(cc) “Special Categories of Personal Data” has the meaning given to it in the Data Protection Legislation.
(dd) “Staff” means all persons employed by the Customer to perform its obligations under this Supplemental Agreement together with the Customer’s servants, agents, suppliers and sub-contractors used in the performance of its obligations under this Supplemental Agreement. 
(ee) “Sub-Contractor(s)” means a Third Party appointed by the Customer to provide services on behalf of the Customer. The Customer will retain Data Controller responsibilities while the Sub-Contractor is a Data Processor.

1.2 In the event of any inconsistency between the terms of any existing agreements and this Supplemental Agreement, the terms of this Supplemental Agreement shall prevail SAVE where any provisions in existing agreements afford any Data greater protection than under this Supplemental Agreement.

1.3 With effect from the Effective Date, the following provisions shall apply to Your access to and use of the Data:

2. The Legal Basis for Release of Data

2.1 The basis for release of DVLA’s driving licence data to Drivetech and from Drivetech to the Customer is that it is necessary for the performance of a task carried out in the public interest or the exercise of an official authority vested in DVLA. This is in line with Data Protection Legislation. The requirements for this release are detailed in Schedule 2 of this Supplemental Agreement.

3. Customer Criteria

3.1 The Customer will provide Drivetech with a statement detailing the type of business it conducts and a description of products/services it offers to its customers that involve the use of DVLA data. Applications to the Service will only be considered for organisations that can demonstrate the Permitted Purpose for access to the Service. Organisations that cannot prove a Permitted Purpose will not be considered further. Categories of business that meet this pre-requisite include:
(a) employers of drivers;
(b) auto insurance companies (at point of claim only);
(c) car rental companies; and
(d) fleet companies.
3.2 The Customer shall use the Data only for its Permitted Purpose as stated in clause 3.1. The Customer will not sell the Data or permit it to be sold to any Third Party.
3.3 Where there is a change of or additional use of Data from that specified, the Customer is required to detail in writing to Drivetech the proposed use of the Data and to identify customer sectors to whom it will be provided and the media in which it will be made available. All requests are subject to written approval by Drivetech and DVLA.
3.4 The Customer will notify Drivetech of any changes to their business need for access to the Service.
3.5 The Customer will inform Drivetech of changes to their business processes, which may impact how the Service is used.
3.6 The Customer will only make enquiries on those drivers for which they are in receipt of a signed Data Protection Declaration, as stipulated in Schedule 2.
3.7 Consent forms or mandates such as the previously used D796 form or similar paper or electronic forms will continue to be valid for a 3 month transition period from 25 May 2018 to 25 August 2018. Consent forms or mandates such as the D796 form or similar paper or electronic forms cannot be used as Evidence to make enquiries from 26 August 2018. The D906/ADD form shall be used to make all enquiries from the 26 August 2018.
3.8 Data is supplied on the explicit basis that it should not be used for identity checking of any kind. The driver must be made fully aware of who is accessing his/her information. DVLA must approve any changes to the driver Data Protection Declaration, with proposed changes being submitted by Drivetech in all cases.
3.9 The Customer shall (and shall ensure that each member of the Customer’s Staff) comply with any notification requirements under the Data Protection Legislation and will duly observe all their obligations under Data Protection Legislation which arise in connection with this Supplemental Agreement.
3.10 The Customer must be registered with Companies House, Her Majesty’s Revenue and Customs (HMRC).

4. Purpose for which Data is provided

4.1 The Customer shall use the Data only for the Permitted Purpose for which it was provided and in accordance with its obligations under Data Protection Legislation.
4.2 Before Drivetech can make each request for Data, the Customer shall gather Evidence to demonstrate use for the Permitted Purpose.
4.3 The Customer shall hold the Data on the minimum number of databases required for the purposes of Processing the Data for the defined Permitted Purpose. This does not apply to the Data stored for backup or disaster recovery purposes.
4.4 The Customer shall not transfer Personal Data outside the EU including on or within the Customer’s backup or disaster recovery sites unless the prior written approval of Drivetech and the DVLA has been obtained and any conditions stipulated in this Supplemental Revised Agreement or otherwise by Drivetech or DVLA are fulfilled.

5. Accuracy of the Data

5.1 The Customer shall ensure before relying on any item of Data, that the Data provided matches the information in the request and that the Data pertains to the licence holder for whom they gathered a standard paper or electronic Data Protection Declaration. Any records passed to the Customer from DVLA or Drivetech that do not pertain to a Data Protection Declaration held by Drivetech or Customer must be disregarded and deleted from any systems. The Drivetech Service Manager must be contacted in this instance.

6. The Customer’s Key Staff

6.1 Those of the Customer’s Staff who have direct responsibilities for the use of the Data and for the Customer’s other obligations under this Supplemental Agreement. 
6.2 As a minimum, the list shall include details of the Customer’s registered office, as recorded by Companies’ House and:
(a) the manager who shall be responsible for the Customer’s general contractual matters and shall receive notices sent to the Customer’s registered office, and who shall be referred to in this Supplemental Agreement as the Commercial Manager; and
(b) the manager who is responsible for the management of the Data once in the hands of the Customer, to be referred to in this Supplemental Agreement as the Data Manager.

7. The Data Protection Legislation

7.1 The Parties shall comply with the requirements of Data Protection Legislation and subordinate legislation made  under it,  or any legislation which may supersede it, together with any relevant guidance and/or codes of practice issued by the Information Commissioner. All these requirements are referred to in this Supplemental Agreement as Data Protection Legislation.
7.2 For the purposes of this Clause 7, the terms “Conviction Data”, “Data Controller”, “Data Processor”, “Data Subject”, “Information Commissioner”, “Information Commissioners Office”, “Personal Data”, “Processing” and “Special Categories of Personal Data” shall have the meanings prescribed within Data Protection Legislation.
7.3 The Parties agree that the Data constitutes Personal Data which may include Conviction Data and Special Categories of Personal Data, as they relate to a living individual who can be identified directly or indirectly from the Data.
7.4 The Customer, separately from the DVLA and Drivetech, shall be the Data Controller of each item of Data received from Drivetech from the point of receipt of that Data by the Customer and shall be responsible for complying with Data Protection Legislation in relation to its further Processing of that Data.
7.5 It is the duty of Drivetech and the Customer, each as the Data Controller, to comply with the Data Protection Legislation in relation to the Data. 
7.6 The Customer shall (and shall ensure that each member of the Customer’s Staff) comply with Data Protection Legislation and will duly observe all their obligations under Data Protection Legislation which arise in connection with this Supplemental Agreement.
7.7 The Customer shall ensure that the individual rights of the Data Subject are taken into account in responding to any Data Subject Access Request.
7.8 The Customer shall ensure that Data Subjects are aware of the legal basis for the release of Data. Data Subjects have rights to restrict the Processing of their Data in accordance with Data Protection Legislation. DVLA or Drivetech will provide written notification to the Customer where a Data Subject wishes to invoke this right. In such cases, the Customer must act immediately to ensure enquiries on such records are not submitted following written notification from DVLA.
7.9 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. Drivetech may on not less than 30 working days’ notice to the Customer amend this Supplemental Agreement to ensure that it complies with any guidance issued by the Information Commissioners Office.
7.10 Data Security
(a) Both Parties shall ensure the safe transportation/transmission of the Data via API or SFTP in accordance with appropriate technical and organisational measures, the requirements of the Data Protection Legislation and Her Majesty’s Government Security Policy Framework.
(b) The Customer shall ensure the Data is processed in accordance with Data Protection Legislation guidance and codes of practise.
(c) The Customer shall comply with all the security requirements of the DVLA and Drivetech, including as a minimum those set out in Schedule 1 and any other requirements that the DVLA and/or Drivetech shall make from time to time.
(d) The Customer shall notify Drivetech immediately, within a maximum of 24 hours of becoming aware, of any Default of the security requirements of this Supplemental Agreement.
(e) The Customer shall not transfer, sell or in any way make the Data available to third parties unconnected with the original purpose of the enquiry.
7.11 Malicious Software
(a) The Customer shall, as an enduring obligation throughout the term of this Agreement, use the latest versions of anti-virus software available from an industry accepted anti-virus software vendor to check for and remove Malicious Software.
(b) Notwithstanding clause 7.11 (a), if Malicious Software is found, the Parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Data, assist each other to mitigate any losses and to restore the Service to their desired operating efficiency.
(c) Costs arising out of the actions of the Parties taken in compliance with the provisions of clause 7.11 (b) shall be borne by the Parties as follows:
(i) by the Customer or it’s Sub-contractor where the Malicious Software originates from the Customer or it’s Sub-contractor’s software, any Third Party software or the Customer’s or it’s Sub- contractor’s data;
(ii) by the DVLA if the Malicious Software originates from the DVLA’s software or the Data; or
(iii) by Drivetech if the Malicious Software originates from Drivetech ’s software or data.
7.12 The Customer shall not transfer Personal Data outside of the EU unless the prior written approval of the DVLA and Drivetech has been obtained and the following conditions are fulfilled:
(a) the Customer has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by DVLA;
(b) the Data Subject has enforceable rights and effective legal remedies; 
(c) the Customer complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the DVLA in meeting its obligations); and 
(d) the  Customer complies with any reasonable instructions notified to it in advance by the DVLA or Drivetech with respect to the Processing of Personal Data.
7.13 The Customer shall respect the confidentiality of the Data and shall not disclose it to any person or entity, except in the following circumstances:
(a) with the prior written approval of Drivetech and the DVLA provided that the Customer shall have entered into a written contract with such person or entity that requires it to abide by requirements in Schedules 1 and 2 and any terms for Sub-Contractors required by the DVLA and/or Drivetech from time to time and such other conditions as the DVLA may specify from time to time in its absolute discretion);
(b) if required to do so by Law.
7.14 Retention of Data and Evidence
(a) In accordance with Data Protection Legislation the Customer shall retain each item of Data only for as long as is necessary with reference to the Permitted Purpose for which it was shared;
(b) The Customer shall arrange for the secure destruction or deletion of each item of Data, in accordance with Data Protection Legislation, as soon as it is no longer necessary to retain it; 
(c) The Customer shall retain for a minimum period of 2 years from the date of conclusion or longer period as may be agreed between DVLA or Drivetech and the Customer (such agreement to be recorded in writing), full and accurate records of the performance of the Service, including records of all ayments made to Drivetech by the Customer in relation to this Supplemental Agreement and any other agreements between the parties relating to the Service and/or Data;
(d) The Customer shall retain for a period of 7 years (current year plus 6), from the date of signature the signed Data Protection Declaration. This includes photocopies, fax copies, scanned copies or Data Protection Declaration if used; and
(e) The Customer shall produce such records retained pursuant to this clause as DVLA or Drivetech may reasonably require. This will include, but not limited to, any mis-matched or incorrect enquiries that may have been made in pursuance of the Permitted Purpose. These will be cross- referenced to the correct record, enquiry or issue that gave arise to the incorrect enquiry. This will enable DVLA or Drivetech to establish the enquirer and reason for enquiry.
7.15 The Customer shall maintain policies for vetting, hiring, training and disciplining the Customer’s Staff and shall comply with these in respect of each person who has access to the Service. The minimum requirements for such vetting procedures are set out in Schedule 1.
7.16 The Customer’s Internal Compliance Checks
(a) The Customer shall ensure that its business processes, records of customer interactions and transactions, audit procedures on business activities and financial reporting are appropriate and effective to ensure proper use of the Data in compliance with this Supplemental Agreement and the requirements of Data Protection Legislation. The minimum requirements for such internal compliance are set out in Schedule 1;
(b) The Customer shall carry out its own internal compliance checks at least annually and shall notify Drivetech of such checks by using the Data Governance Assessment Form provided by DVLA (or Drivetech on its behalf).
7.17 Audits and Reviews
(a) The Customer shall share with Drivetech the outcome of any other checks, audits or reviews that have been carried out on its activities as a Data Controller that are relevant to the Processing of the Data; 
(b) The Customer shall notify Drivetech immediately, or within a maximum of 24 hours of becoming aware, of any audits that are being carried out by the Information Commissioner’s Office under Data Protection Legislation that are relevant to the Processing of the Data.
7.18 Incidents
(a) The Customer shall notify Drivetech immediately, within a maximum of 24 hours of becoming aware, of any losses, compromise or misuse of the Data or any Personal Data Breach and keep Drivetech informed  of  any communications  about  the  incident  with;  the individuals whose Personal Data is affected; the Information Commissioner’s Office; or the media; 
(b) Drivetech understands that as the Data Controller, the Customer shall be responsible for taking any action necessary to resolve any such incident.
7.19 Inspection by Drivetech or DVLA
(a) The DVLA and/or Drivetech reserve the right to carry out an inspection at any time of the Customer’s compliance with the terms of this Supplemental Agreement. Where possible, the DVLA or Drivetech (as appropriate) shall give the Customer 7 Days’ written notice of any such inspection; 
(b) In exceptional circumstances in relation to abuse of the Service, access to third party premises may be required. Other than in exceptional circumstances, such as a suspected serious breach of Data security, examinations will be by prior contact and DVLA or Drivetech (as appropriate) will notify the Customer in advance of any third party premises they wish to examine; 
(c) The Customer agrees to co-operate fully with any such inspection and to allow the DVLA, or Drivetech (as appropriate) or an agent acting on their behalf, access to its Premises, Equipment, Evidence and the Customer’s Staff for the purposes of the inspection; 
(d) The Customer will respond as required to the findings and recommendations of any DVLA or Drivetech inspection and will provide updates as required on the implementation of any required actions; 
(e) The DVLA or Drivetech may at any time check the electronic trail relating to any activity made by the Customer and contact the person responsible for such activity; 
(f) The DVLA or Drivetech may, by written notice to the Customer, forbid access to the Data, or withdraw permission for continued access to the Data, to: 
(i) any member of the Customer’s Staff, including any such Staff whose access to or use of the Data would, in the reasonable opinion of the DVLA or Drivetech, be undesirable; 
(ii) The decision of the DVLA or Drivetech (as appropriate) as to whether any person is to be forbidden from accessing the Data and as to whether the Customer has failed to comply with this clause shall be final and conclusive.
(g) The DVLA or Drivetech (as appropriate) will be entitled to be reimbursed by the Customer for all of the DVLA’s or Drivetech’s reasonable costs incurred in the course of the inspection.
7.20 Where a complaint is received about the Customer or the manner in which its services have been supplied or work has been performed or procedures used or about any other matter connected with the performance of the Customer’s obligations under this Supplemental Agreement or the use of Data, the DVLA or Drivetech may notify the Customer, and where considered appropriate by the DVLA or Drivetech (as appropriate), investigate the complaint. The DVLA or Drivetech (as appropriate) may, in its sole discretion, acting reasonably, uphold the complaint and take further action.

8. Prevention of Corruption

8.1 The Customer shall not offer or give, or agree to give, to the DVLA or any other public body or person employed by or on behalf of the DVLA any gift or consideration of any kind as an inducement or reward for doing, refraining from doing, or for having done or refrained from doing, any act in relation to the obtaining or execution of this Supplemental Agreement or any other contract relating to the DVLA or any other public body, or for showing or refraining from showing favour or disfavour to any person in relation to the same.
8.2 If the Customer, its Staff or anyone acting on the Customer’s behalf, engages in conduct prohibited by clause 8.1 or the Bribery Act 2010 (as amended), Drivetech or DVLA may: 
(a) terminate this Supplemental Agreement and recover from the Customer the amount of any loss suffered by Drivetech and/or DVLA resulting from the termination; or
(b) recover in full from the Customer any other loss sustained by Drivetech and DVLA in consequence of any breach of that clause.

9. Prevention of Fraud

9.1 The Customer shall take all reasonable steps, in accordance with Industry Best Practice, to prevent Fraud by the Customer’s Staff and the Customer (including its shareholder, members, and directors) in connection with the receipt of the Service.
9.2 The Customer shall notify Drivetech immediately if it has reason to suspect that any Fraud has occurred or is occurring or is likely to occur.
9.3 If the Customer or its Staff commits Fraud in relation to the Agreement, this Supplemental Agreement or any other agreement with the Customer or with or relating to the Crown (including the DVLA) Drivetech or DVLA may:
(a) terminate the Agreement and this Supplemental Agreement and recover from the Customer the amount of any loss suffered by the DVLA and/or Drivetech resulting from the termination; or
(b) recover in full from the Customer any other loss sustained by the DVLA and/or Drivetech in consequence of any breach of this clause.

10. Publicity and Media

10.1 The Customer shall notify the DVLA and Drivetech immediately if any circumstances arise which could result in publicity or media attention to the Customer which could adversely reflect on Drivetech , the DVLA or the Service.
10.2 The Customer shall not create or approve any publicity implying or stating that Drivetech or DVLA has a connection with or endorses any service provided by the Customer without the prior written approval of Drivetech and DVLA.

11. Transfer and Sub-Contracting

11.1 The Customer shall not assign, sub-contract or in any other way dispose of this Supplemental Agreement or any part of it without the prior written approval of Drivetech .
11.2 Sub-contracting any part of this Supplemental Agreement shall not relieve the Customer of any of its obligations or duties under this Supplemental Agreement. The Customer shall be responsible for the acts and omissions of its Sub-Contractors as though they are its own.

12. Termination and Suspension

12.1 Drivetech may terminate any existing agreement relating to the Service and/or Data, including this Supplemental Agreement, with immediate effect by written notice to the Customer on or at any time after the occurrence of any of the following events:
(a) The Customer commits any three or more Defaults, whether simultaneously or singly at any time during the operation of this Supplemental Agreement, irrespective of whether any or all of such breaches are minimal or trivial in nature;
(b) The Customer commits a Material Breach of any term of this Supplemental Agreement where the breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 26 weeks after being notified in writing to do so; 
(c) For the purposes of clause 12.1 (b), a Material Breach is remediable if time is not of the essence in performance of the obligation and if in the reasonable opinion of Drivetech the Material Breach is capable of remedy within the 26 week period.
12.2 Suspension of the Service
(a) If it comes to the attention of Drivetech that the Customer has committed any Default (including Material Breaches and all other Defaults), Drivetech may suspend the Service without further notice and with immediate effect and investigate the nature and effect of the breach.
(b) The DVLA or Drivetech may from time to time issue guidance on its principles on suspending the Service and terminating contracts to supply Data using the Service. The guidance may include guidance concerning: types of Defaults which the DVLA or Drivetech (as appropriate) may consider to be Material Breaches; guidance as to specific types of breach that the DVLA will consider to be remediable; how such breaches may be remedied; how long suspension may last; when following any period of suspension the Customer may resume making requests and in relation to which types of events such requests may be made; and guidance as to which types of breach the DVLA or Drivetech may consider to be irremediable.
12.3 Effect of Suspension
(a) If the DVLA or Drivetech suspends the Service at any time, the Customer shall co-operate with any further investigation, audit or review that the DVLA or Drivetech requires to be carried out in relation to the Data provided to the Customer;
(b) The DVLA or Drivetech (as appropriate) may refuse to resume the Service until the Customer provides assurances that the matter resulting in the suspension has been resolved to the satisfaction of the DVLA or Drivetech (as appropriate) and takes specified actions within a reasonable period set by the DVLA or Drivetech (as appropriate);
(c) The DVLA or Drivetech (as appropriate) may require that an inspection is carried out after the Service is resumed, to check the Customer’s compliance with this Supplemental Agreement and Data Protection Legislation;
(d) During any suspension period, neither the DVLA nor Drivetech shall provide Data to the Customer;
(e) The Customer shall reimburse the DVLA and Drivetech (as appropriate) for all costs and expenses incurred by them in relation to their right under this clause 12.3 to carry out an inspection, investigation, audit or review of the Customer.
12.4 Where Drivetech is notified in writing of any of the circumstances listed in clause 14, Drivetech (as appropriate) may suspend the Service without further notice and with immediate effect and investigate further whether any of the Customer’s directors or any liquidator, receiver, administrative receiver, administrator, or other officer is capable of ensuring that the provisions of this Supplemental Agreement and of Data Protection Legislation are complied with. If the DVLA or Drivetech (as appropriate) are not satisfied that any such person shall ensure such compliance, Drivetech may terminate any existing agreement, including this Supplemental Agreement by written notice with immediate effect. 
12.5 Drivetech may terminate any existing agreement relating to the Service and/or Data and this Supplemental Agreement by written notice with immediate effect if in the reasonable view of the DVLA or Drivetech, during any period of suspension of the Service the Customer:
(a) fails to co-operate with any investigation, audit or review; 
(b) fails to provide any assurances or take any actions within the reasonable period set by the DVLA or Drivetech under clause 12.3 (b); or 
(c) fails to provide assurances that satisfy the DVLA or Drivetech (acting reasonably) that the Customer has complied and shall continue to comply with the requirements of this Supplemental Agreement and of Data Protection Legislation.
12.6 Drivetech may terminate any existing agreement relating to the Service and/or Data, including this Supplemental Agreement by written notice with immediate effect if the Customer is found to be in breach of any aspect of the Law that could, in the reasonable opinion of the DVLA or Drivetech, bring the DVLA or Drivetech into disrepute.
12.7 Drivetech may terminate any existing agreement relating to the Service and/or Data, including this Supplemental Agreement by written notice with immediate effect if the Customer is an individual and he has died or is adjudged incapable of managing his affairs within the Mental Capacity Act 2005 (as amended).

13. Consequences of Suspension and Termination

13.1 After the Service has been suspended or any existing agreement relating to the Service and/or Data (including this Supplemental Agreement) has been terminated or both, the Customer shall continue to comply with its obligations under this Supplemental Agreement and under Data Protection Legislation in relation to the Data which it holds, including as to the proper use of the Data, retention of the Data and secure destruction of the Data.

14. Insolvency

14.1 The Customer shall notify Drivetech immediately in writing where the Customer is a company and in respect of the Customer:
(a) a proposal is made for a voluntary arrangement within Part 1 of the Insolvency Act 1986 (as amended) or of any other composition scheme or arrangement with, or assignment for the benefit of, its creditors; or
(b) a shareholders’ meeting is convened for the purpose of considering a resolution that it be wound up or a resolution for its winding-up is passed (other than as part of, and exclusively for the purpose of, a bona fide reconstruction or amalgamation); or
(c) a petition is presented for its winding up (which is not dismissed within 14 Days of its service) or an application is made for the appointment of a provisional liquidator or a creditors’ meeting is convened pursuant to section 98 of the Insolvency Act 1986 (as amended); or
(d) a receiver, administrative receiver or similar officer is appointed over the whole or any part of its business or assets; or
(e) an application order is made either for the appointment of an administrator or for an administration order, and administrator is appointed, or notice of intention to appoint an administrator is given; or
(f) it is or becomes insolvent within the meaning of section 123 of the Insolvency Act 1986 (as amended); or
(g) being a “small company” within the meaning of section 247(3) of the Companies Act 1985 (as amended); a moratorium comes into force pursuant to Schedule 1A of the Insolvency Act 1986 (as amended); or
(h) any event similar to those listed in this clause occurs under the law of any other jurisdiction.

15. Liability

15.1 Neither Party excludes or limits liability to the other Party for death or personal injury caused by its negligence, fraud, fraudulent misrepresentation or any other liability which cannot be excluded or limited by law.
15.2 Subject always to clause 15.1 and separately from the indemnity in clause 15.3, the liability of each Party to the other arising in connection with this Supplemental Agreement (whether in respect of breach of contract, tort, negligence or any other Default) shall be, limited in respect of all Defaults arising in any one year, to one million pounds (£1,000,000).
15.3 The Customer shall indemnify Drivetech to a minimum level of one million pounds (£1,000,000) for each and every event, and keep Drivetech indemnified fully for six years after the termination of this Supplemental Agreement against all claims, proceedings, actions, and any damages, costs, expenses and any other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by Drivetech that arise out of a claim relating to the performance or non-performance by the Customer under this Supplemental Agreement and any other agreement between the parties relating to the Service and/or Data. Such indemnity shall include losses in respect of any death or personal injury, loss of or damage to property, a Personal Data Breach or any other loss which is caused directly or indirectly by any act or omission of the Customer.
15.4 The Customer’s liability for direct loss or damage to Drivetech caused by the Customer’s Default shall include liability for additional operational and administrative costs and wasted expenditure and loss of profits, business revenue and goodwill that arise as a direct consequence of the Default.
15.5 Drivetech’s liability for direct loss or damage to the Customer caused by Drivetech’s Default shall include loss of profits, business revenue, and goodwill that arise as a direct consequence of the Default.
15.6 All Equipment used by the Customer to access the Service shall be used at the Customer’s own risk and Drivetech shall have no liability for any loss of or damage to any Equipment unless the Customer is able to demonstrate that such loss or damage was directly caused or contributed to by Drivetech’s Default.
15.7 Subject to clauses 15.1 and 15.2, in no event shall either Party be liable to the other for any loss of savings (whether anticipated or otherwise).
15.8 Subject to clauses 15.1 and 15.2, in no event shall either Party be liable to the other for any indirect or consequential or special loss or damages.
15.9 Drivetech shall not be responsible for any injury, loss, damage, cost or expense if and to the extent that it is caused by the negligence or wilful misconduct of the DVLA or by breach by the DVLA of its obligations under the Revised Agreement.

16. Mitigation

16.1 Each Party shall at all times take all reasonable steps to minimise and mitigate any loss for which that Party is entitled to bring a claim against the other Party under clause 15.

17. Warranties and Representations

17.1 The Customer warrants and represents that:
(a) it has full capacity and authority and all necessary approvals (including where its procedures so require, the approval of its parent company) to enter into and perform its obligations under any existing agreement relating to the Service and/or Data and this Supplemental Agreement and that such agreements are executed by a duly authorised representative of the Customer;
(b) in entering any existing agreement relating to the Service and/or Data and this Supplemental Agreement it has not committed any Fraud;
(c) no claim is being asserted and no litigation, arbitration or administrative proceeding is presently in progress or, to the best of its knowledge and belief, pending or threatened against it or any of its assets which will or might have a material adverse effect on its ability to perform its obligations under any existing agreement relating to the Service and/or Data and this Supplemental Agreement;
(d) it is not subject to any contractual obligation, compliance with which is likely to have a material adverse effect on its ability to perform its obligations under any existing agreement relating to the Service and/or Data and this Supplemental Agreement;
(e) no proceedings or other steps have been taken and not discharged (nor, to the best of its knowledge, are threatened) for the winding up of the Customer or for its dissolution or for the appointment of a receiver, administrative receiver, liquidator, manager, administrator or similar officer in relation to any of the Customer’s assets or revenue;
(f) it owns, has obtained or is able to obtain, valid licences for all Intellectual Property Rights that are necessary for the performance of its obligations under any existing agreement relating to the Service and/or Data and this Supplemental Agreement;
(g) in the three (3) years prior to the date of any existing agreement relating to the Service and/or Data and this Supplemental Agreement:
(i) it has conducted all financial accounting and reporting activities in compliance in all material respects with the generally accepted accounting principles that apply to it in any country where it files accounts; 
(ii) it has been in full compliance with all applicable securities and tax laws and regulations in the jurisdiction in which it is established; and 
(iii) it has not done or omitted to do anything which could have a material adverse effect on its assets, financial condition or position as an ongoing business concern or its ability to fulfil its obligations under any existing agreement relating to the Service and/or Data and this Supplemental Agreement.

18. Entire Agreement

18.1 This Supplemental Agreement and any existing agreement relating to the Service and/or Data constitute the entire agreement between the Parties in respect of the Service and Data. This Supplemental Agreement, together with any such existing agreement, supersede all prior negotiations and contracts between the parties and all representations and undertakings made by one part to another, whether written or oral, except that this clause shall not exclude liability in respect of any Fraud or fraudulent misrepresentation.
18.2 In the event of, and only to the extent of, any conflict between:
(a) the clauses of this Agreement and the Schedules, the clauses of this Agreement shall prevail;
(b) this Supplemental Agreement and any existing agreement relating to the Service and/or Data, this Supplemental Agreement shall prevail save where such existing agreement provides better protection of the Data and/or greater protection to Drivetech in respect of any act, default or negligence of the Customer and/or any of its Staff. 

19. Third Party Rights

19.1 A person who is not a Party to this Supplemental Agreement shall have no right to enforce any of its provisions which, expressly or by implication, confer a benefit on him, without the prior written Approval of both Parties. This clause does not affect any right or remedy of any person which exists or is available apart from the Contracts (Rights of Third Parties) Act 1999 (as amended) and does not apply to the Crown or to the DVLA.

20. Governing Law and Jurisdiction

This Agreement shall be governed by the laws of England and Wales and each party hereby submits to the exclusive jurisdiction of the courts of England and Wales in relation to any dispute or action (including any non-contractual disputes or actions) arising under it.

SCHEDULE 1

MINIMUM DATA SECURITY REQUIREMENTS

1.     Data Security Requirements
1.1.   The minimum security requirements, which are required by clause 7.10, are as follows:
a) Data, including back-up Data, must be retained in secure Premises and locked away;
b) the Data supplied may only be copied for back-up and for the purposes of Processing the Data. Copies must be erased immediately thereafter and they must not be otherwise duplicated;
c) the Customer will retain the Data only for as long as necessary with reference to the Permitted Purpose of which the Data is required.
d) the Customer, in accordance to Data Protection Legislation shall dispose of the Data where there is no business need to retain it;
e) Data, including back-up Data, must be protected from unauthorised access, release or loss;
f) a user ID and a robust password must be required to enter all databases on which the Data is stored;
g) a unique user ID and password must be allocated to each person with access to the Data or the Service;
h)   user IDs must not be shared between the Customer’s Staff;
i) an electronic trail relating to any activity involving the Data must be retained, identifying the user ID and individual involved in each activity;
j) access to the Data must be minimised so that only where necessary are individuals given the following levels of access:
i) ability to view material from single identifiable records;
ii) ability to view material from many identifiable records
iii) functional access, including: searching, amendment, deletion, printing, downloading or transferring information;
k)   the Data must not be accessed from, copied onto or stored on Removable Media. Laptops may be used but only if the device has full disk encryption installed in line with Industry Best Practice and devices are securely protected when not in use;
l) all manual and electronic enquiries must be logged centrally and stored by the Customer;
m)  enquiries must be checked by senior staff on a regular basis;
n) senior members of the Customer’s Staff must conduct reconciliation checks between incoming and outgoing enquiry volumes on a regular basis;
o) Data must be used only for the Permitted Purpose for which it was obtained;
p)   Data must only be kept for as long as necessary, as required by clause 7.14 of this Supplemental Agreement;
q) paper records must be securely destroyed so that reconstruction is unlikely;
r) electronic Data must be securely destroyed or deleted in accordance with current guidance from the Information Commissioner’s Office as soon as it is no longer needed;
s) Data received by post must be available only to appropriately trained and experienced members of the Customer’s Staff, who must abide by the requirements of the Agreement, this Supplemental Agreement and Data Protection Legislation;
t) all records containing personal information, including screen prints, reports or other Data which have been supplied or derived from the DVLA’s system in any format must be retained in a secure manner;
u)   all Premises and buildings in which the Data is stored must be secure;
v) the Customer must be registered with the Information Commissioner and the permission must cover all activities actually carried out;
w)  information must not be passed to third parties except with the prior written approval of the DVLA and Drivetech or in accordance with 7.13; and
x) transfer of the Data to third parties (where approval has been granted by DVLA and Drivetech or in accordance with clause 7.13) must be in accordance with the principles of Data Protection Legislation. Any other conditions required by the DVLA and/or Drivetech in giving permission for disclosure to third parties must be satisfied.

2. Inspection, Internal Compliance and Audit
2.1.  The Data Governance Assessment form shall be completed upon Drivetech ’s request and shall confirm whether or not the following requirements have been complied with:
a) all of the Data Security requirements in paragraph 1 of this Schedule 1;
b) all of the minimum requirements for the Data Protection Declaration detailed in Schedule 2;
c)    all of the minimum requirements for electronic Data Protection Declaration solutions (if applicable).
3.  Minimum Requirements for the Customer’s Staff Vetting and Disciplinary Procedures
3.1  The minimum requirements for the Customer’s Staff vetting procedures, which are required by clause 7.15 of this Supplemental Agreement, are as follows:
a)     the Customer shall confirm the identity of all of its new Staff;
b)     the Customer shall confirm the references and qualifications of all of its Staff;
c) the Customer shall require all persons who are to have access to the Service or to the Data to complete and sign a written declaration of any unspent criminal Convictions;
d) the Customer shall not allow any person with unspent criminal Convictions to have access to the Service or to the Data, except with the prior written approval of the DVLA and Drivetech ;
e)     the Customer shall require all persons who are to have access to the Service or to the Data sign an agreement to use the Service and the Data only for the Permitted Purpose set out in this Supplemental Agreement and in accordance with the Customer’s procedures;
g) the Customer shall require that each person who has access to the Data shall sign a document confirming that the person shall use the Data and the Service only in accordance with the Customer’s procedures and only for the Permitted Purpose;
h) the Customer shall ensure that each person who has access to the Service or the Data shall act with all due skill, care and diligence and shall possess such qualifications, skills and experience as are necessary for the proper use of the Service and the Data;
i) the Customer shall ensure that each person who is authorised to use the Service has been trained in the operation of the system and its associated procedures. The Customer shall keep documentary records of attendance on such training by each person;
j) the Customer shall ensure that each person who has access to the Data is appropriately trained in and aware of his or her duties and responsibilities under Data Protection Legislation, the Agreement and this Supplemental Agreement;
k) the Customer shall create and maintain a unique user account ID for each person who has access to the Service or Data;
l) the Customer shall maintain a procedure for authorising the creation of user accounts and for the prompt deletion of accounts that are no longer required. The Customer must ensure that the person or persons carrying out this work are appropriately trained and that their duties are separate from that of a normal user account. A normal user must not be able to manage their own account;
m) the Customer’s disciplinary policy shall state that misuse of the Service or the Data by any person shall constitute gross misconduct and may result in summary dismissal of that person. The Customer shall notify such misuse to Drivetech and the person involved shall be refused all future access to DVLA Data;
n)     system administrators must receive appropriate training;
o) the system administration role must be separated from any other role to ensure a separation of duties; and
p) the Customer shall notify DVLA and Drivetech immediately, within a maximum of 24 hours of becoming aware, of any security breaches, losses, compromise or misuse of the Data, and keep DVLA and Drivetech informed of any such communications about such incidents with: (i) the Data Subjects whose Personal Data is affected; (ii) the Information Commissioner’s Office (or relevant Supervisory Authority); and (iii) the media. 

SCHEDULE 2

1.    MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION
1.1    DVLA is required to be satisfied that any Processing (including disclosure) of Personal Data is compliant with Data Protection Legislation. The Customer may make enquiries of the record holder for its own legitimate purposes in accordance with Data Protection Legislation. The Customer must make the record holder fully aware that information from that person’s driver record is to be obtained from DVLA, the categories of Data involved, the purposes and the period and frequency in which Data will be requested. DVLA requires the Customer to Evidence this through the provision of a Data Protection Declaration signed by the record holder and containing a declaration to that effect.
1.2    The Customer must have a defined procedure in place for obtaining Evidence of the record-holder’s Data Protection Declaration and passing this on to Drivetech. 
1.3    The Customer must retain Evidence at its main office for business operations for a period of 7 years (current year plus 6) regardless of the length of time for which the Evidence was valid. Evidence must be retained in a structured manner that permits the easy recovery of specific cases. Evidence must be produced by the Customer for any enquiry logged on DVLA’s system. Evidence can be stored electronically provided it meets the requirements stated in clause 7.14 and this Schedule 2.
1.4    When it is necessary for DVLA to change the Data Protection Declaration within the three year period referred to in paragraph 1.5 below it may be a requirement for a new Data Protection Declaration to be obtained from the record holders concerned within this period (using the revised format), depending on the nature of any changes made.
1.5    The Data Protection Declaration is valid for a period of not more than 3 years from the date of signature or until the record holder ceases to drive for the Customer, whichever occurs sooner.
1.6    It is the responsibility of the record holder to inform and obtain written acknowledgement from the Customer that his details will not be processed further if that is the instruction. The rights of the Customer under Data Protection Legislation are not affected, but DVLA reserves the right to withhold the record holder’s Personal Data. 
1.7  Where a paper Data Protection Declaration is used Drivetech will accept original forms, photocopies, fax copies and electronically scanned copies on the basis that they are of good quality and the information contained thereon is clearly legible. This includes, but is not limited to:
(a) handwriting and printed wording must not be obscured or tampered with in any way, shape or form;
(b) the use of correction fluid or other tampering will render the form invalid and will require the completion of a new one;
(c) forms printed from an electronic scanning solution must meet stipulations in paragraph 1.104-1.12of this Schedule 2.
1.8  Drivetech offers a bespoke Data Protection Declaration (FP30) which it recommends the Customer uses as Evidence. Alternatively, the Customer can produce a standard DVLA (D906/ADD) Data Protection Declaration. 
1.9  For all “401” enquiries, only the standard DVLA Data Protection Declaration (D906/ADD) will be accepted.
1.10  All records containing Data obtained from the Service will be retained by the Customer in accordance with Data Protection Legislation. The Customer will retain responsibility for the storage of Data and any subsequent failure to do so may result in the withdrawal of the Service. Data Protection Declaration, screen-prints and paper copies of records obtained from the Service must be stored in a locked cupboard or similar in a lockable room with a suitable keypad or lock, which must be secured overnight. The Data Protection Declarations must be stored at the Customer’s address given as a point of contact to DVLA. Copies of records stored on electronic systems must meet the minimum level of security required. The minimum level of security must be implemented such that the controls described in this document are applied, and that electronic records can only be accessed by legitimate users who have authenticated correctly and have a Permitted Purpose to view the Data.
1.11  Any scanned images of paper Data Protection Declarations stored electronically must be encrypted and stored in a secure and auditable database provided the Customer has the facility and expertise to scan, store and destroy Data to required standards of legal admissibility.
1.12  Where the Customer utilises an electronic Data Protection Declaration solution, the Customer must ensure that all electronic Data Protection Declarations are encrypted, stored and destroyed to required standards of legal admissibility.