By proceeding you confirm that you accept these terms and conditions ("these Terms") for accessing the Website. You will be legally bound by these Terms on each occasion that you log on to the Website and we accept your username and password request for access. We may modify these Terms at any time by an on-screen message on the Website linking to this page and the modification will take effect from the date it first appears on this page.
The applicable terms may change depending on the product or subscription you have purchased. Please read this section carefully to understand what sections may apply to you.
|
Section |
Applicable to |
|
1. Glossary |
Everyone |
|
Customers of Resellers |
|
|
Everyone |
|
|
Customers with data subject to the GDPR. |
|
|
SmartLicence and SmartCompliance subscribers |
|
|
Everyone |
"You" or “your” means the person, partnership, company or organisation that we have provided with a password to access the Website.
“Confidential Information” shall mean any information about the Website, or any source code, algorithm, formula, or other mechanism that relates to any part of the Website or the services available through the Website.
“Descartes” shall mean collectively Descartes Systems UK Limited, and any affiliate and subsidiary of theirs, or any other entity contracted by them to host, support, or maintain the Website.
“Personal Data” means any personally identifiable information provided by you to us, including identity data (such as a name, address, driver’s licence number or other government issued identification number), contact information (such as phone number or email address), or driver history or performance data (such as Tachograph Data, driving certifications or qualifications, or any other driver history data obtained through the Diver Vehicle Licensing Agency).
“Reseller” or “Resellers” means corporations or organisations who have a valid contract with Descartes to resell the Services.
“Service” or “Services” shall mean the SmartAnalaysis, SmartLicence, and SmartCompliance services, in addition to any related addon, feature, or modification made to that service and offered by Descartes.
“Subscription Agreement” shall mean any agreement between you and us for the provision of the Service, or any other similar or subset service, and identified as an agreement to provide services by us.
“Terms” means these terms and conditions, including any applicable additional terms referenced within.
“Transport Operators” means persons, corporations, or entities who are customers of a Reseller.
“Users” means individuals who are provided with a username and password to access the Website and/or utilize the Services.
"Website" means the internet accessible webpages related to the Service.
If you are a customer through a reseller, these terms and conditions may apply slightly differently. The following terms and definitions are changed:
· Section 3(h) is amended by adding the following: These Terms are between you and us. Descartes is not a party to this agreement, except that they may enforce any rights they may have under the Contracts (Rights of Third Parties) Act 1999.
The following terms apply to your use of the Service, regardless of any individual modules, features, or addons which you may or may not be subscribed to.
Upon your prompt payment of all required fees for the Service, you are granted a non-exclusive, non-assignable, and non-transferable right to access the Website and use the Service for your own internal business use only, subject to these Terms. No licence is given to any of the underlying software used by Descartes or any of our licensors to provide you the Service.
The Service is primarily a subscription-based service. Access to the service is only through the Website unless specifically provided for otherwise. Only authorised Users are permitted to log into the Website and access the Services. Depending on the individual user privileges, as well as the specific modules, features, or products subscribed to, the Website may differ in appearance.
You must not allow either directly or indirectly any third party, including any Competitor, to access the Service or the Website. You agree to keep your username and password confidential at all times and not share it with any other person or individual. In the event a person under your direction requires access to the Service or Website, you will instruct them to obtain their own unique username and password.
You will make no attempt to gain access to any part of the Service or Website to which your Subscription Agreement or your password does not specifically give you the right of access.
You will review and comply with all applicable terms and conditions in your Subscription Agreement as well as in these Terms, including any feature or product specific terms and conditions as applicable.
If you do not agree to any variation to these Terms that we notify you of, you will not access or attempt to the Website after such notification.
You agree to pay all fees in the amount, manner, and timing described in your Subscription Agreement. A failure by you to pay fees when due under the Subscription Agreement may result in your access to the Website being immediately terminated.
All right, title and interest, including any copyrights, patents, trade secrets, moral rights and other Intellectual Property Rights in and to any software, documentation, processes or methodology produced or used by Descartes on the Website or in the compilation or formatting of the Information on the Website belongs to and will remain with Descartes. To the extent of any interest of you therein (including, to the extent that any services performed by Descartes may constitute a “work made for hire”), you irrevocably agree to assign and, upon its creation, automatically assign to Descartes the ownership of such Intellectual Property Rights absolutely and without the necessity of any additional consideration. You agree to do and perform such other acts and things and to execute and file such other agreements, documents, certificates or instruments as may be considered necessary or advisable by Descartes in order to carry out the intent of this provision and should you be unable or unwilling to do so, you irrevocably appoint Descartes and their duly authorised representatives as your agent and attorney to do all such acts and things and to execute and file all such aforementioned documents.
We warrant that we will use all reasonable skill and care in providing the Service, producing the Website, and processing the Information. We make no other representations or warranties, express or implied, regarding the Website and the Information. The warranties given in these Terms are in place of all warranties, conditions or other terms implied by statute or otherwise that relate to quality, fitness for purpose or compliance with description, all of which are excluded to the fullest extent permitted by law.
Nothing in these Terms shall restrict or exclude any liability on our part for death or personal injury resulting from our negligence or for fraud or fraudulent misrepresentation. In no event shall we be liable to you for any indirect, special or consequential losses or damages (including third party claims, loss of profits, revenue or goodwill) suffered by you or any third party howsoever caused (including any loss or damage suffered by you as a result of an action brought by a third party) arising in relation to the Website (including any errors, inaccuracies or omissions in the Information or any faults, interruptions or delays in connection with the Website) or any transaction made in reliance on the Information.
In addition to any other limitations on liability that you may have agreed to with us, you agree that to the extent permitted by applicable law, under no circumstances will we or our licensors, including but not limited to Descartes, or any officers, directors, employees, or shareholders of us or our licensors:
a. be liable to any other person, firm, corporation, or entity for special, incidental, exemplary, punitive, multiple, consequential or indirect damages, including without limitation any loss of goodwill, business profits, revenue, data, computer damage or use of computing equipment, lost opportunity, or replacement costs, regardless of if the damages are alleged in tort, contract, or any other legal or equitable theory, even if we have been advised of the possibility of such damage;
b. be liable for your actual direct damages in the amount that exceeds the total fees paid to us by you under the Subscription Agreement in the twelve (12) month period immediately preceding the date of the claim;
c. be liable for any action, regardless of form (including negligence), arising out of any claimed breach or in any way related to the Subscription Agreement if more than one (1) year has passed after the cause of action has first arisen.
Notwithstanding the foregoing, nothing contained in these Terms shall limit our liability for damages to you for death or personal injury resulting solely from our wilful actions or our gross negligence.
In addition to any other indemnification obligations that you may have with Descartes, you agree to indemnify Descartes and its licensors for any loss, damage, or expense experienced by Descartes and its licensors arising out of your use or misuse of the Service or the Website or arising from the misuse of your username or password you were provided.
In addition to any other obligations of confidentiality that you may have with Descartes, you agree not to disclose, reproduce, use, or transfer, directly or indirectly, any Confidential Information in any form, by any means, or for any purpose. You agree to protect the Confidential Information with the same degree of protection and care used by you to protect your own Confidential Information, but in no event no less than reasonable protection in light of general industry practices.
Descartes may terminate your access to the Website immediately without notice if you are in breach of any of these Terms.
You may not transfer or assign any right you have in relation to the Website, the Information, or these Terms to any third party.
These Terms will be governed by English law and both parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
The mere lapse of time without giving notice or taking other action shall not be deemed to be a waiver of any breach of these Terms. Any failure to enforce any part of these Terms shall not be deemed a waiver of future enforcement of that or any other part.
This Data Processing Attachment (“DPA”) applies to Descartes’ Processing of Personal Information in Descartes’ capacity as a Processor for the Customer under the Agreement and this version of the DPA is incorporated into and subject to the terms of the Agreement. Where Descartes is deemed to be a Controller, Descartes will comply with its own privacy policy in the handling of any applicable Personal Information. All capitalized terms used in this DPA shall have the meaning set out in the Agreement unless otherwise defined in this DPA. Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and any other attachments thereto and the terms of this DPA, the relevant terms of this DPA shall take precedence.
“Controller” and “Processor” have the meaning set out in the Data Protection Regulations.
“Data Subject” means an identified or identifiable living natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Descartes’ Affiliates” means the Affiliates of Descartes that may assist in the performance of the Services.
“Data Protection Regulations” means the General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 and applicable laws by EU member states which either supplement or are necessary to implement the GDPR.
“Model Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.
“Personal Information” means any information that relates to a Data Subject that Customer or its Administrative User or Permitted Users provide to Descartes to Process under the Agreement.
“Process” or “Processing” means any operation or set of operations, whether or not by automated means, which is performed upon Personal Information that is stored on computers, servers, or mobile devices owned or maintained by Descartes, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination of otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the Descartes entity listed in the Agreement.
“Processor List” means the list of Descartes’ Affiliates and/or Third Party Processors who may assist Descartes with some or all of the Processing of Personal Information of the Customer.
“Third Party Processor” means a third party subcontractor, other than a Descartes’ Affiliate, engaged by Descartes, which, as a part of the subcontractor’s role in providing services under the Agreement, will Process Personal Information of the Customer.
Customer shall remain the Controller of the Personal Information for the purposes of the Agreement, including this DPA. Customer is responsible for compliance with its obligations as a Controller under the Data Protection Regulations and, in particular, for the basis of any transmission of Personal Information to Descartes (including providing any required notices and obtaining any required consents and authorizations), and for its decisions and actions concerning the Processing and use of Personal Information. Customer will not provide Descartes with access to any special categories of Personal Information, as defined under the Data Protection Regulations, or any health, payment card, or similar information that imposes specific data security obligations for the processing of such Personal Information unless permitted in the Agreement.
Descartes is a Processor of the Personal Information for the purposes of the Agreement. Descartes will Process Personal Information as necessary for the purposes of the Agreement in accordance with this DPA and will not disclose Personal Information to third parties other than to Descartes’ Affiliates or Third Party Processors for the aforementioned purposes or as required by law.
Customer authorizes and requests that Descartes Process the necessary types of Personal Information required to fulfil the Agreement, which may include but is not limited to:
a) personal contact information of Customer’s employees, trading partners or contractors (such as name, home address, home telephone number, mobile number or email address, etc.);
b) transactional data (such as details of goods and services purchased, value of purchase, VAT registration number, delivery addresses, or names and contact information of shippers, receivers, or other individuals involved in the transportation or movement of the goods); and
c) where required, identification data (such as government ID numbers if required by a government when information is submitted to or received from that government).
Customer authorizes Descartes to Process Personal Information for the following purposes only:
a) providing the requested Descartes product or service under the Agreement;
b) communicating about the Descartes product or service including confirming the provision of all or part of the product or service;
c) handling or preparing for disputes or litigation;
d) complying with Customer’s written instructions in accordance with Section 5;
e) to comply with Descartes’ legal or regulatory obligations; and
f) for no other reason unless provided for under the Data Protection Regulations.
To the extent Descartes receives additional instructions for the Processing of Personal Information, Descartes will comply with such instructions to the extent necessary for: (i) Descartes to comply with its Processor obligations under the Data Protection Regulations; and (ii) to assist Customer in complying with its Controller obligations under the Data Protection Regulations in relation to the Agreement. Without prejudice to Descartes’ obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Descartes to comply with Customer’s instructions with regard to the Processing of Personal Information that require the use of resources different from, or in addition to, those required for the provision of the product or services under the Agreement.
Customer will ensure that its instructions to Descartes for the Processing of Personal Information will, at all times, be lawful and in compliance with the Data Protection Regulations. Descartes will notify Customer if it reasonably believes any instruction or request from the Customer will require Descartes to take any action that Descartes reasonably believes will not be in compliance with the GDPR. Descartes shall have no other obligation to act beyond sending such notice to the Customer and is not responsible for performing legal research or providing legal advice.
Descartes will use reasonable efforts to accommodate Customer’s detailed written instructions to access, delete, release, correct or block access to Personal Information provided that at no time shall Descartes have any obligation to alter any records that are maintained as system of record of past transactions, to make any change to any records maintained in a system that are inconsistent with the purpose for which the Personal Information was originally provided to Descartes for Processing, or to alter any record that Descartes is required to keep by any law or for any regulatory purposes. If Customer requires Descartes to develop or implement any additional or specific means or methods related to the access, deletion, release, correction, or blocking of access to Personal Information on behalf of Customer, Customer and Descartes will mutually agree on the scope of the work that Descartes may be willing to undertake and the reasonable fees for such work.
Descartes will pass on to the Customer any requests of an individual Data Subject to access, delete, release, correct or block Personal Information Processed under the Agreement. Descartes will not be responsible for responding directly to the Data Subject’s request, unless otherwise required by law. Descartes shall provide the Customer with assistance in responding to such requests in accordance with Section 5.
Any transfers of Personal Information of Data Subjects received by Descartes from Customer in the EU to Descartes, Descartes’ Affiliates or Third Party Processors which are outside of the EU are subject to the terms of the Model Clauses and the terms of this DPA shall be read in conjunction with the Model Clauses; provided, however, that the Model Clauses shall not apply where the transfers of Personal Information are to any country or territory which is, at the time, subject to a current finding of adequacy by the European Commission as set out at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm (as amended from time to time).
Some or all of Descartes obligations under the Agreement may be performed by Descartes’ Affiliates and/or Third Party Subprocessors. Descartes maintains a Processor List, which lists all Descartes’ Affiliates and Third Party Subprocessors that may Process Personal Information on behalf of Descartes. Descartes will provide a copy of the Processor List to Customer upon request.
The Descartes’ Affiliates and Third Party Subprocessors are required to abide by substantially the same obligations as Descartes under this DPA as applicable to the Processing of the Customer’s Personal Information and, in any event, in a manner that is compliant with the Data Protection Regulations.
Descartes remains responsible at all times for compliance with the terms of this DPA by Descartes’ Affiliates and Third Party Subprocessors. Customer consents to Descartes use of Descartes’ Affiliates and Third Party Subprocessors in the performance of the Services in accordance with this DPA.
If additional Descartes’ Affiliates or Third Party Subprocessors are required to process Customer’s Personal Information in connection with Descartes’ performance under an Agreement, Customer will be notified in advance of changes to the Processor List. The Customer may refuse to consent to the involvement of a Descartes’ Affiliate or a Third Party Subprocessor under this DPA by sending written notice to Descartes of their refusal within ten (10) business days of receipt of notice and providing reasonable and justified, objective grounds relating to such Descartes’ Affiliate or Third Party Processor’s ability to adequately protect Personal Information in accordance with this DPA. In the event that the Customer’s objection is justified, Descartes and Customer will work together in good faith to find a mutually acceptable resolution to address Customer’s objection(s). If Descartes and Customer are unable to reach a mutually acceptable solution within a reasonable timeframe, Customer may immediately terminate the Agreement without obligation, if any is provided under the Agreement, for the payment of any further Fees that otherwise may be due as result of early termination of the Agreement.
Descartes shall implement appropriate physical, administrative, organisational, technical, and personal security measures based on the type and nature of the Personal Information being processed and the level of risk associated with it. Descartes shall retain all Personal Information, including Personal Information that is contained on back-up media, in a logically secure environment that protects it from unauthorised access, modification, theft, misuse and destruction. Descartes shall ensure that platforms hosting the Personal Information are configured to conform to industry standard security requirements and that hardened platforms are monitored for unauthorised change. Descartes’ security policy shall not allow electronic files containing Personal Information to be stored on personal desktops, laptops, or removable data storage devices, unless the device is password protected and the Personal Information is encrypted using industry standard encryption technology. Descartes shall ensure that all employees with access to Personal Information are subject to a duty of confidence and/or written confidentiality agreement.
For the purposes of this section, “Security Breach” means the misappropriation or unauthorised Processing of Personal Information located on Descartes’ systems, including by a Descartes employee, that compromises the security, confidentiality or integrity of such Personal Information. Unless prohibited by applicable law, upon becoming aware of the Security Breach, Descartes will: (i) within forty eight (48) hours, or sooner as required by applicable law, provide to Customer a notification of the occurrence of the Security Breach; (ii) within five (5) business days, provide to Customer a summary report of the Security Breach containing details of the Security Breach, its impact on the services under the Agreement and the Personal Information and the initial steps taken by Descartes to address the Security Breach; and (iii) within fifteen (15) business days, provide to Customer a detailed incident report analysing the Security Breach and a rectification plan which sets out what steps, if any are appropriate, will be taken to stop and further prevent the Security Breach occurring in the future.
In investigating any Security Breach, Descartes will work to provide to Customer a root cause analysis in order to prevent a recurrence. In addition, unless prohibited by applicable law, Descartes will provide Customer with a summary of the Security Breach and share information about the Security Breach as it becomes available.
In the event of a Security Breach, the parties agree to coordinate in good faith on developing the content of any related public statements or required notices for the affected Data Subjects and/or notices to the relevant data protection authorities.
During the Term of the Agreement, on an annual basis, Descartes will conduct, at no charge to Customer, an SSAE SOC 1, Type II audit of controls relating to the network operations of Descartes through which Personal Information is processed by Descartes under an Agreement, which audit will be performed by an independent certified public accounting firm (or similarly qualified person). If a deficiency is identified as result of such audit, Descartes will remediate, as Descartes deems reasonable given the circumstances, within an agreed to and reasonable timeframe. All costs of remediation will be the responsibility of Descartes.
In the event Customer wishes to audit Descartes’ compliance with this DPA, an independent third party auditor mutually agreed to by the parties (the “Auditor”) may, on behalf of Customer and at the expense of Customer, audit Descartes’ compliance with the terms of this DPA up to once per year. The Auditor may perform more frequent audits of the data centre facility that Processes Personal Information to the extent required by laws applicable to Customer. The Auditor must execute a written confidentiality agreement acceptable to Descartes before conducting the audit.
To request an audit, Customer must submit a detailed audit plan to Descartes at least four weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Descartes will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Descartes’ security, privacy, employment or other relevant policies). Descartes will work cooperatively with Customer to agree on a final audit plan. If the requested audit scope is addressed in a SSAE SOC 1, Type II report prepared for Descartes by a qualified third party auditor or another equivalent report within the prior twelve (12) months and Descartes confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
The audit must be conducted during regular business hours at the applicable facility, subject to Descartes’ policies, and may not unreasonably interfere with Descartes’ business activities.
Customer will provide Descartes any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer agrees that Descartes may, at their discretion, release the audit report to a third party provided Customer is given a reasonable opportunity to redact any personal, confidential, or proprietary information that may be contained in the audit report. Customer may use the audit reports only for the purpose of confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.
Any audits are at the Customer's expense. Any request for Descartes to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision services under the Agreement. Descartes will seek the Customer's written approval and agreement to pay any related fees before performing such audit assistance.
Except as otherwise required by law, Descartes will promptly notify Customer of any requirement of a governmental agency or by operation of law (a “Demand”) that it receives and which relates to the Processing of Personal Information. At Customer’s request, Descartes will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the Demand in a timely manner. Customer acknowledges that Descartes has no responsibility to interact directly with the entity making the Demand.
If requested by Customer, Descartes will, within a commercially reasonable period of time, destroy or render unreadable all Personal Information received by Descartes from Customer using appropriate methods of data destruction based on current industry standards, except where the Data Protection Regulations or local law provide for that Personal Information to be preserved or maintained. Written confirmation that the Personal Information was destroyed or rendered unreadable can be provided upon request.
Definitions. For the purposes of this section of the Terms only, all capitalized terms used in this section of the Terms shall have the meaning set out below.
(i) “Authorised Enquiry” means a Driver’s Licence Check of a Driver.
(ii) “Contract” means this written agreement between the Intermediary and Customer consisting of these clauses and any attached Schedules and Annexes.
(iii) “Conviction” means, other than for minor road traffic offences, any previous or pending prosecutions, convictions, cautions and binding-over orders (including any spent convictions as contemplated by section 1(1) of the Rehabilitation of Offenders Act 1974 (as amended) by virtue of the exemptions specified in Part II of Schedule 1 of the Rehabilitation of Offenders Act 1974 (Exemptions) Order 1975 (SI 1975/1023) (as amended) or any replacement or amendment to that Order, or being placed on a list kept pursuant to the safeguarding of Vulnerable Groups Act 2006 (as amended).
(iv) “Customer” means the entity that has subscribed to SmartLicence.
(v) “Data Protection Declaration” means the driving licence information fair processing declaration form (D906/ADD), to be used by the Descartes as Evidence that the record holder is fully aware that information from their driver record is to be obtained by Customer through Descartes from DVLA.
(vi) “Data Protection Legislation” means: (i) the Data Protection Regulations as defined in the DPA, the Law Enforcement Directive (Directive (EU) 2016/680; (ii) the Data Protection Act 2018 [subject to Royal Assent] to the extent that it relates to the Processing of personal data and privacy; (iii) all applicable Law about the Processing of Personal Data and privacy.
(vii) “Data Subject” has the meaning given to that term in Data Protection Legislation, means an identified or identifiable natural person through Personal Data.
(viii) “Default” means any breach of the obligations of the relevant Party (including but not limited to fundamental breach or breach of a fundamental term) or any other default, act, omission, negligence or negligent statement of the relevant Party or the Staff in connection with or in relation to the subject matter of the Contract and in respect of which such Party is liable to the other.
(ix) “Equipment” means Customer’s equipment, plant, materials and such other items used by Customer in the performance of its obligations under the Contract, or otherwise used to access or store Data.
(x) “Evidence” means the Customer’s proof that the Data Subject has confirmed his understanding as to the purposes and limitations of the enquiry and does not object to his personal data being processed for these purposes. This is to be made via a signed Data Protection Declaration.
(xi) “Fraud” means any offence under Laws creating offences in respect of fraudulent acts or at common law in respect of fraudulent acts in relation to the Contract or defrauding or attempting to defraud or conspiring to defraud the Crown.
(xii) “Industry Best Practice” means at any time the exercise of that degree of skill, care, diligence, prudence, efficiency, foresight, standards, practices, methods, procedures and timeliness which would be expected at such time from a leading and expert company within the industry, such company seeking to comply with its contractual obligations in full and complying with all applicable Laws.
(xiii) “Intermediary” means Descartes
(xiv) “Law” means any law, statute, subordinate legislation (as amended) within the meaning of Section 21(1) of the Interpretation Act 1978 (as amended), bye-law, exercise of the royal prerogative, enforceable community right within the meaning of Section 2 of the European Communities Act 1972 (as amended), regulatory policy, guidance or industry code, judgement of a relevant court of law, or directives or requirements or any Regulatory Body which the Customer is bound to comply.
(xv) “Party and Parties” means a party to the Contract.
(xvi) “Permitted Purpose” means the purpose for which the Data is provided to you for the fulfilment of an Authorised Enquiry.
(xvii) “Premises” means the location where the Data is to be supplied to the Customer, or accessed, stored or destroyed by the Customer.
(xviii) “Processing” has the meaning given to that term in Data Protection Legislation (and related terms such as ‘Process’ have corresponding meaning) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(xix) “Relevant Conviction” means a Conviction which the Customer, acting reasonably and in accordance with Industry Best Practice, deems to preclude a person from being involved in any way with use of the Data.
(xx) “Staff” means all persons employed by the Customer to perform its obligations under the Contract together with the Party’s servants, agents, suppliers and sub-contractors used in the performance of its obligations under the Contract.
(xxi) “Sub-Contracting” means the Customer appointing a Third Party to provide services on behalf of the Customer providing an appropriate Sub-Contracting agreement is in place. The Customer will retain Data Controller responsibilities while the Sub-Contractor is a Data Processor. The Customer shall be responsible for the acts and omissions of its Sub-Contractors as though they are its own.
(xxii) “Sub-Contractor(s)” means a Third Party appointed by the Customer to provide services on behalf of the Customer. The Customer will retain Data Controller responsibilities while the Sub-Contractor is a Data Processor.
(xxiii) “Third Party Customer” means Customer.
Part B – The Provision of Data Under The Contract
B1. The Legal Basis For the Release of Data.
B1.1. The basis for release of DVLA’s driving licence data to the Customer is that it is necessary for the performance of a task carried out in the public interest or the exercise of an official authority vested in DVLA. This is in line with Data Protection Legislation. The requirements for this Approval are detailed in SCHEDULE 3 (MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION).
B2. Customer Criteria
B2.1. The Customer will provide Intermediary with a statement detailing the type of business it conducts and a description of products/services it offers to its customers that involve the use of DVLA data. Applications to the ADD service will only be considered for organisations that can demonstrate the Permitted Purpose for access to the ADD Service. Organisations that cannot prove a Permitted Purpose will not be considered further. Categories of business that meet this pre-requisite include:
o Employers of drivers;
o Auto insurance companies (at point of claim only);
o Car rental companies; and
o Fleet companies.
B2.2. The Customer shall use the Data only for its Permitted Purpose as stated in clause B2.1. The Customer will not sell the Data or permit it to be sold to any Third Party.
B2.3. The Customer shall provide Intermediary with estimated usage of the service, to include volume and frequency information. The Customer shall inform Intermediary of any factors that could cause a significant increase or decrease in usage.
B2.4. Where there is a change of or additional use of Data from that specified, the Customer is required to detail in writing to the Intermediary the proposed use of the Data and to identify customer sectors to whom it will be provided and the media in which it will be made available. All requests are subject to written Approval by Intermediary.
B2.5. The Customer will notify Intermediary of any changes to their business need for access to the ADD Service.
B2.6. The Customer will inform Intermediary of changes to their business processes, which may impact how the ADD Service is used.
B2.7. The Customer will only make enquiries on those drivers for which they are in receipt of a signed Data Protection Declaration, as stipulated in SCHEDULE 3 (MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION).
B2.8. Consent forms or mandates such as the previously used D796 form or similar paper or electronic forms will continue to be valid for a 3 month transition period from 25 May 2018 to 25 August 2018. Consent forms or mandates such as the D796 form or similar paper or electronic forms cannot be used as Evidence to make enquiries from 26 August 2018. The D906/ADD form shall be used to make all enquiries from the 26 August 2018.
B2.9. Staff must not use the ADD service in order to view their own DVLA driver record. There must be separation of duty between the Data Subject and the Data obtained via the ADD service.
B2.10. Data is supplied on the explicit basis that it should not be used for identity checking of any kind. If agreement is obtained from DVLA to provide Data to a Third Party, it is essential that this Data is only used to check entitlement to drive. The driver must be made fully aware of who is accessing his/her information. DVLA must approve any changes to the driver Data Protection Declaration.
B2.11. The Customer shall (and shall ensure that each member of the Customer’s Staff) comply with any notification requirements under the Data Protection Legislation and will duly observe all their obligations under Data Protection Legislation which arise in connection with the Contract.
B2.12. The Customer must be registered with Companies House, Her Majesty’s Revenue and Customs (HMRC) and The Charities Commission, where applicable.
B3. Purpose For Which Data Is Provided
B3.1. The Customer shall use the Data only for the Permitted Purpose for which it was provided and in accordance with its obligations under Data Protection Legislation.
B3.2. Before making each request for Data, the Customer shall gather Evidence to demonstrate the Permitted Purpose to request the Data.
B3.3. The Customer shall hold the Data on the minimum amount of databases required for the purposes of Processing the Data for the defined Permitted Purpose. This does not apply to the Data stored for backup or disaster recovery purposes.
B3.4. The requirements of clause D4 (Transfer of the Data outside the UK) apply to the Customer’s backup or disaster recovery sites.
B7. Accuracy of Data
B7.1. The DVLA shall take all reasonable steps to ensure that the Data is accurate and up to date before it is transmitted to the Customer, however, DVLA cannot warrant the accuracy of the Data provided. DVLA does not accept any liability for any inaccurate information supplied to it by the licence holder or any other source beyond its control.
B7.2. The Customer shall ensure before relying on any item of Data that the Data provided matches the information in the request and that the Data pertains to the licence holder for whom they possess a standard electronic Data Protection Declaration. Any records passed to the Customer from DVLA that do not pertain to a Data Protection Declaration held by the Customer must be disregarded, and deleted from any systems. The DVLA Service Manager must be contacted in this instance.
Part C – Management Of The Contract
C1. The Customer’s Key Staff
C1.1. The Customer shall complete the list at ANNEX A (CUSTOMERS KEY STAFF) of the individuals who have direct responsibilities for the use of the Data and for the Customer’s other obligations under this Contract. The Customer will provide the individuals names, business addresses and other contact details, specifying the capacities in which they are concerned with the Data.
C1.2. Calls to the ADD Service Support Line from any members of staff that are not listed on the proforma will not be handled by the ADD Service Support Line.
C1.3. As a minimum, the list shall include details of the Customer’s registered office, as recorded by Companies’ House and: (a) the manager who shall be responsible for the Customer’s general contractual matters and shall receive Notices under clause A6 (Notices) sent to the Customer’s registered office, and who shall be referred to in this Agreement as the Commercial Manager; and the manager who is responsible for the management of the Data once in the hands of the Customer, to be referred to in this Contract as the Data Manager; and (b) the Customer shall inform Descartes immediately of any changes in personnel listed in ANNEX A (CUSTOMERS KEY STAFF) or their business contact details.
C1.4. The Customer shall inform the Intermediary immediately of any changes in personnel listed in ANNEX A (CUSTOMERS KEY STAFF) or their business contact details.
C3. Reviews And Meetings
C3.1. The Customer shall upon receipt of reasonable notice and during normal office hours attend all meetings arranged by Descartes for the discussion of matters connected with the performance of the Subscription Agreement.
C3.2. Without prejudice to any other requirement in this Subscription Agreement the Customer shall provide such reports on the performance of the Subscription Agreement or any other information relating to the Customer’s requests for and use of the Data as Descartes may reasonably require.
C3.3. Intermediary reserves the right to review the Subscription Agreement at any time. Where required, Intermediary and the Customer shall meet in person or via video or telephone conference to review:
(a) the ongoing need for the ADD Service as defined and any consequential variation to the terms of the Contract;
(b) the Permitted Purpose for which the Data is provided;
(c) the performance of the ADD Service;
(d) the volume of Data which the DVLA is providing to the Customer;
(e) the security arrangements governing the Customer’s safe receipt of the Data and the Customer’s further use of the Data;
(f) the arrangements that the Customer has in place relating to the retention and secure destruction of the Data;
(g) any audits that have been carried out that have relevance to the way that the Customer is Processing the Data;
(h) any security incidents that have occurred with the Data;
(i) the continued registration of the Customer’s company under the same registered number;
(j) the training and experience of the Customer’s Staff in their duties and responsibilities under Data Protection Legislation.
Part D – Data Protection
D1. Data Protection Legislation
D1.1. The Parties shall comply with the requirements of Data Protection Legislation and subordinate legislation made under it, or any legislation which may supersede it, together with any relevant guidance and/or codes of practice issued by the Information Commissioner. All these requirements are referred to in this Contract as Data Protection Legislation.
D1.2. For the purposes of Part D, the terms “Conviction Data”, “Data Controller”, “Data Processor”, “Data Subject”, “Information Commissioner”, “Information Commissioners Office”, “Personal Data”, “Processing” and “Special Categories of Personal Data” shall have the meanings prescribed within Data Protection Legislation.
D1.3. The Parties agree that the Data constitutes Personal Data which may include Conviction Data and Special Categories of Personal Data, as they relate to a living individual who can be identified directly or indirectly from the Data.
D1.4. It is the duty of the Data Controller to comply with the Data protection principles. The Customer, separately from the Intermediary and DVLA, shall be the Data Controller of each item of Data received from the DVLA through the Intermediary from the point of receipt of that Data by the Customer or its Sub-contractor and shall be responsible for complying with Data Protection Legislation in relation to its further Processing of that Data.
D1.5. The Customer shall (and shall ensure that each member of the Customer’s Staff) comply with Data Protection Legislation and will duly observe all their obligations under Data Protection Legislation which arise in connection with the Contract.
D1.6. The DVLA is satisfied that providing the Data to the Customer for the Permitted Purpose is compliant with the principles of Data Protection Legislation.
D1.7. The Customer shall ensure that the individual rights of the Data Subject are taken into account in responding to any Data Subject Access Request.
D1.9. The Customer shall ensure that Data Subjects are aware of the legal basis for the release of Data. Data Subjects have rights to restrict the Processing of their Data in accordance with Data Protection Legislation. DVLA through the Intermediary will provide written notification to the Customer where a Data Subject wishes to invoke this right. In such cases, the Customer must act immediately to ensure enquiries on such records are not submitted following written notification from DVLA through the Intermediary.
D1.10. The Customers agree to take account of any guidance issued by the Information Commissioner’s Office. Intermediary may on not less than 30 working days’ notice to the Customer amend this agreement to ensure that it complies with any guidance issued by the Information Commissioners Office.
D2. Data Security
D2.1. Both Parties shall ensure the safe transportation/transmission of the Data to the Business to Business Gateway in accordance with appropriate technical and organisational measures, the requirements of the Data Protection Legislation and Her Majesty’s Government Security Policy Framework.
D2.2. The Customer shall ensure the Data is processed in accordance with Data Protection Legislation guidance and codes of practise.
D2.3. The Customer shall comply with all the security requirements of the DVLA, including as a minimum those set out in SCHEDULE 2 (MINIMUM DATA SECURITY REQUIREMENTS) and any other requirements that the DVLA through the Intermediary shall make from time to time.
D2.4. The Customer shall notify the Intermediary immediately, within a maximum of 24 hours of becoming aware, of any Default of the security requirements of this Contract.
D2.5. The Customer shall not transfer, sell or in any way make the Data available to third parties unconnected with the original purpose of the enquiry.
D3. Malicious Software
D3.1. The Customer shall, as an enduring obligation throughout the term of the Subscription Agreement, use the latest versions of anti-virus software available from an industry accepted anti-virus software vendor to check for and remove Malicious Software from the ICT Environment.
D3.2. Notwithstanding clause D3.1, if Malicious Software is found, the Parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Data, assist each other to mitigate any losses and to restore the ADD Service to their desired operating efficiency.
D3.3. Cost arising out of the actions of the Parties taken in compliance with the provisions of clause D3.2 shall be borne by the Parties as follows:
a) by the Customer or it’s Sub-contractor where the Malicious Software originates from the Customer’s or it’s Sub-contractor’s software, any Third Party software or the Customer’s or it’s Subcontractor’s Data;
b) by the DVLA if the Malicious Software originates from the DVLA’s software or the Data.
D4. Transfer of the Data outside the UK
D4.1. The Customer shall not transfer Personal Data outside of the EU unless the prior written Approval of the DVLA through the Intermediary has been obtained and the following conditions are fulfilled:
(i) the DVLA or the Customer has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by DVLA;
(ii) the Data Subject has enforceable rights and effective legal remedies.
(iii) the Customer complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the DVLA or Intermediary in meeting its obligations); and
(iv) the Customer complies with any reasonable instructions notified to it in advance by the DVLA through the Intermediary with respect to the Processing of Personal Data.
D5. Restrictions on Disclosure of the Data
D5.1. The Customer shall respect the confidentiality of the Data and shall not disclose it to any person, except in the following circumstances:
D5.1.1. to a Sub-contractor who acts as the Customer’s Data Processor, with whom the Customer shall have entered into a written contract that requires the Data Processor to abide by requirements in SCHEDULE 2 (MINIMUM DATA SECURITY REQUIREMENTS), SCHEDULE 3 (MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION, and the terms for Sub-contractors set out SCHEDULE 5 (REQUIRED TERMS FOR CONTRACTS WITH SUB-CONTRACTORS); or
D5.1.2. Not applicable; or
D5.1.3. With the prior written Approval of the Intermediary (which may be given or refused at the absolute discretion of the Intermediary):
a) provided that the Customer shall have entered into a written contract which requires the sub-contractor to abide by the requirements in SCHEDULE 2 (MINIMUM DATA SECURITY REQUIREMENTS), SCHEDULE 3 (MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION), and the terms for subcontractors set out in SCHEDULE 5 (REQUIRED TERMS FOR CONTRACTS WITH SUBCONTRACTORS); and
b) in accordance with any other conditions attached to the giving of that Approval; or
D5.1.4. If required to do so by Law.
D6. Retention of Data and Evidence
D6.1. In accordance with Data Protection Legislation the Customer shall retain each item of Data only for as long as is necessary with reference to the Permitted Purpose for which it was shared.
D6.2. The Customer shall arrange for the secure destruction or deletion of each item of Data, in accordance with Data Protection Legislation, as soon as it is no longer necessary to retain it.
D6.3. The Customer shall retain for a minimum period of 2 years from the date of conclusion or longer period as may be agreed between Intermediary and the Customer (such agreement to be recorded in writing), full and accurate records of the performance of the ADD Service, including records of all payments made to Intermediary by the Customer in relation to the Subscription Agreement.
D6.4. The Customer shall retain for a period of 7 years (current year plus 6), from the date of signature the signed Data Protection Declaration. This includes photocopies, fax copies, scanned copies or Data Protection Declaration if used.
D6.5. The Customer shall produce such records retained pursuant to clause D6 as DVLA may reasonably require. This will include, but not limited to, any mis-matched or incorrect enquiries that may have been made in pursuance of the Permitted Purpose. These will be cross-referenced to the correct record, enquiry or issue that gave arise to the incorrect enquiry. This will enable DVLA to establish the enquirer and reason for enquiry.
D7. The Customer’s Vetting and Disciplinary Policies.
D7.1. The Customer shall maintain policies for vetting, hiring, training and disciplining the Customer’s Staff and shall comply with these in respect of each person who has access to the ADD Service. The minimum requirements for such vetting procedures are set out in SCHEDULE 2 (MINIMUM DATA SECURITY REQUIREMENTS).
D8. The Customer’s Internal Compliance Checks
D8.1. The Customer shall ensure that its business processes, records of customer interactions and transactions, audit procedures on business activities and financial reporting are appropriate and effective to ensure proper use of the Data in compliance with this Contract and the requirements of Data Protection Legislation. The minimum requirements for such internal compliance are set out in SCHEDULE 2 (MINIMUM DATA SECURITY REQUIREMENTS).
D8.2. The Customer shall carry out its own internal compliance checks at least annually and shall notify Intermediary of such checks by using the Data Governance Assessment Form provided by DVLA.
D9. Audits and Reviews
D9.1. The Customer shall share with Intermediary the outcome of any other checks, audits or reviews that have been carried out on its activities as a Data Controller that are relevant to the Processing of the Data.
D9.2. The Customer shall notify Intermediary immediately, or within a maximum of 24 hours of becoming aware, of any audits that are being carried out by the Information Commissioner’s Office under Data Protection Legislation that are relevant to the Processing of the Data.
D10. Incidents
D10.1. The Customer shall notify Intermediary immediately, within a maximum of 24 hours of becoming aware, of any losses, compromise or misuse of the Data or any Personal Data Breach and keep Intermediary informed of any communications about the incident with; the individuals whose Personal Data is affected; the Information Commissioner’s Office; or the media.
D10.2. The Customer understands that as the Data Controller it shall be responsible for taking any action necessary to resolve any such incident.
D11. Inspection By The DVLA/Intermediary
D11.1. The DVLA, either on its own or through the Intermediary, reserves the right to carry out an inspection at any time of the Customer’s compliance with the terms of this Contract. Where possible, the DVLA or Intermediary shall give the Customer 7 Days’ written notice of any such inspection
D11.2. In exceptional circumstances in relation to abuse of the ADD Service, access to Third Party Customers Premises may be required. Other than in exceptional circumstances, such as a suspected serious breach of Data security, examinations will be by prior contact and Intermediary will notify the Customer in advance of any Third Party premises they wish to examine.
D11.3. The Customer agrees to co-operate fully with any such inspection and to allow the DVLA, or an agent acting on its behalf, access to its Premises, Equipment, Evidence and the Customer’s Staff for the purposes of the inspection.
D11.4. The Customer will respond as required to the findings and recommendations of any DVLA or Intermediary inspection and will provide updates as required on the implementation of any required actions.
D11.5. The DVLA or Intermediary may at any time check the electronic trail relating to any activity made by the Customer and contact the person responsible for such activity.
D11.6 The DVLA or Intermediary may, by written notice to the Customer, forbid access to the Data, or withdraw permission for continued access to the Data, to: (i) any member of the Customer’s Staff; or (ii) any person employed or engaged by any member of the Customer’s Staff; whose access to or use of the Data would, in the reasonable opinion of the DVLA, be undesirable.
D11.7. The decision of the DVLA or Intermediary as to whether any person is to be forbidden from accessing the Data and as to whether the Customer has failed to comply with this clause shall be final and conclusive.
D11.8. The DVLA will be entitled to be reimbursed by the Customer for all DVLA’s reasonable costs incurred in the course of the inspection.
D12. Action On Complaint
D12.1. Where a complaint is received about the Customer or the manner in which its services have been supplied or work has been performed or procedures used or about any other matter connected with the performance of the Customer’s obligations under the Subscription Agreement or the use of Data, the DVLA or Intermediary may notify the Customer, and where considered appropriate by the DVLA or Intermediary, investigate the complaint. The DVLA or Intermediary may, in its sole discretion, acting reasonably, uphold the complaint and take further action in accordance with PART J.
Part F – Statutory Obligations
F1. Prevention of Corruption
F1.1. The Customer shall not offer or give, or agree to give, to the DVLA or any other public body or person employed by or on behalf of the DVLA any gift or consideration of any kind as an inducement or reward for doing, refraining from doing, or for having done or refrained from doing, any act in relation to the obtaining or execution of the Contract or any other contract with the DVLA or any other public body, or for showing or refraining from showing favour or disfavour to any person in relation to the Contract or any such contract.
F1.2. If the Customer, its Staff or anyone acting on the Customer’s behalf, engages in conduct prohibited by clause F1.1 or the Bribery Act 2010 (as amended), the DVLA may: (a) terminate and recover from the Customer the amount of any loss suffered by the DVLA resulting from the termination; or (b) recover in full from the Customer any other loss sustained by the DVLA in consequence of any breach of that clause.
F2. Prevention of Fraud
F2.1. The Customer shall take all reasonable steps, in accordance with Industry Best Practice, to prevent Fraud by the Customer’s Staff and the Customer (including its shareholder, members, and directors) in connection with the receipt of the ADD Service.
F2.2. The Customer shall notify the DVLA immediately if it has reason to suspect that any Fraud has occurred or is occurring or is likely to occur.
F2.3. If the Customer or its Staff commits Fraud in relation to this or any other contract with the Crown (including the DVLA) the DVLA may: (a) terminate the Contract and recover from the Customer the amount of any loss suffered by the DVLA resulting from the termination; or (b) recover in full from the Customer any other loss sustained by the DVLA in consequence of any breach of this clause.
F3. Discrimination
F3.1. The Customer must not unlawfully discriminate either directly or indirectly or by way of victimisation or harassment against a person on such grounds as age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, colour, ethnic or national origin, sex or sexual orientation, and without prejudice to the generality of the foregoing the Customer must not unlawfully discriminate within the meaning and scope of the Equality Acts 2006 and 2010 (as amended), the Human Rights Act 1998 (as amended) or other relevant or equivalent legislation, or any statutory modification or re-enactment thereof.
F3.2. The Customer shall take all reasonable steps to secure the observance of F3.1 by all of its Staff.
F4. The Contracts (Rights of Third Parties) Act 1999 (as amended)
F4.1. A person who is not a Party to the Contract shall have no right to enforce any of its provisions which, expressly or by implication, confer a benefit on him, without the prior written Approval of both Parties. This clause does not affect any right or remedy of any person which exists or is available apart from the Contracts (Rights of Third Parties) Act 1999 (as amended) and does not apply to the Crown.
F5. Health and Safety
F5.1. The Customer shall promptly notify the DVLA of any health and safety hazards which may arise in connection with the performance of its obligations under the Contract, including but not limited to, on inspection by the DVLA.
F5.2. While on the Customer’s Premises, the DVLA shall comply with any health and safety measures implemented by the Customer in respect of its Staff and other persons working there.
F5.3. The DVLA shall notify the Customer immediately in the event of any incident occurring in the performance of its obligations under the Contract on the Premises where that incident causes any personal injury or damage to property which could give rise to personal injury.
F5.4. The Customer must comply with the requirements of the Health and Safety at Work Act 1974 (as amended) and any other acts, orders, regulations and codes of practice relating to health and safety, which may apply to the Customer’s Staff and other persons working on the Premises in the performance of its obligations under the Contract.
Part G – Protection of Information
G2. Publicity and Media
G2.1. The Customer shall notify the DVLA immediately if any circumstances arise which could result in publicity or media attention to the Customer which could adversely reflect on the DVLA or the ADD Service.
G2.2. The Customer shall not create or approve any publicity implying or stating that the DVLA has a connection with or endorses any service provided by the Customer without the prior written Approval of DVLA.
Part H – Control Of The Contract
H1. Transfer and Sub-Contracting
H1.1. The Customer shall not assign, sub-contract or in any other way dispose of the Contract or any part of it without the prior written Approval of the Intermediary.
H1.2. Sub-Contracting any part of the Contract shall not relieve the Customer of any of its obligations or duties under the Contract. The Customer shall be responsible for the acts and omissions of its Sub-Contractors as though they are its own. Where the Intermediary has approved to the placing of sub-contracts, copies of each sub-contract shall, at the request of the Intermediary, be sent by the Customer to the Intermediary as soon as reasonably practicable.
H2. Insolvency
H2.1. The Customer shall notify the Intermediary immediately in writing where the Customer is a company and in respect of the Customer:
(a) a proposal is made for a voluntary arrangement within Part 1 of the Insolvency Act 1986 (as amended) or of any other composition scheme or arrangement with, or assignment for the benefit of, its creditors; or
(b) a shareholders’ meeting is convened for the purpose of considering a resolution that it be wound up or a resolution for its winding-up is passed (other than as part of, and exclusively for the purpose of, a bona fide reconstruction or amalgamation); or
(c) a petition is presented for its winding up (which is not dismissed within 14 Days of its service) or an application is made for the appointment of a provisional liquidator or a creditors’ meeting is convened pursuant to section 98 of the Insolvency Act 1986 (as amended); or
(d) a receiver, administrative receiver or similar officer is appointed over the whole or any part of its business or assets; or
(e) an application order is made either for the appointment of an administrator or for an administration order, and administrator is appointed, or notice of intention to appoint an administrator is given; or
(f) it is or becomes insolvent within the meaning of section 123 of the Insolvency Act 1986 (as amended); or
(g) being a “small company” within the meaning of section 247(3) of the Companies Act 1985 (as amended); a moratorium comes into force pursuant to Schedule 1A of the Insolvency Act 1986 (as amended); or
(h) any event similar to those listed in this clause occurs under the law of any other jurisdiction.
H2.2. The Customer shall notify the Intermediary immediately in writing where the Customer is an individual and:
(a) an application for an interim order is made pursuant to sections 252-253 of the Insolvency Act 1986 (as amended) or a proposal is made for any composition scheme or arrangement with, or assignment for the benefit of, the Customer’s creditors; or
(b) a petition is presented and not dismissed within 14 Days or order made for the Customer’s bankruptcy; or
(c) a receiver, or similar officer is appointed over the whole or any part of the Customer’s assets or a person becomes entitled to appoint a receiver, or similar officer over the whole or any part of his assets; or
(d) the Customer is unable to pay his debts or has no reasonable prospect of doing so, in either case within the meaning of section 268 of the Insolvency Act 1986 (as amended); or
(e) a creditor or encumbrancer attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the Customer’s assets and such attachment or process is not discharged within 14 Days; or
(f) suspends or ceases, or threatens to suspend or cease, to carry on all or a substantial part of his business.
H3. Change of Control
H3.1. The Customer shall seek the prior written Approval of the Intermediary to any change of control within the meaning of section 450 of the Corporation Taxes Act 2010 (as amended) (“Change of Control”). Where the Intermediary has not given its written agreement before the Change of Control, the Intermediary may terminate the Contract by notice in writing with immediate effect within 26 weeks of:
(a) being notified that that change of control has occurred; or
(b) where no notification has been made, the date that the DVLA becomes aware of that change of control.
Part J – Defaults, Disruption, Suspension and Termination
J2. Termination For Material Breach
J2.1. The Intermediary may terminate the Contract with immediate effect by written notice to the Customer on or at any time after the occurrence of an event specified in clause J2.2.
J2.2. The events are that:
(a) The Customer fails to pay any amount due under this Contract on the due date for payment and remains default not less than 60 days after being notified in writing to make such payment;
(b) The Customer commits any three or more Defaults, whether simultaneously or singly at any time during the operation of the Contract, irrespective of whether any or all of such breaches is minimal or trivial in nature;
(c) The Customer commits a Material Breach of any other term of this agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 26 weeks after being notified [in writing] to do so.
J3. Suspension of The ADD Service
J3.1. If it comes to the attention of the DVLA that the Customer has committed any Default (including Material Breaches and all other Defaults), the DVLA may suspend the ADD Service without further notice and with immediate effect and investigate the nature and effect of the breach.
J3.2. The DVLA may from time to time issue guidance on its principles on suspending the ADD Service and terminating contracts to supply Data using the ADD Service. The guidance may include guidance concerning: types of Defaults which the DVLA may consider to be Material Breaches; guidance as to specific types of breach that the DVLA will consider to be remediable; how such breaches may be remedied; how long suspension may last; when following any period of suspension the Customer may resume making requests and in relation to which dates of events such requests may be made; and guidance as to which types of breach the DVLA may consider to be irremediable.
J4. Effect of Suspension
J4.1. If the DVLA suspends the ADD Service at any time, the Customer shall co-operate with any further investigation, audit or review that the DVLA requires to be carried out in relation to the Data provided to the Customer.
J4.2. The DVLA may refuse to resume the ADD Service until the Customer provides assurances that the matter resulting in the suspension has been resolved to the satisfaction of the DVLA, and takes specified actions within a reasonable period set by the DVLA.
J4.3. The DVLA may require that an inspection is carried out after the ADD Service is resumed, to check the Customer’s compliance with the Contract and Data Protection Legislation.
J4.4. Intermediary may require the Customer to pay the reconnection fee and the fee for any inspection before it will resume the ADD Service.
J4.5. During any suspension period, the DVLA shall not provide Data to the Customer through the Business to Business Gateway ADD system. The DVLA may also refuse requests for Data from the Customer through the paper service during this period.
J4.6. The Customer shall reimburse the DVLA for all DVLA’s cost and expenses incurred in relation to the DVLA’s right under clause J4 to carry out an inspection, investigation, audit or review of the Customer.
J5. Insolvency
J5.1. Where the DVLA is notified in writing of any of the circumstances listed in clause H2 (Insolvency), the DVLA may suspend the ADD Service without further notice and with immediate effect and investigate further whether any of the Customer’s directors or any liquidator, receiver, administrative receiver, administrator, or other officer is capable of ensuring that the provisions of this Contract and of Data Protection Legislation are complied with. If the DVLA is not satisfied that any such person shall ensure such compliance, the DVLA may terminate the Contract by written notice with immediate effect.
J6. Other Termination Rights
J6.1. The DVLA may require the Intermediary to terminate the Contract by written notice with immediate effect if in the reasonable view of the DVLA, during any period of suspension of the ADD Service the Customer:
(a) fails to co-operate with any investigation, audit or review;
(b) fails to provide any assurances or take any actions within the reasonable period set by the DVLA under clause J4.2; or
(c) fails to provide assurances that satisfy the DVLA (acting reasonably) that the Customer has complied and shall continue to comply with the requirements of this Contract and of Data Protection Legislation.
J6.2. The DVLA may require the Intermediary to terminate the Contract by written notice with immediate effect if the Customer fails to pay the DVLA undisputed sums of money when due by variable direct debit in two or more consecutive Months.
J6.3. The DVLA may require the Intermediary to terminate the Contract by written notice with immediate effect if the Customer is found to be in breach of any aspect of the Law that could, in the reasonable opinion of the DVLA, bring the DVLA into disrepute.
J6.4. The DVLA may require the Intermediary to terminate the Contract by written notice with immediate effect if the Customer is an individual and he has died or is adjudged incapable of managing his affairs within the Mental Capacity Act 2005 (as amended).
J7. Consequences of Suspension and Termination
J7.1. After the ADD Service has been suspended or the Contract has been terminated or both, the Customer shall continue to comply with its obligations under this Contract and under Data Protection Legislation in relation to the Data which it holds, including as to the proper use of the Data, retention of the Data and secure destruction of the Data.
SCHEDULE 1 - DVLA OBLIGATIONS FOR USE OF DESCARTES SMARTLICENCE SERVICE
ANNEX A (CUSTOMERS KEY STAFF)
CUSTOMER’S KEY STAFF WITH DIRECT RESPONSIBILITIES FOR THE DATA AND FOR THE OTHER OBLIGATIONS UNDER THE AGREEMENT
1. The contact details of the Customer’s Key Staff with responsibility for the Data and the performance of the Agreement, as referred to in clause C1 of this Contract, are set out in this Annex.
1.1 The contact details of the Commercial Manager referred to in clause C1.(a) are:
Name: ………………………………………….
Job Title: ……………………………………….
Business Address (The Customer’s Registered Office, as recorded at Companies’ House):
…………………………………………………..
…………………………………………………..
…………………………………………………..
Postcode: ……………………………………….
Business telephone number: ……………………………………….
Business mobile telephone number: ……………………………….
Business Email address: …………………………………………….
1.2 The contact details of the Data Manager referred to in clause C1.(b) are:
Name: ………………………………………….
Job Title: ……………………………………….
Business Address: ……………………………
…………………………………………………..
…………………………………………………..
…………………………………………………..
Postcode: ……………………………………….
Business telephone number: ……………………………………….
Business mobile telephone number: ……………………………….
Business Email address: …………………………………………….
1.3 The contact details of any other Key Staff, who are responsible for the Data or for supervision of the Staff with access to the Data, should be provided below and on continuation sheets attached to ANNEX A (CUSTOMERS KEY STAFF).
1.4 The contact details for the ADD Customer Data Protection Officer (DPO) where applicable:
Name: ………………………………………….
Business Address: ……………………………
…………………………………………………..
…………………………………………………..
…………………………………………………..
Postcode: ……………………………………….
Business telephone number: ……………………………………….
Business mobile telephone number: ……………………………….
Business Email address: …………………………………………….
SCHEDULE 2 – MINIMUM DATA SECURITY REQUIREMENTS
The following Minimum Data Security Requirements will apply to the Customer where the Customer stores Data on devices or hardware under its control or used by the Customer.
1. Data Security Requirements
1.1. The minimum security requirements, which are required by clause D2, are as follows:
(a) Data, including back-up Data, must be retained in secure Premises and locked away;
(b) the Data supplied may only be copied for back-up and for the purposes of Processing the Data. Copies must be erased immediately thereafter and they must not be otherwise duplicated;
(c) the Customer will retain the Data only for as long as necessary with reference to the Permitted Purpose of which the Data is required;
(d) the Customer, in accordance to Data Protection Legislation should dispose of the Data where there is no business need to retain it;
(e) Data, including back-up Data, must be protected from unauthorised access, release or loss;
(f) a User ID and a robust password must be required to enter all databases on which the Data is stored;
(g) a unique User ID and password must be allocated to each person with access to the Data or the ADD Service;
(h) user IDs must not be shared between the Customer’s Staff;
(i) an electronic trail relating to any activity involving the Data must be retained, identifying the User ID and individual involved in each activity;
(j) access to the Data must be minimised so that only where necessary are individuals given the following levels of access:
· ability to view material from single identifiable records
· ability to view material from many identifiable records
· functional access, including: searching, amendment, deletion, printing, downloading or transferring information;
(k) the Data must not be accessed from, copied onto or stored on Removable Media. Laptops may be used but only if the device has full disk encryption installed in line with Industry Best Practice and devices are securely protected when not in use;
(l) all manual and electronic enquiries must be logged centrally and stored by the Customer;
(m) enquiries must be checked by senior staff on a regular basis;
(n) senior members of the Customer’s Staff must conduct reconciliation checks between incoming and outgoing enquiry volumes on a regular basis;
(o) Data must be used only for the Permitted Purpose for which it was obtained;
(p) Data must only be kept for as long as necessary, as required by clause D6.1;
(q) paper records must be securely destroyed so that reconstruction is unlikely;
(r) electronic Data must be securely destroyed or deleted in accordance with current guidance from the Information Commissioner’s Office as soon as it is no longer needed;
(s) Data received by post must be available only to appropriately trained and experienced members of the Customer’s Staff, who must abide by the requirements of this Contract and Data Protection Legislation;
(t) all records containing personal information, including screen prints, reports or other Data which have been supplied or derived from the DVLA’s system in any format must be retained in a secure manner;
(u) all Premises and buildings in which the Data is stored must be secure;
(v) the Customer must be registered with the Information Commissioner and the permission must cover all activities actually carried out;
(w) information must not be passed to third parties except with the prior written Approval of the DVLA, in accordance with D5.1; and
(x) transfer of the Data to third parties (where Approval has been granted by DVLA or Intermediary in accordance with clause D5.1 must be in accordance with the principles of Data Protection Legislation. Any other conditions required by the DVLA in giving permission for disclosure to third parties must be satisfied.
2. Inspection, Internal Compliance and Audit
2.1. The Data Governance Assessment form shall be completed upon DVLA request and shall confirm whether or not the following requirements have been complied with:
(a) all of the Data Security requirements in paragraph 1 of SCHEDULE 2 (MINIMUM DATA SECURITY REQUIREMENTS);
(b) all of the minimum requirements for the Data Protection Declaration detailed in SCHEDULE 3 (MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION);
(c) All of the minimum requirements for electronic Data Protection Declaration Solutions (if applicable).
3. Minimum Requirements for the Customer’s Staff Vetting and Disciplinary Procedures
3.1 The minimum requirements for the Customer’s Staff vetting procedures, which are required by clause D7 are as follows:
(a) the Customer shall confirm the identity of all of its new Staff;
(b) the Customer shall confirm the references and qualifications of all of its Staff;
(c) the Customer shall require all persons who are to have access to the ADD Service or to the Data to complete and sign a written declaration of any unspent criminal Convictions;
(d) the Customer shall not allow any person with unspent criminal Convictions to have access to the ADD Service or to the Data, except with the prior written Approval of the DVLA;
(e) the Customer shall ensure that no person who discloses that he or she has a Relevant Conviction, or who is found by the Customer to have any Relevant Conviction is allowed access to the Data or to the ADD Service without the prior written Approval of the DVLA;
(f) the Customer shall require all persons who are to have access to the ADD Service or to the Data to complete and sign an agreement to use the ADD Service and the Data only for the Permitted Purpose set out in this Contract and in accordance with the Customer’s procedures;
(g) the Customer shall require that each person who has access to the Data shall sign a document confirming that the person shall use the Data and the ADD Service only in accordance with the Customer’s procedures and only for the Permitted Purpose;
(h) the Customer shall ensure that each person who has access to the ADD Service or the Data shall act with all due skill, care and diligence and shall possess such qualifications, skills and experience as are necessary for the proper use of the ADD Service and the Data;
(i) the Customer shall ensure that each person who is authorised to use the ADD Service has been trained in the operation of the system and its associated procedures. The Customer shall keep documentary records of attendance on such training by each person;
(j) the Customer shall ensure that each person who has access to the Data is appropriately trained in and aware of his or her duties and responsibilities under Data Protection Legislation and this Contract;
(k) the Customer shall create and maintain a unique user account ID for each person who has access to the ADD Service;
(l) the Customer shall maintain a procedure for authorising the creation of user accounts and for the prompt deletion of accounts that are no longer required. The customer must ensure that the person or persons carrying out this work are appropriately trained and that their duties are separate from that of a normal user account. A normal user must not be able to manage their own account;
(m) the Customer’s disciplinary policy shall state that misuse of the ADD Service or the Data by any person shall constitute gross misconduct and may result in summary dismissal of that person. The Customer shall notify such misuse to the DVLA and the person involved shall be refused all future access to DVLA Data;
(n) system administrators must receive appropriate training;
(o) the system administration role must be separated from any other role to ensure a separation of duties;
(p) the Customer shall notify DVLA immediately, within a maximum of 24 hours of becoming aware, of any security breaches, losses, compromise or misuse of the Data, and keep DVLA informed of any such communications about such incidents with:
· the Data Subjects whose Personal Data is affected;
· the Information Commissioner’s Office (or relevant Supervisory Authority);
· the media.
SCHEDULE 3 – MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION
1.1 DVLA is required to be satisfied that any Processing (including disclosure) of Personal Data is compliant with Data Protection Legislation. The Customer may make enquiries of the record holder for its own legitimate purposes in accordance with Data Protection Legislation. The Customer must make the record holder fully aware that information from that person’s driver record is to be obtained from DVLA, the categories of Data involved, the purposes and the period and frequency in which Data will be requested. DVLA requires the Customer to Evidence this through the provision of a Data Protection Declaration signed by the record holder and containing a declaration to that effect.
1.2 The Customer must have a defined procedure in place for obtaining Evidence of the record-holder’s Data Protection Declaration.
1.3 The Customer must retain Evidence at the Customer’s main office for business operations for a period of 7 years (current year plus 6) regardless of the length of time for which the Evidence was valid. Evidence must be retained in a structured manner that permits the easy recovery of specific cases. Evidence must be produced by the Customer for any enquiry logged on DVLA’s system. Evidence can be stored electronically provided it meets the requirements stated in clause D6 and SCHEDULE 3 (MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION) of this Contract.
1.4 All Data Protection Declarations must clearly state the Customer’s name(s). In event of the Customer’s name(s) changing, or if there is any restructuring of the Customer that affects its legal entities, subsidiary companies or its trading / legal name(s), a new completed Data Protection Declaration form must be completed to reflect the change. Customers must inform the Intermediary of any such changes.
1.5 When it is necessary for DVLA to change the Data Protection Declaration within the three-year period it may be a requirement for a new Data Protection Declaration to be obtained from the record holders concerned within this period (using the revised format), depending on the nature of any changes made.
1.6 Data Protection Declarations completed and signed previously for a different intermediary are not valid and must not be used.
1.7 If the Customer procedures permit a separation or delay between obtaining the Data Protection Declaration and making the enquiry on the record, there must be a clear audit trail to identify the employee responsible for obtaining the Data Protection Declaration.
1.8 The Data Protection Declaration is valid for a period of not more than 3 years from the date of signature or until the record holder ceases to drive for the Customer, whichever occurs sooner.
1.9 It is the responsibility of the record holder to inform and obtain written acknowledgement from the Customer that his details will not be processed further if that is the instruction. The rights of the Customer under Data Protection Legislation are not affected, but DVLA reserves the right to withhold the record holder’s Personal Data. Intermediary companies must ensure that procedures are in place to check the validity of Data Protection Declarations.
1.10 Where a paper Data Protection Declaration is used DVLA, through the Intermediary, will accept original forms, photocopies, fax copies and electronically scanned copies on the basis that they are of good quality and the information contained thereon is clearly legible. This includes, but is not limited to: (a) Handwriting and printed wording must not be obscured or tampered with in any way, shape or form; (b) The use of correction fluid or other tampering will render the form invalid and will require the completion of a new one; (c) Forms printed from an electronic scanning solution must meet stipulations in clause 1.16 of SCHEDULE 3 (MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION).
1.11 DVLA offers a standard Data Protection Declaration (D906/ADD) which DVLA recommend you use as Evidence. Alternatively, the Customer can produce a bespoke Data Protection Declaration. However, any such bespoke Data Protection Declaration must meet DVLA requirements and must first be approved by DVLA prior to being used.
1.12 For all “401” enquiries, only the standard DVLA Data Protection Declaration (D906/ADD) will be accepted.
1.13 The Customer is permitted to develop and implement electronic Data Protection Declaration solutions, providing that the Customer can Evidence to DVLA, upon request, that the following information has been electronically presented to and read by the record holder, on a given date to support ADD enquiries:
a) Company details
· Details of the company or companies that will be requesting the driving licence Data;
b) The reason for the request
· The Permitted Purpose for requesting the driving licence Data
c) The Driver details
· Surname
· First name
· Date of Birth
· Address
· Driver Number
· Certificate of Professional Competence (CPC) Number if applicable)
· Digital Tachograph Card Number (if applicable)
d) The following fair processing declaration;
“I am the person referred to in [refer to section]. I understand the [named companies] will ask DVLA for my driver record information, as and when they require, for the purpose set out [refer to section]. I understand DVLA will disclose to the [named companies] all relevant information held in the computerised register of drivers maintained by DVLA. This includes personal details, driving entitlements, valid endorsements and disqualifications (if relevant), photo images, Certificate of Professional Competence (CPC) and Digital Tachograph Card details (where appropriate). Medical information will not be provided. This declaration will expire when I cease driving in connection with the company or in any case, three years from the date of my signature.”
1.14 The Customer is responsible as Data Controller for ensuring that any electronic Data Protection Declaration solutions comply with Data Protection Legislation.
1.15 All records containing Data obtained from the ADD Service will be retained by the Customer in accordance with Data Protection Legislation. The Customer will retain responsibility for the storage of Data and any subsequent failure to do so may result in the withdrawal of the ADD Service. Data Protection Declaration, screen-prints and paper copies of records obtained from the ADD Service must be stored in a locked cupboard or similar in a lockable room with a suitable keypad or lock, which must be secured overnight. The Data Protection Declarations must be stored at the Customer’s address given as a point of contact to DVLA. Copies of records stored on electronic systems must meet the minimum level of security required. The minimum level of security must be implemented such that the controls described in this document are applied, and that electronic records can only be accessed by legitimate users who have authenticated correctly and have a Permitted Purpose to view the Data.
1.16 Any scanned images of paper Data Protection Declarations stored electronically must be encrypted and stored in a secure and auditable database provided the company has the facility and expertise to scan, store and destroy Data to required standards of legal admissibility.
1.17 Where the Customer utilises an electronic Data Protection Declaration solution, the Customer must ensure that all electronic Data Protection Declarations are encrypted, stored and destroyed to required standards of legal admissibility.
SCHEDULE 4 – REQUIREMENTS IN RELATION INTERMEDIARIES AND THIRD PARTY CUSTOMERS
For the purpose of this Schedule 4 ONLY:
“Customer” shall mean Descartes.
“Third Party Customer” shall mean the entity that has subscribed to SmartLicence.
1. Contractual Obligations of all Third Party Customers
1.1. In accordance with clause B5.2, the ADD user obligations to be imposed on the Third Party Customer in the written contract between the Customer and each Third Party Customer for whom it intends to act as Intermediary, are as follows:
(a) the obligations of the Customer in clauses B1 (The Legal Basis for Release of Data), B2 (Customer Criteria) and B3 (Purpose For Which Data Is Provided);
(b) the obligations of the Customer in clause C1 (The Customer’s Key Staff), except that the obligation on the Customer in clause C1.3 (changes in personnel) to notify the DVLA shall instead be an obligation to notify the Intermediary;
(c) the obligations of the Customer in PART F (STATUTORY OBLIGATIONS) and G2 (Publicity and Media);
(d) the obligations of the Customer in the following clauses, except that any obligation to seek the permission of or to notify the DVLA shall instead be an obligation to seek the permission of or to notify the Intermediary:
1.1.d.1 H1.1 and H1.2 (Transfer and Sub-contracting);
1.1.d.2 H2 (Insolvency);
1.1.d.3 H3 (Change of Control); and
1.1.d.4 J7.1 (Consequences of Suspension and Termination).
2. Contractual Obligations of Third Party Customers with Access to the Data
2.1. In accordance with clause B5.3, the ADD user obligations to be imposed on the Third Party Customer in the written contract between the Customer and each Third Party Customer for whom it intends to act as Intermediary, are as follows:
(a) the obligations of the Customer in clauses B7.2 (Accuracy of the Data);
(b) the obligations of the Customer in clause C3 (Reviews and meetings), except that the requirements in that clause to attend meetings and otherwise may be placed on the Customer by the Intermediary and not by the DVLA;
(c) the obligations of the Customer in PART D, except that the obligations on the Customer in the following clauses to notify, inform, share information with or co-operate with the DVLA shall instead be obligations to notify, inform, share information with or co-operate with the Intermediary:
2.1.c.1 D8.2 (outcome of internal compliance checks);
2.1.c.2 D9 (Audits and Reviews, etc);
2.1.c.3 D10.1 (Incidents); and
2.1.c.4 D11.2 (Inspection).
(d) the requirements in SCHEDULE 2 (MINIMUM DATA SECURITY REQUIREMENTS), SCHEDULE 3 (MINIMUM REQUIREMENTS FOR DATA PROTECTION DECLARATION) and SCHEDULE 4 (REQUIREMENTS IN RELATION TO INTERMEDIARIES AND THIRD PARTY CUSTOMERS).
3. Contractual Rights and Powers of Intermediaries
3.1. The rights and powers to be reserved by the Customer in accordance with clause B5.2, in the written contract between the Customer and each Third Party Customer for whom it intends to act as Intermediary, are as follows:
(a) the rights and powers of the DVLA in clauses D11 and D12;
(b) the right of the DVLA to terminate the contract, in accordance with clause J2 or J6; and
(c) the right of the DVLA to suspend access to the ADD Service to the Third Party Customer under clauses J3 and J5, and the effect of suspension under clause J4, except that the obligation to pay fees under clause J4.4 shall be an obligation to pay those fees to the Intermediary, or may be varied or waived by the Intermediary.
4. Intermediary to Ensure Compliance by Third Party Customers
4.1. In accordance with clause B5.7 and in order to ensure the compliance of its Third Party Customers with the ADD user obligations in SCHEDULE 4 (REQUIREMENTS IN RELATION TO INTERMEDIARIES AND THIRD PARTY CUSTOMERS), the Customer shall:
(a) at all times maintain a written contract with the Third Party Customer that includes all the obligations and rights required to be included under this contract;
(b) audit every Third Party Customer at least once in the first calendar year during which it acts as Intermediary to that Third Party Customer, and annually thereafter, and make evidence of such audits available to the DVLA at its request;
(c) notify the DVLA immediately of any Defaults that the Customer considers to have been committed by the Third Party Customer, whether discovered on audit by the Customer or at any other time; and
(d) take any additional action the Intermediary considers reasonable to ensure that the Third Party Customer shall comply with all of the ADD user obligations.
In order for the Website to properly verify your access to the Services, the Website may make use of various technologies to identify, verify, and track users of the Website.
You agree that we may make use of "cookie" software to optimise your access to the Website and the Information.
As all computers need routine maintenance and sometimes break down, because continuity of access is dependent on continuity of electricity and telecommunications, and because we have no control over the timing or volume of attempts to access our servers, we do not guarantee that you will be able to access the Website at any particular time. We will however use all reasonable endeavours to minimise downtime.
A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.
Cookies may store user preferences and other information, and be used to gather anonymous analytics that help us improve our websites based on how people use them. You can reset your browser to refuse all cookies or to indicate when a cookie is being sent, however some website features or services may not function properly without cookies.
You can find more information about cookies below.
We only uses first-party cookies to track visitor interactions and do not collect any personal information in these cookies. Browsers do not share first-party cookies across domains. We use cookies to gather anonymous usage statistics via Google Analytics, which help us analyse data about webpage traffic and improve our website in order to tailor it to customer needs.
The cookies used on this website have been categorised based on the categories found in the ICC UK Cookie guide. A list of all the cookies used on this website by category is set out below.
These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like secure login and reporting, cannot be provided.
Summary - These cookies enable services you have specifically asked for.
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
Summary - These cookies collect anonymous information on the pages visited.
By using our online service, you agree that we can place these types of cookies on your device.
Below is a summary of the cookies used by this website.
Cookie name: ASP.NET_SessionID
Category: 1 – Strictly necessary cookie
Purpose: Session cookie used to provide session tracking across multiple load-balanced webservers. Used by the ASP.NET State Server service.
Cookie name: AardvarkRS
Category: 1 – Strictly necessary cookie
Purpose: Session cookie used by the SQL Server Reporting Services report viewer control to provide secure access to reports within the user’s session.
Cookie name: Aardvark
Category: 1 – Strictly necessary cookie
Purpose: Session cookie used to provide secure session tracking for the main website.
Cookie name: _utma
Category: 2 – Performance cookie
Purpose: Saves information about total number of visits to the site, the time of the first visit, previous visit and current visit. This is a persistent cookie with a lifespan of 2 years.
Cookie name: _utmb
Category: 2 – Performance cookie
Purpose: Used to record information about what happened during the current visit or session, including the ability to tell when a session ends.
Cookie name: _utmc
Category: 1 – Strictly necessary cookie, 2 – Performance cookie
Purpose: Session cookie that expires at the end of the current session/visit.
Cookie name: _utmz
Category: 2 – Performance cookie
Purpose: Saves info relating to how a user arrived at a site, the channel though which they came, date/time info and what keywords they used if they arrived via a search engine.